├── .gitignore ├── DriverShared ├── ASM │ ├── HookSpecific_x64.asm │ └── HookSpecific_x86.asm ├── Disassembler │ ├── libudis86 │ │ ├── decode.c │ │ ├── decode.h │ │ ├── extern.h │ │ ├── itab.c │ │ ├── itab.h │ │ ├── syn-att.c │ │ ├── syn-intel.c │ │ ├── syn.c │ │ ├── syn.h │ │ ├── types.h │ │ ├── udint.h │ │ └── udis86.c │ ├── udis86-LICENSE.txt │ ├── udis86-README.txt │ └── udis86.h ├── DriverShared.h ├── LocalHook │ ├── alloc.c │ ├── barrier.c │ ├── caller.c │ ├── install.c │ ├── reloc.c │ └── uninstall.c ├── Rtl │ ├── error.c │ └── string.c └── rtl.h ├── EasyHook.sln ├── EasyHookDll ├── AUX_ULIB.H ├── AUX_ULIB_x64.LIB ├── AUX_ULIB_x86.LIB ├── EasyHookDll.vcproj ├── EasyHookDll_32.rc ├── EasyHookDll_64.rc ├── EasyHookLib.vcxproj ├── EasyHookLib.vcxproj.filters ├── EasyHookLib64.vcxproj ├── EasyHookLib64.vcxproj.filters ├── LocalHook │ ├── acl.c │ └── debug.cpp ├── RemoteHook │ ├── driver.cpp │ ├── entry.cpp │ ├── service.c │ ├── stealth.c │ └── thread.c ├── Rtl │ ├── file.c │ └── memory.c ├── dllmain.c ├── gacutil.cpp ├── ntstatus.h ├── resource.h └── stdafx.h ├── ExampleDll ├── ExampleDll.cpp ├── ExampleDll.vcxproj ├── ExampleDll.vcxproj.filters ├── ExampleDll64.vcxproj ├── ExampleDll64.vcxproj.filters ├── NtStructDef.h ├── ReadMe.txt ├── dllmain.cpp ├── stdafx.cpp ├── stdafx.h └── targetver.h ├── LICENSE ├── Public └── easyhook.h ├── README.md └── Version.txt /.gitignore: -------------------------------------------------------------------------------- 1 | #ignore thumbnails created by windows 2 | Thumbs.db 3 | #Ignore files build by Visual Studio 4 | *.obj 5 | *.exe 6 | *.pdb 7 | *.user 8 | *.aps 9 | *.pch 10 | *.vspscc 11 | *_i.c 12 | *_p.c 13 | *.ncb 14 | *.suo 15 | *.tlb 16 | *.tlh 17 | *.bak 18 | *.cache 19 | *.ilk 20 | *.log 21 | *.sdf 22 | [Bb]uild*/ 23 | [Dd]eploy*/ 24 | [Bb]in 25 | [Dd]ebug*/ 26 | *.lib 27 | *.sbr 28 | obj/ 29 | [Rr]elease*/ 30 | _ReSharper*/ 31 | [Tt]est[Rr]esult* 32 | -------------------------------------------------------------------------------- /DriverShared/ASM/HookSpecific_x64.asm: -------------------------------------------------------------------------------- 1 | ; 2 | ; EasyHook - The reinvention of Windows API hooking 3 | ; 4 | ; Copyright (C) 2009 Christoph Husse 5 | ; 6 | ; This library is free software; you can redistribute it and/or 7 | ; modify it under the terms of the GNU Lesser General Public 8 | ; License as published by the Free Software Foundation; either 9 | ; version 2.1 of the License, or (at your option) any later version. 10 | ; 11 | ; This library is distributed in the hope that it will be useful, 12 | ; but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 | ; Lesser General Public License for more details. 15 | ; 16 | ; You should have received a copy of the GNU Lesser General Public 17 | ; License along with this library; if not, write to the Free Software 18 | ; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 19 | ; 20 | ; Please visit http://www.codeplex.com/easyhook for more information 21 | ; about the project and latest updates. 22 | ; 23 | 24 | 25 | .CODE 26 | 27 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 28 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; StealthStub_ASM_x64 29 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 30 | public StealthStub_ASM_x64 31 | int 3 32 | StealthStub_ASM_x64 PROC 33 | sub rsp, 8 * 4 34 | 35 | mov qword ptr[rsp + 40], 0 36 | mov qword ptr[rsp + 32], 0 37 | mov r9, qword ptr [rbx + 16] ; RemoteThreadParam 38 | mov r8, qword ptr [rbx + 8] ; RemoteThreadStart 39 | mov rdx, 0 40 | mov rcx, 0 41 | call qword ptr[rbx] ; CreateThread 42 | cmp rax, 0 43 | 44 | ; signal completion 45 | mov rcx, qword ptr [rbx + 48] 46 | mov qword ptr [rbx + 48], rax 47 | call qword ptr [rbx + 56] ; SetEvent(hSyncEvent); 48 | 49 | ; wait for completion 50 | mov rdx, -1 51 | mov rcx, qword ptr [ebx + 32] 52 | call qword ptr [ebx + 24] ; WaitForSingleObject(hCompletionEvent, INFINITE) 53 | 54 | ; close handle 55 | mov rcx, qword ptr [rbx + 32] 56 | call qword ptr [rbx + 40] ; CloseHandle(hCompletionEvent); 57 | 58 | ; close handle 59 | mov rcx, qword ptr [rbx + 48] 60 | call qword ptr [rbx + 40] ; CloseHandle(hSyncEvent); 61 | 62 | ; restore context 63 | mov rax, [rbx + 64 + 8 * 0] 64 | mov rcx, [rbx + 64 + 8 * 1] 65 | mov rdx, [rbx + 64 + 8 * 2] 66 | mov rbp, [rbx + 64 + 8 * 3] 67 | mov rsp, [rbx + 64 + 8 * 4] 68 | mov rsi, [rbx + 64 + 8 * 5] 69 | mov rdi, [rbx + 64 + 8 * 6] 70 | mov r8, [rbx + 64 + 8 * 10] 71 | mov r9, [rbx + 64 + 8 * 11] 72 | mov r10, [rbx + 64 + 8 * 12] 73 | mov r11, [rbx + 64 + 8 * 13] 74 | mov r12, [rbx + 64 + 8 * 14] 75 | mov r13, [rbx + 64 + 8 * 15] 76 | mov r14, [rbx + 64 + 8 * 16] 77 | mov r15, [rbx + 64 + 8 * 17] 78 | push qword ptr[rbx + 64 + 8 * 9] ; push EFlags 79 | push qword ptr[rbx + 64 + 8 * 8] ; save old EIP 80 | mov rbx, [rbx + 64 + 8 * 7] 81 | 82 | add rsp, 8 83 | popfq 84 | 85 | ; continue execution... 86 | jmp qword ptr [rsp - 16] 87 | 88 | ; outro signature, to automatically determine code size 89 | db 78h 90 | db 56h 91 | db 34h 92 | db 12h 93 | StealthStub_ASM_x64 ENDP 94 | 95 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 96 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Trampoline_ASM_x64 97 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 98 | ; 99 | ; This method is highly optimized and executes within 78 nanoseconds 100 | ; including the intro, outro and return... 101 | ; "IsExecuted" has to be within the next code subpage to prevent the 102 | ; Self-Modifing-Code-Condition to apply which would reduce performance 103 | ; about 200 ns. 104 | 105 | ; Only for comparsion: The first proof of concept was unoptimized and 106 | ; did execute within 10000 nanoseconds... This optimized version just 107 | ; uses RIP relative addressing instead of register relative addressing, 108 | ; prevents the SMC condition and uses RIP relative jumps... 109 | 110 | 111 | public Trampoline_ASM_x64 112 | 113 | Trampoline_ASM_x64 PROC 114 | 115 | NETIntro: 116 | ;void* NETEntry; // fixed 0 (0) 117 | db 0 118 | db 0 119 | db 0 120 | db 0 121 | db 0 122 | db 0 123 | db 0 124 | db 0 125 | 126 | OldProc: 127 | ;BYTE* OldProc; // fixed 4 (8) 128 | db 0 129 | db 0 130 | db 0 131 | db 0 132 | db 0 133 | db 0 134 | db 0 135 | db 0 136 | 137 | NewProc: 138 | ;BYTE* NewProc; // fixed 8 (16) 139 | db 0 140 | db 0 141 | db 0 142 | db 0 143 | db 0 144 | db 0 145 | db 0 146 | db 0 147 | 148 | NETOutro: 149 | ;void* NETOutro; // fixed 12 (24) 150 | db 0 151 | db 0 152 | db 0 153 | db 0 154 | db 0 155 | db 0 156 | db 0 157 | db 0 158 | 159 | IsExecutedPtr: 160 | ;size_t* IsExecutedPtr; // fixed 16 (32) 161 | db 0 162 | db 0 163 | db 0 164 | db 0 165 | db 0 166 | db 0 167 | db 0 168 | db 0 169 | 170 | ; ATTENTION: 64-Bit requires stack alignment (RSP) of 16 bytes!! 171 | mov rax, rsp 172 | push rcx ; save not sanitized registers... 173 | push rdx 174 | push r8 175 | push r9 176 | 177 | sub rsp, 4 * 16 ; space for SSE registers 178 | 179 | movups [rsp + 3 * 16], xmm0 180 | movups [rsp + 2 * 16], xmm1 181 | movups [rsp + 1 * 16], xmm2 182 | movups [rsp + 0 * 16], xmm3 183 | 184 | sub rsp, 32; shadow space for method calls 185 | 186 | lea rax, [IsExecutedPtr] 187 | mov rax, [rax] 188 | db 0F0h ; interlocked increment execution counter 189 | inc qword ptr [rax] 190 | 191 | ; is a user handler available? 192 | cmp qword ptr[NewProc], 0 193 | 194 | db 3Eh ; branch usually taken 195 | jne CALL_NET_ENTRY 196 | 197 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; call original method 198 | lea rax, [IsExecutedPtr] 199 | mov rax, [rax] 200 | db 0F0h ; interlocked decrement execution counter 201 | dec qword ptr [rax] 202 | 203 | lea rax, [OldProc] 204 | jmp TRAMPOLINE_EXIT 205 | 206 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; call hook handler or original method... 207 | CALL_NET_ENTRY: 208 | 209 | 210 | ; call NET intro 211 | lea rcx, [IsExecutedPtr + 8] ; Hook handle (only a position hint) 212 | mov rdx, qword ptr [rsp + 32 + 4 * 16 + 4 * 8] ; push return address 213 | lea r8, qword ptr [rsp + 32 + 4 * 16 + 4 * 8] ; push address of return address 214 | call qword ptr [NETIntro] ; Hook->NETIntro(Hook, RetAddr, InitialRSP); 215 | 216 | ; should call original method? 217 | test rax, rax 218 | 219 | db 3Eh ; branch usually taken 220 | jne CALL_HOOK_HANDLER 221 | 222 | ; call original method 223 | lea rax, [IsExecutedPtr] 224 | mov rax, [rax] 225 | db 0F0h ; interlocked decrement execution counter 226 | dec qword ptr [rax] 227 | 228 | lea rax, [OldProc] 229 | jmp TRAMPOLINE_EXIT 230 | 231 | CALL_HOOK_HANDLER: 232 | ; adjust return address 233 | lea rax, [CALL_NET_OUTRO] 234 | mov qword ptr [rsp + 32 + 4 * 16 + 4 * 8], rax 235 | 236 | ; call hook handler 237 | lea rax, [NewProc] 238 | jmp TRAMPOLINE_EXIT 239 | 240 | CALL_NET_OUTRO: ; this is where the handler returns... 241 | 242 | ; call NET outro 243 | push 0 ; space for return address 244 | push rax 245 | 246 | sub rsp, 32 + 16; shadow space for method calls and SSE registers 247 | movups [rsp + 32], xmm0 248 | 249 | lea rcx, [IsExecutedPtr + 8] ; Param 1: Hook handle hint 250 | lea rdx, [rsp + 56] ; Param 2: Address of return address 251 | call qword ptr [NETOutro] ; Hook->NETOutro(Hook); 252 | 253 | lea rax, [IsExecutedPtr] 254 | mov rax, [rax] 255 | db 0F0h ; interlocked decrement execution counter 256 | dec qword ptr [rax] 257 | 258 | add rsp, 32 + 16 259 | movups xmm0, [rsp - 16] 260 | 261 | pop rax ; restore return value of user handler... 262 | 263 | ; finally return to saved return address - the caller of this trampoline... 264 | ret 265 | 266 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; generic outro for both cases... 267 | TRAMPOLINE_EXIT: 268 | 269 | add rsp, 32 + 16 * 4 270 | 271 | movups xmm3, [rsp - 4 * 16] 272 | movups xmm2, [rsp - 3 * 16] 273 | movups xmm1, [rsp - 2 * 16] 274 | movups xmm0, [rsp - 1 * 16] 275 | 276 | pop r9 277 | pop r8 278 | pop rdx 279 | pop rcx 280 | 281 | jmp qword ptr[rax] ; ATTENTION: In case of hook handler we will return to CALL_NET_OUTRO, otherwise to the caller... 282 | 283 | 284 | ; outro signature, to automatically determine code size 285 | db 78h 286 | db 56h 287 | db 34h 288 | db 12h 289 | 290 | Trampoline_ASM_x64 ENDP 291 | 292 | 293 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 294 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; HookInjectionCode_ASM_x64 295 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 296 | public Injection_ASM_x64 297 | 298 | Injection_ASM_x64 PROC 299 | ; no registers to save, because this is the thread main function 300 | mov r14, rcx ; save parameter to non-volatile register 301 | sub rsp, 40 ; space for register parameter stack, should be 32 bytes... no idea why it only works with 40 302 | 303 | ; call LoadLibraryW(Inject->EasyHookPath); 304 | mov rcx, qword ptr [r14 + 8] 305 | call qword ptr [r14 + 40] ; LoadLibraryW 306 | mov r13, rax 307 | test rax, rax 308 | je HookInject_FAILURE_A 309 | 310 | ; call GetProcAddress(hModule, Inject->EntryPoint) 311 | mov rdx, qword ptr [r14 + 24] 312 | mov rcx, rax 313 | call qword ptr [r14 + 56] ; GetProcAddress 314 | test rax, rax 315 | je HookInject_FAILURE_B 316 | 317 | ; call EasyHookEntry(Inject); 318 | mov rcx, r14 319 | call rax 320 | mov r15, rax ; save error code to non-volatile register 321 | 322 | ; call FreeLibrary(hEasyHookLib) 323 | mov rcx, r13 324 | call qword ptr [r14 + 48] ; FreeLibrary 325 | test rax, rax 326 | je HookInject_FAILURE_C 327 | 328 | jmp HookInject_EXIT 329 | 330 | HookInject_FAILURE_A: 331 | call qword ptr [r14 + 88] ; GetLastError 332 | or rax, 40000000h 333 | jmp HookInject_FAILURE_E 334 | HookInject_FAILURE_B: 335 | call qword ptr [r14 + 88] ; GetLastError 336 | or rax, 10000000h 337 | jmp HookInject_FAILURE_E 338 | HookInject_FAILURE_C: 339 | call qword ptr [r14 + 88] ; GetLastError 340 | or rax, 30000000h 341 | jmp HookInject_FAILURE_E 342 | HookInject_FAILURE_E: 343 | mov r15, rax ; save error value 344 | 345 | HookInject_EXIT: 346 | 347 | ; call VirtualProtect(Outro, 8, PAGE_EXECUTE_READWRITE, &OldProtect) 348 | lea rbx, qword ptr [rsp + 8] ; writes into register parameter stack 349 | mov r9, rbx 350 | mov r8, 40h 351 | mov rdx, 8 352 | mov rcx, rbx 353 | call qword ptr [r14 + 72] ; VirtualProtect 354 | test rax, rax 355 | 356 | jne HookInject_EXECUTABLE 357 | 358 | ; failed to make stack executable 359 | call qword ptr [r14 + 88] ; GetLastError 360 | or rax, 01000000h 361 | mov rcx, rax 362 | call qword ptr [r14 + 80] ; ExitThread 363 | 364 | HookInject_EXECUTABLE: 365 | ; save outro to executable stack 366 | mov rbx, [r14 + 64] ; VirtualFree() 367 | mov rbp, [r14 + 80] ; ExitThread() 368 | 369 | mov rax, 000D5FFCF8B49D3FFh 370 | ; call rbx 371 | ; mov rcx, r15 372 | ; call rbp 373 | 374 | mov qword ptr [rsp + 8], rax 375 | 376 | ; save params for VirtualFree(Inject->RemoteEntryPoint, 0, MEM_RELEASE); 377 | mov r8, 8000h 378 | mov rdx, 0h 379 | mov rcx, qword ptr [r14 + 32] 380 | 381 | lea rax, qword ptr [rsp + 8] 382 | sub rsp, 48 383 | jmp rax 384 | 385 | ; outro signature, to automatically determine code size 386 | db 78h 387 | db 56h 388 | db 34h 389 | db 12h 390 | 391 | Injection_ASM_x64 ENDP 392 | 393 | END -------------------------------------------------------------------------------- /DriverShared/ASM/HookSpecific_x86.asm: -------------------------------------------------------------------------------- 1 | ; 2 | ; EasyHook - The reinvention of Windows API hooking 3 | ; 4 | ; Copyright (C) 2009 Christoph Husse 5 | ; 6 | ; This library is free software; you can redistribute it and/or 7 | ; modify it under the terms of the GNU Lesser General Public 8 | ; License as published by the Free Software Foundation; either 9 | ; version 2.1 of the License, or (at your option) any later version. 10 | ; 11 | ; This library is distributed in the hope that it will be useful, 12 | ; but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | ; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 | ; Lesser General Public License for more details. 15 | ; 16 | ; You should have received a copy of the GNU Lesser General Public 17 | ; License along with this library; if not, write to the Free Software 18 | ; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 19 | ; 20 | ; Please visit http://www.codeplex.com/easyhook for more information 21 | ; about the project and latest updates. 22 | ; 23 | 24 | .386 25 | .model flat, c 26 | .code 27 | 28 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 29 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; StealthStub_ASM_x86 30 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 31 | public StealthStub_ASM_x86@0 32 | 33 | StealthStub_ASM_x86@0 PROC 34 | 35 | ; Create thread... 36 | push 0 37 | push 0 38 | push dword ptr [ebx + 16] ; save stealth context 39 | push dword ptr [ebx + 8] ; RemoteThreadStart 40 | push 0 41 | push 0 42 | call dword ptr [ebx + 0] ; CreateThread(0, NULL, RemoteThreadStart, RemoteThreadParam, 0, NULL); 43 | 44 | 45 | ; signal thread creation... 46 | push dword ptr [ebx + 48] 47 | mov dword ptr [ebx + 48], eax 48 | call dword ptr [ebx + 56] ; SetEvent(hSyncEvent); 49 | 50 | ; wait for completion 51 | push -1 52 | push dword ptr [ebx + 32] 53 | call dword ptr [ebx + 24] ; WaitForSingleObject(hCompletionEvent, INFINITE) 54 | 55 | ; close handle 56 | push dword ptr [ebx + 32] 57 | call dword ptr [ebx + 40] ; CloseHandle(hCompletionEvent); 58 | 59 | ; close handle 60 | push dword ptr [ebx + 48] 61 | call dword ptr [ebx + 40] ; CloseHandle(hSyncEvent); 62 | 63 | 64 | ; restore context 65 | mov eax, [ebx + 64 + 8 * 0] 66 | mov ecx, [ebx + 64 + 8 * 1] 67 | mov edx, [ebx + 64 + 8 * 2] 68 | mov ebp, [ebx + 64 + 8 * 3] 69 | mov esp, [ebx + 64 + 8 * 4] 70 | mov esi, [ebx + 64 + 8 * 5] 71 | mov edi, [ebx + 64 + 8 * 6] 72 | push dword ptr[ebx + 64 + 8 * 9] ; push EFlags 73 | push dword ptr[ebx + 64 + 8 * 8] ; save old EIP 74 | mov ebx, [ebx + 64 + 8 * 7] 75 | 76 | add esp, 4 77 | popfd 78 | 79 | ; continue execution... 80 | jmp dword ptr [esp - 8] 81 | 82 | ; outro signature, to automatically determine code size 83 | db 78h 84 | db 56h 85 | db 34h 86 | db 12h 87 | StealthStub_ASM_x86@0 ENDP 88 | 89 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 90 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Trampoline_ASM_x86 91 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 92 | public Trampoline_ASM_x86@0 93 | 94 | Trampoline_ASM_x86@0 PROC 95 | 96 | ; Handle: 1A2B3C05h 97 | ; NETEntry: 1A2B3C03h 98 | ; OldProc: 1A2B3C01h 99 | ; NewProc: 1A2B3C00h 100 | ; NETOutro: 1A2B3C06h 101 | ; IsExecuted: 1A2B3C02h 102 | ; RetAddr: 1A2B3C04h 103 | ; Ptr:NewProc: 1A2B3C07h 104 | 105 | mov eax, esp 106 | push ecx ; both are fastcall parameters, ECX is also used as "this"-pointer 107 | push edx 108 | mov ecx, eax; InitialRSP value for NETIntro()... 109 | 110 | mov eax, 1A2B3C02h 111 | db 0F0h ; interlocked increment execution counter 112 | inc dword ptr [eax] 113 | 114 | ; is a user handler available? 115 | mov eax, 1A2B3C07h 116 | cmp dword ptr[eax], 0 117 | 118 | db 3Eh ; branch usually taken 119 | jne CALL_NET_ENTRY 120 | 121 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; call original method 122 | mov eax, 1A2B3C02h 123 | db 0F0h ; interlocked decrement execution counter 124 | dec dword ptr [eax] 125 | mov eax, 1A2B3C01h 126 | jmp TRAMPOLINE_EXIT 127 | 128 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; call hook handler or original method... 129 | CALL_NET_ENTRY: 130 | 131 | ; call NET intro 132 | push ecx 133 | push dword ptr [esp + 12] ; push return address 134 | push 1A2B3C05h ; Hook handle 135 | mov eax, 1A2B3C03h 136 | call eax ; Hook->NETIntro(Hook, RetAddr); 137 | 138 | ; should call original method? 139 | test eax, eax 140 | 141 | db 3Eh ; branch usually taken 142 | jne CALL_HOOK_HANDLER 143 | 144 | ; call original method 145 | mov eax, 1A2B3C02h 146 | db 0F0h ; interlocked decrement execution counter 147 | dec dword ptr [eax] 148 | mov eax, 1A2B3C01h 149 | jmp TRAMPOLINE_EXIT 150 | 151 | CALL_HOOK_HANDLER: 152 | ; adjust return address --- ATTENTION: this offset "83h" will also change if CALL_NET_OUTRO moves due to changes... 153 | mov dword ptr [esp + 8], 1A2B3C04h 154 | 155 | ; call hook handler 156 | mov eax, 1A2B3C00h 157 | jmp TRAMPOLINE_EXIT 158 | 159 | CALL_NET_OUTRO: ; this is where the handler returns... 160 | 161 | ; call NET outro --- ATTENTION: Never change EAX/EDX from now on! 162 | push 0 ; space for return address 163 | push eax 164 | push edx 165 | 166 | lea eax, [esp + 8] 167 | push eax ; Param 2: Address of return address 168 | push 1A2B3C05h ; Param 1: Hook handle 169 | mov eax, 1A2B3C06h 170 | call eax ; Hook->NETOutro(Hook); 171 | 172 | mov eax, 1A2B3C02h 173 | db 0F0h ; interlocked decrement execution counter 174 | dec dword ptr [eax] 175 | 176 | pop edx ; restore return value of user handler... 177 | pop eax 178 | 179 | ; finally return to saved return address - the caller of this trampoline... 