├── KeHook64.sln
├── KeHook64
    ├── KeHook.h
    ├── KeHook64.inf
    ├── KeHook64.vcxproj
    ├── KeHook64.vcxproj.filters
    ├── Main.cpp
    └── Utils.h
└── README.md


/KeHook64.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.30503.244
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KeHook64", "KeHook64\KeHook64.vcxproj", "{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|x64.Build.0 = Debug|x64
28 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|x86.Build.0 = Debug|Win32
31 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|ARM.Build.0 = Release|ARM
34 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x64.ActiveCfg = Release|x64
39 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x64.Build.0 = Release|x64
40 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x64.Deploy.0 = Release|x64
41 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x86.ActiveCfg = Release|Win32
42 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x86.Build.0 = Release|Win32
43 | 		{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {A6F2B95C-BF8F-4ADE-8739-872BE439CA61}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/KeHook64/KeHook.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | class _KeHook {
  3 | public:
  4 | 	PBYTE Create(UNICODE_STRING _Name, PBYTE _NTFunction, PBYTE _Function);
  5 | 
  6 | 	VOID  Remove(UNICODE_STRING _Name);
  7 | 
  8 | 	VOID  RemoveAll();
  9 | 
 10 | private:
 11 | 	typedef struct _KeEntry {
 12 | 		PBYTE Trampoline;
 13 | 		PBYTE NTFunction;
 14 | 		PBYTE Function;
 15 | 		SIZE_T Size;
 16 | 		UNICODE_STRING Name;
 17 | 	} KeEntry, * PKeEntry;
 18 | 
 19 | 	KeEntry Hooks[500];
 20 | 	SIZE_T  HookCount = 0;
 21 | 
 22 | 
 23 | 	BOOL IsNameExisting(UNICODE_STRING _Name);
 24 | 
 25 | 	BOOL IsFunctionHooked(PBYTE _NTFunction);
 26 | 
 27 | 	SIZE_T FindHookLength(PBYTE _NTFunction, SIZE_T _ShellCodeLength);
 28 | };
 29 | 
 30 | _KeHook KeHook;
 31 | 
 32 | PBYTE _KeHook::Create(UNICODE_STRING _Name, PBYTE _NTFunction, PBYTE _Function) {
 33 | 	BYTE ShellCode[] = {
 34 | 		0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,             // JMP + RIP
 35 | 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00  // Absolute Address
 36 | 	};
 37 | 
 38 | 	// Check NTFunction, Or find by name.
 39 | 	if (!_NTFunction) {
 40 | 		_NTFunction = (PBYTE)MmGetSystemRoutineAddress(&_Name);
 41 | 		if (!_NTFunction) {
 42 | 			Utils::Print("[KeHook] [%ws] Failed To Find NT Function", _Name.Buffer);
 43 | 			return 0;
 44 | 		}
 45 | 	}
 46 | 
 47 | 	// Check if name is used.
 48 | 	if (IsNameExisting(_Name)) {
 49 | 		Utils::Print("[KeHook] [%ws] Name Already In Use", _Name.Buffer);
 50 | 		return 0;
 51 | 	}
 52 | 
 53 | 	// Check if NT Function is hooked.
 54 | 	if (IsFunctionHooked(_NTFunction)) {
 55 | 		Utils::Print("[KeHook] [%ws] Function Already Hooked", _Name.Buffer);
 56 | 		return 0;
 57 | 	}
 58 | 
 59 | 	// Find length needed on NTFunction
 60 | 	SIZE_T HookLength = FindHookLength(_NTFunction, sizeof(ShellCode));
 61 | 
 62 | 	// Create Trampoline
 63 | 	PBYTE Trampoline = (PBYTE)ExAllocatePool(NonPagedPoolExecute, HookLength + sizeof(ShellCode));
 64 | 	if (!Trampoline) {
 65 | 		Utils::Print("[KeHook] [%ws] Failed Allocating Trampoline", _Name.Buffer);
 66 | 		return 0;
 67 | 	}
 68 | 
 69 | 	// Copy NT Bytes On Trampoline
 70 | 	if (!NT_SUCCESS(Utils::SuperCopyMemory(Trampoline, _NTFunction, HookLength))) {
 71 | 		Utils::Print("[KeHook] [%ws] Failed Copying NT Bytes", _Name.Buffer);
 72 | 		ExFreePoolWithTag(Trampoline, 0);
 73 | 		return 0;
 74 | 	}
 75 | 
 76 | 	// Write JMP On Trampoline
 77 | 	*(PBYTE*)&ShellCode[6] = _NTFunction + HookLength;
 78 | 	if (!NT_SUCCESS(Utils::SuperCopyMemory(Trampoline + HookLength, &ShellCode[0], sizeof(ShellCode)))) {
 79 | 		Utils::Print("[KeHook] [%ws] Failed Writing JMP On Trampoline", _Name.Buffer);
 80 | 		ExFreePoolWithTag(Trampoline, 0);
