for(i=0; i < 1000 && ThreadsIn; i++) //no infinite cycle!
Sleep(10);
}
return(TRUE);
}
// Sentinel that HookNewModule() stores in ApiHookChain[i].dwFlags for an
// overwrite/raw hook that must not be applied again; the hook wrappers map
// it back to HOOK_OVERWRITE when calling the original export, and
// HooksCanUnloadNow() restores HOOK_OVERWRITE before UnhookApis() runs.
#define WAS_OVERWRITE 0xFEDC0000L
/*
 * Hook wrapper for kernel32's CreateProcessInternalW (ApiHookChain[1]).
 *
 * The original export is called with CREATE_SUSPENDED forced on, the new
 * process is handed to HookProcess(), and the primary thread is then
 * resumed unless the caller itself asked for a suspended start.
 *
 * Unknown00 / Unknown2C are the two extra parameters of the undocumented
 * internal entry point; all other parameters mirror CreateProcessW.
 * CallOrigFn() receives &Unknown00 together with the count 12, which
 * presumably means it forwards the 12 parameters straight from this stack
 * frame -- that is why dwCreationFlags is modified in place (and declared
 * volatile) instead of being copied into a local. Confirm against CallOrigFn.
 *
 * Returns the BOOL result of the original call.
 */
BOOL WINAPI NewCreateProcessInternalW(
    LPVOID Unknown00,
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    volatile DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation,
    LPVOID Unknown2C
) {
    InterlockedIncrement(&ThreadsIn);
    // Remember the caller's wish before the flag is forced on.
    const DWORD CallerWantedSuspend = dwCreationFlags & CREATE_SUSPENDED;
    dwCreationFlags |= CREATE_SUSPENDED;
    BOOL Created = CallOrigFn(ApiHookChain[1].ModuleExport,
                              ApiHookChain[1].ApiNameOrOrd,
                              ApiHookChain[1].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[1].dwFlags,
                              ApiHookChain[1].ModuleImport,
                              ApiHookChain[1].UnhookAddresses,
                              12, &Unknown00);
    if (Created) {
        if (!LikeUnhooked) {
            // Command line takes precedence; the TRUE flag presumably tells
            // HookProcess the string is UTF-16 -- confirm against HookProcess.
            LPCSTR NameForHook = lpCommandLine ? (LPCSTR)lpCommandLine : (LPCSTR)lpApplicationName;
            HookProcess(lpProcessInformation->hProcess, lpProcessInformation->dwProcessId, NameForHook, TRUE);
        }
        if (!CallerWantedSuspend) {
            // Return value of ResumeThread is not checked, as in the original.
            ResumeThread(lpProcessInformation->hThread);
        }
    }
    InterlockedDecrement(&ThreadsIn);
    return Created;
}
/*
 * Hook wrapper for CreateProcessW. Shares ApiHookChain[1] with
 * NewCreateProcessInternalW, so presumably only one of the two is installed
 * on a given platform -- confirm against the chain setup.
 *
 * The original export is called with CREATE_SUSPENDED forced on, the new
 * process is passed to HookProcess(), and the primary thread is resumed
 * unless the caller itself requested a suspended start.
 *
 * CallOrigFn() gets &lpApplicationName and the count 10, which presumably
 * forwards the 10 parameters from this frame; dwCreationFlags is therefore
 * modified in place (and declared volatile) rather than copied.
 *
 * Returns the BOOL result of the original call.
 */
BOOL WINAPI NewCreateProcessW(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    volatile DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
) {
    InterlockedIncrement(&ThreadsIn);
    const DWORD CallerWantedSuspend = dwCreationFlags & CREATE_SUSPENDED;
    dwCreationFlags |= CREATE_SUSPENDED;
    BOOL Created = CallOrigFn(ApiHookChain[1].ModuleExport,
                              ApiHookChain[1].ApiNameOrOrd,
                              ApiHookChain[1].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[1].dwFlags,
                              ApiHookChain[1].ModuleImport,
                              ApiHookChain[1].UnhookAddresses,
                              10, &lpApplicationName);
    if (Created) {
        if (!LikeUnhooked) {
            // TRUE presumably marks the string as UTF-16 for HookProcess -- confirm.
            LPCSTR NameForHook = lpCommandLine ? (LPCSTR)lpCommandLine : (LPCSTR)lpApplicationName;
            HookProcess(lpProcessInformation->hProcess, lpProcessInformation->dwProcessId, NameForHook, TRUE);
        }
        if (!CallerWantedSuspend) {
            ResumeThread(lpProcessInformation->hThread);
        }
    }
    InterlockedDecrement(&ThreadsIn);
    return Created;
}
/*
 * Hook wrapper for CreateProcessA (ApiHookChain[2]).
 *
 * Same scheme as the W variants: the original export runs with
 * CREATE_SUSPENDED forced on, HookProcess() is given the new process, and
 * the primary thread is resumed unless the caller wanted it suspended.
 * CallOrigFn() is handed &lpApplicationName with the count 10, presumably
 * forwarding the parameters from this frame; dwCreationFlags is therefore
 * changed in place (volatile) rather than copied.
 *
 * Returns the BOOL result of the original call.
 */
BOOL WINAPI NewCreateProcessA(
    LPCSTR lpApplicationName,
    LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    volatile DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCSTR lpCurrentDirectory,
    LPSTARTUPINFOA lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
) {
    InterlockedIncrement(&ThreadsIn);
    const DWORD CallerWantedSuspend = dwCreationFlags & CREATE_SUSPENDED;
    dwCreationFlags |= CREATE_SUSPENDED;
    BOOL Created = CallOrigFn(ApiHookChain[2].ModuleExport,
                              ApiHookChain[2].ApiNameOrOrd,
                              ApiHookChain[2].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[2].dwFlags,
                              ApiHookChain[2].ModuleImport,
                              ApiHookChain[2].UnhookAddresses,
                              10, &lpApplicationName);
    if (Created) {
        if (!LikeUnhooked) {
            // ANSI strings here, hence the FALSE flag.
            LPCSTR NameForHook = lpCommandLine ? lpCommandLine : lpApplicationName;
            HookProcess(lpProcessInformation->hProcess, lpProcessInformation->dwProcessId, NameForHook, FALSE);
        }
        if (!CallerWantedSuspend) {
            ResumeThread(lpProcessInformation->hThread);
        }
    }
    InterlockedDecrement(&ThreadsIn);
    return Created;
}
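/*
 * Hook wrapper for WinExec (ApiHookChain[3]).
 *
 * Unless hooks are being torn down (LikeUnhooked), the request is turned
 * into a CreateProcessA call through ApiHookChain[2] with CREATE_SUSPENDED,
 * HookProcess() is given the new process, and the thread is resumed. If
 * that creation fails, or LikeUnhooked is set, the original WinExec is
 * called instead via CallOrigFn() with &lpCmdLine and the count 2.
 *
 * Fix: STARTUPINFO.wShowWindow is only honoured by CreateProcess when
 * dwFlags contains STARTF_USESHOWWINDOW; the original code set wShowWindow
 * alone, so uCmdShow was silently ignored on the hooked path.
 *
 * Note: CPAParams packs pointers into DWORDs, i.e. this assumes a 32-bit
 * build, as does the rest of the CallOrigFn parameter passing.
 *
 * Returns 32 (WinExec's documented "success" range is > 31) on the hooked
 * path, otherwise the original WinExec's return value.
 */
UINT WINAPI NewWinExec(
    LPCSTR lpCmdLine,
    UINT uCmdShow
) {
    InterlockedIncrement(&ThreadsIn);
    UINT Result;
    STARTUPINFOA stinfo = {sizeof(stinfo)};
    PROCESS_INFORMATION prinfo = {0};
    // Without STARTF_USESHOWWINDOW the wShowWindow member is ignored.
    stinfo.dwFlags = STARTF_USESHOWWINDOW;
    stinfo.wShowWindow = (WORD)uCmdShow;
    DWORD CPAParams[10] = {NULL, (DWORD)lpCmdLine, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, (DWORD)&stinfo, (DWORD)&prinfo};
    if (!LikeUnhooked && CallOrigFn(ApiHookChain[2].ModuleExport,
                                    ApiHookChain[2].ApiNameOrOrd,
                                    ApiHookChain[2].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[2].dwFlags,
                                    ApiHookChain[2].ModuleImport,
                                    ApiHookChain[2].UnhookAddresses,
                                    10, CPAParams)) {
        HookProcess(prinfo.hProcess, prinfo.dwProcessId, lpCmdLine, FALSE);
        ResumeThread(prinfo.hThread);
        // WinExec callers never see handles, so release both here.
        CloseHandle(prinfo.hThread);
        CloseHandle(prinfo.hProcess);
        Result = 32;
    } else {
        Result = CallOrigFn(ApiHookChain[3].ModuleExport,
                            ApiHookChain[3].ApiNameOrOrd,
                            ApiHookChain[3].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[3].dwFlags,
                            ApiHookChain[3].ModuleImport,
                            ApiHookChain[3].UnhookAddresses,
                            2, &lpCmdLine);
    }
    InterlockedDecrement(&ThreadsIn);
    return Result;
}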
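/*
 * Hook wrapper for LoadModule (ApiHookChain[4]).
 *
 * When possible the request is translated into a CreateProcessA call via
 * ApiHookChain[2] with CREATE_SUSPENDED, HookProcess() is given the new
 * process, and the thread is resumed. The original LoadModule is used
 * instead (CallOrigFn with &lpModuleName and the count 2) when hooks are
 * being torn down, when the parameter block is missing or has a non-zero
 * dwReserved, when lpCmdShow is present but its first word is not 2, when
 * CreateProcessA fails, or when the command line does not fit CString.
 *
 * Fixes vs. the original:
 *  - the command-line copy loop terminated the string one byte too far
 *    (CString[Length+1] instead of CString[Length]), leaving CString[Length]
 *    uninitialised;
 *  - STARTF_USESHOWWINDOW is now set, otherwise wShowWindow is ignored by
 *    CreateProcess;
 *  - the copy is bounded by sizeof CString, and NULL lpParameterBlock /
 *    lpCmdLine are passed through instead of being dereferenced.
 *
 * NOTE(review): the copy reads String[1..Length], skipping String[0], as
 * the original did; this is only right if String overlays the Pascal
 * length byte in the project's LOADPARMS32 typedef -- confirm.
 * Note: CPAParams packs pointers into DWORDs (32-bit build assumption).
 *
 * Returns 32 on the hooked path, otherwise the original's return value.
 */
DWORD WINAPI NewLoadModule(
    LPCSTR lpModuleName,
    LPVOID lpParameterBlock
) {
    InterlockedIncrement(&ThreadsIn);
    DWORD Result;
    LPLOADPARMS32 Parms = (LPLOADPARMS32)lpParameterBlock;
    STARTUPINFOA stinfo = {sizeof(stinfo)};
    PROCESS_INFORMATION prinfo = {0};
    char CString[MAX_PATH];
    LPCSTR CmdLine = NULL;

    // Decide whether the request can be handled here at all.
    BOOL PassThrough = LikeUnhooked || Parms == NULL || Parms->dwReserved != 0;

    if (!PassThrough && Parms->lpCmdShow) {
        if (Parms->lpCmdShow->MustBe2 != 2) {
            PassThrough = TRUE;
        } else {
            stinfo.dwFlags = STARTF_USESHOWWINDOW;
            stinfo.wShowWindow = Parms->lpCmdShow->HowToShow;
        }
    }

    if (!PassThrough && Parms->lpCmdLine != NULL && Parms->lpCmdLine->Length != 0) {
        unsigned Len = Parms->lpCmdLine->Length;
        if (Len >= sizeof CString) {
            // Cannot hold it safely; let the original API report whatever it does.
            PassThrough = TRUE;
        } else {
            for (unsigned k = 0; k < Len; k++) {
                CString[k] = Parms->lpCmdLine->String[k + 1];
            }
            CString[Len] = '\0';
            CmdLine = CString;
        }
    }

    if (PassThrough) {
        Result = CallOrigFn(ApiHookChain[4].ModuleExport,
                            ApiHookChain[4].ApiNameOrOrd,
                            ApiHookChain[4].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[4].dwFlags,
                            ApiHookChain[4].ModuleImport,
                            ApiHookChain[4].UnhookAddresses,
                            2, &lpModuleName);
    } else {
        //todo: handle Environment here
        DWORD CPAParams[10] = {(DWORD)lpModuleName, (DWORD)CmdLine,
                               NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, (DWORD)&stinfo, (DWORD)&prinfo};
        if (CallOrigFn(ApiHookChain[2].ModuleExport,
                       ApiHookChain[2].ApiNameOrOrd,
                       ApiHookChain[2].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[2].dwFlags,
                       ApiHookChain[2].ModuleImport,
                       ApiHookChain[2].UnhookAddresses,
                       10, CPAParams)) {
            HookProcess(prinfo.hProcess, prinfo.dwProcessId, lpModuleName, FALSE);
            ResumeThread(prinfo.hThread);
            CloseHandle(prinfo.hThread);
            CloseHandle(prinfo.hProcess);
            Result = 32;
        } else {
            Result = CallOrigFn(ApiHookChain[4].ModuleExport,
                                ApiHookChain[4].ApiNameOrOrd,
                                ApiHookChain[4].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[4].dwFlags,
                                ApiHookChain[4].ModuleImport,
                                ApiHookChain[4].UnhookAddresses,
                                2, &lpModuleName);
        }
    }
    InterlockedDecrement(&ThreadsIn);
    return Result;
}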
/*
 * Hook wrapper for GetProcAddress (ApiHookChain[7]).
 *
 * The original lookup is always performed first. When hooks are active,
 * the lookup is by name, and hModule is KERNEL32.DLL, a handful of exports
 * are answered with this file's wrappers instead. Lookups by ordinal are
 * returned unchanged (the ordinal form carries the ordinal in the low word
 * with a zero high word, hence the >= 0x10000 test; 32-bit assumption).
 *
 * Returns the original result or the matching wrapper.
 */
FARPROC WINAPI NewGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
    struct Redirect {
        LPCSTR Name;
        FARPROC Hook;
    };
    InterlockedIncrement(&ThreadsIn);
    FARPROC Target = (FARPROC)CallOrigFn(ApiHookChain[7].ModuleExport,
                                         ApiHookChain[7].ApiNameOrOrd,
                                         ApiHookChain[7].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[7].dwFlags,
                                         ApiHookChain[7].ModuleImport,
                                         ApiHookChain[7].UnhookAddresses,
                                         2, &hModule);
    const BOOL LookupByName = (DWORD)lpProcName >= 0x10000;
    if (!LikeUnhooked && LookupByName && hModule == GetModuleHandle(TEXT("KERNEL32.DLL"))) {
        const Redirect Redirects[] = {
            {"CreateProcessA", (FARPROC)NewCreateProcessA},
            {"WinExec", (FARPROC)NewWinExec},
            {"LoadModule", (FARPROC)NewLoadModule},
            {"LoadLibraryA", (FARPROC)NewLoadLibraryA},
            {"LoadLibraryExA", (FARPROC)NewLoadLibraryExA},
            {"GetProcAddress", (FARPROC)NewGetProcAddress},
        };
        // Names are distinct, so the first match is the only match.
        for (unsigned k = 0; k < sizeof Redirects / sizeof Redirects[0]; k++) {
            if (lstrcmpA(lpProcName, Redirects[k].Name) == 0) {
                Target = Redirects[k].Hook;
                break;
            }
        }
    }
    InterlockedDecrement(&ThreadsIn);
    return Target;
}
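/*
 * Re-targets the hook chain after a library was loaded for the first time
 * (called from NewLoadLibraryA / NewLoadLibraryExA) and then re-runs
 * EstablishApiHooks() for the current process.
 *
 * For every chain entry except the first and last:
 *  - BY_NAME / BY_ADDRESS hooks get ModuleImport pointed at the new library;
 *  - OVERWRITE / RAW hooks whose exporting module is the library just
 *    loaded have their saved-bytes buffer released and CurNoAddr reset so
 *    the hook is applied afresh;
 *  - all other OVERWRITE / RAW hooks are marked WAS_OVERWRITE so they are
 *    not applied a second time (HooksCanUnloadNow restores the flag).
 *
 * Changes vs. the original: braces make the intended if/else nesting
 * explicit (the bare `else` bound to the innermost `if`, which is what
 * the comment describes), the new library's handle is looked up once
 * instead of once per iteration, and LocalFree's result (NULL on success)
 * is written back as HooksCanUnloadNow already does, so the stale handle
 * cannot be freed twice.
 *
 * NOTE(review): ApiHookChain is modified here without any synchronisation
 * while other threads may be executing the hook wrappers -- confirm that
 * the loader lock (this runs inside LoadLibrary) is considered sufficient.
 */
VOID HookNewModule(
    LPCSTR lpLibFileName
){
    HMODULE hNewLib = GetModuleHandleA(lpLibFileName);
    for (DWORD i = 1; i < NHOOKS - 1; i++) {
        if (ApiHookChain[i].dwFlags & (HOOK_BY_NAME | HOOK_BY_ADDRESS)) {
            ApiHookChain[i].ModuleImport = lpLibFileName;
        } else if (ApiHookChain[i].dwFlags & (HOOK_OVERWRITE | HOOK_RAW)) {
            if (GetModuleHandleA(ApiHookChain[i].ModuleExport) == hNewLib) {
                // ModuleImport doubles as a pointer to the saved-bytes handle for these hook kinds.
                *(HLOCAL*)ApiHookChain[i].ModuleImport = LocalFree(*(HLOCAL*)ApiHookChain[i].ModuleImport);
                ApiHookChain[i].UnhookAddresses->CurNoAddr = 0;
            } else {
                ApiHookChain[i].dwFlags = WAS_OVERWRITE; //zero overwrite/raw hooks -> avoid double hooking
            }
        }
    }
    EstablishApiHooks(NULL, (LPCTSTR)ApiHookChain, GetCurrentProcessId(), 0);
}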
/*
 * Hook wrapper for LoadLibraryA (ApiHookChain[5]).
 *
 * Probes GetModuleHandleA() before the call so that a successful load of a
 * library that was not yet present can be passed to HookNewModule(); loads
 * of already-present libraries and failed loads leave the chain untouched.
 * NOTE(review): the probe-then-load sequence is racy if two threads load
 * the same library concurrently -- confirm this is acceptable.
 *
 * Returns the original LoadLibraryA result.
 */
HINSTANCE WINAPI NewLoadLibraryA(
    LPCSTR lpLibFileName
){
    InterlockedIncrement(&ThreadsIn);
    const BOOL WasPresent = GetModuleHandleA(lpLibFileName) != NULL;
    HINSTANCE Loaded = (HINSTANCE)CallOrigFn(ApiHookChain[5].ModuleExport,
                                             ApiHookChain[5].ApiNameOrOrd,
                                             ApiHookChain[5].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[5].dwFlags,
                                             ApiHookChain[5].ModuleImport,
                                             ApiHookChain[5].UnhookAddresses,
                                             1, &lpLibFileName);
    const BOOL FirstLoad = !WasPresent && Loaded != NULL;
    if (FirstLoad && !LikeUnhooked) {
        HookNewModule(lpLibFileName);
    }
    InterlockedDecrement(&ThreadsIn);
    return Loaded;
}
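/*
 * Hook wrapper for LoadLibraryExA (ApiHookChain[6]).
 *
 * Same first-load detection as NewLoadLibraryA, with one extra rule:
 * a module mapped as a data file is not an executable image in this
 * process, so it must not be handed to HookNewModule().
 *
 * Fix: the original compared dwFlags for equality with
 * LOAD_LIBRARY_AS_DATAFILE, so a data-file load combined with any other
 * flag (e.g. an altered search path) was still hooked. Test the bit instead.
 *
 * NOTE(review): the GetModuleHandleA probe before the load is racy under
 * concurrent loads of the same library -- confirm this is acceptable.
 *
 * Returns the original LoadLibraryExA result.
 */
HINSTANCE WINAPI NewLoadLibraryExA(
    LPCSTR lpLibFileName,
    HANDLE hFile,
    DWORD dwFlags
) {
    InterlockedIncrement(&ThreadsIn);
    HANDLE hMod = GetModuleHandleA(lpLibFileName);
    HINSTANCE Result = (HINSTANCE)CallOrigFn(ApiHookChain[6].ModuleExport,
                                             ApiHookChain[6].ApiNameOrOrd,
                                             ApiHookChain[6].dwFlags == WAS_OVERWRITE ? HOOK_OVERWRITE : ApiHookChain[6].dwFlags,
                                             ApiHookChain[6].ModuleImport,
                                             ApiHookChain[6].UnhookAddresses,
                                             3, &lpLibFileName);
    const BOOL LoadedAsData = (dwFlags & LOAD_LIBRARY_AS_DATAFILE) != 0;
    if (!LikeUnhooked && !hMod && Result && !LoadedAsData) {
        HookNewModule(lpLibFileName);
    }
    InterlockedDecrement(&ThreadsIn);
    return Result;
}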
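/*
 * Exported teardown entry: removes every hook in ApiHookChain and reports
 * how safe it is to unload this DLL afterwards.
 *
 * Sequence:
 *  1. set LikeUnhooked so the wrappers pass straight through, then wait
 *     until no thread is inside a wrapper (ThreadsIn == 0);
 *  2. restore HOOK_OVERWRITE on entries HookNewModule() marked
 *     WAS_OVERWRITE, because UnhookApis() needs the chain as it was;
 *  3. classify the unload risk from the hook kinds still present;
 *  4. UnhookApis(); on failure return ErrorOverHooked without freeing;
 *  5. release the saved-bytes buffers of OVERWRITE/RAW hooks.
 *
 * Fix: the "risky" test read `HOOK_BY_ADDRESS | HOOK_BY_ADDRESS`, so
 * BY_NAME hooks never raised ErrorUnloadRisky although the comment (and
 * HookNewModule) treat both _BY_ kinds alike.
 *
 * NOTE(review): the wait in step 1 is unbounded, unlike the 1000-iteration
 * loop used earlier in this file; a thread stuck inside a wrapper blocks
 * unloading forever. Threads may also enter a wrapper after the wait
 * completes, which is why ThreadsIn is checked again at the end.
 * NOTE(review): `(int)ModuleExport > 0` looks like a pre-NT heuristic on
 * where the exporting module is mapped -- confirm its intent.
 *
 * Returns one of the Error* codes: ErrorOverHooked, ErrorThreadsIn, or
 * the unload-risk classification (ErrorUnloaded / ErrorUnloadRisky /
 * ErrorUnloadVeryRisky).
 */
__EXPORT DWORD HooksCanUnloadNow(VOID) {
    DWORD i;
    HANDLE ModuleExport;
    DWORD ErrorUnload = ErrorUnloaded;
    LikeUnhooked = TRUE;
    while (ThreadsIn) {
        Sleep(127);
    }
    //UnhookApis requires AHChain as it was before any modification
    //from NewAPIs (LLA, LLExA) -> return zeroed HOOK_OVERWRITE:
    for (i = 1; i < NHOOKS - 1; i++) {
        if (ApiHookChain[i].dwFlags == WAS_OVERWRITE) {
            ApiHookChain[i].dwFlags = HOOK_OVERWRITE;
        }
    }
    //Report unloading hazard:
    //All OVERWRITE : unload possible
    //Any EXPORT : unload very risky (here for illustration : EXPORT can't appear in AHChain)
    //Any _BY_ : unload risky
    for (i = 0; i < NHOOKS - 1; i++) {
        if ((ApiHookChain[i].dwFlags & HOOK_EXPORT) &&
            (ModuleExport = GetModuleHandle(ApiHookChain[i].ModuleExport))) {
            if ((bIsNT) ||
                (ApiHookChain[i].dwFlags & HOOK_HARD) ||
                ((int)ModuleExport > 0)) {
                ErrorUnload = ErrorUnloadVeryRisky;
                break;
            }
        } else if (ApiHookChain[i].dwFlags & (HOOK_BY_NAME | HOOK_BY_ADDRESS)) {
            ErrorUnload = ErrorUnloadRisky;
        }
    }
    if (!UnhookApis(ApiHookChain, WHOLE_AH_CHAIN)) {
        return ErrorOverHooked;
    }
    //Free heap memory: ModuleImport doubles as a pointer to the saved-bytes
    //handle for OVERWRITE/RAW hooks; LocalFree returns NULL on success.
    for (i = 1; i < NHOOKS - 1; i++) {
        if ((ApiHookChain[i].dwFlags & (HOOK_OVERWRITE | HOOK_RAW))
            && *(HLOCAL*)(ApiHookChain[i].ModuleImport)) {
            *(HLOCAL*)(ApiHookChain[i].ModuleImport) = LocalFree(*(HLOCAL*)ApiHookChain[i].ModuleImport);
        }
    }
    if (ThreadsIn) {
        return ErrorThreadsIn;
    }
    return ErrorUnload;
}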