180 | ret 181 | 182 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; generic outro for both cases... 183 | TRAMPOLINE_EXIT: 184 | 185 | pop edx 186 | pop ecx 187 | 188 | jmp eax ; ATTENTION: In case of hook handler we will return to CALL_NET_OUTRO, otherwise to the caller... 189 | 190 | ; outro signature, to automatically determine code size 191 | db 78h 192 | db 56h 193 | db 34h 194 | db 12h 195 | 196 | Trampoline_ASM_x86@0 ENDP 197 | 198 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 199 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; HookInjectionCode_ASM_x86 200 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 201 | public Injection_ASM_x86@0 202 | Injection_ASM_x86@0 PROC 203 | ; no registers to save, because this is the thread main function 204 | ; save first param (address of hook injection information) 205 | 206 | mov esi, dword ptr [esp + 4] 207 | 208 | ; call LoadLibraryW(Inject->EasyHookPath); 209 | push dword ptr [esi + 8] 210 | 211 | call dword ptr [esi + 40] ; LoadLibraryW@4 212 | mov ebp, eax 213 | test eax, eax 214 | je HookInject_FAILURE_A 215 | 216 | ; call GetProcAddress(eax, Inject->EasyHookEntry); 217 | push dword ptr [esi + 24] 218 | push ebp 219 | call dword ptr [esi + 56] ; GetProcAddress@8 220 | test eax, eax 221 | je HookInject_FAILURE_B 222 | 223 | ; call EasyHookEntry(Inject); 224 | push esi 225 | call eax 226 | push eax ; save error code 227 | 228 | ; call FreeLibrary(ebp) 229 | push ebp 230 | call dword ptr [esi + 48] ; FreeLibrary@4 231 | test eax, eax 232 | je HookInject_FAILURE_C 233 | jmp HookInject_EXIT 234 | 235 | HookInject_FAILURE_A: 236 | call dword ptr [esi + 88] ; GetLastError 237 | or eax, 40000000h 238 | jmp HookInject_FAILURE_E 239 | HookInject_FAILURE_B: 240 | call dword ptr [esi + 88] ; GetLastError 241 | or eax, 10000000h 242 | jmp HookInject_FAILURE_E 243 | HookInject_FAILURE_C: 244 | call dword ptr [esi + 88] ; GetLastError 245 | or eax, 30000000h 246 | jmp HookInject_FAILURE_E 247 | HookInject_FAILURE_E: 248 | push eax ; save error value 249 | 250 | HookInject_EXIT: 251 | 252 | push 0 253 | push 0 254 | push 0; // shadow space for executable stack part... 255 | 256 | ; call VirtualProtect(Outro, 4, PAGE_EXECUTE_READWRITE, &OldProtect) 257 | lea ebx, dword ptr [esp + 8] ; we'll write to shadow space 258 | push ebx 259 | push 40h 260 | push 12 261 | push ebx 262 | call dword ptr [esi + 72] ; VirtualProtect@16 263 | test eax, eax 264 | 265 | jne HookInject_EXECUTABLE 266 | 267 | ; failed to make stack executable 268 | call dword ptr [esi + 88] ; GetLastError 269 | or eax, 20000000h 270 | add esp, 16 271 | ret 272 | 273 | HookInject_EXECUTABLE: 274 | ; save outro to executable stack 275 | mov dword ptr [esp], 0448BD3FFh ; call ebx [VirtualFree()] 276 | mov dword ptr [esp + 4], 05C8B0C24h ; mov eax, [esp + 12] 277 | mov dword ptr [esp + 8], 0E3FF1024h ; mov ebx, [esp + 16] 278 | ; jmp ebx [exit thread] 279 | 280 | ; save params for VirtualFree(Inject->RemoteEntryPoint, 0, MEM_RELEASE); 281 | mov ebx, [esi + 64] ; VirtualFree() 282 | push 08000h 283 | push 0 284 | push dword ptr [esi + 16] 285 | 286 | lea eax, dword ptr [esp + 12] 287 | jmp eax 288 | 289 | ; outro signature, to automatically determine code size 290 | db 78h 291 | db 56h 292 | db 34h 293 | db 12h 294 | 295 | Injection_ASM_x86@0 ENDP 296 | 297 | END -------------------------------------------------------------------------------- /DriverShared/Disassembler/libudis86/decode.h: -------------------------------------------------------------------------------- 1 | /* udis86 - libudis86/decode.h 2 | * 3 | * Copyright (c) 2002-2009 Vivek Thampi 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #ifndef UD_DECODE_H 27 | #define UD_DECODE_H 28 | 29 | #include "types.h" 30 | #include "udint.h" 31 | #include "itab.h" 32 | 33 | #define MAX_INSN_LENGTH 15 34 | 35 | /* itab prefix bits */ 36 | #define P_none ( 0 ) 37 | 38 | #define P_inv64 ( 1 << 0 ) 39 | #define P_INV64(n) ( ( n >> 0 ) & 1 ) 40 | #define P_def64 ( 1 << 1 ) 41 | #define P_DEF64(n) ( ( n >> 1 ) & 1 ) 42 | 43 | #define P_oso ( 1 << 2 ) 44 | #define P_OSO(n) ( ( n >> 2 ) & 1 ) 45 | #define P_aso ( 1 << 3 ) 46 | #define P_ASO(n) ( ( n >> 3 ) & 1 ) 47 | 48 | #define P_rexb ( 1 << 4 ) 49 | #define P_REXB(n) ( ( n >> 4 ) & 1 ) 50 | #define P_rexw ( 1 << 5 ) 51 | #define P_REXW(n) ( ( n >> 5 ) & 1 ) 52 | #define P_rexr ( 1 << 6 ) 53 | #define P_REXR(n) ( ( n >> 6 ) & 1 ) 54 | #define P_rexx ( 1 << 7 ) 55 | #define P_REXX(n) ( ( n >> 7 ) & 1 ) 56 | 57 | #define P_seg ( 1 << 8 ) 58 | #define P_SEG(n) ( ( n >> 8 ) & 1 ) 59 | 60 | #define P_vexl ( 1 << 9 ) 61 | #define P_VEXL(n) ( ( n >> 9 ) & 1 ) 62 | #define P_vexw ( 1 << 10 ) 63 | #define P_VEXW(n) ( ( n >> 10 ) & 1 ) 64 | 65 | #define P_str ( 1 << 11 ) 66 | #define P_STR(n) ( ( n >> 11 ) & 1 ) 67 | #define P_strz ( 1 << 12 ) 68 | #define P_STR_ZF(n) ( ( n >> 12 ) & 1 ) 69 | 70 | /* operand type constants -- order is important! */ 71 | 72 | enum ud_operand_code { 73 | OP_NONE, 74 | 75 | OP_A, OP_E, OP_M, OP_G, 76 | OP_I, OP_F, 77 | 78 | OP_R0, OP_R1, OP_R2, OP_R3, 79 | OP_R4, OP_R5, OP_R6, OP_R7, 80 | 81 | OP_AL, OP_CL, OP_DL, 82 | OP_AX, OP_CX, OP_DX, 83 | OP_eAX, OP_eCX, OP_eDX, 84 | OP_rAX, OP_rCX, OP_rDX, 85 | 86 | OP_ES, OP_CS, OP_SS, OP_DS, 87 | OP_FS, OP_GS, 88 | 89 | OP_ST0, OP_ST1, OP_ST2, OP_ST3, 90 | OP_ST4, OP_ST5, OP_ST6, OP_ST7, 91 | 92 | OP_J, OP_S, OP_O, 93 | OP_I1, OP_I3, OP_sI, 94 | 95 | OP_V, OP_W, OP_Q, OP_P, 96 | OP_U, OP_N, OP_MU, OP_H, 97 | OP_L, 98 | 99 | OP_R, OP_C, OP_D, 100 | 101 | OP_MR 102 | } UD_ATTR_PACKED; 103 | 104 | 105 | /* 106 | * Operand size constants 107 | * 108 | * Symbolic constants for various operand sizes. Some of these constants 109 | * are given a value equal to the width of the data (SZ_B == 8), such 110 | * that they maybe used interchangeably in the internals. Modifying them 111 | * will most certainly break things! 112 | */ 113 | typedef uint16_t ud_operand_size_t; 114 | 115 | #define SZ_NA 0 116 | #define SZ_Z 1 117 | #define SZ_V 2 118 | #define SZ_Y 3 119 | #define SZ_X 4 120 | #define SZ_RDQ 7 121 | #define SZ_B 8 122 | #define SZ_W 16 123 | #define SZ_D 32 124 | #define SZ_Q 64 125 | #define SZ_T 80 126 | #define SZ_O 12 127 | #define SZ_DQ 128 /* double quad */ 128 | #define SZ_QQ 256 /* quad quad */ 129 | 130 | /* 131 | * Complex size types; that encode sizes for operands of type MR (memory or 132 | * register); for internal use only. Id space above 256. 133 | */ 134 | #define SZ_BD ((SZ_B << 8) | SZ_D) 135 | #define SZ_BV ((SZ_B << 8) | SZ_V) 136 | #define SZ_WD ((SZ_W << 8) | SZ_D) 137 | #define SZ_WV ((SZ_W << 8) | SZ_V) 138 | #define SZ_WY ((SZ_W << 8) | SZ_Y) 139 | #define SZ_DY ((SZ_D << 8) | SZ_Y) 140 | #define SZ_WO ((SZ_W << 8) | SZ_O) 141 | #define SZ_DO ((SZ_D << 8) | SZ_O) 142 | #define SZ_QO ((SZ_Q << 8) | SZ_O) 143 | 144 | 145 | /* resolve complex size type. 146 | */ 147 | static UD_INLINE ud_operand_size_t 148 | Mx_mem_size(ud_operand_size_t size) 149 | { 150 | return (size >> 8) & 0xff; 151 | } 152 | 153 | static UD_INLINE ud_operand_size_t 154 | Mx_reg_size(ud_operand_size_t size) 155 | { 156 | return size & 0xff; 157 | } 158 | 159 | /* A single operand of an entry in the instruction table. 160 | * (internal use only) 161 | */ 162 | struct ud_itab_entry_operand 163 | { 164 | enum ud_operand_code type; 165 | ud_operand_size_t size; 166 | }; 167 | 168 | 169 | /* A single entry in an instruction table. 170 | *(internal use only) 171 | */ 172 | struct ud_itab_entry 173 | { 174 | enum ud_mnemonic_code mnemonic; 175 | struct ud_itab_entry_operand operand1; 176 | struct ud_itab_entry_operand operand2; 177 | struct ud_itab_entry_operand operand3; 178 | struct ud_itab_entry_operand operand4; 179 | uint32_t prefix; 180 | }; 181 | 182 | struct ud_lookup_table_list_entry { 183 | const uint16_t *table; 184 | enum ud_table_type type; 185 | const char *meta; 186 | }; 187 | 188 | extern struct ud_itab_entry ud_itab[]; 189 | extern struct ud_lookup_table_list_entry ud_lookup_table_list[]; 190 | 191 | #endif /* UD_DECODE_H */ 192 | 193 | /* vim:cindent 194 | * vim:expandtab 195 | * vim:ts=4 196 | * vim:sw=4 197 | */ 198 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/libudis86/extern.h: -------------------------------------------------------------------------------- 1 | /* udis86 - libudis86/extern.h 2 | * 3 | * Copyright (c) 2002-2009, 2013 Vivek Thampi 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #ifndef UD_EXTERN_H 27 | #define UD_EXTERN_H 28 | 29 | #ifdef __cplusplus 30 | extern "C" { 31 | #endif 32 | 33 | #include "types.h" 34 | 35 | //#if defined(_MSC_VER) && defined(_USRDLL) 36 | //# ifdef LIBUDIS86_EXPORTS 37 | //# define LIBUDIS86_DLLEXTERN __declspec(dllexport) 38 | //# else 39 | //# define LIBUDIS86_DLLEXTERN __declspec(dllimport) 40 | //# endif 41 | //#else 42 | //# define LIBUDIS86_DLLEXTERN 43 | //#endif 44 | // EasyHook does not need to export the UDIS86 library 45 | #define LIBUDIS86_DLLEXTERN 46 | 47 | /* ============================= PUBLIC API ================================= */ 48 | 49 | extern LIBUDIS86_DLLEXTERN void ud_init(struct ud*); 50 | 51 | extern LIBUDIS86_DLLEXTERN void ud_set_mode(struct ud*, uint8_t); 52 | 53 | extern LIBUDIS86_DLLEXTERN void ud_set_pc(struct ud*, uint64_t); 54 | 55 | extern LIBUDIS86_DLLEXTERN void ud_set_input_hook(struct ud*, int (*)(struct ud*)); 56 | 57 | extern LIBUDIS86_DLLEXTERN void ud_set_input_buffer(struct ud*, const uint8_t*, size_t); 58 | 59 | #if !__UD_STANDALONE__ && !DRIVER 60 | extern LIBUDIS86_DLLEXTERN void ud_set_input_file(struct ud*, FILE*); 61 | #endif /* __UD_STANDALONE__ */ 62 | 63 | extern LIBUDIS86_DLLEXTERN void ud_set_vendor(struct ud*, unsigned); 64 | 65 | extern LIBUDIS86_DLLEXTERN void ud_set_syntax(struct ud*, void (*)(struct ud*)); 66 | 67 | extern LIBUDIS86_DLLEXTERN void ud_input_skip(struct ud*, size_t); 68 | 69 | extern LIBUDIS86_DLLEXTERN int ud_input_end(const struct ud*); 70 | 71 | extern LIBUDIS86_DLLEXTERN unsigned int ud_decode(struct ud*); 72 | 73 | extern LIBUDIS86_DLLEXTERN unsigned int ud_disassemble(struct ud*); 74 | 75 | extern LIBUDIS86_DLLEXTERN void ud_translate_intel(struct ud*); 76 | 77 | extern LIBUDIS86_DLLEXTERN void ud_translate_att(struct ud*); 78 | 79 | extern LIBUDIS86_DLLEXTERN const char* ud_insn_asm(const struct ud* u); 80 | 81 | extern LIBUDIS86_DLLEXTERN const uint8_t* ud_insn_ptr(const struct ud* u); 82 | 83 | extern LIBUDIS86_DLLEXTERN uint64_t ud_insn_off(const struct ud*); 84 | 85 | extern LIBUDIS86_DLLEXTERN const char* ud_insn_hex(struct ud*); 86 | 87 | extern LIBUDIS86_DLLEXTERN unsigned int ud_insn_len(const struct ud* u); 88 | 89 | extern LIBUDIS86_DLLEXTERN const struct ud_operand* ud_insn_opr(const struct ud *u, unsigned int n); 90 | 91 | extern LIBUDIS86_DLLEXTERN int ud_opr_is_sreg(const struct ud_operand *opr); 92 | 93 | extern LIBUDIS86_DLLEXTERN int ud_opr_is_gpr(const struct ud_operand *opr); 94 | 95 | extern LIBUDIS86_DLLEXTERN enum ud_mnemonic_code ud_insn_mnemonic(const struct ud *u); 96 | 97 | extern LIBUDIS86_DLLEXTERN const char* ud_lookup_mnemonic(enum ud_mnemonic_code c); 98 | 99 | extern LIBUDIS86_DLLEXTERN void ud_set_user_opaque_data(struct ud*, void*); 100 | 101 | extern LIBUDIS86_DLLEXTERN void* ud_get_user_opaque_data(const struct ud*); 102 | 103 | extern LIBUDIS86_DLLEXTERN void ud_set_asm_buffer(struct ud *u, char *buf, size_t size); 104 | 105 | extern LIBUDIS86_DLLEXTERN void ud_set_sym_resolver(struct ud *u, 106 | const char* (*resolver)(struct ud*, 107 | uint64_t addr, 108 | int64_t *offset)); 109 | 110 | /* ========================================================================== */ 111 | 112 | #ifdef __cplusplus 113 | } 114 | #endif 115 | #endif /* UD_EXTERN_H */ 116 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/libudis86/syn-att.c: -------------------------------------------------------------------------------- 1 | /* udis86 - libudis86/syn-att.c 2 | * 3 | * Copyright (c) 2002-2009 Vivek Thampi 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #include "types.h" 27 | #include "extern.h" 28 | #include "decode.h" 29 | #include "itab.h" 30 | #include "syn.h" 31 | #include "udint.h" 32 | 33 | /* ----------------------------------------------------------------------------- 34 | * opr_cast() - Prints an operand cast. 35 | * ----------------------------------------------------------------------------- 36 | */ 37 | static void 38 | opr_cast(struct ud* u, struct ud_operand* op) 39 | { 40 | switch(op->size) { 41 | case 16 : case 32 : 42 | ud_asmprintf(u, "*"); break; 43 | default: break; 44 | } 45 | } 46 | 47 | /* ----------------------------------------------------------------------------- 48 | * gen_operand() - Generates assembly output for each operand. 49 | * ----------------------------------------------------------------------------- 50 | */ 51 | static void 52 | gen_operand(struct ud* u, struct ud_operand* op) 53 | { 54 | switch(op->type) { 55 | case UD_OP_CONST: 56 | ud_asmprintf(u, "$0x%x", op->lval.udword); 57 | break; 58 | 59 | case UD_OP_REG: 60 | ud_asmprintf(u, "%%%s", ud_reg_tab[op->base - UD_R_AL]); 61 | break; 62 | 63 | case UD_OP_MEM: 64 | if (u->br_far) { 65 | opr_cast(u, op); 66 | } 67 | if (u->pfx_seg) { 68 | ud_asmprintf(u, "%%%s:", ud_reg_tab[u->pfx_seg - UD_R_AL]); 69 | } 70 | if (op->offset != 0) { 71 | ud_syn_print_mem_disp(u, op, 0); 72 | } 73 | if (op->base) { 74 | ud_asmprintf(u, "(%%%s", ud_reg_tab[op->base - UD_R_AL]); 75 | } 76 | if (op->index) { 77 | if (op->base) { 78 | ud_asmprintf(u, ","); 79 | } else { 80 | ud_asmprintf(u, "("); 81 | } 82 | ud_asmprintf(u, "%%%s", ud_reg_tab[op->index - UD_R_AL]); 83 | } 84 | if (op->scale) { 85 | ud_asmprintf(u, ",%d", op->scale); 86 | } 87 | if (op->base || op->index) { 88 | ud_asmprintf(u, ")"); 89 | } 90 | break; 91 | 92 | case UD_OP_IMM: 93 | ud_asmprintf(u, "$"); 94 | ud_syn_print_imm(u, op); 95 | break; 96 | 97 | case UD_OP_JIMM: 98 | ud_syn_print_addr(u, ud_syn_rel_target(u, op)); 99 | break; 100 | 101 | case UD_OP_PTR: 102 | switch (op->size) { 103 | case 32: 104 | ud_asmprintf(u, "$0x%x, $0x%x", op->lval.ptr.seg, 105 | op->lval.ptr.off & 0xFFFF); 106 | break; 107 | case 48: 108 | ud_asmprintf(u, "$0x%x, $0x%x", op->lval.ptr.seg, 109 | op->lval.ptr.off); 110 | break; 111 | } 112 | break; 113 | 114 | default: return; 115 | } 116 | } 117 | 118 | /* ============================================================================= 119 | * translates to AT&T syntax 120 | * ============================================================================= 121 | */ 122 | extern void 123 | ud_translate_att(struct ud *u) 124 | { 125 | int size = 0; 126 | int star = 0; 127 | 128 | /* check if P_OSO prefix is used */ 129 | if (! P_OSO(u->itab_entry->prefix) && u->pfx_opr) { 130 | switch (u->dis_mode) { 131 | case 16: 132 | ud_asmprintf(u, "o32 "); 133 | break; 134 | case 32: 135 | case 64: 136 | ud_asmprintf(u, "o16 "); 137 | break; 138 | } 139 | } 140 | 141 | /* check if P_ASO prefix was used */ 142 | if (! P_ASO(u->itab_entry->prefix) && u->pfx_adr) { 143 | switch (u->dis_mode) { 144 | case 16: 145 | ud_asmprintf(u, "a32 "); 146 | break; 147 | case 32: 148 | ud_asmprintf(u, "a16 "); 149 | break; 150 | case 64: 151 | ud_asmprintf(u, "a32 "); 152 | break; 153 | } 154 | } 155 | 156 | if (u->pfx_lock) 157 | ud_asmprintf(u, "lock "); 158 | if (u->pfx_rep) { 159 | ud_asmprintf(u, "rep "); 160 | } else if (u->pfx_rep) { 161 | ud_asmprintf(u, "repe "); 162 | } else if (u->pfx_repne) { 163 | ud_asmprintf(u, "repne "); 164 | } 165 | 166 | /* special instructions */ 167 | switch (u->mnemonic) { 168 | case UD_Iretf: 169 | ud_asmprintf(u, "lret "); 170 | break; 171 | case UD_Idb: 172 | ud_asmprintf(u, ".byte 0x%x", u->operand[0].lval.ubyte); 173 | return; 174 | case UD_Ijmp: 175 | case UD_Icall: 176 | if (u->br_far) ud_asmprintf(u, "l"); 177 | if (u->operand[0].type == UD_OP_REG) { 178 | star = 1; 179 | } 180 | ud_asmprintf(u, "%s", ud_lookup_mnemonic(u->mnemonic)); 181 | break; 182 | case UD_Ibound: 183 | case UD_Ienter: 184 | if (u->operand[0].type != UD_NONE) 185 | gen_operand(u, &u->operand[0]); 186 | if (u->operand[1].type != UD_NONE) { 187 | ud_asmprintf(u, ","); 188 | gen_operand(u, &u->operand[1]); 189 | } 190 | return; 191 | default: 192 | ud_asmprintf(u, "%s", ud_lookup_mnemonic(u->mnemonic)); 193 | } 194 | 195 | if (size == 8) { 196 | ud_asmprintf(u, "b"); 197 | } else if (size == 16) { 198 | ud_asmprintf(u, "w"); 199 | } else if (size == 64) { 200 | ud_asmprintf(u, "q"); 201 | } 202 | 203 | if (star) { 204 | ud_asmprintf(u, " *"); 205 | } else { 206 | ud_asmprintf(u, " "); 207 | } 208 | 209 | if (u->operand[3].type != UD_NONE) { 210 | gen_operand(u, &u->operand[3]); 211 | ud_asmprintf(u, ", "); 212 | } 213 | if (u->operand[2].type != UD_NONE) { 214 | gen_operand(u, &u->operand[2]); 215 | ud_asmprintf(u, ", "); 216 | } 217 | if (u->operand[1].type != UD_NONE) { 218 | gen_operand(u, &u->operand[1]); 219 | ud_asmprintf(u, ", "); 220 | } 221 | if (u->operand[0].type != UD_NONE) { 222 | gen_operand(u, &u->operand[0]); 223 | } 224 | } 225 | 226 | /* 227 | vim: set ts=2 sw=2 expandtab 228 | */ 229 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/libudis86/syn-intel.c: -------------------------------------------------------------------------------- 1 | /* udis86 - libudis86/syn-intel.c 2 | * 3 | * Copyright (c) 2002-2013 Vivek Thampi 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #include "types.h" 27 | #include "extern.h" 28 | #include "decode.h" 29 | #include "itab.h" 30 | #include "syn.h" 31 | #include "udint.h" 32 | 33 | /* ----------------------------------------------------------------------------- 34 | * opr_cast() - Prints an operand cast. 35 | * ----------------------------------------------------------------------------- 36 | */ 37 | static void 38 | opr_cast(struct ud* u, struct ud_operand* op) 39 | { 40 | if (u->br_far) { 41 | ud_asmprintf(u, "far "); 42 | } 43 | switch(op->size) { 44 | case 8: ud_asmprintf(u, "byte " ); break; 45 | case 16: ud_asmprintf(u, "word " ); break; 46 | case 32: ud_asmprintf(u, "dword "); break; 47 | case 64: ud_asmprintf(u, "qword "); break; 48 | case 80: ud_asmprintf(u, "tword "); break; 49 | case 128: ud_asmprintf(u, "oword "); break; 50 | case 256: ud_asmprintf(u, "yword "); break; 51 | default: break; 52 | } 53 | } 54 | 55 | /* ----------------------------------------------------------------------------- 56 | * gen_operand() - Generates assembly output for each operand. 57 | * ----------------------------------------------------------------------------- 58 | */ 59 | static void gen_operand(struct ud* u, struct ud_operand* op, int syn_cast) 60 | { 61 | switch(op->type) { 62 | case UD_OP_REG: 63 | ud_asmprintf(u, "%s", ud_reg_tab[op->base - UD_R_AL]); 64 | break; 65 | 66 | case UD_OP_MEM: 67 | if (syn_cast) { 68 | opr_cast(u, op); 69 | } 70 | ud_asmprintf(u, "["); 71 | if (u->pfx_seg) { 72 | ud_asmprintf(u, "%s:", ud_reg_tab[u->pfx_seg - UD_R_AL]); 73 | } 74 | if (op->base) { 75 | ud_asmprintf(u, "%s", ud_reg_tab[op->base - UD_R_AL]); 76 | } 77 | if (op->index) { 78 | ud_asmprintf(u, "%s%s", op->base != UD_NONE? "+" : "", 79 | ud_reg_tab[op->index - UD_R_AL]); 80 | if (op->scale) { 81 | ud_asmprintf(u, "*%d", op->scale); 82 | } 83 | } 84 | if (op->offset != 0) { 85 | ud_syn_print_mem_disp(u, op, (op->base != UD_NONE || 86 | op->index != UD_NONE) ? 