 81 | 		return 0;
 82 | 	}
 83 | 
 84 | 
 85 | 	// Write JMP On NTFunction
 86 | 	*(PBYTE*)&ShellCode[6] = _Function;
 87 | 	if (!NT_SUCCESS(Utils::SuperCopyMemory(_NTFunction, &ShellCode[0], sizeof(ShellCode)))) {
 88 | 		Utils::Print("[KeHook] [%ws] Failed Writing JMP On NTFunction", _Name.Buffer);
 89 | 		ExFreePoolWithTag(Trampoline, 0);
 90 | 		return 0;
 91 | 	}
 92 | 
 93 | 	// NOP Left Over Bytes On NTFunction [Not Critical]
 94 | 	if (sizeof(ShellCode) > HookLength) {
 95 | 		if (!NT_SUCCESS(Utils::SuperCleanMemory(_NTFunction + sizeof(ShellCode), 0x90, HookLength - sizeof(ShellCode)))) {
 96 | 			Utils::Print("[KeHook] [%ws] Failed NOP Left Over Bytes On NTFunction", _Name.Buffer);
 97 | 		}
 98 | 	}
 99 | 
100 | 	// Log
101 | 	Utils::Print("[KeHook] [%ws] Hook Placed", _Name.Buffer);
102 | 
103 | 	KeEntry Entry;
104 | 	Entry.Name = _Name;
105 | 	Entry.Trampoline = Trampoline;
106 | 	Entry.NTFunction = _NTFunction;
107 | 	Entry.Function = _Function;
108 | 	Entry.Size = HookLength;
109 | 	Hooks[HookCount++] = Entry;
110 | 
111 | 	return Trampoline;
112 | }
113 | 
114 | VOID _KeHook::Remove(UNICODE_STRING _Name) {
115 | 	for (SIZE_T i = 0; i < HookCount; i++) {
116 | 		if (!Hooks[i].Name.Buffer || RtlCompareMemory(Hooks[i].Name.Buffer, _Name.Buffer, _Name.Length) != _Name.Length)
117 | 			continue;
118 | 
119 | 		// Copy NT BytesFrom Trampoline Onto NTFunction
120 | 		if (!NT_SUCCESS(Utils::SuperCopyMemory(Hooks[i].NTFunction, Hooks[i].Trampoline, Hooks[i].Size))) {
121 | 			Utils::Print("[KeHook] [%ws] Failed Restoring NT Bytes", Hooks[i].Name.Buffer);
122 | 			break;
123 | 		}
124 | 
125 | 		// Release Trampoline
126 | 		ExFreePoolWithTag(Hooks[i].Trampoline, 0);
127 | 
128 | 		// Log
129 | 		Utils::Print("[KeHook] [%ws] Removed Hook", Hooks[i].Name.Buffer);
130 | 
131 | 		// Clean
132 | 		RtlSecureZeroMemory(&Hooks[i], sizeof(KeEntry));
133 | 
134 | 		break;
135 | 	}
136 | }
137 | 
138 | VOID _KeHook::RemoveAll() {
139 | 	for (SIZE_T i = 0; i < HookCount; i++) {
140 | 		if (!Hooks[i].Name.Buffer)
141 | 			continue;
142 | 
143 | 		Remove(Hooks[i].Name);
144 | 	}
145 | }
146 | 
147 | 
148 | BOOL _KeHook::IsNameExisting(UNICODE_STRING _Name) {
149 | 	for (SIZE_T i = 0; i < HookCount; i++) {
150 | 		if (!Hooks[i].Name.Buffer || RtlCompareMemory(Hooks[i].Name.Buffer, _Name.Buffer, _Name.Length) != _Name.Length) continue;
151 | 		return TRUE;
152 | 		break;
153 | 	}
154 | 	return FALSE;
155 | }
156 | 
157 | BOOL _KeHook::IsFunctionHooked(PBYTE _NTFunction) {
158 | 	for (SIZE_T i = 0; i < HookCount; i++) {
159 | 		if (!Hooks[i].Name.Buffer || Hooks[i].NTFunction != _NTFunction) continue;
160 | 		return TRUE;
161 | 		break;
162 | 	}
163 | 	return FALSE;
164 | }
165 | 
166 | SIZE_T _KeHook::FindHookLength(PBYTE _NTFunction, SIZE_T _ShellCodeLength) {
167 | 	SIZE_T Length = _ShellCodeLength;
168 | 	while (true) {
169 | 		if (*(BYTE*)(_NTFunction + Length) == 0x45) break; // MOV
170 | 		if (*(BYTE*)(_NTFunction + Length) == 0x48) break; // MOV
171 | 		if (*(BYTE*)(_NTFunction + Length) == 0xC3) break; // RTRN
172 | 		Length++;
173 | 	};
174 | 	return Length;
175 | }
176 | 
177 | 


--------------------------------------------------------------------------------
/KeHook64/KeHook64.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; KeHook64.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=Sample ; TODO: edit Class
 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=KeHook64.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | PnpLockDown=1
13 | 
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | KeHook64_Device_CoInstaller_CopyFiles = 11
17 | 
18 | ; ================= Class section =====================
19 | 
20 | [ClassInstall32]
21 | Addreg=SampleClassReg
22 | 
23 | [SampleClassReg]
24 | HKR,,,0,%ClassName%
25 | HKR,,Icon,,-5
26 | 
27 | [SourceDisksNames]
28 | 1 = %DiskName%,,,""
29 | 
30 | [SourceDisksFiles]