1 : 0); 87 | } 88 | ud_asmprintf(u, "]"); 89 | break; 90 | 91 | case UD_OP_IMM: 92 | ud_syn_print_imm(u, op); 93 | break; 94 | 95 | 96 | case UD_OP_JIMM: 97 | ud_syn_print_addr(u, ud_syn_rel_target(u, op)); 98 | break; 99 | 100 | case UD_OP_PTR: 101 | switch (op->size) { 102 | case 32: 103 | ud_asmprintf(u, "word 0x%x:0x%x", op->lval.ptr.seg, 104 | op->lval.ptr.off & 0xFFFF); 105 | break; 106 | case 48: 107 | ud_asmprintf(u, "dword 0x%x:0x%x", op->lval.ptr.seg, 108 | op->lval.ptr.off); 109 | break; 110 | } 111 | break; 112 | 113 | case UD_OP_CONST: 114 | if (syn_cast) opr_cast(u, op); 115 | ud_asmprintf(u, "%d", op->lval.udword); 116 | break; 117 | 118 | default: return; 119 | } 120 | } 121 | 122 | /* ============================================================================= 123 | * translates to intel syntax 124 | * ============================================================================= 125 | */ 126 | extern void 127 | ud_translate_intel(struct ud* u) 128 | { 129 | /* check if P_OSO prefix is used */ 130 | if (!P_OSO(u->itab_entry->prefix) && u->pfx_opr) { 131 | switch (u->dis_mode) { 132 | case 16: ud_asmprintf(u, "o32 "); break; 133 | case 32: 134 | case 64: ud_asmprintf(u, "o16 "); break; 135 | } 136 | } 137 | 138 | /* check if P_ASO prefix was used */ 139 | if (!P_ASO(u->itab_entry->prefix) && u->pfx_adr) { 140 | switch (u->dis_mode) { 141 | case 16: ud_asmprintf(u, "a32 "); break; 142 | case 32: ud_asmprintf(u, "a16 "); break; 143 | case 64: ud_asmprintf(u, "a32 "); break; 144 | } 145 | } 146 | 147 | if (u->pfx_seg && 148 | u->operand[0].type != UD_OP_MEM && 149 | u->operand[1].type != UD_OP_MEM ) { 150 | ud_asmprintf(u, "%s ", ud_reg_tab[u->pfx_seg - UD_R_AL]); 151 | } 152 | 153 | if (u->pfx_lock) { 154 | ud_asmprintf(u, "lock "); 155 | } 156 | if (u->pfx_rep) { 157 | ud_asmprintf(u, "rep "); 158 | } else if (u->pfx_repe) { 159 | ud_asmprintf(u, "repe "); 160 | } else if (u->pfx_repne) { 161 | ud_asmprintf(u, "repne "); 162 | } 163 | 164 | /* print the instruction mnemonic */ 165 | ud_asmprintf(u, "%s", ud_lookup_mnemonic(u->mnemonic)); 166 | 167 | if (u->operand[0].type != UD_NONE) { 168 | int cast = 0; 169 | ud_asmprintf(u, " "); 170 | if (u->operand[0].type == UD_OP_MEM) { 171 | if (u->operand[1].type == UD_OP_IMM || 172 | u->operand[1].type == UD_OP_CONST || 173 | u->operand[1].type == UD_NONE || 174 | (u->operand[0].size != u->operand[1].size)) { 175 | cast = 1; 176 | } else if (u->operand[1].type == UD_OP_REG && 177 | u->operand[1].base == UD_R_CL) { 178 | switch (u->mnemonic) { 179 | case UD_Ircl: 180 | case UD_Irol: 181 | case UD_Iror: 182 | case UD_Ircr: 183 | case UD_Ishl: 184 | case UD_Ishr: 185 | case UD_Isar: 186 | cast = 1; 187 | break; 188 | default: break; 189 | } 190 | } 191 | } 192 | gen_operand(u, &u->operand[0], cast); 193 | } 194 | 195 | if (u->operand[1].type != UD_NONE) { 196 | int cast = 0; 197 | ud_asmprintf(u, ", "); 198 | if (u->operand[1].type == UD_OP_MEM && 199 | u->operand[0].size != u->operand[1].size && 200 | !ud_opr_is_sreg(&u->operand[0])) { 201 | cast = 1; 202 | } 203 | gen_operand(u, &u->operand[1], cast); 204 | } 205 | 206 | if (u->operand[2].type != UD_NONE) { 207 | int cast = 0; 208 | ud_asmprintf(u, ", "); 209 | if (u->operand[2].type == UD_OP_MEM && 210 | u->operand[2].size != u->operand[1].size) { 211 | cast = 1; 212 | } 213 | gen_operand(u, &u->operand[2], cast); 214 | } 215 | 216 | if (u->operand[3].type != UD_NONE) { 217 | ud_asmprintf(u, ", "); 218 | gen_operand(u, &u->operand[3], 0); 219 | } 220 | } 221 | 222 | /* 223 | vim: set ts=2 sw=2 expandtab 224 | */ 225 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/libudis86/syn.c: -------------------------------------------------------------------------------- 1 | /* udis86 - libudis86/syn.c 2 | * 3 | * Copyright (c) 2002-2013 Vivek Thampi 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #include "types.h" 27 | #include "decode.h" 28 | #include "syn.h" 29 | #include "udint.h" 30 | #ifdef DRIVER 31 | #pragma warning(disable : 4201) 32 | #include 33 | #include 34 | #pragma warning(default : 4201) 35 | #endif 36 | /* 37 | * Register Table - Order Matters (types.h)! 38 | * 39 | */ 40 | const char* ud_reg_tab[] = 41 | { 42 | "al", "cl", "dl", "bl", 43 | "ah", "ch", "dh", "bh", 44 | "spl", "bpl", "sil", "dil", 45 | "r8b", "r9b", "r10b", "r11b", 46 | "r12b", "r13b", "r14b", "r15b", 47 | 48 | "ax", "cx", "dx", "bx", 49 | "sp", "bp", "si", "di", 50 | "r8w", "r9w", "r10w", "r11w", 51 | "r12w", "r13w", "r14w", "r15w", 52 | 53 | "eax", "ecx", "edx", "ebx", 54 | "esp", "ebp", "esi", "edi", 55 | "r8d", "r9d", "r10d", "r11d", 56 | "r12d", "r13d", "r14d", "r15d", 57 | 58 | "rax", "rcx", "rdx", "rbx", 59 | "rsp", "rbp", "rsi", "rdi", 60 | "r8", "r9", "r10", "r11", 61 | "r12", "r13", "r14", "r15", 62 | 63 | "es", "cs", "ss", "ds", 64 | "fs", "gs", 65 | 66 | "cr0", "cr1", "cr2", "cr3", 67 | "cr4", "cr5", "cr6", "cr7", 68 | "cr8", "cr9", "cr10", "cr11", 69 | "cr12", "cr13", "cr14", "cr15", 70 | 71 | "dr0", "dr1", "dr2", "dr3", 72 | "dr4", "dr5", "dr6", "dr7", 73 | "dr8", "dr9", "dr10", "dr11", 74 | "dr12", "dr13", "dr14", "dr15", 75 | 76 | "mm0", "mm1", "mm2", "mm3", 77 | "mm4", "mm5", "mm6", "mm7", 78 | 79 | "st0", "st1", "st2", "st3", 80 | "st4", "st5", "st6", "st7", 81 | 82 | "xmm0", "xmm1", "xmm2", "xmm3", 83 | "xmm4", "xmm5", "xmm6", "xmm7", 84 | "xmm8", "xmm9", "xmm10", "xmm11", 85 | "xmm12", "xmm13", "xmm14", "xmm15", 86 | 87 | "ymm0", "ymm1", "ymm2", "ymm3", 88 | "ymm4", "ymm5", "ymm6", "ymm7", 89 | "ymm8", "ymm9", "ymm10", "ymm11", 90 | "ymm12", "ymm13", "ymm14", "ymm15", 91 | 92 | "rip" 93 | }; 94 | 95 | 96 | uint64_t 97 | ud_syn_rel_target(struct ud *u, struct ud_operand *opr) 98 | { 99 | const uint64_t trunc_mask = 0xffffffffffffffffull >> (64 - u->opr_mode); 100 | switch (opr->size) { 101 | case 8 : return (u->pc + opr->lval.sbyte) & trunc_mask; 102 | case 16: return (u->pc + opr->lval.sword) & trunc_mask; 103 | case 32: return (u->pc + opr->lval.sdword) & trunc_mask; 104 | default: UD_ASSERT(!"invalid relative offset size."); 105 | return 0ull; 106 | } 107 | } 108 | 109 | 110 | /* 111 | * asmprintf 112 | * Printf style function for printing translated assembly 113 | * output. Returns the number of characters written and 114 | * moves the buffer pointer forward. On an overflow, 115 | * returns a negative number and truncates the output. 116 | */ 117 | int 118 | ud_asmprintf(struct ud *u, const char *fmt, ...) 119 | { 120 | int ret; 121 | int avail; 122 | va_list ap; 123 | va_start(ap, fmt); 124 | avail = (int)(u->asm_buf_size - u->asm_buf_fill - 1 /* nullchar */); 125 | #ifdef DRIVER 126 | ret = RtlStringCbVPrintfA((char*)u->asm_buf + u->asm_buf_fill, avail, fmt, ap); 127 | #else 128 | ret = vsnprintf_s((char*)u->asm_buf + u->asm_buf_fill, avail, avail, fmt, ap); 129 | #endif 130 | if (ret < 0 || ret > avail) { 131 | u->asm_buf_fill = u->asm_buf_size - 1; 132 | } else { 133 | u->asm_buf_fill += ret; 134 | } 135 | va_end(ap); 136 | return ret; 137 | } 138 | 139 | 140 | void 141 | ud_syn_print_addr(struct ud *u, uint64_t addr) 142 | { 143 | const char *name = NULL; 144 | if (u->sym_resolver) { 145 | int64_t offset = 0; 146 | name = u->sym_resolver(u, addr, &offset); 147 | if (name) { 148 | if (offset) { 149 | ud_asmprintf(u, "%s%+" FMT64 "d", name, offset); 150 | } else { 151 | ud_asmprintf(u, "%s", name); 152 | } 153 | return; 154 | } 155 | } 156 | ud_asmprintf(u, "0x%" FMT64 "x", addr); 157 | } 158 | 159 | 160 | void 161 | ud_syn_print_imm(struct ud* u, const struct ud_operand *op) 162 | { 163 | uint64_t v; 164 | if (op->_oprcode == OP_sI && op->size != u->opr_mode) { 165 | if (op->size == 8) { 166 | v = (int64_t)op->lval.sbyte; 167 | } else { 168 | UD_ASSERT(op->size == 32); 169 | v = (int64_t)op->lval.sdword; 170 | } 171 | if (u->opr_mode < 64) { 172 | v = v & ((1ull << u->opr_mode) - 1ull); 173 | } 174 | } else { 175 | switch (op->size) { 176 | case 8 : v = op->lval.ubyte; break; 177 | case 16: v = op->lval.uword; break; 178 | case 32: v = op->lval.udword; break; 179 | case 64: v = op->lval.uqword; break; 180 | default: UD_ASSERT(!"invalid offset"); v = 0; /* keep cc happy */ 181 | } 182 | } 183 | ud_asmprintf(u, "0x%" FMT64 "x", v); 184 | } 185 | 186 | 187 | void 188 | ud_syn_print_mem_disp(struct ud* u, const struct ud_operand *op, int sign) 189 | { 190 | UD_ASSERT(op->offset != 0); 191 | if (op->base == UD_NONE && op->index == UD_NONE) { 192 | uint64_t v; 193 | UD_ASSERT(op->scale == UD_NONE && op->offset != 8); 194 | /* unsigned mem-offset */ 195 | switch (op->offset) { 196 | case 16: v = op->lval.uword; break; 197 | case 32: v = op->lval.udword; break; 198 | case 64: v = op->lval.uqword; break; 199 | default: UD_ASSERT(!"invalid offset"); v = 0; /* keep cc happy */ 200 | } 201 | ud_asmprintf(u, "0x%" FMT64 "x", v); 202 | } else { 203 | int64_t v; 204 | UD_ASSERT(op->offset != 64); 205 | switch (op->offset) { 206 | case 8 : v = op->lval.sbyte; break; 207 | case 16: v = op->lval.sword; break; 208 | case 32: v = op->lval.sdword; break; 209 | default: UD_ASSERT(!"invalid offset"); v = 0; /* keep cc happy */ 210 | } 211 | if (v < 0) { 212 | ud_asmprintf(u, "-0x%" FMT64 "x", -v); 213 | } else if (v > 0) { 214 | ud_asmprintf(u, "%s0x%" FMT64 "x", sign? "+" : "", v); 215 | } 216 | } 217 | } 218 | 219 | /* 220 | vim: set ts=2 sw=2 expandtab 221 | */ 222 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/libudis86/syn.h: -------------------------------------------------------------------------------- 1 | /* udis86 - libudis86/syn.h 2 | * 3 | * Copyright (c) 2002-2009 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #ifndef UD_SYN_H 27 | #define UD_SYN_H 28 | 29 | #include "types.h" 30 | #ifndef __UD_STANDALONE__ 31 | # include 32 | #endif /* __UD_STANDALONE__ */ 33 | 34 | extern const char* ud_reg_tab[]; 35 | 36 | uint64_t ud_syn_rel_target(struct ud*, struct ud_operand*); 37 | 38 | #ifdef __GNUC__ 39 | int ud_asmprintf(struct ud *u, const char *fmt, ...) 40 | __attribute__ ((format (printf, 2, 3))); 41 | #else 42 | int ud_asmprintf(struct ud *u, const char *fmt, ...); 43 | #endif 44 | 45 | void ud_syn_print_addr(struct ud *u, uint64_t addr); 46 | void ud_syn_print_imm(struct ud* u, const struct ud_operand *op); 47 | void ud_syn_print_mem_disp(struct ud* u, const struct ud_operand *, int sign); 48 | 49 | #endif /* UD_SYN_H */ 50 | 51 | /* 52 | vim: set ts=2 sw=2 expandtab 53 | */ 54 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/libudis86/types.h: -------------------------------------------------------------------------------- 1 | /* udis86 - libudis86/types.h 2 | * 3 | * Copyright (c) 2002-2013 Vivek Thampi 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #ifndef UD_TYPES_H 27 | #define UD_TYPES_H 28 | 29 | #ifdef __KERNEL__ 30 | /* 31 | * -D__KERNEL__ is automatically passed on the command line when 32 | * building something as part of the Linux kernel. Assume standalone 33 | * mode. 34 | */ 35 | # include 36 | # include 37 | # ifndef __UD_STANDALONE__ 38 | # define __UD_STANDALONE__ 1 39 | # endif 40 | #endif /* __KERNEL__ */ 41 | 42 | #if !defined(__UD_STANDALONE__) 43 | # include 44 | # include 45 | #endif 46 | 47 | /* gcc specific extensions */ 48 | #ifdef __GNUC__ 49 | # define UD_ATTR_PACKED __attribute__((packed)) 50 | #else 51 | # define UD_ATTR_PACKED 52 | #endif /* UD_ATTR_PACKED */ 53 | 54 | 55 | /* ----------------------------------------------------------------------------- 56 | * All possible "types" of objects in udis86. Order is Important! 57 | * ----------------------------------------------------------------------------- 58 | */ 59 | enum ud_type 60 | { 61 | UD_NONE, 62 | 63 | /* 8 bit GPRs */ 64 | UD_R_AL, UD_R_CL, UD_R_DL, UD_R_BL, 65 | UD_R_AH, UD_R_CH, UD_R_DH, UD_R_BH, 66 | UD_R_SPL, UD_R_BPL, UD_R_SIL, UD_R_DIL, 67 | UD_R_R8B, UD_R_R9B, UD_R_R10B, UD_R_R11B, 68 | UD_R_R12B, UD_R_R13B, UD_R_R14B, UD_R_R15B, 69 | 70 | /* 16 bit GPRs */ 71 | UD_R_AX, UD_R_CX, UD_R_DX, UD_R_BX, 72 | UD_R_SP, UD_R_BP, UD_R_SI, UD_R_DI, 73 | UD_R_R8W, UD_R_R9W, UD_R_R10W, UD_R_R11W, 74 | UD_R_R12W, UD_R_R13W, UD_R_R14W, UD_R_R15W, 75 | 76 | /* 32 bit GPRs */ 77 | UD_R_EAX, UD_R_ECX, UD_R_EDX, UD_R_EBX, 78 | UD_R_ESP, UD_R_EBP, UD_R_ESI, UD_R_EDI, 79 | UD_R_R8D, UD_R_R9D, UD_R_R10D, UD_R_R11D, 80 | UD_R_R12D, UD_R_R13D, UD_R_R14D, UD_R_R15D, 81 | 82 | /* 64 bit GPRs */ 83 | UD_R_RAX, UD_R_RCX, UD_R_RDX, UD_R_RBX, 84 | UD_R_RSP, UD_R_RBP, UD_R_RSI, UD_R_RDI, 85 | UD_R_R8, UD_R_R9, UD_R_R10, UD_R_R11, 86 | UD_R_R12, UD_R_R13, UD_R_R14, UD_R_R15, 87 | 88 | /* segment registers */ 89 | UD_R_ES, UD_R_CS, UD_R_SS, UD_R_DS, 90 | UD_R_FS, UD_R_GS, 91 | 92 | /* control registers*/ 93 | UD_R_CR0, UD_R_CR1, UD_R_CR2, UD_R_CR3, 94 | UD_R_CR4, UD_R_CR5, UD_R_CR6, UD_R_CR7, 95 | UD_R_CR8, UD_R_CR9, UD_R_CR10, UD_R_CR11, 96 | UD_R_CR12, UD_R_CR13, UD_R_CR14, UD_R_CR15, 97 | 98 | /* debug registers */ 99 | UD_R_DR0, UD_R_DR1, UD_R_DR2, UD_R_DR3, 100 | UD_R_DR4, UD_R_DR5, UD_R_DR6, UD_R_DR7, 101 | UD_R_DR8, UD_R_DR9, UD_R_DR10, UD_R_DR11, 102 | UD_R_DR12, UD_R_DR13, UD_R_DR14, UD_R_DR15, 103 | 104 | /* mmx registers */ 105 | UD_R_MM0, UD_R_MM1, UD_R_MM2, UD_R_MM3, 106 | UD_R_MM4, UD_R_MM5, UD_R_MM6, UD_R_MM7, 107 | 108 | /* x87 registers */ 109 | UD_R_ST0, UD_R_ST1, UD_R_ST2, UD_R_ST3, 110 | UD_R_ST4, UD_R_ST5, UD_R_ST6, UD_R_ST7, 111 | 112 | /* extended multimedia registers */ 113 | UD_R_XMM0, UD_R_XMM1, UD_R_XMM2, UD_R_XMM3, 114 | UD_R_XMM4, UD_R_XMM5, UD_R_XMM6, UD_R_XMM7, 115 | UD_R_XMM8, UD_R_XMM9, UD_R_XMM10, UD_R_XMM11, 116 | UD_R_XMM12, UD_R_XMM13, UD_R_XMM14, UD_R_XMM15, 117 | 118 | /* 256B multimedia registers */ 119 | UD_R_YMM0, UD_R_YMM1, UD_R_YMM2, UD_R_YMM3, 120 | UD_R_YMM4, UD_R_YMM5, UD_R_YMM6, UD_R_YMM7, 121 | UD_R_YMM8, UD_R_YMM9, UD_R_YMM10, UD_R_YMM11, 122 | UD_R_YMM12, UD_R_YMM13, UD_R_YMM14, UD_R_YMM15, 123 | 124 | UD_R_RIP, 125 | 126 | /* Operand Types */ 127 | UD_OP_REG, UD_OP_MEM, UD_OP_PTR, UD_OP_IMM, 128 | UD_OP_JIMM, UD_OP_CONST 129 | }; 130 | 131 | #include "itab.h" 132 | 133 | union ud_lval { 134 | int8_t sbyte; 135 | uint8_t ubyte; 136 | int16_t sword; 137 | uint16_t uword; 138 | int32_t sdword; 139 | uint32_t udword; 140 | int64_t sqword; 141 | uint64_t uqword; 142 | struct { 143 | uint16_t seg; 144 | uint32_t off; 145 | } ptr; 146 | }; 147 | 148 | /* ----------------------------------------------------------------------------- 149 | * struct ud_operand - Disassembled instruction Operand. 150 | * ----------------------------------------------------------------------------- 151 | */ 152 | struct ud_operand { 153 | enum ud_type type; 154 | uint16_t size; 155 | enum ud_type base; 156 | enum ud_type index; 157 | uint8_t scale; 158 | uint8_t offset; 159 | union ud_lval lval; 160 | /* 161 | * internal use only 162 | */ 163 | uint64_t _legacy; /* this will be removed in 1.8 */ 164 | uint8_t _oprcode; 165 | }; 166 | 167 | /* ----------------------------------------------------------------------------- 168 | * struct ud - The udis86 object. 169 | * ----------------------------------------------------------------------------- 170 | */ 171 | struct ud 172 | { 173 | /* 174 | * input buffering 175 | */ 176 | int (*inp_hook) (struct ud*); 177 | #ifndef __UD_STANDALONE__ 178 | FILE* inp_file; 179 | #endif 180 | const uint8_t* inp_buf; 181 | size_t inp_buf_size; 182 | size_t inp_buf_index; 183 | uint8_t inp_curr; 184 | size_t inp_ctr; 185 | uint8_t inp_sess[64]; 186 | int inp_end; 187 | int inp_peek; 188 | 189 | void (*translator)(struct ud*); 190 | uint64_t insn_offset; 191 | char insn_hexcode[64]; 192 | 193 | /* 194 | * Assembly output buffer 195 | */ 196 | char *asm_buf; 197 | size_t asm_buf_size; 198 | size_t asm_buf_fill; 199 | char asm_buf_int[128]; 200 | 201 | /* 202 | * Symbol resolver for use in the translation phase. 203 | */ 204 | const char* (*sym_resolver)(struct ud*, uint64_t addr, int64_t *offset); 205 | 206 | uint8_t dis_mode; 207 | uint64_t pc; 208 | uint8_t vendor; 209 | enum ud_mnemonic_code mnemonic; 210 | struct ud_operand operand[4]; 211 | uint8_t error; 212 | uint8_t _rex; 213 | uint8_t pfx_rex; 214 | uint8_t pfx_seg; 215 | uint8_t pfx_opr; 216 | uint8_t pfx_adr; 217 | uint8_t pfx_lock; 218 | uint8_t pfx_str; 219 | uint8_t pfx_rep; 220 | uint8_t pfx_repe; 221 | uint8_t pfx_repne; 222 | uint8_t opr_mode; 223 | uint8_t adr_mode; 224 | uint8_t br_far; 225 | uint8_t br_near; 226 | uint8_t have_modrm; 227 | uint8_t modrm; 228 | uint8_t vex_op; 229 | uint8_t vex_b1; 230 | uint8_t vex_b2; 231 | uint8_t primary_opcode; 232 | void * user_opaque_data; 233 | struct ud_itab_entry * itab_entry; 234 | struct ud_lookup_table_list_entry *le; 235 | }; 236 | 237 | /* ----------------------------------------------------------------------------- 238 | * Type-definitions 239 | * ----------------------------------------------------------------------------- 240 | */ 241 | typedef enum ud_type ud_type_t; 242 | typedef enum ud_mnemonic_code ud_mnemonic_code_t; 243 | 244 | typedef struct ud ud_t; 245 | typedef struct ud_operand ud_operand_t; 246 | 247 | #define UD_SYN_INTEL ud_translate_intel 248 | #define UD_SYN_ATT ud_translate_att 249 | #define UD_EOI (-1) 250 | #define UD_INP_CACHE_SZ 32 251 | #define UD_VENDOR_AMD 0 252 | #define UD_VENDOR_INTEL 1 253 | #define UD_VENDOR_ANY 2 254 | 255 | #endif 256 | 257 | /* 258 | vim: set ts=2 sw=2 expandtab 259 | */ 260 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/libudis86/udint.h: -------------------------------------------------------------------------------- 1 | /* udis86 - libudis86/udint.h -- definitions for internal use only 2 | * 3 | * Copyright (c) 2002-2009 Vivek Thampi 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #ifndef _UDINT_H_ 27 | #define _UDINT_H_ 28 | 29 | #ifdef HAVE_CONFIG_H 30 | # include 31 | #endif /* HAVE_CONFIG_H */ 32 | 33 | #if defined(UD_DEBUG) && HAVE_ASSERT_H 34 | # include 35 | # define UD_ASSERT(_x) assert(_x) 36 | #else 37 | # define UD_ASSERT(_x) 38 | #endif /* !HAVE_ASSERT_H */ 39 | 40 | #if defined(UD_DEBUG) 41 | #define UDERR(u, msg) \ 42 | do { \ 43 | (u)->error = 1; \ 44 | fprintf(stderr, "decode-error: %s:%d: %s", \ 45 | __FILE__, __LINE__, (msg)); \ 46 | } while (0) 47 | #else 48 | #define UDERR(u, m) \ 49 | __pragma(warning(push)) \ 50 | __pragma(warning(disable:4127)) \ 51 | do { \ 52 | (u)->error = 1; \ 53 | } while (0) \ 54 | __pragma(warning(pop)) 55 | #endif /* !LOGERR */ 56 | 57 | #define UD_RETURN_ON_ERROR(u) \ 58 | __pragma(warning(push)) \ 59 | __pragma(warning(disable:4127)) \ 60 | do { \ 61 | if ((u)->error != 0) { \ 62 | return (u)->error; \ 63 | } \ 64 | } while (0) \ 65 | __pragma(warning(pop)) 66 | 67 | #define UD_RETURN_WITH_ERROR(u, m) \ 68 | __pragma(warning(push)) \ 69 | __pragma(warning(disable:4127)) \ 70 | do { \ 71 | UDERR(u, m); \ 72 | return (u)->error; \ 73 | } while (0) \ 74 | __pragma(warning(pop)) 75 | 76 | #ifndef __UD_STANDALONE__ 77 | # define UD_NON_STANDALONE(x) x 78 | #else 79 | # define UD_NON_STANDALONE(x) 80 | #endif 81 | 82 | /* printf formatting int64 specifier */ 83 | #ifdef FMT64 84 | # undef FMT64 85 | #endif 86 | #if defined(_MSC_VER) || defined(__BORLANDC__) 87 | # define FMT64 "I64" 88 | #else 89 | # if defined(__APPLE__) 90 | # define FMT64 "ll" 91 | # elif defined(__amd64__) || defined(__x86_64__) 92 | # define FMT64 "l" 93 | # else 94 | # define FMT64 "ll" 95 | # endif /* !x64 */ 96 | #endif 97 | 98 | /* define an inline macro */ 99 | #if defined(_MSC_VER) || defined(__BORLANDC__) 100 | # define UD_INLINE __inline /* MS Visual Studio requires __inline 101 | instead of inline for C code */ 102 | #else 103 | # define UD_INLINE inline 104 | #endif 105 | 106 | #endif /* _UDINT_H_ */ 107 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/udis86-LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) 2002-2012, Vivek Thampi 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, 8 | this list of conditions and the following disclaimer. 9 | 2. Redistributions in binary form must reproduce the above copyright notice, 10 | this list of conditions and the following disclaimer in the documentation 11 | and/or other materials provided with the distribution. 12 | 13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 14 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 15 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 16 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 17 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 18 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 19 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 20 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 22 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/udis86-README.txt: -------------------------------------------------------------------------------- 1 | udis86 2 | ====== 3 | 4 | Udis86 is a disassembler engine that interprets and decodes a stream of 5 | binary machine code bytes as opcodes defined in the x86 and x86-64 class 6 | of Instruction Set Archictures. The core component of this project is 7 | libudis86 which provides a clean and simple interface to disassemble 8 | binary code, and to inspect the disassembly to various degrees of 9 | details. The library is designed to aid software projects that entail 10 | analysis and manipulation of all flavors of x86 binary code. 11 | 12 | 13 | LICENSE 14 | ------- 15 | 16 | udis86 is an open source project, distributed under the terms of the 17 | 2-clause "Simplified BSD License". A copy of the license is included 18 | with the source in $(SRC)/LICENSE. 19 | 20 | 21 | libudis86 22 | --------- 23 | 24 | * Full support for the x86 and x86-64 (AMD64) range of instruction set 25 | architectures. 26 | * Full support for all AMD-V, INTEL-VMX, MMX, SSE, SSE2, SSE3, SSSE3, 27 | SSE4.1, SSE4.2, FPU(x87), and AMD 3Dnow! instructions. 28 | * Supports 16bit, 32bit, and 64bit disassembly modes. 29 | * Supports instruction meta-data using XML based decode tables. 30 | * Generates output in AT&T or INTEL assembler language syntaxes. 31 | * Supports flexbile input methods: File, Buffer, and Hooks. 32 | * Reentrant. 33 | * Clean and very easy-to-use API. 34 | 35 | 36 | udcli 37 | ----- 38 | 39 | udcli is a small command-line tool for your quick disassembly needs. 40 | 41 | $ echo "65 67 89 87 76 65 54 56 78 89 09 00 87" | udcli -32 -x 42 | 0000000000000000 656789877665 mov [gs:bx+0x6576], eax 43 | 0000000000000000 54 push esp 44 | 0000000000000000 56 push esi 45 | 0000000000000000 7889 js 0x93 46 | 0000000000000000 0900 or [eax], eax 47 | 48 | 49 | Documentation 50 | ------------- 51 | 52 | libudis86 api is fully documented and included with the package in 53 | $(SRC)/docs/manual 54 | 55 | 56 | Author 57 | ------ 58 | 59 | udis86 is written and maintained by Vivek Thampi (vivek.mt@gmail.com). 60 | -------------------------------------------------------------------------------- /DriverShared/Disassembler/udis86.h: -------------------------------------------------------------------------------- 1 | /* udis86 - udis86.h 2 | * 3 | * Copyright (c) 2002-2009 Vivek Thampi 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without modification, 7 | * are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * * Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 16 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 17 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 18 | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 19 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 20 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 21 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 22 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 24 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | #ifndef UDIS86_H 27 | #define UDIS86_H 28 | 29 | #include "libudis86/types.h" 30 | #include "libudis86/extern.h" 31 | #include "libudis86/itab.h" 32 | 33 | #endif 34 | -------------------------------------------------------------------------------- /DriverShared/DriverShared.h: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\DriverShared.h) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #ifndef _DRIVERSHARED_H_ 27 | #define _DRIVERSHARED_H_ 28 | 29 | #ifdef __cplusplus 30 | extern "C"{ 31 | #endif 32 | 33 | #pragma warning (disable:4054) // function/data conversion 34 | #pragma warning (disable:4055) // data/function conversion 35 | #pragma warning (disable:4200) // zero-sized array in struct/union 36 | #pragma warning (disable:4204) // non-constant init 37 | #pragma warning (disable:4100) // unreferenced parameter 38 | 39 | 40 | #include "rtl.h" 41 | 42 | #define EASYHOOK_NT_INTERNAL EXTERN_C NTSTATUS __stdcall 43 | #define EASYHOOK_BOOL_INTERNAL EXTERN_C BOOL __stdcall 44 | 45 | #define EASYHOOK_INJECT_MANAGED 0x00000001 46 | 47 | typedef struct _NOTIFICATION_REQUEST_ 48 | { 49 | ULONG MaxCount; 50 | ULONG Count; 51 | ULONG Entries[0]; 52 | }NOTIFICATION_REQUEST, *PNOTIFICATION_REQUEST; 53 | 54 | typedef struct _HOOK_ACL_ 55 | { 56 | ULONG Count; 57 | BOOL IsExclusive; 58 | ULONG Entries[MAX_ACE_COUNT]; 59 | }HOOK_ACL; 60 | 61 | #define LOCAL_HOOK_SIGNATURE ((ULONG)0x6A910BE2) 62 | 63 | typedef struct _LOCAL_HOOK_INFO_ 64 | { 65 | PLOCAL_HOOK_INFO Next; 66 | ULONG NativeSize; 67 | UCHAR* TargetProc; 68 | ULONGLONG TargetBackup; 69 | ULONGLONG TargetBackup_x64; 70 | ULONGLONG HookCopy; 71 | ULONG EntrySize; 72 | UCHAR* Trampoline; 73 | ULONG HLSIndex; 74 | ULONG HLSIdent; 75 | void* Callback; 76 | HOOK_ACL LocalACL; 77 | ULONG Signature; 78 | TRACED_HOOK_HANDLE Tracking; 79 | 80 | void* RandomValue; // fixed 81 | void* HookIntro; // fixed 82 | UCHAR* OldProc; // fixed 83 | UCHAR* HookProc; // fixed 84 | void* HookOutro; // fixed 85 | int* IsExecutedPtr; // fixed 86 | }LOCAL_HOOK_INFO, *PLOCAL_HOOK_INFO; 87 | 88 | 89 | extern LOCAL_HOOK_INFO GlobalHookListHead; 90 | extern LOCAL_HOOK_INFO GlobalRemovalListHead; 91 | extern RTL_SPIN_LOCK GlobalHookLock; 92 | extern ULONG GlobalSlotList[]; 93 | 94 | EASYHOOK_BOOL_INTERNAL LhIsValidHandle( 95 | TRACED_HOOK_HANDLE InTracedHandle, 96 | PLOCAL_HOOK_INFO* OutHandle); 97 | 98 | void LhCriticalInitialize(); 99 | 100 | void LhModuleInfoFinalize(); 101 | 102 | void LhCriticalFinalize(); 103 | 104 | void* LhAllocateMemory(void* InEntryPoint); 105 | 106 | void LhFreeMemory(PLOCAL_HOOK_INFO* RefHandle); 107 | 108 | HOOK_ACL* LhBarrierGetAcl(); 109 | 110 | ULONGLONG LhBarrierIntro(LOCAL_HOOK_INFO* InHandle, void* InRetAddr, void** InAddrOfRetAddr); 111 | 112 | void* __stdcall LhBarrierOutro(LOCAL_HOOK_INFO* InHandle, void** InAddrOfRetAddr); 113 | 114 | EASYHOOK_NT_INTERNAL LhAllocateHook( 115 | void* InEntryPoint, 116 | void* InHookProc, 117 | void* InCallback, 118 | LOCAL_HOOK_INFO** Hook, 119 | ULONG* RelocSize); 120 | 121 | EASYHOOK_NT_INTERNAL LhDisassembleInstruction( 122 | void* InPtr, 123 | ULONG* length, 124 | PSTR buf, 125 | LONG buffSize, 126 | ULONG64 *nextInstr); 127 | 128 | EASYHOOK_NT_INTERNAL LhRelocateRIPRelativeInstruction( 129 | ULONGLONG InOffset, 130 | ULONGLONG InTargetOffset, 131 | BOOL* OutWasRelocated); 132 | 133 | EASYHOOK_NT_INTERNAL LhRelocateEntryPoint( 134 | UCHAR* InEntryPoint, 135 | ULONG InEPSize, 136 | UCHAR* Buffer, 137 | ULONG* OutRelocSize); 138 | 139 | EASYHOOK_NT_INTERNAL LhRoundToNextInstruction( 140 | void* InCodePtr, 141 | ULONG InCodeSize); 142 | 143 | EASYHOOK_NT_INTERNAL LhGetInstructionLength(void* InPtr); 144 | 145 | /* 146 | Helper API 147 | */ 148 | EASYHOOK_NT_INTERNAL DbgCriticalInitialize(); 149 | 150 | EASYHOOK_NT_INTERNAL DbgCriticalFinalize(); 151 | 152 | #ifdef __cplusplus 153 | } 154 | #endif 155 | 156 | #endif -------------------------------------------------------------------------------- /DriverShared/LocalHook/alloc.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\alloc.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | void LhFreeMemory(PLOCAL_HOOK_INFO* RefHandle) 29 | { 30 | /* 31 | Description: 32 | 33 | Will release the memory for a given hook. 34 | 35 | Parameters: 36 | 37 | - RefHandle 38 | 39 | A pointer to a valid hook handle. It will be set to NULL 40 | by this method! 41 | */ 42 | 43 | #if defined(_M_X64) && !defined(DRIVER) 44 | VirtualFree(*RefHandle, 0, MEM_RELEASE); 45 | #else 46 | RtlFreeMemory(*RefHandle); 47 | #endif 48 | 49 | *RefHandle = NULL; 50 | } 51 | 52 | /////////////////////////////////////////////////////////////////////////////////// 53 | /////////////////////// LhAllocateMemory 54 | /////////////////////////////////////////////////////////////////////////////////// 55 | void* LhAllocateMemory(void* InEntryPoint) 56 | { 57 | /* 58 | Description: 59 | 60 | Allocates one page of hook specific memory. 61 | 62 | Parameters: 63 | 64 | - InEntryPoint 65 | 66 | Ignored for 32-Bit versions and drivers. In 64-Bit user mode, the returned 67 | pointer will always be in a 31-bit boundary around this parameter. This way 68 | a relative jumper can still be placed instead of having to consume much more entry 69 | point bytes for an absolute jump! 70 | 71 | Returns: 72 | 73 | NULL if no memory could be allocated, a valid pointer otherwise. 74 | 75 | */ 76 | 77 | UCHAR* Res = NULL; 78 | 79 | #if defined(_M_X64) && !defined(DRIVER) 80 | LONGLONG Base; 81 | LONGLONG iStart; 82 | LONGLONG iEnd; 83 | LONGLONG Index; 84 | 85 | #endif 86 | 87 | #if !defined(DRIVER) 88 | SYSTEM_INFO SysInfo; 89 | ULONG PAGE_SIZE; 90 | 91 | GetSystemInfo(&SysInfo); 92 | 93 | PAGE_SIZE = SysInfo.dwPageSize; 94 | #endif 95 | 96 | 97 | // reserve page with execution privileges 98 | #if defined(_M_X64) && !defined(DRIVER) 99 | 100 | /* 101 | Reserve memory around entry point... 102 | */ 103 | iStart = ((LONGLONG)InEntryPoint) - ((LONGLONG)0x7FFFFF00); 104 | iEnd = ((LONGLONG)InEntryPoint) + ((LONGLONG)0x7FFFFF00); 105 | 106 | if(iStart < (LONGLONG)SysInfo.lpMinimumApplicationAddress) 107 | iStart = (LONGLONG)SysInfo.lpMinimumApplicationAddress; // shall not be null, because then VirtualAlloc() will not work as expected 108 | 109 | if(iEnd > (LONGLONG)SysInfo.lpMaximumApplicationAddress) 110 | iEnd = (LONGLONG)SysInfo.lpMaximumApplicationAddress; 111 | 112 | // we are trying to get memory as near as possible to relocate most RIP-relative instructions 113 | for(Base = (LONGLONG)InEntryPoint, Index = 0; ; Index += PAGE_SIZE) 114 | { 115 | BOOLEAN end = TRUE; 116 | if(Base + Index < iEnd) 117 | { 118 | if((Res = (UCHAR*)VirtualAlloc((void*)(Base + Index), PAGE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) != NULL) 119 | break; 120 | end = FALSE; 121 | } 122 | 123 | if(Base - Index > iStart) 124 | { 125 | if((Res = (BYTE*)VirtualAlloc((void*)(Base - Index), PAGE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) != NULL) 126 | break; 127 | end = FALSE; 128 | } 129 | 130 | if (end) 131 | break; 132 | } 133 | 134 | if(Res == NULL) 135 | return NULL; 136 | #else 137 | // in 32-bit mode the trampoline will always be reachable 138 | if((Res = (UCHAR*)RtlAllocateMemory(TRUE, PAGE_SIZE)) == NULL) 139 | return NULL; 140 | 141 | #endif 142 | 143 | return Res; 144 | } -------------------------------------------------------------------------------- /DriverShared/LocalHook/uninstall.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\uninstall.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | 29 | EASYHOOK_NT_EXPORT LhUninstallHook(TRACED_HOOK_HANDLE InHandle) 30 | { 31 | /* 32 | Description: 33 | 34 | Removes the given hook. To also release associated resources, 35 | you will have to call LhWaitForPendingRemovals(). In any case 36 | your hook handler will never be executed again, after calling this 37 | method. 38 | 39 | Parameters: 40 | 41 | - InHandle 42 | 43 | A traced hook handle. If the hook is already removed, this method 44 | will still return STATUS_SUCCESS. 45 | */ 46 | LOCAL_HOOK_INFO* Hook = NULL; 47 | LOCAL_HOOK_INFO* List; 48 | LOCAL_HOOK_INFO* Prev; 49 | NTSTATUS NtStatus; 50 | BOOLEAN IsAllocated = FALSE; 51 | 52 | if(!IsValidPointer(InHandle, sizeof(HOOK_TRACE_INFO))) 53 | return FALSE; 54 | 55 | RtlAcquireLock(&GlobalHookLock); 56 | { 57 | if((InHandle->Link != NULL) && LhIsValidHandle(InHandle, &Hook)) 58 | { 59 | InHandle->Link = NULL; 60 | 61 | if(Hook->HookProc != NULL) 62 | { 63 | Hook->HookProc = NULL; 64 | 65 | IsAllocated = TRUE; 66 | } 67 | } 68 | 69 | if(!IsAllocated) 70 | { 71 | RtlReleaseLock(&GlobalHookLock); 72 | 73 | RETURN; 74 | } 75 | 76 | // remove from global list 77 | List = GlobalHookListHead.Next; 78 | Prev = &GlobalHookListHead; 79 | 80 | while(List != NULL) 81 | { 82 | if(List == Hook) 83 | { 84 | Prev->Next = Hook->Next; 85 | 86 | break; 87 | } 88 | 89 | List = List->Next; 90 | } 91 | 92 | // add to removal list 93 | Hook->Next = GlobalRemovalListHead.Next; 94 | GlobalRemovalListHead.Next = Hook; 95 | } 96 | RtlReleaseLock(&GlobalHookLock); 97 | 98 | RETURN(STATUS_SUCCESS); 99 | 100 | //THROW_OUTRO: 101 | FINALLY_OUTRO: 102 | return NtStatus; 103 | } 104 | 105 | 106 | 107 | 108 | 109 | 110 | EASYHOOK_NT_EXPORT LhUninstallAllHooks() 111 | { 112 | /* 113 | Description: 114 | 115 | Will remove ALL hooks. To also release associated resources, 116 | you will have to call LhWaitForPendingRemovals(). 117 | */ 118 | LOCAL_HOOK_INFO* Hook; 119 | LOCAL_HOOK_INFO* List; 120 | NTSTATUS NtStatus; 121 | 122 | RtlAcquireLock(&GlobalHookLock); 123 | { 124 | // remove from global list 125 | List = GlobalHookListHead.Next; 126 | 127 | while(List != NULL) 128 | { 129 | Hook = List; 130 | List = List->Next; 131 | 132 | // remove tracking 133 | if(LhIsValidHandle(Hook->Tracking, NULL)) 134 | { 135 | Hook->Tracking->Link = NULL; 136 | } 137 | 138 | // add to removal list 139 | Hook->HookProc = NULL; 140 | Hook->Next = GlobalRemovalListHead.Next; 141 | 142 | GlobalRemovalListHead.Next = Hook; 143 | } 144 | 145 | GlobalHookListHead.Next = NULL; 146 | } 147 | RtlReleaseLock(&GlobalHookLock); 148 | 149 | RETURN(STATUS_SUCCESS); 150 | 151 | FINALLY_OUTRO: 152 | return NtStatus; 153 | } 154 | 155 | 156 | 157 | 158 | 159 | 160 | EASYHOOK_NT_EXPORT LhWaitForPendingRemovals() 161 | { 162 | /* 163 | Descriptions: 164 | 165 | For stability reasons, all resources associated with a hook 166 | have to be released if no thread is currently executing the 167 | handler. Separating this wait loop from the uninstallation 168 | method is a great performance gain, because you can release 169 | all hooks first, and then wait for all removals simultaneously. 170 | 171 | */ 172 | PLOCAL_HOOK_INFO Hook; 173 | NTSTATUS NtStatus = STATUS_SUCCESS; 174 | INT32 Timeout = 1000; 175 | #ifdef X64_DRIVER 176 | KIRQL CurrentIRQL = PASSIVE_LEVEL; 177 | #endif 178 | 179 | #pragma warning(disable: 4127) 180 | while(TRUE) 181 | #pragma warning(default: 4127) 182 | { 183 | // pop from removal list 184 | RtlAcquireLock(&GlobalHookLock); 185 | { 186 | Hook = GlobalRemovalListHead.Next; 187 | 188 | if(Hook == NULL) 189 | { 190 | RtlReleaseLock(&GlobalHookLock); 191 | 192 | break; 193 | } 194 | 195 | GlobalRemovalListHead.Next = Hook->Next; 196 | } 197 | RtlReleaseLock(&GlobalHookLock); 198 | 199 | // restore entry point... 200 | if(Hook->HookCopy == *((ULONGLONG*)Hook->TargetProc)) 201 | { 202 | #ifdef X64_DRIVER 203 | CurrentIRQL = KeGetCurrentIrql(); 204 | RtlWPOff(); 205 | #endif 206 | *((ULONGLONG*)Hook->TargetProc) = Hook->TargetBackup; 207 | #ifdef X64_DRIVER 208 | *((ULONGLONG*)(Hook->TargetProc + 8)) = Hook->TargetBackup_x64; 209 | RtlWPOn(CurrentIRQL); 210 | #endif 211 | 212 | #pragma warning(disable: 4127) 213 | while (TRUE) 214 | #pragma warning(default: 4127) 215 | { 216 | if (*Hook->IsExecutedPtr <= 0) 217 | { 218 | // release slot 219 | if (GlobalSlotList[Hook->HLSIndex] == Hook->HLSIdent) 220 | { 221 | GlobalSlotList[Hook->HLSIndex] = 0; 222 | } 223 | 224 | // release memory... 225 | LhFreeMemory(&Hook); 226 | break; 227 | } 228 | 229 | if (Timeout <= 0) 230 | { 231 | // this hook was not released within timeout or cannot be released. 232 | // We will leak the memory, but not hang forever. 233 | NtStatus = STATUS_TIMEOUT; 234 | break; 235 | } 236 | 237 | RtlSleep(25); 238 | Timeout -= 25; 239 | } 240 | } 241 | else 242 | { 243 | // hook was changed... no chance to release resources 244 | } 245 | } 246 | 247 | return NtStatus; 248 | } 249 | 250 | 251 | 252 | 253 | void LhCriticalFinalize() 254 | { 255 | /* 256 | Description: 257 | 258 | Will be called in the DLL_PROCESS_DETACH event and just uninstalls 259 | all hooks. If it is possible also their memory is released. 260 | */ 261 | LhUninstallAllHooks(); 262 | 263 | LhWaitForPendingRemovals(); 264 | 265 | RtlDeleteLock(&GlobalHookLock); 266 | } -------------------------------------------------------------------------------- /DriverShared/Rtl/error.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\error.