31 | KeHook64.sys  = 1,,
32 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
33 | 
34 | ;*****************************************
35 | ; Install Section
36 | ;*****************************************
37 | 
38 | [Manufacturer]
39 | %ManufacturerName%=Standard,NT$ARCH$
40 | 
41 | [Standard.NT$ARCH$]
42 | %KeHook64.DeviceDesc%=KeHook64_Device, Root\KeHook64 ; TODO: edit hw-id
43 | 
44 | [KeHook64_Device.NT]
45 | CopyFiles=Drivers_Dir
46 | 
47 | [Drivers_Dir]
48 | KeHook64.sys
49 | 
50 | ;-------------- Service installation
51 | [KeHook64_Device.NT.Services]
52 | AddService = KeHook64,%SPSVCINST_ASSOCSERVICE%, KeHook64_Service_Inst
53 | 
54 | ; -------------- KeHook64 driver install sections
55 | [KeHook64_Service_Inst]
56 | DisplayName    = %KeHook64.SVCDESC%
57 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
58 | StartType      = 3               ; SERVICE_DEMAND_START
59 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
60 | ServiceBinary  = %12%\KeHook64.sys
61 | 
62 | ;
63 | ;--- KeHook64_Device Coinstaller installation ------
64 | ;
65 | 
66 | [KeHook64_Device.NT.CoInstallers]
67 | AddReg=KeHook64_Device_CoInstaller_AddReg
68 | CopyFiles=KeHook64_Device_CoInstaller_CopyFiles
69 | 
70 | [KeHook64_Device_CoInstaller_AddReg]
71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
72 | 
73 | [KeHook64_Device_CoInstaller_CopyFiles]
74 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
75 | 
76 | [KeHook64_Device.NT.Wdf]
77 | KmdfService =  KeHook64, KeHook64_wdfsect
78 | [KeHook64_wdfsect]
79 | KmdfLibraryVersion = $KMDFVERSION$
80 | 
81 | [Strings]
82 | SPSVCINST_ASSOCSERVICE= 0x00000002
83 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
84 | ClassName="Samples" ; TODO: edit ClassName
85 | DiskName = "KeHook64 Installation Disk"
86 | KeHook64.DeviceDesc = "KeHook64 Device"
87 | KeHook64.SVCDESC = "KeHook64 Service"
88 | 


--------------------------------------------------------------------------------
/KeHook64/KeHook64.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{6E9B50E8-5EDC-45BE-B9D2-46B6552347B4}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>KeHook64</RootNamespace>
 45 |     <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
 46 |   </PropertyGroup>
 47 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 49 |     <TargetVersion>Windows10</TargetVersion>
 50 |     <UseDebugLibraries>true</UseDebugLibraries>
 51 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 52 |     <ConfigurationType>Driver</ConfigurationType>
 53 |     <DriverType>KMDF</DriverType>
 54 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 55 |   </PropertyGroup>
 56 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 57 |     <TargetVersion>Windows10</TargetVersion>
 58 |     <UseDebugLibraries>false</UseDebugLibraries>
 59 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 60 |     <ConfigurationType>Driver</ConfigurationType>
 61 |     <DriverType>KMDF</DriverType>
 62 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 63 |   </PropertyGroup>
 64 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 65 |     <TargetVersion>Windows10</TargetVersion>
 66 |     <UseDebugLibraries>true</UseDebugLibraries>
 67 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 68 |     <ConfigurationType>Driver</ConfigurationType>
 69 |     <DriverType>KMDF</DriverType>
 70 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 71 |   </PropertyGroup>
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 73 |     <TargetVersion>Windows10</TargetVersion>
 74 |     <UseDebugLibraries>false</UseDebugLibraries>
 75 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 76 |     <ConfigurationType>Driver</ConfigurationType>
 77 |     <DriverType>KMDF</DriverType>
 78 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 79 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 82 |     <TargetVersion>Windows10</TargetVersion>