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | static PWCHAR LastError = L""; 29 | static ULONG LastErrorCode = 0; 30 | 31 | EASYHOOK_NT_EXPORT RtlGetLastError() 32 | { 33 | return LastErrorCode; 34 | } 35 | 36 | PWCHAR RtlGetLastErrorString() 37 | { 38 | return LastError; 39 | } 40 | 41 | #ifndef DRIVER 42 | PWCHAR RtlGetLastErrorStringCopy() 43 | { 44 | // https://easyhook.codeplex.com/workitem/24958 45 | ULONG len = (ULONG)(wcslen(LastError)+1)*sizeof(TCHAR); 46 | PWCHAR pBuffer = (PWCHAR) CoTaskMemAlloc(len); 47 | CopyMemory(pBuffer, LastError, len); 48 | 49 | return pBuffer; 50 | } 51 | #endif 52 | 53 | WCHAR* RtlErrorCodeToString(LONG InCode) 54 | { 55 | switch(InCode) 56 | { 57 | case STATUS_SUCCESS: return L"STATUS_SUCCESS"; 58 | case STATUS_NOT_SUPPORTED: return L"STATUS_NOT_SUPPORTED"; 59 | case STATUS_INTERNAL_ERROR: return L"STATUS_INTERNAL_ERROR"; 60 | case STATUS_PROCEDURE_NOT_FOUND: return L"STATUS_PROCEDURE_NOT_FOUND"; 61 | case STATUS_NOINTERFACE: return L"STATUS_NOINTERFACE"; 62 | case STATUS_INFO_LENGTH_MISMATCH: return L"STATUS_INFO_LENGTH_MISMATCH"; 63 | case STATUS_BUFFER_TOO_SMALL: return L"STATUS_BUFFER_TOO_SMALL"; 64 | case STATUS_INVALID_PARAMETER: return L"STATUS_INVALID_PARAMETER"; 65 | case STATUS_INSUFFICIENT_RESOURCES: return L"STATUS_INSUFFICIENT_RESOURCES"; 66 | case STATUS_UNHANDLED_EXCEPTION: return L"STATUS_UNHANDLED_EXCEPTION"; 67 | case STATUS_NOT_FOUND: return L"STATUS_NOT_FOUND"; 68 | case STATUS_NOT_IMPLEMENTED: return L"STATUS_NOT_IMPLEMENTED"; 69 | case STATUS_ACCESS_DENIED: return L"STATUS_ACCESS_DENIED"; 70 | case STATUS_ALREADY_REGISTERED: return L"STATUS_ALREADY_REGISTERED"; 71 | case STATUS_WOW_ASSERTION: return L"STATUS_WOW_ASSERTION"; 72 | case STATUS_BUFFER_OVERFLOW: return L"STATUS_BUFFER_OVERFLOW"; 73 | case STATUS_DLL_INIT_FAILED: return L"STATUS_DLL_INIT_FAILED"; 74 | case STATUS_INVALID_PARAMETER_1: return L"STATUS_INVALID_PARAMETER_1"; 75 | case STATUS_INVALID_PARAMETER_2: return L"STATUS_INVALID_PARAMETER_2"; 76 | case STATUS_INVALID_PARAMETER_3: return L"STATUS_INVALID_PARAMETER_3"; 77 | case STATUS_INVALID_PARAMETER_4: return L"STATUS_INVALID_PARAMETER_4"; 78 | case STATUS_INVALID_PARAMETER_5: return L"STATUS_INVALID_PARAMETER_5"; 79 | case STATUS_INVALID_PARAMETER_6: return L"STATUS_INVALID_PARAMETER_6"; 80 | case STATUS_INVALID_PARAMETER_7: return L"STATUS_INVALID_PARAMETER_7"; 81 | case STATUS_INVALID_PARAMETER_8: return L"STATUS_INVALID_PARAMETER_8"; 82 | default: return L"UNKNOWN"; 83 | } 84 | } 85 | 86 | void RtlSetLastError(LONG InCode, NTSTATUS InNtStatus, WCHAR* InMessage) 87 | { 88 | LastErrorCode = InCode; 89 | 90 | if(InMessage == NULL) 91 | LastError = L""; 92 | else 93 | { 94 | #if _DEBUG 95 | // output to debugger 96 | if (lstrlenW(InMessage) > 0) 97 | { 98 | WCHAR msg[1024] = { 0 }; 99 | LPVOID lpMsgBuf; 100 | 101 | if (InNtStatus == STATUS_SUCCESS) 102 | { 103 | FormatMessage( 104 | FORMAT_MESSAGE_ALLOCATE_BUFFER | 105 | FORMAT_MESSAGE_FROM_SYSTEM | 106 | FORMAT_MESSAGE_IGNORE_INSERTS, 107 | NULL, 108 | InCode, 109 | MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), 110 | (LPTSTR) &lpMsgBuf, 111 | 0, NULL ); 112 | _snwprintf_s(msg, 1024, _TRUNCATE, L"%s (%s)", InMessage, lpMsgBuf); 113 | } 114 | else 115 | { 116 | _snwprintf_s(msg, 1024, _TRUNCATE, L"%s (%s)", InMessage, RtlErrorCodeToString(InNtStatus)); 117 | } 118 | DEBUGMSG(msg); 119 | 120 | LocalFree(lpMsgBuf); 121 | } 122 | #endif 123 | LastError = (PWCHAR)InMessage; 124 | } 125 | } 126 | 127 | #ifndef DRIVER 128 | void RtlAssert(BOOL InAssert,LPCWSTR lpMessageText) 129 | { 130 | if(InAssert) 131 | return; 132 | 133 | #ifdef _DEBUG 134 | DebugBreak(); 135 | #endif 136 | 137 | FatalAppExitW(0, lpMessageText); 138 | 139 | } 140 | #endif -------------------------------------------------------------------------------- /DriverShared/Rtl/string.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\string.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | ULONG RtlAnsiLength(CHAR* InString) 29 | { 30 | ULONG Length = 0; 31 | 32 | while(*InString != 0) 33 | { 34 | Length++; 35 | InString++; 36 | } 37 | 38 | return Length; 39 | } 40 | 41 | ULONG RtlUnicodeLength(WCHAR* InString) 42 | { 43 | ULONG Length = 0; 44 | 45 | while(*InString != 0) 46 | { 47 | Length++; 48 | InString++; 49 | } 50 | 51 | return Length; 52 | } 53 | 54 | LONG RtlAnsiIndexOf( 55 | CHAR* InString, 56 | CHAR InChar) 57 | { 58 | ULONG Index = 0; 59 | 60 | while(*InString != 0) 61 | { 62 | if(*InString == InChar) 63 | return Index; 64 | 65 | Index++; 66 | InString++; 67 | } 68 | 69 | return -1; 70 | } 71 | 72 | LONG RtlAnsiSubString( 73 | CHAR* InString, 74 | ULONG InOffset, 75 | ULONG InCount, 76 | CHAR* InTarget, 77 | ULONG InTargetMaxLen) 78 | { 79 | ULONG Index = 0; 80 | ULONG Result = 0; 81 | 82 | while(*InString != 0) 83 | { 84 | if(Index >= InOffset + InCount) 85 | { 86 | *InTarget = 0; 87 | 88 | return Result; 89 | } 90 | 91 | if(Index >= InOffset) 92 | { 93 | Result++; 94 | 95 | if(InTargetMaxLen < Result) 96 | return -1; 97 | 98 | *InTarget = *InString; 99 | 100 | InTarget++; 101 | } 102 | 103 | Index++; 104 | InString++; 105 | } 106 | 107 | return -1; 108 | } 109 | 110 | 111 | LONGLONG RtlAnsiHexToLongLong(const CHAR *s, int len) 112 | { 113 | // Almost equivalent behaviour to strtol (but long long and doesn't support signed hex) 114 | int c; 115 | LONGLONG rc = 0; 116 | const char *start = s; 117 | if ('0' == s[0] && ('x' == s[1] || 'X' == s[1])) 118 | s += 2; 119 | for (rc = 0; (s - start < len && '\0' != (c = *s)); s++) { 120 | if (c >= 'a' && c <= 'f') { 121 | c = c - 'a' + 10; 122 | } 123 | else if (c >= 'A' && c <= 'F') { 124 | c = c - 'A' + 10; 125 | } 126 | else if (c >= '0' && c <= '9') { 127 | c = c - '0'; 128 | } 129 | else { 130 | //errno = EINVAL; 131 | return 0; 132 | } 133 | #ifndef LLONG_MAX 134 | #define LLONG_MAX 9223372036854775807i64 135 | #endif 136 | if (rc > (LLONG_MAX / 16)) { 137 | //errno = ERANGE; 138 | return LLONG_MAX; 139 | } 140 | rc *= 16; 141 | rc += (LONGLONG)c; 142 | } 143 | return rc; 144 | } 145 | 146 | BOOL RtlAnsiDbgHexToLongLong( 147 | CHAR* InHexString, 148 | ULONG InMinStrLen, 149 | LONGLONG* OutValue) 150 | { 151 | ULONG Index = 0; 152 | CHAR c; 153 | LONGLONG Result = 0; 154 | LONGLONG Tmp; 155 | 156 | while((c = *InHexString) != 0) 157 | { 158 | if((c >= '0') && (c <= '9')) 159 | Tmp = c - '0'; 160 | else if ((c >= 'a') && (c <= 'f')) 161 | Tmp = c - 'a' + 10; 162 | else if ((c >= 'A') && (c <= 'F')) 163 | Tmp = c - 'A' + 10; 164 | else 165 | return FALSE; 166 | 167 | if(Index >= 16) 168 | return FALSE; 169 | 170 | Result += Tmp << (60 - (Index * 4)); 171 | 172 | Index++; 173 | InHexString++; 174 | } 175 | 176 | if(Index < InMinStrLen) 177 | return FALSE; 178 | 179 | *OutValue = Result; 180 | 181 | return TRUE; 182 | } 183 | 184 | void RtlLongLongToUnicodeHex(LONGLONG InValue, WCHAR* InBuffer) 185 | { 186 | ULONG Index; 187 | ULONG iChar; 188 | WCHAR c; 189 | 190 | for(Index = 0, iChar = 0; Index < 64; Index += 4, iChar++) 191 | { 192 | #ifdef _M_X64 193 | c = ((LONGLONG)InValue >> Index) & 0x0F; 194 | #else 195 | if(Index < 32) 196 | c = (WCHAR)(((LONG)InValue >> Index) & 0x0F); 197 | else 198 | c = 0; 199 | #endif 200 | 201 | if(c < 10) 202 | c += '0'; 203 | else 204 | c += 'A' - 10; 205 | 206 | InBuffer[15 - iChar] = c; 207 | } 208 | 209 | InBuffer[16] = 0; 210 | } -------------------------------------------------------------------------------- /DriverShared/rtl.h: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\rtl.h) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #ifndef _EASYHOOK_RTL_ 27 | #define _EASYHOOK_RTL_ 28 | 29 | #ifdef __cplusplus 30 | extern "C"{ 31 | #endif 32 | 33 | #include "stdafx.h" 34 | 35 | #if _DEBUG 36 | #define DEBUGMSG(message) { WCHAR debugMsg[1024] = { 0 }; _snwprintf_s(debugMsg, 1024, _TRUNCATE, L"%s\n", message); OutputDebugStringW(debugMsg); } 37 | #else 38 | #define DEBUGMSG(message) { } 39 | #endif 40 | 41 | #ifndef DRIVER 42 | #define ASSERT(expr, Msg) RtlAssert((BOOL)(expr),(LPCWSTR) Msg); 43 | #define THROW(code, Msg) { NtStatus = (code); RtlSetLastError(GetLastError(), NtStatus, Msg); goto THROW_OUTRO; } 44 | #else 45 | #pragma warning(disable: 4005) 46 | #define ASSERT( exp, Msg ) ((!(exp)) ? (RtlAssert(#exp, __FILE__, __LINE__, NULL), FALSE) : TRUE) 47 | #pragma warning(default: 4005) 48 | #define THROW(code, Msg) { NtStatus = (code); RtlSetLastError(NtStatus, NtStatus, Msg); goto THROW_OUTRO; } 49 | #endif 50 | 51 | #define RETURN { RtlSetLastError(STATUS_SUCCESS, STATUS_SUCCESS, L""); NtStatus = STATUS_SUCCESS; goto FINALLY_OUTRO; } 52 | #define FORCE(expr) { if(!RTL_SUCCESS(NtStatus = (expr))) goto THROW_OUTRO; } 53 | #define IsValidPointer RtlIsValidPointer 54 | 55 | #ifdef DRIVER 56 | 57 | typedef struct _RTL_SPIN_LOCK_ 58 | { 59 | KSPIN_LOCK Lock; 60 | KIRQL OldIrql; 61 | }RTL_SPIN_LOCK; 62 | 63 | #else 64 | 65 | typedef struct _RTL_SPIN_LOCK_ 66 | { 67 | CRITICAL_SECTION Lock; 68 | BOOL IsOwned; 69 | }RTL_SPIN_LOCK; 70 | 71 | #endif 72 | 73 | void RtlInitializeLock(RTL_SPIN_LOCK* InLock); 74 | 75 | void RtlAcquireLock(RTL_SPIN_LOCK* InLock); 76 | 77 | void RtlReleaseLock(RTL_SPIN_LOCK* InLock); 78 | 79 | void RtlDeleteLock(RTL_SPIN_LOCK* InLock); 80 | 81 | void RtlSleep(ULONG InTimeout); 82 | 83 | void* RtlAllocateMemory( 84 | BOOL InZeroMemory, 85 | ULONG InSize); 86 | 87 | void RtlFreeMemory(void* InPointer); 88 | 89 | #undef RtlCopyMemory 90 | void RtlCopyMemory( 91 | PVOID InDest, 92 | PVOID InSource, 93 | ULONG InByteCount); 94 | 95 | #undef RtlMoveMemory 96 | BOOL RtlMoveMemory( 97 | PVOID InDest, 98 | PVOID InSource, 99 | ULONG InByteCount); 100 | 101 | #undef RtlZeroMemory 102 | void RtlZeroMemory( 103 | PVOID InTarget, 104 | ULONG InByteCount); 105 | 106 | LONG RtlProtectMemory( 107 | void* InPointer, 108 | ULONG InSize, 109 | ULONG InNewProtection); 110 | 111 | #ifndef DRIVER 112 | void RtlAssert(BOOL InAssert,LPCWSTR lpMessageText); 113 | #endif 114 | 115 | void RtlSetLastError( 116 | LONG InCode, 117 | LONG InNtStatus, 118 | WCHAR* InMessage); 119 | 120 | LONGLONG RtlAnsiHexToLongLong( 121 | const CHAR *s, 122 | int len); 123 | 124 | BOOL RtlAnsiDbgHexToLongLong( 125 | CHAR* InHexString, 126 | ULONG InMinStrLen, 127 | LONGLONG* OutValue); 128 | 129 | LONG RtlAnsiSubString( 130 | CHAR* InString, 131 | ULONG InOffset, 132 | ULONG InCount, 133 | CHAR* InTarget, 134 | ULONG InTargetMaxLen); 135 | 136 | LONG RtlAnsiIndexOf( 137 | CHAR* InString, 138 | CHAR InChar); 139 | 140 | ULONG RtlAnsiLength(CHAR* InString); 141 | 142 | ULONG RtlUnicodeLength(WCHAR* InString); 143 | 144 | void RtlLongLongToUnicodeHex(LONGLONG InValue, WCHAR* InBuffer); 145 | 146 | BOOL RtlIsValidPointer(PVOID InPtr, ULONG InSize); 147 | 148 | #if X64_DRIVER 149 | // Write Protection Off 150 | KIRQL RtlWPOff(); 151 | //Write Protection On 152 | void RtlWPOn(KIRQL irql); 153 | 154 | #endif 155 | 156 | #ifdef __cplusplus 157 | } 158 | #endif 159 | 160 | #endif -------------------------------------------------------------------------------- /EasyHook.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 11 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EasyHookLib", "EasyHookDll\EasyHookLib.vcxproj", "{201F9007-06E4-46AC-8916-58AD8D9E879A}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EasyHookLib64", "EasyHookDll\EasyHookLib64.vcxproj", "{F4A40955-0F82-4E36-90DB-32B086FBD4F3}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExampleDll", "ExampleDll\ExampleDll.vcxproj", "{71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}" 9 | ProjectSection(ProjectDependencies) = postProject 10 | {201F9007-06E4-46AC-8916-58AD8D9E879A} = {201F9007-06E4-46AC-8916-58AD8D9E879A} 11 | EndProjectSection 12 | EndProject 13 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExampleDll64", "ExampleDll\ExampleDll64.vcxproj", "{29EB511B-E76E-4720-B332-C41C0D59D6AE}" 14 | ProjectSection(ProjectDependencies) = postProject 15 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3} = {F4A40955-0F82-4E36-90DB-32B086FBD4F3} 16 | EndProjectSection 17 | EndProject 18 | Global 19 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 20 | Debug|Mixed Platforms = Debug|Mixed Platforms 21 | Debug|Win32 = Debug|Win32 22 | Debug|x64 = Debug|x64 23 | Release|Mixed Platforms = Release|Mixed Platforms 24 | Release|Win32 = Release|Win32 25 | Release|x64 = Release|x64 26 | EndGlobalSection 27 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 28 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32 29 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Debug|Mixed Platforms.Build.0 = Debug|Win32 30 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Debug|Win32.ActiveCfg = Debug|Win32 31 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Debug|Win32.Build.0 = Debug|Win32 32 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Debug|x64.ActiveCfg = Debug|Win32 33 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Release|Mixed Platforms.ActiveCfg = Release|Win32 34 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Release|Mixed Platforms.Build.0 = Release|Win32 35 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Release|Win32.ActiveCfg = Release|Win32 36 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Release|Win32.Build.0 = Release|Win32 37 | {201F9007-06E4-46AC-8916-58AD8D9E879A}.Release|x64.ActiveCfg = Release|Win32 38 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Debug|Mixed Platforms.ActiveCfg = Debug|x64 39 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Debug|Mixed Platforms.Build.0 = Debug|x64 40 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Debug|Win32.ActiveCfg = Debug|x64 41 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Debug|x64.ActiveCfg = Debug|x64 42 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Debug|x64.Build.0 = Debug|x64 43 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Release|Mixed Platforms.ActiveCfg = Release|x64 44 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Release|Mixed Platforms.Build.0 = Release|x64 45 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Release|Win32.ActiveCfg = Release|x64 46 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Release|x64.ActiveCfg = Release|x64 47 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3}.Release|x64.Build.0 = Release|x64 48 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32 49 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Debug|Mixed Platforms.Build.0 = Debug|Win32 50 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Debug|Win32.ActiveCfg = Debug|Win32 51 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Debug|Win32.Build.0 = Debug|Win32 52 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Debug|x64.ActiveCfg = Debug|Win32 53 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Release|Mixed Platforms.ActiveCfg = Release|Win32 54 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Release|Mixed Platforms.Build.0 = Release|Win32 55 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Release|Win32.ActiveCfg = Release|Win32 56 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Release|Win32.Build.0 = Release|Win32 57 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E}.Release|x64.ActiveCfg = Release|Win32 58 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Debug|Mixed Platforms.ActiveCfg = Debug|x64 59 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Debug|Mixed Platforms.Build.0 = Debug|x64 60 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Debug|Win32.ActiveCfg = Debug|x64 61 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Debug|x64.ActiveCfg = Debug|x64 62 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Debug|x64.Build.0 = Debug|x64 63 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Release|Mixed Platforms.ActiveCfg = Release|x64 64 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Release|Mixed Platforms.Build.0 = Release|x64 65 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Release|Win32.ActiveCfg = Release|x64 66 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Release|x64.ActiveCfg = Release|x64 67 | {29EB511B-E76E-4720-B332-C41C0D59D6AE}.Release|x64.Build.0 = Release|x64 68 | EndGlobalSection 69 | GlobalSection(SolutionProperties) = preSolution 70 | HideSolutionNode = FALSE 71 | EndGlobalSection 72 | EndGlobal 73 | -------------------------------------------------------------------------------- /EasyHookDll/AUX_ULIB.H: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) 2004 Microsoft Corporation 4 | 5 | Module Name: 6 | 7 | aux_ulib.h 8 | 9 | Abstract: 10 | 11 | User mode shim to access system functionality that is not properly exposed 12 | to applications in currently shipping operating systems. 13 | 14 | --*/ 15 | 16 | #ifndef _AUX_SHLD_LIB_H 17 | #define _AUX_SHLD_LIB_H 18 | 19 | #include 20 | 21 | #ifdef __cplusplus 22 | extern "C" { 23 | #endif 24 | 25 | /*++ 26 | 27 | Routine Description: 28 | 29 | This routine must be successfully called by an application before any 30 | other routine in the library may be called. It serves to initialize any global 31 | state that may be required by other routines in the file. 32 | 33 | It is safe to call this routine in a multi-threaded environment. 34 | 35 | Arguments: 36 | 37 | None. 38 | 39 | Return Value: 40 | 41 | Boolean status. Error code available via GetLastError (). 42 | 43 | --*/ 44 | 45 | BOOL 46 | WINAPI 47 | AuxUlibInitialize ( 48 | VOID 49 | ); 50 | 51 | /*++ 52 | 53 | Routine Description: 54 | 55 | This routine is used to set the current file system cache working set size. It 56 | requires that the caller has enabled the SE_INCREASE_QUOTA_PRIVILEGE 57 | in the currently active token prior to invoking this routine. 58 | 59 | This API is supported on Windows 2000 and later. 60 | 61 | Arguments: 62 | 63 | MinimumFileCacheSize - The minimum file cache size. Use (SIZE_T)-1 if 64 | the file cache is being flushed. 65 | 66 | MaximumFileCacheSize - The maximum file cache size. Use (SIZE_T)-1 67 | if the file cache is being flushed. 68 | 69 | Flags - Flags relevant to the file cache size adjustment. Currently this must 70 | be zero. 71 | 72 | Return Value: 73 | 74 | Boolean status. Error code available via GetLastError (). If the routine is 75 | invoked prior to invoking the initialization routine, the returned error code 76 | will be ERROR_INVALID_FUNCTION. 77 | 78 | --*/ 79 | 80 | BOOL 81 | WINAPI 82 | AuxUlibSetSystemFileCacheSize ( 83 | IN SIZE_T MinimumFileCacheSize, 84 | IN SIZE_T MaximumFileCacheSize, 85 | IN DWORD Flags 86 | ); 87 | 88 | /*++ 89 | 90 | Routine Description: 91 | 92 | This routine is used to determine whether or not the caller is executing 93 | code while holding a system synchronization primitive. Such a situation 94 | can arise when the OS temporarily calls into user-specified code as part 95 | of the DLL load procedure. 96 | 97 | A caller can benefit from this information by avoiding operations that 98 | could potentially lead to deadlocks, e.g., acquiring a process private lock. 99 | 100 | For example, consider the following case: 101 | 102 | Thread A runs the THREAD_ATTACH routine for DLL X. This routine 103 | is invoked with OS DLL synchronization held. Suppose further that 104 | as part of this routine Thread A acquires some lock in DLL X (Lx). 105 | 106 | Thread B runs some code in DLL X that, while holding Lx, calls the OS 107 | library loader to, e.g. GetModuleHandle. As this routine acquires 108 | OS DLL synchronization, Thread B will deadlock with Thread A. 109 | 110 | This is an inherent limitation in the design of the OS loader as it 111 | performs such callouts as THREAD_ATTACH while holding loader 112 | synchronization. It can be partially ameliorated if Thread A detects 113 | that it is running with DLL synchronization held and only try-acquires 114 | other locks (such as Lx) that it may wish to take 115 | 116 | Arguments: 117 | 118 | SynchronizationHeld - Boolean value which indicates whether or not 119 | synchronization is held. 120 | 121 | Return Value: 122 | 123 | Boolean status. Error code available via GetLastError (). If the routine is 124 | invoked prior to invoking the initialization routine, the returned error code 125 | will be ERROR_INVALID_FUNCTION. 126 | 127 | --*/ 128 | 129 | BOOL WINAPI 130 | AuxUlibIsDLLSynchronizationHeld ( 131 | OUT PBOOL SynchronizationHeld 132 | ); 133 | 134 | #ifdef __cplusplus 135 | } 136 | #endif 137 | 138 | #endif // _AUX_SHLD_LIB_H 139 | -------------------------------------------------------------------------------- /EasyHookDll/AUX_ULIB_x64.LIB: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/EasyHookDll/AUX_ULIB_x64.LIB -------------------------------------------------------------------------------- /EasyHookDll/AUX_ULIB_x86.LIB: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/EasyHookDll/AUX_ULIB_x86.LIB -------------------------------------------------------------------------------- /EasyHookDll/EasyHookDll_32.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/EasyHookDll/EasyHookDll_32.rc -------------------------------------------------------------------------------- /EasyHookDll/EasyHookDll_64.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/EasyHookDll/EasyHookDll_64.rc -------------------------------------------------------------------------------- /EasyHookDll/EasyHookLib.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {4d8bb9fe-c7e3-4cc2-84ef-ab8b1c9d0970} 10 | 11 | 12 | {65c22cf5-9858-4c09-ac39-fb89d842a8b8} 13 | 14 | 15 | {3d9fb4f5-3790-477e-806c-df9274b632bc} 16 | 17 | 18 | {e3faa4ac-0a1d-498f-a58d-b79c297e9e46} 19 | 20 | 21 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 22 | h;hpp;hxx;hm;inl;inc;xsd 23 | 24 | 25 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 26 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav 27 | 28 | 29 | {1b060902-90d6-413b-a8c1-5e85422deca9} 30 | 31 | 32 | 33 | 34 | {4855d8cb-8b9c-4c0c-8145-d171085cbb12} 35 | 36 | 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files\LocalHook 43 | 44 | 45 | Source Files\LocalHook 46 | 47 | 48 | Source Files\LocalHook 49 | 50 | 51 | Source Files\LocalHook 52 | 53 | 54 | Source Files\LocalHook 55 | 56 | 57 | Source Files\LocalHook 58 | 59 | 60 | Source Files\LocalHook 61 | 62 | 63 | Source Files\LocalHook 64 | 65 | 66 | Source Files\RemoteHook 67 | 68 | 69 | Source Files\RemoteHook 70 | 71 | 72 | Source Files\RemoteHook 73 | 74 | 75 | Source Files\RemoteHook 76 | 77 | 78 | Source Files\RemoteHook 79 | 80 | 81 | Source Files\RemoteHook 82 | 83 | 84 | Source Files\Rtl 85 | 86 | 87 | Source Files\Rtl 88 | 89 | 90 | Source Files\Rtl 91 | 92 | 93 | Source Files\Rtl 94 | 95 | 96 | Source Files\Disassembler 97 | 98 | 99 | Source Files\Disassembler\libudis86 100 | 101 | 102 | Source Files\Disassembler\libudis86 103 | 104 | 105 | Source Files\Disassembler\libudis86 106 | 107 | 108 | Source Files\Disassembler\libudis86 109 | 110 | 111 | Source Files\Disassembler\libudis86 112 | 113 | 114 | 115 | 116 | Header Files 117 | 118 | 119 | Header Files 120 | 121 | 122 | Header Files 123 | 124 | 125 | Header Files 126 | 127 | 128 | Header Files 129 | 130 | 131 | Header Files 132 | 133 | 134 | Header Files 135 | 136 | 137 | Header Files 138 | 139 | 140 | Header Files 141 | 142 | 143 | Header Files 144 | 145 | 146 | Header Files 147 | 148 | 149 | Header Files 150 | 151 | 152 | 153 | 154 | Source Files\ASM 155 | 156 | 157 | Source Files\ASM 158 | 159 | 160 | 161 | 162 | Resource Files 163 | 164 | 165 | -------------------------------------------------------------------------------- /EasyHookDll/EasyHookLib64.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | {F4A40955-0F82-4E36-90DB-32B086FBD4F3} 15 | EasyHookDll 16 | Win32Proj 17 | 8.1 18 | 19 | 20 | 21 | StaticLibrary 22 | Unicode 23 | true 24 | v100 25 | 26 | 27 | StaticLibrary 28 | Static 29 | Unicode 30 | v100 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | <_ProjectFileVersion>10.0.40219.1 45 | $(SolutionDir)$(PlatformName)\$(Configuration)\ 46 | $(PlatformName)\$(Configuration)\$(ProjectName)\ 47 | true 48 | 49 | $(SolutionDir)$(PlatformName)\$(Configuration)\ 50 | $(PlatformName)\$(Configuration)\$(ProjectName)\ 51 | false 52 | AllRules.ruleset 53 | 54 | 55 | AllRules.ruleset 56 | 57 | 58 | $(ProjectName) 59 | $(ProjectName) 60 | 61 | 62 | 63 | X64 64 | 65 | 66 | Disabled 67 | $(SolutionDir)\DriverShared;$(SolutionDir);$(SolutionDir)\Public;$(ProjectDir);%(AdditionalIncludeDirectories) 68 | WIN32;_DEBUG;_WINDOWS;_USRDLL;EASYHOOK_LIB;%(PreprocessorDefinitions) 69 | true 70 | true 71 | EnableFastChecks 72 | true 73 | MultiThreadedDebug 74 | NotUsing 75 | Level4 76 | ProgramDatabase 77 | StdCall 78 | %(ForcedIncludeFiles) 79 | Async 80 | 81 | 82 | Aux_ulib_x64.lib;psapi.lib;%(AdditionalDependencies) 83 | $(TargetPath) 84 | true 85 | Windows 86 | MachineX64 87 | 88 | 89 | 90 | 91 | 92 | 93 | false 94 | 95 | 96 | /MACHINE:X64 %(AdditionalOptions) 97 | 98 | 99 | 100 | 101 | X64 102 | 103 | 104 | Full 105 | true 106 | Speed 107 | $(SolutionDir)\DriverShared;$(SolutionDir);$(SolutionDir)\Public;$(ProjectDir);%(AdditionalIncludeDirectories) 108 | WIN32;_WINDOWS;_USRDLL;EASYHOOK_LIB;%(PreprocessorDefinitions) 109 | true 110 | 111 | 112 | MultiThreaded 113 | false 114 | NotUsing 115 | Level4 116 | ProgramDatabase 117 | StdCall 118 | CompileAsCpp 119 | %(ForcedIncludeFiles) 120 | Async 121 | 122 | 123 | Aux_ulib_x64.lib;psapi.lib;%(AdditionalDependencies) 124 | $(TargetPath) 125 | true 126 | Windows 127 | true 128 | true 129 | MachineX64 130 | 131 | 132 | 133 | 134 | 135 | 136 | false 137 | false 138 | 139 | 140 | /MACHINE:X64 %(AdditionalOptions) 141 | 142 | 143 | 144 | 145 | CompileAsC 146 | CompileAsC 147 | 148 | 149 | CompileAsC 150 | CompileAsC 151 | 152 | 153 | CompileAsC 154 | CompileAsC 155 | 156 | 157 | CompileAsC 158 | CompileAsC 159 | 160 | 161 | CompileAsC 162 | CompileAsC 163 | 164 | 165 | CompileAsC 166 | CompileAsC 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | cd "$(IntDir)" 191 | ml64.exe /D_WIN32 /c /Cx "%(FullPath)" 192 | 193 | $(IntDir)%(Filename).obj;%(Outputs) 194 | cd "$(IntDir)" 195 | ml64.exe /D_WIN32 /c /Cx "%(FullPath)" 196 | 197 | $(IntDir)%(Filename).obj;%(Outputs) 198 | 199 | 200 | true 201 | cd "$(IntDir)" 202 | ml.exe /D_WIN32 /c /Cx "%(FullPath)" 203 | 204 | $(IntDir)%(Filename).obj;%(Outputs) 205 | true 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | -------------------------------------------------------------------------------- /EasyHookDll/EasyHookLib64.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {4d8bb9fe-c7e3-4cc2-84ef-ab8b1c9d0970} 10 | 11 | 12 | {65c22cf5-9858-4c09-ac39-fb89d842a8b8} 13 | 14 | 15 | {3d9fb4f5-3790-477e-806c-df9274b632bc} 16 | 17 | 18 | {e3faa4ac-0a1d-498f-a58d-b79c297e9e46} 19 | 20 | 21 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 22 | h;hpp;hxx;hm;inl;inc;xsd 23 | 24 | 25 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 26 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav 27 | 28 | 29 | {1b060902-90d6-413b-a8c1-5e85422deca9} 30 | 31 | 32 | 33 | 34 | {4855d8cb-8b9c-4c0c-8145-d171085cbb12} 35 | 36 | 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files\LocalHook 43 | 44 | 45 | Source Files\LocalHook 46 | 47 | 48 | Source Files\LocalHook 49 | 50 | 51 | Source Files\LocalHook 52 | 53 | 54 | Source Files\LocalHook 55 | 56 | 57 | Source Files\LocalHook 58 | 59 | 60 | Source Files\LocalHook 61 | 62 | 63 | Source Files\LocalHook 64 | 65 | 66 | Source Files\RemoteHook 67 | 68 | 69 | Source Files\RemoteHook 70 | 71 | 72 | Source Files\RemoteHook 73 | 74 | 75 | Source Files\RemoteHook 76 | 77 | 78 | Source Files\RemoteHook 79 | 80 | 81 | Source Files\RemoteHook 82 | 83 | 84 | Source Files\Rtl 85 | 86 | 87 | Source Files\Rtl 88 | 89 | 90 | Source Files\Rtl 91 | 92 | 93 | Source Files\Rtl 94 | 95 | 96 | Source Files\Disassembler 97 | 98 | 99 | Source Files\Disassembler\libudis86 100 | 101 | 102 | Source Files\Disassembler\libudis86 103 | 104 | 105 | Source Files\Disassembler\libudis86 106 | 107 | 108 | Source Files\Disassembler\libudis86 109 | 110 | 111 | Source Files\Disassembler\libudis86 112 | 113 | 114 | 115 | 116 | Header Files 117 | 118 | 119 | Header Files 120 | 121 | 122 | Header Files 123 | 124 | 125 | Header Files 126 | 127 | 128 | Header Files 129 | 130 | 131 | Header Files 132 | 133 | 134 | Header Files 135 | 136 | 137 | Header Files 138 | 139 | 140 | Header Files 141 | 142 | 143 | Header Files 144 | 145 | 146 | Header Files 147 | 148 | 149 | Header Files 150 | 151 | 152 | 153 | 154 | Source Files\ASM 155 | 156 | 157 | Source Files\ASM 158 | 159 | 160 | 161 | 162 | Resource Files 163 | 164 | 165 | -------------------------------------------------------------------------------- /EasyHookDll/LocalHook/acl.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\acl.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | LONG LhSetACL( 29 | HOOK_ACL* InAcl, 30 | BOOL InIsExclusive, 31 | ULONG* InThreadIdList, 32 | ULONG InThreadCount) 33 | { 34 | /* 35 | Description: 36 | 37 | This method is used internally to provide a generic interface to 38 | either the global or local hook ACLs. 39 | 40 | Parameters: 41 | - InAcl 42 | NULL if you want to set the global ACL. 43 | Any LOCAL_HOOK_INFO::LocalACL to set the hook specific ACL. 44 | 45 | - InIsExclusive 46 | TRUE if all listed thread shall be excluded from interception, 47 | FALSE otherwise 48 | 49 | - InThreadIdList 50 | An array of thread IDs. If you specific zero for an entry in this array, 51 | it will be automatically replaced with the calling thread ID. 52 | 53 | - InThreadCount 54 | The count of entries listed in the thread ID list. This value must not exceed 55 | MAX_ACE_COUNT! 56 | */ 57 | 58 | ULONG Index; 59 | 60 | ASSERT(IsValidPointer(InAcl, sizeof(HOOK_ACL)),L"acl.c - IsValidPointer(InAcl, sizeof(HOOK_ACL))"); 61 | 62 | if(InThreadCount > MAX_ACE_COUNT) 63 | return STATUS_INVALID_PARAMETER_2; 64 | 65 | if(!IsValidPointer(InThreadIdList, InThreadCount * sizeof(ULONG))) 66 | return STATUS_INVALID_PARAMETER_1; 67 | 68 | for(Index = 0; Index < InThreadCount; Index++) 69 | { 70 | if(InThreadIdList[Index] == 0) 71 | InThreadIdList[Index] = GetCurrentThreadId(); 72 | } 73 | 74 | // set ACL... 75 | InAcl->IsExclusive = InIsExclusive; 76 | InAcl->Count = InThreadCount; 77 | 78 | RtlCopyMemory(InAcl->Entries, InThreadIdList, InThreadCount * sizeof(ULONG)); 79 | 80 | return STATUS_SUCCESS; 81 | } 82 | 83 | EASYHOOK_NT_EXPORT LhSetInclusiveACL( 84 | ULONG* InThreadIdList, 85 | ULONG InThreadCount, 86 | TRACED_HOOK_HANDLE InHandle) 87 | { 88 | /* 89 | Description: 90 | 91 | Sets an inclusive hook local ACL based on the given thread ID list. 92 | Only threads in this list will be intercepted by the hook. If the 93 | global ACL also is inclusive, then all threads stated there are 94 | intercepted too. 95 | 96 | Parameters: 97 | - InThreadIdList 98 | An array of thread IDs. If you specific zero for an entry in this array, 99 | it will be automatically replaced with the calling thread ID. 100 | 101 | - InThreadCount 102 | The count of entries listed in the thread ID list. This value must not exceed 103 | MAX_ACE_COUNT! 104 | 105 | - InHandle 106 | The hook handle whose local ACL is going to be set. 107 | */ 108 | PLOCAL_HOOK_INFO Handle; 109 | 110 | if(!LhIsValidHandle(InHandle, &Handle)) 111 | return STATUS_INVALID_PARAMETER_3; 112 | 113 | return LhSetACL(&Handle->LocalACL, FALSE, InThreadIdList, InThreadCount); 114 | } 115 | 116 | EASYHOOK_NT_EXPORT LhSetExclusiveACL( 117 | ULONG* InThreadIdList, 118 | ULONG InThreadCount, 119 | TRACED_HOOK_HANDLE InHandle) 120 | { 121 | /* 122 | Description: 123 | 124 | Sets an inclusive hook local ACL based on the given thread ID list. 125 | 126 | Parameters: 127 | - InThreadIdList 128 | An array of thread IDs. If you specific zero for an entry in this array, 129 | it will be automatically replaced with the calling thread ID. 130 | 131 | - InThreadCount 132 | The count of entries listed in the thread ID list. This value must not exceed 133 | MAX_ACE_COUNT! 134 | 135 | - InHandle 136 | The hook handle whose local ACL is going to be set. 137 | */ 138 | PLOCAL_HOOK_INFO Handle; 139 | 140 | if(!LhIsValidHandle(InHandle, &Handle)) 141 | return STATUS_INVALID_PARAMETER_3; 142 | 143 | return LhSetACL(&Handle->LocalACL, TRUE, InThreadIdList, InThreadCount); 144 | } 145 | 146 | EASYHOOK_NT_EXPORT LhSetGlobalInclusiveACL( 147 | ULONG* InThreadIdList, 148 | ULONG InThreadCount) 149 | { 150 | /* 151 | Description: 152 | 153 | Sets an inclusive global ACL based on the given thread ID list. 154 | 155 | Parameters: 156 | - InThreadIdList 157 | An array of thread IDs. If you specific zero for an entry in this array, 158 | it will be automatically replaced with the calling thread ID. 159 | 160 | - InThreadCount 161 | The count of entries listed in the thread ID list. This value must not exceed 162 | MAX_ACE_COUNT! 163 | */ 164 | return LhSetACL(LhBarrierGetAcl(), FALSE, InThreadIdList, InThreadCount); 165 | } 166 | 167 | EASYHOOK_NT_EXPORT LhSetGlobalExclusiveACL( 168 | ULONG* InThreadIdList, 169 | ULONG InThreadCount) 170 | { 171 | /* 172 | Description: 173 | 174 | Sets an exclusive global ACL based on the given thread ID list. 175 | 176 | Parameters: 177 | - InThreadIdList 178 | An array of thread IDs. If you specific zero for an entry in this array, 179 | it will be automatically replaced with the calling thread ID. 180 | 181 | - InThreadCount 182 | The count of entries listed in the thread ID list. This value must not exceed 183 | MAX_ACE_COUNT! 184 | */ 185 | return LhSetACL(LhBarrierGetAcl(), TRUE, InThreadIdList, InThreadCount); 186 | } -------------------------------------------------------------------------------- /EasyHookDll/RemoteHook/driver.cpp: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\driver.cpp) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | 29 | EASYHOOK_NT_EXPORT RhInstallDriver( 30 | WCHAR* InDriverPath, 31 | WCHAR* InDriverName) 32 | { 33 | /* 34 | Description: 35 | 36 | Installs the given driver. 37 | 38 | Parameters: 39 | 40 | - InDriverPath 41 | 42 | A relative or full path to the driver's executable 43 | 44 | - InDriverName 45 | 46 | A name to register the driver in the service control manager. 47 | 48 | */ 49 | WCHAR DriverPath[MAX_PATH + 1]; 50 | SC_HANDLE hSCManager = NULL; 51 | SC_HANDLE hService = NULL; 52 | NTSTATUS NtStatus; 53 | 54 | GetFullPathNameW(InDriverPath, MAX_PATH, DriverPath, NULL); 55 | 56 | if(!RtlFileExists(DriverPath)) 57 | THROW(STATUS_NOT_FOUND, L"The EasyHook driver file does not exist."); 58 | 59 | if((hSCManager = OpenSCManagerW( 60 | NULL, 61 | NULL, 62 | SC_MANAGER_ALL_ACCESS)) == NULL) 63 | THROW(STATUS_ACCESS_DENIED, L"Unable to open service control manager. Are you running as administrator?"); 64 | 65 | // does service exist? 66 | if((hService = OpenService( 67 | hSCManager, 68 | InDriverName, 69 | SERVICE_ALL_ACCESS)) == NULL) 70 | { 71 | if(GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST) 72 | THROW(STATUS_INTERNAL_ERROR, L"An unknown error has occurred during driver installation."); 73 | 74 | // Create the service 75 | if((hService = CreateServiceW( 76 | hSCManager, 77 | InDriverName, 78 | InDriverName, 79 | SERVICE_ALL_ACCESS, 80 | SERVICE_KERNEL_DRIVER, 81 | SERVICE_DEMAND_START, 82 | SERVICE_ERROR_NORMAL, 83 | DriverPath, 84 | NULL, NULL, NULL, NULL, NULL)) == NULL) 85 | THROW(STATUS_INTERNAL_ERROR, L"Unable to install driver."); 86 | } 87 | 88 | // start and connect service... 89 | if(!StartServiceW(hService, 0, NULL) && (GetLastError() != ERROR_SERVICE_ALREADY_RUNNING) 90 | && (GetLastError() != ERROR_SERVICE_DISABLED)) 91 | THROW(STATUS_INTERNAL_ERROR, L"Unable to start driver!"); 92 | 93 | RETURN; 94 | 95 | THROW_OUTRO: 96 | FINALLY_OUTRO: 97 | { 98 | if(hService != NULL) 99 | { 100 | DeleteService(hService); 101 | 102 | CloseServiceHandle(hService); 103 | } 104 | 105 | if(hSCManager != NULL) 106 | CloseServiceHandle(hSCManager); 107 | 108 | return NtStatus; 109 | } 110 | } 111 | 112 | EASYHOOK_NT_EXPORT RhInstallSupportDriver() 113 | { 114 | /* 115 | Description: 116 | 117 | Installs the EasyHook support driver. 118 | This will allow your driver to successfully obtain the EasyHook driver 119 | API using EasyHookQueryInterface(). 120 | 121 | */ 122 | WCHAR* DriverName = L"EasyHook32Drv.sys"; 123 | 124 | if(RhIsX64System()) 125 | DriverName = L"EasyHook64Drv.sys"; 126 | 127 | return RhInstallDriver(DriverName, DriverName); 128 | } 129 | -------------------------------------------------------------------------------- /EasyHookDll/RemoteHook/service.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\service.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | EASYHOOK_NT_EXPORT RtlInstallService( 29 | WCHAR* InServiceName, 30 | WCHAR* InExePath, 31 | WCHAR* InChannelName) 32 | { 33 | /* 34 | Description: 35 | 36 | This method is intended for the managed layer only. It will 37 | provide a convenient way to install a service which seems to 38 | be impossible with NET code in any efficient manner. 39 | 40 | Parameters: 41 | 42 | - InServiceName 43 | 44 | A unique service name under which the service shall be registered. 45 | In case of the EasyHook service, this value is expected to be exactly 46 | the filename without extension of the full "InExePath". 47 | 48 | - InExePath 49 | 50 | A relative or absolute path to the service EXE file. 51 | 52 | - InChannelName 53 | 54 | The channel name for the service to register its IPC channel. 55 | This should be randomly generated. 56 | 57 | Returns: 58 | 59 | STATUS_ALREADY_REGISTERED 60 | 61 | A service with this name is already registered. To prevent name collisions 62 | I recommend to rename the service to an unique name for your specific 63 | application. Please refer to the README file for more information. 64 | 65 | STATUS_ACCESS_DENIED 66 | 67 | You are not administrator?! 68 | */ 69 | SC_HANDLE hSCManager = NULL; 70 | SC_HANDLE hService = NULL; 71 | NTSTATUS NtStatus; 72 | LPCWSTR StartParams[1] = {InChannelName}; 73 | ULONG res; 74 | 75 | if((hSCManager = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS)) == NULL) 76 | THROW(STATUS_ACCESS_DENIED, L"Unable to open service control manager. Check for administrator privileges!"); 77 | 78 | /* 79 | Does service exist? 80 | Internally the service will always be removed automatically. 81 | So there shouldn't be any problems. Only if two or more concurrent 82 | applications are using EasyHook, this will lead to an error, because 83 | it is very hard to don't get them confused. 