 83 |     <UseDebugLibraries>true</UseDebugLibraries>
 84 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 85 |     <ConfigurationType>Driver</ConfigurationType>
 86 |     <DriverType>KMDF</DriverType>
 87 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 88 |   </PropertyGroup>
 89 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 90 |     <TargetVersion>Windows10</TargetVersion>
 91 |     <UseDebugLibraries>false</UseDebugLibraries>
 92 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 93 |     <ConfigurationType>Driver</ConfigurationType>
 94 |     <DriverType>KMDF</DriverType>
 95 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 96 |   </PropertyGroup>
 97 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 98 |     <TargetVersion>Windows10</TargetVersion>
 99 |     <UseDebugLibraries>true</UseDebugLibraries>
100 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
101 |     <ConfigurationType>Driver</ConfigurationType>
102 |     <DriverType>KMDF</DriverType>
103 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
104 |   </PropertyGroup>
105 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
106 |     <TargetVersion>Windows10</TargetVersion>
107 |     <UseDebugLibraries>false</UseDebugLibraries>
108 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
109 |     <ConfigurationType>Driver</ConfigurationType>
110 |     <DriverType>KMDF</DriverType>
111 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
112 |   </PropertyGroup>
113 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
114 |   <ImportGroup Label="ExtensionSettings">
115 |   </ImportGroup>
116 |   <ImportGroup Label="PropertySheets">
117 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
118 |   </ImportGroup>
119 |   <PropertyGroup Label="UserMacros" />
120 |   <PropertyGroup />
121 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
122 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
123 |   </PropertyGroup>
124 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
125 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
126 |   </PropertyGroup>
127 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
128 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
129 |   </PropertyGroup>
130 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
131 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
132 |   </PropertyGroup>
133 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
134 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
135 |   </PropertyGroup>
136 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
137 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
138 |   </PropertyGroup>
139 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
140 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
141 |   </PropertyGroup>
142 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
143 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
144 |   </PropertyGroup>
145 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
146 |     <ClCompile>
147 |       <LanguageStandard>stdcpp17</LanguageStandard>
148 |       <TreatWarningAsError>false</TreatWarningAsError>
149 |     </ClCompile>
150 |     <Link>
151 |       <TreatLinkerWarningAsErrors>false</TreatLinkerWarningAsErrors>
152 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
153 |     </Link>
154 |   </ItemDefinitionGroup>
155 |   <ItemGroup>
156 |     <Inf Include="KeHook64.inf" />
157 |   </ItemGroup>
158 |   <ItemGroup>
159 |     <FilesToPackage Include="$(TargetPath)" />
160 |   </ItemGroup>
161 |   <ItemGroup>
162 |     <ClCompile Include="Main.cpp" />
163 |   </ItemGroup>
164 |   <ItemGroup>
165 |     <ClInclude Include="KeHook.h" />
166 |     <ClInclude Include="Utils.h" />
167 |   </ItemGroup>
168 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
169 |   <ImportGroup Label="ExtensionTargets">
170 |   </ImportGroup>
171 | </Project>