84 | */ 85 | if((hService = OpenService(hSCManager, InServiceName, SERVICE_ALL_ACCESS)) == NULL) 86 | { 87 | if(GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST) 88 | THROW(STATUS_INTERNAL_ERROR, L"Unable to open already registered service."); 89 | } 90 | else 91 | { 92 | DeleteService(hService); 93 | 94 | CloseServiceHandle(hService); 95 | 96 | hService = NULL; 97 | 98 | THROW(STATUS_ALREADY_REGISTERED, L"The service is already registered. Use the service control manager to remove it!"); 99 | } 100 | 101 | // install service 102 | if((hService = CreateServiceW( 103 | hSCManager, 104 | InServiceName, 105 | InServiceName, 106 | SERVICE_ALL_ACCESS, 107 | SERVICE_WIN32_OWN_PROCESS, 108 | SERVICE_DEMAND_START, 109 | SERVICE_ERROR_NORMAL, 110 | InExePath, 111 | NULL, NULL, NULL, NULL, NULL)) == NULL) 112 | THROW(STATUS_INTERNAL_ERROR, L"Unable to install service as system process."); 113 | 114 | // start service 115 | if(!StartServiceW(hService, 1, (LPCWSTR*)StartParams)) 116 | { 117 | res = GetLastError(); 118 | 119 | THROW(STATUS_INTERNAL_ERROR, L"Unable to start service."); 120 | } 121 | 122 | RETURN(STATUS_SUCCESS); 123 | 124 | THROW_OUTRO: 125 | FINALLY_OUTRO: 126 | { 127 | if(hService != NULL) 128 | { 129 | DeleteService(hService); 130 | 131 | CloseServiceHandle(hService); 132 | } 133 | 134 | if(hSCManager != NULL) 135 | CloseServiceHandle(hSCManager); 136 | 137 | return NtStatus; 138 | } 139 | } -------------------------------------------------------------------------------- /EasyHookDll/Rtl/file.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\file.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | BOOL RtlFileExists(WCHAR* InPath) 29 | { 30 | HANDLE hFile; 31 | 32 | if((hFile = CreateFileW(InPath, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)) == INVALID_HANDLE_VALUE) 33 | return FALSE; 34 | 35 | CloseHandle(hFile); 36 | 37 | return TRUE; 38 | } 39 | 40 | LONG RtlGetWorkingDirectory(WCHAR* OutPath, ULONG InMaxLength) 41 | { 42 | NTSTATUS NtStatus; 43 | LONG Index; 44 | 45 | Index = GetModuleFileName(NULL, OutPath, InMaxLength); 46 | 47 | if(GetLastError() == ERROR_INSUFFICIENT_BUFFER) 48 | THROW(STATUS_BUFFER_TOO_SMALL, L"The given buffer is too small."); 49 | 50 | // remove file name... 51 | for(Index--; Index >= 0; Index--) 52 | { 53 | if(OutPath[Index] == '\\') 54 | { 55 | OutPath[Index + 1] = 0; 56 | 57 | break; 58 | } 59 | } 60 | 61 | RETURN; 62 | 63 | THROW_OUTRO: 64 | FINALLY_OUTRO: 65 | return NtStatus; 66 | } 67 | 68 | LONG RtlGetCurrentModulePath(WCHAR* OutPath, ULONG InMaxLength) 69 | { 70 | NTSTATUS NtStatus; 71 | 72 | GetModuleFileName(hCurrentModule, OutPath, InMaxLength); 73 | 74 | if(GetLastError() == ERROR_INSUFFICIENT_BUFFER) 75 | THROW(STATUS_BUFFER_TOO_SMALL, L"The given buffer is too small."); 76 | 77 | RETURN; 78 | 79 | THROW_OUTRO: 80 | FINALLY_OUTRO: 81 | return NtStatus; 82 | } 83 | -------------------------------------------------------------------------------- /EasyHookDll/Rtl/memory.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\memory.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | void RtlInitializeLock(RTL_SPIN_LOCK* OutLock) 29 | { 30 | RtlZeroMemory(OutLock, sizeof(RTL_SPIN_LOCK)); 31 | 32 | InitializeCriticalSection(&OutLock->Lock); 33 | } 34 | 35 | void RtlAcquireLock(RTL_SPIN_LOCK* InLock) 36 | { 37 | EnterCriticalSection(&InLock->Lock); 38 | 39 | ASSERT(!InLock->IsOwned,L"memory.c - !InLock->IsOwned"); 40 | 41 | InLock->IsOwned = TRUE; 42 | } 43 | 44 | void RtlReleaseLock(RTL_SPIN_LOCK* InLock) 45 | { 46 | ASSERT(InLock->IsOwned,L"memory.c - InLock->IsOwned"); 47 | 48 | InLock->IsOwned = FALSE; 49 | 50 | LeaveCriticalSection(&InLock->Lock); 51 | } 52 | 53 | void RtlDeleteLock(RTL_SPIN_LOCK* InLock) 54 | { 55 | ASSERT(!InLock->IsOwned,L"memory.c - InLock->IsOwned"); 56 | 57 | DeleteCriticalSection(&InLock->Lock); 58 | } 59 | 60 | void RtlSleep(ULONG InTimeout) 61 | { 62 | Sleep(InTimeout); 63 | } 64 | 65 | 66 | void RtlCopyMemory( 67 | PVOID InDest, 68 | PVOID InSource, 69 | ULONG InByteCount) 70 | { 71 | ULONG Index; 72 | UCHAR* Dest = (UCHAR*)InDest; 73 | UCHAR* Src = (UCHAR*)InSource; 74 | 75 | for(Index = 0; Index < InByteCount; Index++) 76 | { 77 | *Dest = *Src; 78 | 79 | Dest++; 80 | Src++; 81 | } 82 | } 83 | 84 | BOOL RtlMoveMemory( 85 | PVOID InDest, 86 | PVOID InSource, 87 | ULONG InByteCount) 88 | { 89 | PVOID Buffer = RtlAllocateMemory(FALSE, InByteCount); 90 | 91 | if(Buffer == NULL) 92 | return FALSE; 93 | 94 | RtlCopyMemory(Buffer, InSource, InByteCount); 95 | RtlCopyMemory(InDest, Buffer, InByteCount); 96 | 97 | RtlFreeMemory(Buffer); 98 | return TRUE; 99 | } 100 | 101 | #ifndef _DEBUG 102 | #pragma optimize ("", off) // suppress _memset 103 | #endif 104 | void RtlZeroMemory( 105 | PVOID InTarget, 106 | ULONG InByteCount) 107 | { 108 | ULONG Index; 109 | UCHAR* Target = (UCHAR*)InTarget; 110 | 111 | for(Index = 0; Index < InByteCount; Index++) 112 | { 113 | *Target = 0; 114 | 115 | Target++; 116 | } 117 | } 118 | #ifndef _DEBUG 119 | #pragma optimize ("", on) 120 | #endif 121 | 122 | 123 | void* RtlAllocateMemory(BOOL InZeroMemory, ULONG InSize) 124 | { 125 | void* Result = 126 | #ifdef _DEBUG 127 | malloc(InSize); 128 | #else 129 | HeapAlloc(hEasyHookHeap, 0, InSize); 130 | #endif 131 | 132 | if(InZeroMemory && (Result != NULL)) 133 | RtlZeroMemory(Result, InSize); 134 | 135 | return Result; 136 | } 137 | 138 | LONG RtlProtectMemory(void* InPointer, ULONG InSize, ULONG InNewProtection) 139 | { 140 | DWORD OldProtect; 141 | NTSTATUS NtStatus; 142 | 143 | if(!VirtualProtect(InPointer, InSize, InNewProtection, &OldProtect)) 144 | THROW(STATUS_INVALID_PARAMETER, L"Unable to make memory executable.") 145 | else 146 | RETURN; 147 | 148 | THROW_OUTRO: 149 | FINALLY_OUTRO: 150 | return NtStatus; 151 | } 152 | 153 | void RtlFreeMemory(void* InPointer) 154 | { 155 | ASSERT(InPointer != NULL,L"InPointer != NULL"); 156 | 157 | #ifdef _DEBUG 158 | free(InPointer); 159 | #else 160 | HeapFree(hEasyHookHeap, 0, InPointer); 161 | #endif 162 | } 163 | 164 | LONG RtlInterlockedIncrement(LONG* RefValue) 165 | { 166 | return InterlockedIncrement(RefValue); 167 | } 168 | 169 | BOOL RtlIsValidPointer(PVOID InPtr, ULONG InSize) 170 | { 171 | if((InPtr == NULL) || (InPtr == (PVOID)~0)) 172 | return FALSE; 173 | 174 | ASSERT(!IsBadReadPtr(InPtr, InSize),L"memory.c - !IsBadReadPtr(InPtr, InSize)"); 175 | 176 | return TRUE; 177 | } -------------------------------------------------------------------------------- /EasyHookDll/dllmain.c: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\dllmain.c) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include "stdafx.h" 27 | 28 | HMODULE hNtDll = NULL; 29 | HMODULE hKernel32 = NULL; 30 | HMODULE hCurrentModule = NULL; 31 | DWORD RhTlsIndex; 32 | HANDLE hEasyHookHeap = NULL; 33 | 34 | EXTERN_C BOOL APIENTRY EasyHookDllMain(HMODULE hModule, 35 | DWORD ul_reason_for_call, 36 | LPVOID lpReserved 37 | ) 38 | { 39 | #ifdef _DEBUG 40 | int CurrentFlags; 41 | #endif 42 | 43 | switch (ul_reason_for_call) 44 | { 45 | case DLL_PROCESS_ATTACH: 46 | { 47 | hCurrentModule = hModule; 48 | 49 | #ifdef _DEBUG 50 | CurrentFlags = _CrtSetDbgFlag(_CRTDBG_REPORT_FLAG); 51 | CurrentFlags |= _CRTDBG_DELAY_FREE_MEM_DF; 52 | CurrentFlags |= _CRTDBG_LEAK_CHECK_DF; 53 | CurrentFlags |= _CRTDBG_CHECK_ALWAYS_DF; 54 | _CrtSetDbgFlag(CurrentFlags); 55 | #endif 56 | 57 | if(((hNtDll = LoadLibraryA("ntdll.dll")) == NULL) || 58 | ((hKernel32 = LoadLibraryA("kernel32.dll")) == NULL)) 59 | return FALSE; 60 | 61 | hEasyHookHeap = HeapCreate(0, 0, 0); 62 | 63 | DbgCriticalInitialize(); 64 | 65 | LhBarrierProcessAttach(); 66 | 67 | LhCriticalInitialize(); 68 | 69 | // allocate tls slot 70 | if((RhTlsIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) 71 | return FALSE; 72 | }break; 73 | case DLL_THREAD_ATTACH: 74 | { 75 | }break; 76 | case DLL_THREAD_DETACH: 77 | { 78 | LhBarrierThreadDetach(); 79 | }break; 80 | case DLL_PROCESS_DETACH: 81 | { 82 | // free tls slot 83 | TlsFree(RhTlsIndex); 84 | 85 | if (lpReserved != NULL) // if lpReserved != NULL then LhWaitForPendingRemovals COULD cause an endless loop 86 | break; 87 | 88 | // remove all hooks and shutdown thread barrier... 89 | LhCriticalFinalize(); 90 | 91 | LhModuleInfoFinalize(); 92 | 93 | LhBarrierProcessDetach(); 94 | 95 | DbgCriticalFinalize(); 96 | 97 | HeapDestroy(hEasyHookHeap); 98 | 99 | FreeLibrary(hNtDll); 100 | FreeLibrary(hKernel32); 101 | }break; 102 | } 103 | return TRUE; 104 | } 105 | 106 | -------------------------------------------------------------------------------- /EasyHookDll/gacutil.cpp: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\gacutil.cpp) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #include 27 | #include 28 | #include 29 | #include "stdafx.h" 30 | 31 | typedef HRESULT (__stdcall *CreateAsmCache)(IAssemblyCache **ppAsmCache, DWORD dwReserved); 32 | typedef HRESULT (__stdcall *LoadLibraryShim_PROC)(LPCWSTR szDllName, LPCWSTR szVersion, LPVOID pvReserved, HMODULE *phModDll); 33 | 34 | typedef struct _INTERNAL_CONTEXT_{ 35 | HMODULE hFusionDll; 36 | HMODULE hMsCorEE; 37 | CreateAsmCache CreateAssemblyCache; 38 | LoadLibraryShim_PROC LoadLibraryShim; 39 | CComPtr Cache; 40 | }INTERNAL_CONTEXT, *LPINTERNAL_CONTEXT; 41 | 42 | extern "C" __declspec(dllexport) void __stdcall GacReleaseContext(LPINTERNAL_CONTEXT* RefContext){ 43 | 44 | if(*RefContext == NULL) 45 | return; 46 | 47 | LPINTERNAL_CONTEXT Context = *RefContext; 48 | 49 | if(Context->hFusionDll != NULL) 50 | FreeLibrary(Context->hFusionDll); 51 | 52 | if(Context->hMsCorEE != NULL) 53 | FreeLibrary(Context->hMsCorEE); 54 | 55 | memset(Context, 0, sizeof(INTERNAL_CONTEXT)); 56 | 57 | RtlFreeMemory(Context); 58 | 59 | *RefContext = NULL; 60 | } 61 | 62 | extern "C" int __cdecl main(int argc, char** argw){ return 0; } 63 | 64 | extern "C" __declspec(dllexport) LPINTERNAL_CONTEXT __stdcall GacCreateContext(){ 65 | LPINTERNAL_CONTEXT Result = NULL; 66 | 67 | if((Result = (LPINTERNAL_CONTEXT)RtlAllocateMemory(TRUE, sizeof(INTERNAL_CONTEXT))) == NULL) 68 | return NULL; 69 | 70 | memset(Result, 0, sizeof(INTERNAL_CONTEXT)); 71 | 72 | if((Result->hMsCorEE = LoadLibrary(L"mscoree.dll")) == NULL) 73 | goto ERROR_ABORT; 74 | 75 | if((Result->LoadLibraryShim = (LoadLibraryShim_PROC)GetProcAddress(Result->hMsCorEE, "LoadLibraryShim")) == NULL) 76 | goto ERROR_ABORT; 77 | 78 | Result->LoadLibraryShim(L"fusion.dll", 0, 0, &Result->hFusionDll); 79 | 80 | if(Result->hFusionDll == NULL) 81 | goto ERROR_ABORT; 82 | 83 | if((Result->CreateAssemblyCache = (CreateAsmCache)GetProcAddress(Result->hFusionDll, "CreateAssemblyCache")) == NULL) 84 | goto ERROR_ABORT; 85 | 86 | if (!SUCCEEDED(Result->CreateAssemblyCache(&Result->Cache, 0))) 87 | goto ERROR_ABORT; 88 | 89 | return Result; 90 | 91 | ERROR_ABORT: 92 | 93 | GacReleaseContext(&Result); 94 | 95 | return NULL; 96 | } 97 | 98 | extern "C" __declspec(dllexport) BOOL __stdcall GacInstallAssembly( 99 | LPINTERNAL_CONTEXT InContext, 100 | WCHAR* InAssemblyPath, 101 | WCHAR* InDescription, 102 | WCHAR* InUniqueID){ 103 | 104 | FUSION_INSTALL_REFERENCE InstallInfo; 105 | 106 | // setup installation parameters 107 | memset(&InstallInfo, 0, sizeof(InstallInfo)); 108 | 109 | InstallInfo.cbSize = sizeof(InstallInfo); 110 | InstallInfo.dwFlags = 0; 111 | InstallInfo.guidScheme = FUSION_REFCOUNT_OPAQUE_STRING_GUID; 112 | InstallInfo.szIdentifier = InUniqueID; 113 | InstallInfo.szNonCannonicalData = InDescription; 114 | 115 | // install assembly with given parameters 116 | if(!SUCCEEDED(InContext->Cache->InstallAssembly(0, InAssemblyPath, &InstallInfo))) 117 | return FALSE; 118 | 119 | return TRUE; 120 | } 121 | 122 | extern "C" __declspec(dllexport) BOOL __stdcall GacUninstallAssembly( 123 | LPINTERNAL_CONTEXT InContext, 124 | WCHAR* InAssemblyName, 125 | WCHAR* InDescription, 126 | WCHAR* InUniqueID){ 127 | 128 | FUSION_INSTALL_REFERENCE InstallInfo; 129 | 130 | // setup uninstallation parameters 131 | memset(&InstallInfo, 0, sizeof(InstallInfo)); 132 | 133 | InstallInfo.cbSize = sizeof(InstallInfo); 134 | InstallInfo.dwFlags = 0; 135 | InstallInfo.guidScheme = FUSION_REFCOUNT_OPAQUE_STRING_GUID; 136 | InstallInfo.szIdentifier = InUniqueID; 137 | InstallInfo.szNonCannonicalData = InDescription; 138 | 139 | CComPtr Cache; 140 | 141 | if (!SUCCEEDED(InContext->CreateAssemblyCache(&Cache, 0))) 142 | return FALSE; 143 | 144 | // uninstall assembly with given parameters 145 | if(!SUCCEEDED(Cache->UninstallAssembly(0, InAssemblyName, &InstallInfo, NULL))) 146 | return FALSE; 147 | 148 | return TRUE; 149 | } -------------------------------------------------------------------------------- /EasyHookDll/ntstatus.h: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\ntstatus.h) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #ifndef _NTSTATUS_H_ 27 | #define _NTSTATUS_H_ 28 | 29 | #define STATUS_SUCCESS ((NTSTATUS)0x000000000) 30 | #define STATUS_NOT_SUPPORTED ((NTSTATUS)0xC00000BBL) 31 | #define STATUS_INTERNAL_ERROR ((NTSTATUS)0xC00000E5L) 32 | #define STATUS_PROCEDURE_NOT_FOUND ((NTSTATUS)0xC000007AL) 33 | #define STATUS_NOINTERFACE ((NTSTATUS)0xC00002B9L) 34 | #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) 35 | #define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L) 36 | #define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL) 37 | #define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL) 38 | #define STATUS_UNHANDLED_EXCEPTION ((NTSTATUS)0xC0000144L) 39 | #define STATUS_NOT_FOUND ((NTSTATUS)0xC0000225L) 40 | #define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L) 41 | #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) 42 | #define STATUS_ALREADY_REGISTERED ((NTSTATUS)0xC0000718L) 43 | #define STATUS_WOW_ASSERTION ((NTSTATUS)0xC0009898L) 44 | #define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L) 45 | #define STATUS_DLL_INIT_FAILED ((NTSTATUS)0xC0000142L) 46 | 47 | 48 | #define STATUS_INVALID_PARAMETER_1 ((NTSTATUS)0xC00000EFL) 49 | #define STATUS_INVALID_PARAMETER_1 ((NTSTATUS)0xC00000EFL) 50 | #define STATUS_INVALID_PARAMETER_2 ((NTSTATUS)0xC00000F0L) 51 | #define STATUS_INVALID_PARAMETER_3 ((NTSTATUS)0xC00000F1L) 52 | #define STATUS_INVALID_PARAMETER_4 ((NTSTATUS)0xC00000F2L) 53 | #define STATUS_INVALID_PARAMETER_5 ((NTSTATUS)0xC00000F3L) 54 | #define STATUS_INVALID_PARAMETER_6 ((NTSTATUS)0xC00000F4L) 55 | #define STATUS_INVALID_PARAMETER_7 ((NTSTATUS)0xC00000F5L) 56 | #define STATUS_INVALID_PARAMETER_8 ((NTSTATUS)0xC00000F6L) 57 | 58 | #endif -------------------------------------------------------------------------------- /EasyHookDll/resource.h: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\resource.h) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | //{{NO_DEPENDENCIES}} 27 | // Microsoft Visual C++ generated include file. 28 | // Used by EasyHookDll.rc 29 | 30 | // Next default values for new objects 31 | // 32 | #ifdef APSTUDIO_INVOKED 33 | #ifndef APSTUDIO_READONLY_SYMBOLS 34 | #define _APS_NEXT_RESOURCE_VALUE 101 35 | #define _APS_NEXT_COMMAND_VALUE 40001 36 | #define _APS_NEXT_CONTROL_VALUE 1001 37 | #define _APS_NEXT_SYMED_VALUE 101 38 | #endif 39 | #endif 40 | -------------------------------------------------------------------------------- /EasyHookDll/stdafx.h: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\stdafx.h) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #ifndef _STDAFX_H_ 27 | #define _STDAFX_H_ 28 | 29 | 30 | // support for Windows 2000 SP4 and later... 31 | __pragma(warning(push)) 32 | __pragma(warning(disable:4005)) 33 | #define NTDDI_VERSION NTDDI_WIN2KSP4 34 | #define _WIN32_WINNT 0x500 35 | #define _WIN32_IE_ _WIN32_IE_WIN2KSP4 36 | __pragma(warning(pop)) 37 | 38 | #pragma warning (disable:4100) // unreference formal parameter 39 | #pragma warning(disable:4201) // nameless struct/union 40 | #pragma warning(disable:4102) // unreferenced label 41 | #pragma warning(disable:4127) // conditional expression is constant 42 | 43 | 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | 53 | #pragma warning(disable: 4005) 54 | #include 55 | #pragma warning(default: 4005) 56 | 57 | #ifdef __cplusplus 58 | extern "C"{ 59 | #endif 60 | 61 | #include "EasyHook.h" 62 | #include "DriverShared.h" 63 | 64 | BOOL RtlFileExists(WCHAR* InPath); 65 | LONG RtlGetWorkingDirectory(WCHAR* OutPath, ULONG InMaxLength); 66 | LONG RtlGetCurrentModulePath(WCHAR* OutPath, ULONG InMaxLength); 67 | 68 | #define RTL_SUCCESS(ntstatus) SUCCEEDED(ntstatus) 69 | 70 | HOOK_ACL* LhBarrierGetAcl(); 71 | void LhBarrierThreadDetach(); 72 | NTSTATUS LhBarrierProcessAttach(); 73 | void LhBarrierProcessDetach(); 74 | ULONGLONG LhBarrierIntro(LOCAL_HOOK_INFO* InHandle, void* InRetAddr, void** InAddrOfRetAddr); 75 | void* __stdcall LhBarrierOutro(LOCAL_HOOK_INFO* InHandle, void** InAddrOfRetAddr); 76 | 77 | LONG DbgRelocateRIPRelative( 78 | ULONGLONG InOffset, 79 | ULONGLONG InTargetOffset, 80 | BOOL* OutWasRelocated); 81 | 82 | EASYHOOK_NT_INTERNAL RhSetWakeUpThreadID(ULONG InThreadID); 83 | 84 | 85 | extern HMODULE hNtDll; 86 | extern HMODULE hKernel32; 87 | extern HMODULE hCurrentModule; 88 | extern HANDLE hEasyHookHeap; 89 | 90 | // this is just to make machine code management easier 91 | #define WRAP_ULONG64(Decl)\ 92 | union\ 93 | {\ 94 | ULONG64 UNUSED;\ 95 | Decl;\ 96 | }\ 97 | 98 | #define UNUSED2(y) __Unused_##y 99 | #define UNUSED1(y) UNUSED2(y) 100 | #define UNUSED UNUSED1(__COUNTER__) 101 | 102 | typedef struct _REMOTE_INFO_ 103 | { 104 | // will be the same for all processes 105 | WRAP_ULONG64(wchar_t* UserLibrary); // fixed 0 106 | WRAP_ULONG64(wchar_t* EasyHookPath); // fixed 8 107 | WRAP_ULONG64(wchar_t* PATH); // fixed 16 108 | WRAP_ULONG64(char* EasyHookEntry); // fixed 24 109 | WRAP_ULONG64(void* RemoteEntryPoint); // fixed 32 110 | WRAP_ULONG64(void* LoadLibraryW); // fixed; 40 111 | WRAP_ULONG64(void* FreeLibrary); // fixed; 48 112 | WRAP_ULONG64(void* GetProcAddress); // fixed; 56 113 | WRAP_ULONG64(void* VirtualFree); // fixed; 64 114 | WRAP_ULONG64(void* VirtualProtect); // fixed; 72 115 | WRAP_ULONG64(void* ExitThread); // fixed; 80 116 | WRAP_ULONG64(void* GetLastError); // fixed; 88 117 | 118 | BOOL IsManaged; 119 | HANDLE hRemoteSignal; 120 | DWORD HostProcess; 121 | DWORD Size; 122 | BYTE* UserData; 123 | DWORD UserDataSize; 124 | ULONG WakeUpThreadID; 125 | }REMOTE_INFO, *LPREMOTE_INFO; 126 | 127 | 128 | #ifdef __cplusplus 129 | } 130 | #endif 131 | 132 | #endif -------------------------------------------------------------------------------- /ExampleDll/ExampleDll.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/ExampleDll/ExampleDll.cpp -------------------------------------------------------------------------------- /ExampleDll/ExampleDll.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {71C41EEF-4A31-4CCE-82A4-8ED2CA129E3E} 15 | Win32Proj 16 | ExampleDll 17 | 8.1 18 | 19 | 20 | 21 | DynamicLibrary 22 | true 23 | v100 24 | Unicode 25 | 26 | 27 | DynamicLibrary 28 | false 29 | v100 30 | true 31 | Unicode 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | true 47 | $(SolutionDir)$(PlatformName)\$(Configuration)\ 48 | $(PlatformName)\$(Configuration)\$(ProjectName)\ 49 | 50 | 51 | false 52 | $(SolutionDir)$(PlatformName)\$(Configuration)\ 53 | $(PlatformName)\$(Configuration)\$(ProjectName)\ 54 | 55 | 56 | 57 | Use 58 | Level3 59 | Disabled 60 | WIN32;_DEBUG;_WINDOWS;_USRDLL;EXAMPLEDLL_EXPORTS;%(PreprocessorDefinitions) 61 | true 62 | $(SolutionDir)DriverShared;$(SolutionDir)Public;%(AdditionalIncludeDirectories) 63 | MultiThreadedDebug 64 | 65 | 66 | Windows 67 | true 68 | EasyHookLib.Lib;AUX_ULIB_x86.LIB;comsuppw.lib;Psapi.lib;%(AdditionalDependencies) 69 | 70 | 71 | 72 | 73 | Level3 74 | 75 | 76 | MaxSpeed 77 | true 78 | true 79 | WIN32;NDEBUG;_WINDOWS;_USRDLL;EXAMPLEDLL_EXPORTS;%(PreprocessorDefinitions) 80 | true 81 | $(SolutionDir)DriverShared;$(SolutionDir)Public;%(AdditionalIncludeDirectories) 82 | MultiThreaded 83 | false 84 | true 85 | 86 | 87 | Windows 88 | true 89 | true 90 | true 91 | $(SolutionDir)Win32\Release;$(SolutionDir)EasyHookDll;%(AdditionalLibraryDirectories) 92 | EasyHookLib.Lib;AUX_ULIB_x86.LIB;Psapi.lib;comsuppw.lib;%(AdditionalDependencies) 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | false 108 | 109 | 110 | false 111 | 112 | 113 | 114 | 115 | 116 | Create 117 | Create 118 | 119 | 120 | 121 | 122 | 123 | -------------------------------------------------------------------------------- /ExampleDll/ExampleDll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 头文件 23 | 24 | 25 | 头文件 26 | 27 | 28 | 头文件 29 | 30 | 31 | 32 | 33 | 源文件 34 | 35 | 36 | 源文件 37 | 38 | 39 | 源文件 40 | 41 | 42 | -------------------------------------------------------------------------------- /ExampleDll/ExampleDll64.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | {29EB511B-E76E-4720-B332-C41C0D59D6AE} 15 | Win32Proj 16 | ExampleDll 17 | 8.1 18 | 19 | 20 | 21 | DynamicLibrary 22 | true 23 | v100 24 | Unicode 25 | 26 | 27 | DynamicLibrary 28 | false 29 | v100 30 | true 31 | Unicode 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | true 47 | $(SolutionDir)$(PlatformName)\$(Configuration)\ 48 | $(PlatformName)\$(Configuration)\$(ProjectName)\ 49 | 50 | 51 | false 52 | $(SolutionDir)$(PlatformName)\$(Configuration)\ 53 | $(PlatformName)\$(Configuration)\$(ProjectName)\ 54 | 55 | 56 | 57 | Use 58 | Level3 59 | Disabled 60 | _DEBUG;_WINDOWS;_USRDLL;EXAMPLEDLL_EXPORTS;%(PreprocessorDefinitions) 61 | true 62 | $(SolutionDir)DriverShared;$(SolutionDir)Public;%(AdditionalIncludeDirectories) 63 | 64 | 65 | Windows 66 | true 67 | 68 | 69 | 70 | 71 | Level3 72 | Use 73 | MaxSpeed 74 | true 75 | true 76 | NDEBUG;_WINDOWS;_USRDLL;EXAMPLEDLL_EXPORTS;%(PreprocessorDefinitions) 77 | true 78 | $(SolutionDir)DriverShared;$(SolutionDir)Public;%(AdditionalIncludeDirectories) 79 | true 80 | false 81 | MultiThreaded 82 | 83 | 84 | Windows 85 | true 86 | true 87 | true 88 | EasyHookLib64.Lib;AUX_ULIB_x64.LIB;Psapi.lib;comsuppw.lib;%(AdditionalDependencies) 89 | $(SolutionDir)x64\Release;$(SolutionDir)EasyHookDll 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | false 102 | 103 | 104 | false 105 | 106 | 107 | 108 | 109 | 110 | Create 111 | Create 112 | 113 | 114 | 115 | 116 | 117 | -------------------------------------------------------------------------------- /ExampleDll/ExampleDll64.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 头文件 23 | 24 | 25 | 头文件 26 | 27 | 28 | 29 | 30 | 源文件 31 | 32 | 33 | 源文件 34 | 35 | 36 | 源文件 37 | 38 | 39 | -------------------------------------------------------------------------------- /ExampleDll/NtStructDef.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "stdafx.h" 3 | 4 | typedef struct _NT_PROC_THREAD_ATTRIBUTE_ENTRY { 5 | ULONG Attribute; 6 | SIZE_T Size; 7 | ULONG_PTR Value; 8 | ULONG Unknown; 9 | } PROC_THREAD_ATTRIBUTE_ENTRY, *PPROC_THREAD_ATTRIBUTE_ENTRY; 10 | 11 | typedef struct _NT_PROC_THREAD_ATTRIBUTE_LIST { 12 | ULONG Length; 13 | PROC_THREAD_ATTRIBUTE_ENTRY Entry[1]; 14 | } NT_PROC_THREAD_ATTRIBUTE_LIST, *PNT_PROC_THREAD_ATTRIBUTE_LIST; 15 | -------------------------------------------------------------------------------- /ExampleDll/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | 动态链接库:ExampleDll 项目概述 3 | ======================================================================== 4 | 5 | 应用程序向导已为您创建了此 ExampleDll DLL。 6 | 7 | 本文件概要介绍组成 ExampleDll 应用程序的每个文件的内容。 8 | 9 | 10 | ExampleDll.vcxproj 11 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。 12 | 13 | ExampleDll.vcxproj.filters 14 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。 15 | 16 | ExampleDll.cpp 17 | 这是主 DLL 源文件。 18 | 19 | 此 DLL 在创建时不导出任何符号。因此,生成时不会产生 .lib 文件。如果希望此项目成为其他某个项目的项目依赖项,则需要添加代码以从 DLL 导出某些符号,以便产生一个导出库,或者,也可以在项目“属性页”对话框中的“链接器”文件夹中,将“常规”属性页上的“忽略输入库”属性设置为“是”。 20 | 21 | ///////////////////////////////////////////////////////////////////////////// 22 | 其他标准文件: 23 | 24 | StdAfx.h, StdAfx.cpp 25 | 这些文件用于生成名为 ExampleDll.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | 其他注释: 29 | 30 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。 31 | 32 | ///////////////////////////////////////////////////////////////////////////// 33 | -------------------------------------------------------------------------------- /ExampleDll/dllmain.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/ExampleDll/dllmain.cpp -------------------------------------------------------------------------------- /ExampleDll/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/ExampleDll/stdafx.cpp -------------------------------------------------------------------------------- /ExampleDll/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/ExampleDll/stdafx.h -------------------------------------------------------------------------------- /ExampleDll/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/ExampleDll/targetver.h -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2009 Christoph Husse & Copyright (c) 2012 Justin Stenning 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in 11 | all copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 19 | THE SOFTWARE. 20 | -------------------------------------------------------------------------------- /Public/easyhook.h: -------------------------------------------------------------------------------- 1 | // EasyHook (File: EasyHookDll\easyhook.h) 2 | // 3 | // Copyright (c) 2009 Christoph Husse & Copyright (c) 2015 Justin Stenning 4 | // 5 | // Permission is hereby granted, free of charge, to any person obtaining a copy 6 | // of this software and associated documentation files (the "Software"), to deal 7 | // in the Software without restriction, including without limitation the rights 8 | // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | // copies of the Software, and to permit persons to whom the Software is 10 | // furnished to do so, subject to the following conditions: 11 | // 12 | // The above copyright notice and this permission notice shall be included in 13 | // all copies or substantial portions of the Software. 14 | // 15 | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | // THE SOFTWARE. 22 | // 23 | // Please visit https://easyhook.github.io for more information 24 | // about the project and latest updates. 25 | 26 | #ifndef _EASYHOOK_H_ 27 | #define _EASYHOOK_H_ 28 | 29 | #ifdef DRIVER 30 | 31 | #include 32 | #include 33 | 34 | typedef int BOOL; 35 | typedef void* HMODULE; 36 | 37 | #else 38 | 39 | #ifndef NTDDI_VERSION 40 | #define NTDDI_VERSION NTDDI_WIN2KSP4 41 | #endif 42 | #ifndef _WIN32_WINNT 43 | #define _WIN32_WINNT 0x500 44 | #endif 45 | #define _WIN32_IE_ _WIN32_IE_WIN2KSP4 46 | 47 | #include 48 | #include 49 | #include 50 | 51 | #endif 52 | 53 | 54 | #ifdef __cplusplus 55 | extern "C"{ 56 | #endif 57 | 58 | #define EASYHOOK_API __stdcall 59 | #define DRIVER_SHARED_API(type, decl) typedef type EASYHOOK_API PROC_##decl; EXTERN_C type EASYHOOK_API decl 60 | 61 | /* 62 | This is the typical sign that a defined method is exported... 63 | 64 | Methods marked with this attribute need special attention 65 | during parameter validation and documentation. 66 | */ 67 | #define EASYHOOK_NT_EXPORT EXTERN_C NTSTATUS EASYHOOK_API 68 | #define EASYHOOK_BOOL_EXPORT EXTERN_C BOOL EASYHOOK_API 69 | 70 | #define MAX_HOOK_COUNT 128 71 | #define MAX_ACE_COUNT 128 72 | #define MAX_THREAD_COUNT 128 73 | #define MAX_PASSTHRU_SIZE 1024 * 64 74 | 75 | typedef struct _LOCAL_HOOK_INFO_* PLOCAL_HOOK_INFO; 76 | 77 | typedef struct _HOOK_TRACE_INFO_ 78 | { 79 | PLOCAL_HOOK_INFO Link; 80 | }HOOK_TRACE_INFO, *TRACED_HOOK_HANDLE; 81 | 82 | DRIVER_SHARED_API(NTSTATUS, RtlGetLastError()); 83 | 84 | DRIVER_SHARED_API(PWCHAR, RtlGetLastErrorString()); 85 | 86 | #ifndef DRIVER 87 | DRIVER_SHARED_API(PWCHAR, RtlGetLastErrorStringCopy()); 88 | #endif 89 | 90 | DRIVER_SHARED_API(NTSTATUS, LhInstallHook( 91 | void* InEntryPoint, 92 | void* InHookProc, 93 | void* InCallback, 94 | TRACED_HOOK_HANDLE OutHandle)); 95 | 96 | DRIVER_SHARED_API(NTSTATUS, LhUninstallAllHooks()); 97 | 98 | DRIVER_SHARED_API(NTSTATUS, LhUninstallHook(TRACED_HOOK_HANDLE InHandle)); 99 | 100 | DRIVER_SHARED_API(NTSTATUS, LhWaitForPendingRemovals()); 101 | 102 | /* 103 | Setup the ACLs after hook installation. Please note that every 104 | hook starts suspended. You will have to set a proper ACL to 105 | make it active! 106 | */ 107 | #ifdef DRIVER 108 | 109 | DRIVER_SHARED_API(NTSTATUS, LhSetInclusiveACL( 110 | ULONG* InProcessIdList, 111 | ULONG InProcessCount, 112 | TRACED_HOOK_HANDLE InHandle)); 113 | 114 | DRIVER_SHARED_API(NTSTATUS, LhSetExclusiveACL( 115 | ULONG* InProcessIdList, 116 | ULONG InProcessCount, 117 | TRACED_HOOK_HANDLE InHandle)); 118 | 119 | DRIVER_SHARED_API(NTSTATUS, LhSetGlobalInclusiveACL( 120 | ULONG* InProcessIdList, 121 | ULONG InProcessCount)); 122 | 123 | DRIVER_SHARED_API(NTSTATUS, LhSetGlobalExclusiveACL( 124 | ULONG* InProcessIdList, 125 | ULONG InProcessCount)); 126 | 127 | DRIVER_SHARED_API(NTSTATUS, LhIsProcessIntercepted( 128 | TRACED_HOOK_HANDLE InHook, 129 | ULONG InProcessID, 130 | BOOL* OutResult)); 131 | 132 | #else 133 | 134 | EASYHOOK_NT_EXPORT LhSetInclusiveACL( 135 | ULONG* InThreadIdList, 136 | ULONG InThreadCount, 137 | TRACED_HOOK_HANDLE InHandle); 138 | 139 | EASYHOOK_NT_EXPORT LhSetExclusiveACL( 140 | ULONG* InThreadIdList, 141 | ULONG InThreadCount, 142 | TRACED_HOOK_HANDLE InHandle); 143 | 144 | EASYHOOK_NT_EXPORT LhSetGlobalInclusiveACL( 145 | ULONG* InThreadIdList, 146 | ULONG InThreadCount); 147 | 148 | EASYHOOK_NT_EXPORT LhSetGlobalExclusiveACL( 149 | ULONG* InThreadIdList, 150 | ULONG InThreadCount); 151 | 152 | EASYHOOK_NT_EXPORT LhIsThreadIntercepted( 153 | TRACED_HOOK_HANDLE InHook, 154 | ULONG InThreadID, 155 | BOOL* OutResult); 156 | 157 | #endif // !DRIVER 158 | 159 | /* 160 | The following barrier methods are meant to be used in hook handlers only! 161 | 162 | They will all fail with STATUS_NOT_SUPPORTED if called outside a 163 | valid hook handler... 164 | */ 165 | DRIVER_SHARED_API(NTSTATUS, LhBarrierGetCallback(PVOID* OutValue)); 166 | 167 | DRIVER_SHARED_API(NTSTATUS, LhBarrierGetReturnAddress(PVOID* OutValue)); 168 | 169 | DRIVER_SHARED_API(NTSTATUS, LhBarrierGetAddressOfReturnAddress(PVOID** OutValue)); 170 | 171 | DRIVER_SHARED_API(NTSTATUS, LhBarrierBeginStackTrace(PVOID* OutBackup)); 172 | 173 | DRIVER_SHARED_API(NTSTATUS, LhBarrierEndStackTrace(PVOID InBackup)); 174 | 175 | typedef struct _MODULE_INFORMATION_* PMODULE_INFORMATION; 176 | 177 | typedef struct _MODULE_INFORMATION_ 178 | { 179 | PMODULE_INFORMATION Next; 180 | UCHAR* BaseAddress; 181 | ULONG ImageSize; 182 | CHAR Path[256]; 183 | PCHAR ModuleName; 184 | }MODULE_INFORMATION; 185 | 186 | EASYHOOK_NT_EXPORT LhUpdateModuleInformation(); 187 | 188 | DRIVER_SHARED_API(NTSTATUS, LhBarrierPointerToModule( 189 | PVOID InPointer, 190 | MODULE_INFORMATION* OutModule)); 191 | 192 | DRIVER_SHARED_API(NTSTATUS, LhEnumModules( 193 | HMODULE* OutModuleArray, 194 | ULONG InMaxModuleCount, 195 | ULONG* OutModuleCount)); 196 | 197 | DRIVER_SHARED_API(NTSTATUS, LhBarrierGetCallingModule(MODULE_INFORMATION* OutModule)); 198 | 199 | DRIVER_SHARED_API(NTSTATUS, LhBarrierCallStackTrace( 200 | PVOID* OutMethodArray, 201 | ULONG InMaxMethodCount, 202 | ULONG* OutMethodCount)); 203 | 204 | #ifdef DRIVER 205 | 206 | #define DRIVER_EXPORT(proc) PROC_##proc * proc 207 | 208 | #define EASYHOOK_INTERFACE_v_1 0x0001 209 | 210 | #define EASYHOOK_WIN32_DEVICE_NAME L"\\\\.\\EasyHook" 211 | #define EASYHOOK_DEVICE_NAME L"\\Device\\EasyHook" 212 | #define EASYHOOK_DOS_DEVICE_NAME L"\\DosDevices\\EasyHook" 213 | #define FILE_DEVICE_EASYHOOK 0x893F 214 | 215 | typedef struct _EASYHOOK_INTERFACE_API_v_1_ 216 | { 217 | DRIVER_EXPORT(RtlGetLastError); 218 | DRIVER_EXPORT(RtlGetLastErrorString); 219 | DRIVER_EXPORT(LhInstallHook); 220 | DRIVER_EXPORT(LhUninstallHook); 221 | DRIVER_EXPORT(LhWaitForPendingRemovals); 222 | DRIVER_EXPORT(LhBarrierGetCallback); 223 | DRIVER_EXPORT(LhBarrierGetReturnAddress); 224 | DRIVER_EXPORT(LhBarrierGetAddressOfReturnAddress); 225 | DRIVER_EXPORT(LhBarrierBeginStackTrace); 226 | DRIVER_EXPORT(LhBarrierEndStackTrace); 227 | DRIVER_EXPORT(LhBarrierPointerToModule); 228 | DRIVER_EXPORT(LhBarrierGetCallingModule); 229 | DRIVER_EXPORT(LhBarrierCallStackTrace); 230 | DRIVER_EXPORT(LhSetGlobalExclusiveACL); 231 | DRIVER_EXPORT(LhSetGlobalInclusiveACL); 232 | DRIVER_EXPORT(LhSetExclusiveACL); 233 | DRIVER_EXPORT(LhSetInclusiveACL); 234 | DRIVER_EXPORT(LhIsProcessIntercepted); 235 | }EASYHOOK_INTERFACE_API_v_1, *PEASYHOOK_INTERFACE_API_v_1; 236 | 237 | typedef struct _EASYHOOK_DEVICE_EXTENSION_ 238 | { 239 | ULONG MaxVersion; 240 | // enumeration of APIs 241 | EASYHOOK_INTERFACE_API_v_1 API_v_1; 242 | }EASYHOOK_DEVICE_EXTENSION, *PEASYHOOK_DEVICE_EXTENSION; 243 | 244 | static NTSTATUS EasyHookQueryInterface( 245 | ULONG InInterfaceVersion, 246 | PVOID OutInterface, 247 | PFILE_OBJECT* OutEasyHookDrv) 248 | { 249 | /* 250 | Description: 251 | 252 | Provides a convenient way to load the desired EasyHook interface. 253 | The method will only work if the EasyHook support driver is loaded, of course. 254 | If you don't need the interface anymore, you have to release the 255 | file object with ObDereferenceObject(). 256 | 257 | Parameters: 258 | 259 | - InInterfaceVersion 260 | 261 | The desired interface version. Any future EasyHook driver will ALWAYS 262 | be backward compatible. This is the reason why I provide such a flexible 263 | interface mechanism. 264 | 265 | - OutInterface 266 | 267 | A pointer to the interface structure to be filled with data. If you specify 268 | EASYHOOK_INTERFACE_v_1 as InInterfaceVersion, you will have to provide a 269 | pointer to a EASYHOOK_INTERFACE_API_v_1 structure, for example... 270 | 271 | - OutEasyHookDrv 272 | 273 | A reference to the EasyHook driver. Make sure that you dereference it if 274 | you don't need the interface any longer! As long as you keep this handle, 275 | the EasyHook driver CAN'T be unloaded... 276 | 277 | */ 278 | UNICODE_STRING DeviceName; 279 | PDEVICE_OBJECT hEasyHookDrv = NULL; 280 | NTSTATUS NtStatus = STATUS_INTERNAL_ERROR; 281 | EASYHOOK_DEVICE_EXTENSION* DevExt; 282 | 283 | /* 284 | Open log file... 285 | */ 286 | RtlInitUnicodeString(&DeviceName, EASYHOOK_DEVICE_NAME); 287 | 288 | if(!NT_SUCCESS(NtStatus = IoGetDeviceObjectPointer(&DeviceName, FILE_READ_DATA, OutEasyHookDrv, &hEasyHookDrv))) 289 | return NtStatus; 290 | 291 | __try 292 | { 293 | DevExt = (EASYHOOK_DEVICE_EXTENSION*)hEasyHookDrv->DeviceExtension; 294 | 295 | if(DevExt->MaxVersion < InInterfaceVersion) 296 | return STATUS_NOT_SUPPORTED; 297 | 298 | switch(InInterfaceVersion) 299 | { 300 | case EASYHOOK_INTERFACE_v_1: memcpy(OutInterface, &DevExt->API_v_1, sizeof(DevExt->API_v_1)); break; 301 | default: 302 | return STATUS_INVALID_PARAMETER_1; 303 | } 304 | 305 | return STATUS_SUCCESS; 306 | } 307 | __except(EXCEPTION_EXECUTE_HANDLER) 308 | { 309 | ObDereferenceObject(*OutEasyHookDrv); 310 | 311 | return NtStatus; 312 | } 313 | } 314 | 315 | 316 | #endif // DRIVER 317 | 318 | #ifndef DRIVER 319 | /* 320 | Debug helper API. 321 | */ 322 | EASYHOOK_BOOL_EXPORT DbgIsAvailable(); 323 | 324 | EASYHOOK_BOOL_EXPORT DbgIsEnabled(); 325 | 326 | EASYHOOK_NT_EXPORT DbgAttachDebugger(); 327 | 328 | EASYHOOK_NT_EXPORT DbgDetachDebugger(); 329 | 330 | EASYHOOK_NT_EXPORT DbgGetThreadIdByHandle( 331 | HANDLE InThreadHandle, 332 | ULONG* OutThreadId); 333 | 334 | EASYHOOK_NT_EXPORT DbgGetProcessIdByHandle( 335 | HANDLE InProcessHandle, 336 | ULONG* OutProcessId); 337 | 338 | EASYHOOK_NT_EXPORT DbgHandleToObjectName( 339 | HANDLE InNamedHandle, 340 | UNICODE_STRING* OutNameBuffer, 341 | ULONG InBufferSize, 342 | ULONG* OutRequiredSize); 343 | /* 344 | Test API 345 | */ 346 | typedef struct _TEST_FUNC_HOOKS_OPTIONS 347 | { 348 | LPSTR Filename; 349 | LPSTR FilterByName; 350 | } TEST_FUNC_HOOKS_OPTIONS; 351 | 352 | typedef struct _TEST_FUNC_HOOKS_RESULT 353 | { 354 | LPSTR FnName; 355 | LPSTR ModuleRedirect; 356 | LPSTR FnRedirect; 357 | void* FnAddress; 358 | void* RelocAddress; 359 | LPSTR EntryDisasm; 360 | LPSTR RelocDisasm; 361 | LPSTR Error; 362 | } TEST_FUNC_HOOKS_RESULT; 363 | 364 | EASYHOOK_NT_EXPORT TestFuncHooks(ULONG pId, 365 | PCHAR module, 366 | TEST_FUNC_HOOKS_OPTIONS options, 367 | TEST_FUNC_HOOKS_RESULT** outResults, 368 | int* resultCount); 369 | 370 | EASYHOOK_NT_EXPORT ReleaseTestFuncHookResults(TEST_FUNC_HOOKS_RESULT* results, int count); 371 | /* 372 | Injection support API. 373 | */ 374 | typedef struct _REMOTE_ENTRY_INFO_ 375 | { 376 | ULONG HostPID; 377 | UCHAR* UserData; 378 | ULONG UserDataSize; 379 | }REMOTE_ENTRY_INFO; 380 | 381 | typedef void __stdcall REMOTE_ENTRY_POINT(REMOTE_ENTRY_INFO* InRemoteInfo); 382 | 383 | #define EASYHOOK_INJECT_DEFAULT 0x00000000 384 | #define EASYHOOK_INJECT_STEALTH 0x10000000 // (experimental) 385 | #define EASYHOOK_INJECT_NET_DEFIBRILLATOR 0x20000000 // USE THIS ONLY IN UNMANAGED CODE AND ONLY WITH CreateAndInject() FOR MANAGED PROCESSES!! 386 | 387 | EASYHOOK_NT_EXPORT RhCreateStealthRemoteThread( 388 | ULONG InTargetPID, 389 | LPTHREAD_START_ROUTINE InRemoteRoutine, 390 | PVOID InRemoteParam, 391 | HANDLE* OutRemoteThread); 392 | 393 | EASYHOOK_NT_EXPORT RhInjectLibrary( 394 | ULONG InTargetPID, 395 | ULONG InWakeUpTID, 396 | ULONG InInjectionOptions, 397 | WCHAR* InLibraryPath_x86, 398 | WCHAR* InLibraryPath_x64, 399 | PVOID InPassThruBuffer, 400 | ULONG InPassThruSize); 401 | 402 | EASYHOOK_NT_EXPORT RhCreateAndInject( 403 | WCHAR* InEXEPath, 404 | WCHAR* InCommandLine, 405 | ULONG InProcessCreationFlags, 406 | ULONG InInjectionOptions, 407 | WCHAR* InLibraryPath_x86, 408 | WCHAR* InLibraryPath_x64, 409 | PVOID InPassThruBuffer, 410 | ULONG InPassThruSize, 411 | ULONG* OutProcessId); 412 | 413 | EASYHOOK_BOOL_EXPORT RhIsX64System(); 414 | 415 | EASYHOOK_NT_EXPORT RhIsX64Process( 416 | ULONG InProcessId, 417 | BOOL* OutResult); 418 | 419 | EASYHOOK_BOOL_EXPORT RhIsAdministrator(); 420 | 421 | EASYHOOK_NT_EXPORT RhWakeUpProcess(); 422 | 423 | EASYHOOK_NT_EXPORT RhInstallSupportDriver(); 424 | 425 | EASYHOOK_NT_EXPORT RhInstallDriver( 426 | WCHAR* InDriverPath, 427 | WCHAR* InDriverName); 428 | 429 | typedef struct _GACUTIL_INFO_* HGACUTIL; 430 | 431 | 432 | #endif // !DRIVER 433 | 434 | #ifdef __cplusplus 435 | }; 436 | #endif 437 | 438 | #endif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nmgwddj/EasyHook/137268eedd926500306b60c8f00d58eaa8efa1ef/README.md -------------------------------------------------------------------------------- /Version.txt: -------------------------------------------------------------------------------- 1 | 2.7.0.0 --------------------------------------------------------------------------------