--------------------------------------------------------------------------------
/KeHook64/KeHook64.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <Inf Include="KeHook64.inf">
23 |       <Filter>Driver Files</Filter>
24 |     </Inf>
25 |   </ItemGroup>
26 |   <ItemGroup>
27 |     <ClCompile Include="Main.cpp">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |   </ItemGroup>
31 |   <ItemGroup>
32 |     <ClInclude Include="Utils.h">
33 |       <Filter>Header Files</Filter>
34 |     </ClInclude>
35 |     <ClInclude Include="KeHook.h">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |   </ItemGroup>
39 | </Project>


--------------------------------------------------------------------------------
/KeHook64/Main.cpp:
--------------------------------------------------------------------------------
 1 | #include <ntifs.h>
 2 | #include <stdarg.h>
 3 | #include <windef.h>
 4 | 
 5 | #include "Utils.h"
 6 | #include "KeHook.h"
 7 | 
 8 | DRIVER_INITIALIZE DriverEntry;
 9 | 
10 | #pragma region Example Hook
11 | typedef BOOLEAN(*lpKeSetTimerEx)(PKTIMER Timer, LARGE_INTEGER DueTime, LONG Period, PKDPC Dpc);
12 | PBYTE oKeSetTimerEx;
13 | 
14 | BOOLEAN HookedKeSetTimerEx(PKTIMER Timer, LARGE_INTEGER DueTime, LONG Period, PKDPC Dpc) {
15 | 	Utils::Print("Called 'KeSetTimerEx' From pID: %d", PsGetCurrentProcessId());
16 | 	return ((lpKeSetTimerEx)oKeSetTimerEx)(Timer, DueTime,Period, Dpc);
17 | }
18 | #pragma endregion
19 | 
20 | VOID DriverUnload(PDRIVER_OBJECT DriverObject) {
21 | 	Utils::Print("Unload Started");
22 | 
23 | 	KeHook.RemoveAll();
24 | 
25 | 	Utils::Print("Unload Finished");
26 | }
27 | 
28 | NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING DriverName) {
29 | 
30 | 	Utils::Print("Load Started");
31 | 
32 | 	// Example Hook
33 | 	oKeSetTimerEx = KeHook.Create(RTL_CONSTANT_STRING(L"KeSetTimerEx"), (PBYTE)KeSetTimerEx, (PBYTE)HookedKeSetTimerEx);
34 | 
35 | 	Utils::Print("Load Finished");
36 | 
37 | 	return STATUS_SUCCESS;
38 | }


--------------------------------------------------------------------------------
/KeHook64/Utils.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | namespace Utils {
 3 | 	VOID Print(PCHAR Message, ...);
 4 | 	NTSTATUS SuperCopyMemory(PBYTE Dest, PBYTE Src, ULONG Length);
 5 | 	NTSTATUS SuperCleanMemory(PBYTE Dest, BYTE Val, ULONG Length);
 6 | }
 7 | 
 8 | VOID Utils::Print(PCHAR Message, ...) {
 9 | 	va_list(Arguments);
10 | 	va_start(Arguments, Message);
11 | 	vDbgPrintExWithPrefix("[xPaw] ", 0, 0, Message, Arguments);
12 | 	va_end(Arguments);
13 | }
14 | 
15 | NTSTATUS Utils::SuperCopyMemory(PBYTE Dest, PBYTE Src, ULONG Length) {
16 | 	PMDL mdl = IoAllocateMdl(Dest, Length, 0, 0, 0);
17 | 	if (!mdl) return STATUS_UNSUCCESSFUL;
18 | 
19 | 	MmBuildMdlForNonPagedPool(mdl);
20 | 	PBYTE Mapped = (PBYTE)MmMapLockedPages(mdl, KernelMode);
21 | 	if (!Mapped) {
22 | 		IoFreeMdl(mdl);
23 | 		return STATUS_UNSUCCESSFUL;
24 | 	}
25 | 
26 | 	KIRQL kirql = KeRaiseIrqlToDpcLevel();
27 | 	memcpy(Mapped, Src, Length);
28 | 	KeLowerIrql(kirql);
29 | 
30 | 	MmUnmapLockedPages(Mapped, mdl);
31 | 	IoFreeMdl(mdl);
32 | 
33 | 	return STATUS_SUCCESS;
34 | }
35 | 
36 | NTSTATUS Utils::SuperCleanMemory(PBYTE Dest, BYTE Val, ULONG Length) {
37 | 	PMDL mdl = IoAllocateMdl(Dest, Length, 0, 0, 0);
38 | 	if (!mdl) return STATUS_UNSUCCESSFUL;
39 | 
40 | 	MmBuildMdlForNonPagedPool(mdl);
41 | 	PBYTE Mapped = (PBYTE)MmMapLockedPages(mdl, KernelMode);
42 | 	if (!Mapped) {
43 | 		IoFreeMdl(mdl);
44 | 		return STATUS_UNSUCCESSFUL;
45 | 	}
46 | 
47 | 	KIRQL kirql = KeRaiseIrqlToDpcLevel();
48 | 	memset(Mapped, Val, Length);
49 | 	KeLowerIrql(kirql);
50 | 
51 | 	MmUnmapLockedPages(Mapped, mdl);
52 | 	IoFreeMdl(mdl);
53 | 
54 | 	return STATUS_SUCCESS;
55 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # KeHook64 (Kernel/Driver)
2 | Kernel Hook X64 Compile As Release
3 | 
4 | 


--------------------------------------------------------------------------------