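#include /* <header name lost in extraction> */
#include "cenk.h"
#include "debug.h"
#include "stringutils.h"
#include /* <header name lost in extraction> */
#include /* <header name lost in extraction> */
#include /* <header name lost in extraction> */
#include "kernelmisc.h"
// NOTE(review): four angle-bracket #include names were dropped when this file
// was extracted; restore them from the original source before building.

// todo: change such that i can add hooks to a specific open handle
// or do hook checking in CreateFile -> match on devname / devtype
//
#ifdef APIHOOK_EXPORTS
#define APIHOOK_API extern "C" __declspec(dllexport)
#else
#define APIHOOK_API
#endif

int g_calls;

// DECLARE_HOOK(name, nparams, params) defines two things for the hooked API `name`:
//   int  name_nparams     - the number of parameters the real API takes; the
//                           stub generator uses it to know how many arguments
//                           to carry over;
//   void name_hook params - the logging hook. Its parameter list is the API's
//                           own parameters followed by the API's return value,
//                           because the generated stub calls the original
//                           first and then hands the result on to the hook.
#define DECLARE_HOOK(name, nparams, params) \
    int name##_nparams= nparams; \
    void name##_hook params

// Install name_hook as method number `api` of one HookedApi, or of every
// HookedApi inside a HookedApiSet.
#define HOOKAPI(ci, name, api) \
    ci.hookapi(api, (PFNVOID)name##_hook, L#name, name##_nparams);
#define HOOKAPISET(set, name, api) \
    set.hookapis(api, (PFNVOID)name##_hook, L#name, name##_nparams);

// ---- logging functions ----

// The kernel's debug printer, reached through a fixed address. This is tied
// to the kernel build the module was written against; nothing validates the
// address at run time.
#define NKvDbgPrintf (*(void (*)(const WCHAR*msg, const void *lpParms))0xF000FFA4)

// printf-style wrapper around the kernel debug printer.
void NKDbgPrintf(const WCHAR *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    NKvDbgPrintf(msg, ap);
    va_end(ap);
}

#ifdef _USE_LIST
// In-memory log sink: each formatted message is appended to g_list under g_lock.
// g_lock has to be initialised with InitializeCriticalSection() before the first
// call; as far as this file shows, StaticInit does not do that, so the build
// that selects _USE_LIST must. Nothing here ever trims g_list, so a busy hook
// set grows it without bound.
CRITICAL_SECTION g_lock;
StringList g_list;

void vapilogmsg(const WCHAR *fmt, va_list ap)
{
    EnterCriticalSection(&g_lock);
    g_list.push_back(stringvformat(fmt, ap));
    LeaveCriticalSection(&g_lock);
}
#endif

// Log sink chosen at compile time: the kernel debug printer (_USE_KLOG), the
// in-memory list (_USE_LIST), or vwdebug() otherwise. The format string is
// always a literal supplied by the hook; only the arguments come from the
// hooked caller.
void apilogmsg(const WCHAR *fmt, ...)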
{ va_list ap; va_start(ap, fmt); #if defined(_USE_KLOG) NKvDbgPrintf(fmt, ap); #elif defined(_USE_LIST) vapilogmsg(fmt, ap); #else vwdebug(fmt, ap); #endif va_end(ap); } // ---------------------- class HookedApi { private: int apiset_; PFNVOID *methods_; const PFNVOID *origmethods_; CINFO *ci_; std::vector _stubs; public: HookedApi(int apiset) { apilogmsg(L"apihook:%08lx:%08lx HookedApi(%d) constructor\n", hCurProc, hCurThread, apiset); apiset_ = apiset; methods_= NULL; origmethods_= NULL; CINFO **apisets= (CINFO **)KData.aInfo[KINX_APISETS]; apilogmsg(L"apihook:%08lx:%08lx apisets=%08lx\n", hCurProc, hCurThread, apisets); ci_= apisets[apiset_]; apilogmsg(L"apihook:%08lx:%08lx api[%d]: %08lx %d methods, svr: %08lx\n", hCurProc, hCurThread, apiset_, ci_, ci_->cMethods, ci_->pServer); } std::string asstring() { std::string tag; tag += ci_->acName[0]; tag += ci_->acName[1]; tag += ci_->acName[2]; tag += ci_->acName[3]; return tag; } HookedApi(CINFO *ci) { apilogmsg(L"apihook:%08lx:%08lx HookedApi(%d/%08x) constructor\n", hCurProc, hCurThread, ci->type, ci->pServer); apiset_ = ci->type; methods_= NULL; origmethods_= NULL; ci_= ci; apilogmsg(L"apihook:%08lx:%08lx api[%d]: %08lx %d methods, svr: %08lx\n", hCurProc, hCurThread, apiset_, ci_, ci_->cMethods, ci_->pServer); } ~HookedApi() { apilogmsg(L"apihook:%08lx:%08lx HookedApi(%d) destructor\n", hCurProc, hCurThread, apiset_); if (isHooked()) { unhook(); } } bool isHooked() const { return methods_!=NULL; } bool isEnabled() const { return isHooked() && ci_->ppfnMethods==methods_; } bool hook() { if (isHooked()) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - hook : already hooked\n", hCurProc, hCurThread, apiset_); return false; } methods_= (PFNVOID*)LocalAlloc(LPTR, sizeof(PFNVOID)*ci_->cMethods); if (methods_==NULL) { error("apihook: LocalAlloc(%d)", sizeof(PFNVOID)*ci_->cMethods); return false; } memcpy(methods_, ci_->ppfnMethods, sizeof(PFNVOID)*ci_->cMethods); origmethods_= ci_->ppfnMethods; 
apilogmsg(L"apihook:%08lx:%08lx new methods: %08lx\n", hCurProc, hCurThread, methods_); return true; } bool enable() { if (!isHooked()) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - enable : not yet hooked\n", hCurProc, hCurThread, apiset_); return false; } apilogmsg(L"enabling: changing in cinfo[%08lx] %08lx to %08lx\n", ci_, ci_->ppfnMethods, methods_); ci_->ppfnMethods= (PFNVOID*)(DWORD(methods_)|ci_->pServer->dwVMBase); apilogmsg(L"apihook:%08lx:%08lx apiset %d - enabled\n", hCurProc, hCurThread, apiset_); return true; } bool disable() { if (!isHooked()) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - disable : not yet hooked\n", hCurProc, hCurThread, apiset_); return false; } ci_->ppfnMethods= origmethods_; apilogmsg(L"apihook:%08lx:%08lx apiset %d - disabled\n", hCurProc, hCurThread, apiset_); return true; } bool unhook() { if (!isHooked()) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - unhook : is not hooked\n", hCurProc, hCurThread, apiset_); return false; } if (!disable()) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - unhook : could not disable\n", hCurProc, hCurThread, apiset_); return false; } LocalFree(methods_); methods_= NULL; origmethods_= NULL; apilogmsg(L"apihook:%08lx:%08lx apiset %d - unhooked\n", hCurProc, hCurThread, apiset_); return true; } PFNVOID create_stub(PFNVOID orig, PFNVOID hook, int nparams) { _stubs.resize(_stubs.size()+1); DwordVector &stub= _stubs.back(); stub.reserve(32); // create stub which - calls orig, then calls hook, with result, rest of params // ; stack: [R6=origsp+R5]?, argN, .. 
[origsp]arg4, LR, R7, R6,R5,R4,R3,R2,R1, [R7=newsp]R0, ...., SP: if (nparams>4) { stub.push_back(0xE92D40FF); // STMFD SP!, {R0-R7,LR} stub.push_back(0xE3A05000+(nparams-4)*4); // MOV R5, #nstkarg*4 stub.push_back(0xE28D6024);// ADD R6, SP, #sizeof(PUSH) ; -> R6 points to 1st stack arg stub.push_back(0xE0866005);// ADD R6, R6, R5 ; -> R6 points to before last stack arg stub.push_back(0xE24DD004);// SUB SP, SP, #4 ; -> space for return value stub.push_back(0xE28D7000);// ADD R7, SP, #0x0 ; -> R7 points to before new stack area stub.push_back(0xE04DD005);// SUB SP, SP, R5 ; -> SP points to 1st new stack arg // loop: stub.push_back(0xE5364004);// LDR R4, [R6,#-4]! stub.push_back(0xE5274004);// STR R4, [R7,#-4]! stub.push_back(0xE157000D);// CMP R7, SP stub.push_back(0x1AFFFFFB);// BNE loop ; end : R7 points to SP, R6 points to origsp stub.push_back(0xE59F402c);// LDR R4, [PC, #0x2c] ; get 'orig' stub.push_back(0xE1A0E00F);// MOV LR, PC stub.push_back(0xE12FFF14);// BX R4 stub.push_back(0xE58D0000+(nparams-4)*4);// STR R0, [SP, #nstkarg*4] ; save return value stub.push_back(0xE2466024);// SUB R6, R6, #sizeof(PUSH) stub.push_back(0xE896000F);// LDMFD R6, {R0-R3} stub.push_back(0xE59F4018);// LDR R4, [PC, #0x14] ; get 'hook' stub.push_back(0xE1A0E00F);// MOV LR, PC stub.push_back(0xE12FFF14);// BX R4 stub.push_back(0xE08DD005);// ADD SP, SP, R5 stub.push_back(0xE8BD0001);// LDMFD SP!, {R0} stub.push_back(0xE28DD010);// ADD SP, SP, #0x10 ; skip saved R0-R3 stub.push_back(0xE8BD80F0);// LDMFD SP!, {R4-R7,PC} stub.push_back((DWORD)orig); stub.push_back((DWORD)hook); } else if (nparams==4) { stub.push_back(0xE92D401F);// STMFD SP!, {R0-R4,LR} stub.push_back(0xE24DD004);// SUB SP, SP, #4 ; -> space for return value stub.push_back(0xE59F4028);// LDR R4, [PC, #0x2c] ; get 'orig' stub.push_back(0xE1A0E00F);// MOV LR, PC stub.push_back(0xE12FFF14);// BX R4 stub.push_back(0xE58D0000);// STR R0, [SP] ; save return value stub.push_back(0xE28D4004);// ADD R4, SP, #4 
stub.push_back(0xE894000F);// LDMFD R4, {R0-R3} stub.push_back(0xE59F4014);// LDR R4, [PC, #0x14] ; get 'hook' stub.push_back(0xE1A0E00F);// MOV LR, PC stub.push_back(0xE12FFF14);// BX R4 stub.push_back(0xE8BD0001);// LDMFD SP!, {R0} stub.push_back(0xE28DD010);// ADD SP, SP, #0x10 ; skip saved R0-R3 stub.push_back(0xE8BD8010);// LDMFD SP!, {R4,PC} stub.push_back((DWORD)orig); stub.push_back((DWORD)hook); } else if (nparams<4) { DWORD regbits= (1< space for return value stub.push_back(0xE59F4020+(regbits?4:0)+(nparams?8:0));// LDR R4, [PC, #0x2c] ; get 'orig' stub.push_back(0xE1A0E00F);// MOV LR, PC stub.push_back(0xE12FFF14);// BX R4 stub.push_back(0xE58D0000);// STR R0, [SP] ; save return value if (nparams) stub.push_back(0xE1A00000+(nparams<<12));// MOV Rn, R0 stub.push_back(0xE28D4004);// ADD R4, SP, #4 if (regbits) stub.push_back(0xE8940000|regbits);// LDMFD R4, {R0-Rn} stub.push_back(0xE59F4010+(nparams?4:0));// LDR R4, [PC, #0x14] ; get 'hook' stub.push_back(0xE1A0E00F);// MOV LR, PC stub.push_back(0xE12FFF14);// BX R4 stub.push_back(0xE8BD0001);// LDMFD SP!, {R0} if (nparams) stub.push_back(0xE28DD000+4*nparams);// ADD SP, SP, #nparams*4; skip saved R0-R3 stub.push_back(0xE8BD8010);// LDMFD SP!, {R4,PC} stub.push_back((DWORD)orig); stub.push_back((DWORD)hook); } CacheRangeFlush(0, 0, CACHE_SYNC_ALL); return (PFNVOID)&stub.front(); } bool hookapi(int api, PFNVOID hook, const WCHAR*name, int nparams) { if (!isHooked()) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - hookapi : not yet hooked\n", hCurProc, hCurThread, apiset_); return false; } if (api<0 || api >= ci_->cMethods) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - unhookapi : invalid apinr %d\n", hCurProc, hCurThread, apiset_, api); return false; } if (methods_[api]!=origmethods_[api]) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - hookapi(%d) : already hooked to %08lx\n", hCurProc, hCurThread, apiset_, api, methods_[api]); return false; } methods_[api]= create_stub(origmethods_[api], 
hook, nparams); apilogmsg(L"HOOKED %08lx->%08lx->%08lx %3d %s\n", origmethods_[api], methods_[api], hook, api, name); \ return true; } bool unhookapi(int api) { if (!isHooked()) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - unhookapi : not yet hooked\n", hCurProc, hCurThread, apiset_); return false; } if (api<0 || api >= ci_->cMethods) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - unhookapi : invalid apinr %d\n", hCurProc, hCurThread, apiset_, api); return false; } if (methods_[api]==origmethods_[api]) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - unhookapi(%d) : already unhooked\n", hCurProc, hCurThread, apiset_, api); return false; } methods_[api] = origmethods_[api]; return true; } PFNVOID origapi(int api) const { if (!isHooked()) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - origapi : not yet hooked\n", hCurProc, hCurThread, apiset_); return NULL; } if (api<0 || api >= ci_->cMethods) { apilogmsg(L"apihook:%08lx:%08lx ERROR: apiset %d - origapi : invalid apinr %d\n", hCurProc, hCurThread, apiset_, api); return NULL; } return origmethods_[api]; } }; typedef std::vector CINFOPtr_list; typedef std::map API_map; API_map g_apimap; class HookedApiSet { typedef std::vector HookedApi_list; int _type; HookedApi_list _apis; bool _ishooked; bool _isenabled; public: HookedApiSet(int type) { _ishooked= false; _isenabled= false; _type= type; API_map::iterator i= g_apimap.find(type); if (i==g_apimap.end()) { apilogmsg(L"HookedApiSet(%d) -> none found\n", type); return; } CINFOPtr_list& apiset= (*i).second; for (int j= 0 ; jpServer->hProc==hCurProc) _apis.push_back(HookedApi(apiset[j])); else { apilogmsg(L"apihookset: not handling apiset %08x [hproc=%08x]\n", apiset[j], apiset[j]->pServer->hProc); } } } ~HookedApiSet() { apilogmsg(L"apihookset:%08lx:%08lx HookedApi(%d) destructor\n", hCurProc, hCurThread, _type); if (isHooked()) { unhook(); } } bool isHooked() const { return _ishooked; } bool isEnabled() const { return _isenabled; } bool hook() { 
bool ok= true; for (int j=0 ; j<_apis.size() ; j++) { if (!_apis[j].hook()) { apilogmsg(L"apihookset[%d] error hooking %hs\n", _type, _apis[j].asstring().c_str()); ok= false; } } _ishooked= true; return ok; } bool unhook() { bool ok= true; for (int j=0 ; j<_apis.size() ; j++) { if (!_apis[j].unhook()) { apilogmsg(L"apihookset[%d] error unhooking %hs\n", _type, _apis[j].asstring().c_str()); ok= false; } } _ishooked= false; return ok; } bool enable() { bool ok= true; for (int j=0 ; j<_apis.size() ; j++) { if (!_apis[j].enable()) { apilogmsg(L"apihookset[%d] error enabling %hs\n", _type, _apis[j].asstring().c_str()); ok= false; } } _isenabled= true; return ok; } bool disable() { bool ok= true; for (int j=0 ; j<_apis.size() ; j++) { if (!_apis[j].disable()) { apilogmsg(L"apihookset[%d] error disabling %hs\n", _type, _apis[j].asstring().c_str()); ok= false; } } _isenabled= false; return ok; } bool hookapis(int api, PFNVOID hook, const WCHAR*name, int nparams) { bool ok= true; for (int j=0 ; j<_apis.size() ; j++) { if (!_apis[j].hookapi(api, hook, name, nparams)) ok= false; } return ok; } }; class StaticInit { public: StaticInit() { #if !defined(_USE_KLOG) DebugSetLogfile("hook.log"); #endif apilogmsg(L"apihook:%08lx:%08lx static init\n", hCurProc, hCurThread); BOOL bMode = SetKMode(TRUE); DWORD dwPerm = SetProcPermissions(0xFFFFFFFF); } }; StaticInit _init_; #ifdef HOOKW32A HookedApi w32a(SH_FILESYS_APIS); // 20 #endif #ifdef HOOKGDI HookedApi gdi(SH_GDI); // 16 #endif #ifdef HOOKWMGR HookedApi wmgr(SH_WMGR); // 17 #endif #ifdef HOOKW32H HookedApiSet w32h(HT_FILE); // 7 #endif #ifdef HOOKDBOA HookedApiSet dboa(HT_DBFILE); // 9 #endif #ifdef HOOKW32S HookedApi w32s(SH_WIN32); // 0 #endif int nyble2hexchar(int n) { return n<0?'?':n<10?('0'+n) : n<16 ? 
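(n-10+'a') : '?';
}

// Write the two hex digits of b at p[0..1]. Returns the number of chars written (2).
int byte2hexchars(BYTE b, char *p)
{
    p[0]= nyble2hexchar((b>>4)&0xf);
    p[1]= nyble2hexchar(b&0xf);
    return 2;
}

// Write the four hex digits of w at p[0..3], high byte first. Returns 4.
// The low byte has to land at p+2: writing both bytes at p left p[2..3]
// unset and overwrote the high byte with the low one.
int word2hexchars(WORD w, char *p)
{
    int ofs= byte2hexchars((BYTE)(w>>8), p);
    ofs+= byte2hexchars((BYTE)w, p+ofs);
    return ofs;
}

// Write the eight hex digits of d at p[0..7], high word first. Returns 8.
int dword2hexchars(DWORD d, char *p)
{
    int ofs= word2hexchars((WORD)(d>>16), p);
    ofs+= word2hexchars((WORD)d, p+ofs);
    return ofs;
}

// Terminate a hex dump in buf: append "..." when `truncated` says the input did
// not fit, then a NUL. Every caller bounds its loop so that these four bytes
// still fit inside its 256-byte buffer.
static void finishhexdump(char *buf, int ofs, bool truncated)
{
    if (truncated) {
        buf[ofs++]= '.';
        buf[ofs++]= '.';
        buf[ofs++]= '.';
    }
    buf[ofs]= 0;
}

// Render the data buffer of a registry call as space-separated hex bytes for
// logging. Returns "[ERROR]" when the call failed, "" when there is no data,
// otherwise a pointer to a static buffer holding roughly the first 80 bytes,
// followed by "..." when the data was cut short.
//
// pType is accepted to mirror the Reg* signatures but is not used.
//
// NOTE(review): the static buffer is shared by every caller, and the hooks run
// on whichever thread made the registry call, so two concurrent calls can
// interleave their output. pData and *pSize come straight from the hooked
// caller; StaticInit calls SetKMode(TRUE) and SetProcPermissions(0xFFFFFFFF),
// so nothing stops a bad pointer from being read here.
const char *decoderegistrydata(HRESULT result, const BYTE *pData, DWORD *pSize, DWORD *pType)
{
    if (result!=0)
        return "[ERROR]";
    if (pSize==0 || pData==0)
        return "";
    DWORD size= *pSize;
    if (size==0)
        return "";

    static char charbuf[256];
    int ofs=0;
    // 1 separator + 2 digits per byte; stop while "..." and the NUL still fit.
    while (ofs+8<256 && size) {
        if (ofs)
            charbuf[ofs++]=' ';
        ofs+= byte2hexchars(*pData++, charbuf+ofs);
        size--;
    }
    finishhexdump(charbuf, ofs, size!=0);
    return charbuf;
}

// Render n property ids as space-separated 8-digit hex values for logging.
// Returns a pointer to a static buffer (same sharing caveat as
// decoderegistrydata); the list is cut short with "..." once about 28 ids
// have been written.
const char *decodepropidlist(CEPROPID *pid, int n)
{
    static char charbuf[256];
    int ofs=0;
    // 1 separator + 8 digits per id; stop while "..." and the NUL still fit.
    while (ofs+12<256 && n) {
        if (ofs)
            charbuf[ofs++]= ' ';
        ofs+= dword2hexchars(*pid++, charbuf+ofs);
        n--;
    }
    finishhexdump(charbuf, ofs, n!=0);
    return charbuf;
}

// Render size bytes of a property data buffer as space-separated hex bytes for
// logging. Returns a pointer to a static buffer (same sharing caveat as
// decoderegistrydata); the dump is cut short with "..." after roughly 80 bytes.
const char *decodepropdatabuf(BYTE *buf, int size)
{
    static char charbuf[256];
    int ofs=0;
    while (ofs+12<256 && size) {
        if (ofs)
            charbuf[ofs++]= ' ';
        ofs+= byte2hexchars(*buf++, charbuf+ofs);
        size--;
    }
    finishhexdump(charbuf, ofs, size!=0);
    return charbuf;
}

// Walk the kernel handle ring that starts at the current thread's HDATA and
// register every handle whose CINFO is tagged "APIS": the APISET's CINFO is
// appended to g_apimap under its api-set type, where HookedApiSet later looks
// its type up.
//
// The ring is followed through linkage.fwd until it comes back to the starting
// entry; a NULL link also ends the walk. The previous loop kept going until the
// first matching entry had been seen, which dereferenced a NULL link and never
// terminated on a ring with no matches.
void ScanHandlesForAPIS()
{
    HDATA *hi= cvHandle2HDataPtr((HANDLE)GetCurrentThreadId());
    unsigned napis= 0;
    HDATA *ha= hi;
    while (ha!=NULL) {
        // the low two bits of hValue select the handle kind; only value 2
        // carries a CINFO we look at — TODO confirm against the kernel headers
        if ((DWORD(ha->hValue)&3)==2 && ha->pci!=NULL
                && memcmp(ha->pci->acName, "APIS", 4)==0) {
            APISET *api= (APISET*)ha->pvObj;
            g_apimap[api->cinfo.type].push_back(&(api->cinfo));
            napis++;
        }
        ha= (HDATA*)ha->linkage.fwd;
        if (ha==hi)
            break;
    }
    apilogmsg(L"found %d apis\n", napis);
}

//==================================================================
// WIN32_FS_CALL apis 'W32A'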
SH_FILESYS_APIS = 20 DECLARE_HOOK(CreateDirectory, 2, (LPCWSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes, BOOL result)) { //apilogmsg(L"apihook:++CreateDirectory\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx CreateDirectory('%ls', %08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpPathName, lpSecurityAttributes, result); } DECLARE_HOOK(RemoveDirectory, 1, (LPCWSTR lpPathName, BOOL result)) { //apilogmsg(L"apihook:++RemoveDirectory\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx RemoveDirectory('%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpPathName, result); } DECLARE_HOOK(MoveFile, 2, (LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, BOOL result)) { //apilogmsg(L"apihook:++MoveFile\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx MoveFile('%ls', '%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpExistingFileName, lpNewFileName, result); } DECLARE_HOOK(CopyFile, 3, (LPCTSTR lpszExistingFile, LPCTSTR lpszNewFile, BOOL fFailIfExists, BOOL result)) { //apilogmsg(L"apihook:++CopyFile\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx CopyFile('%ls', '%ls', %d)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpszExistingFile, lpszNewFile, fFailIfExists, result); } DECLARE_HOOK(DeleteFile, 1, (LPCWSTR lpFileName, BOOL result)) { //apilogmsg(L"apihook:++DeleteFile\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx DeleteFile('%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpFileName, result); } DECLARE_HOOK(CreateFile, 7, (LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile, HANDLE result)) { //apilogmsg(L"apihook:++CreateFile\n"); if (hCurProc!= GetCallerProcess()) apilogmsg(L"%08lx:apihook:%08lx->%08lx CreateFile('%ls', %08lx %08lx %08lx %08lx %08lx, %08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, 
dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile, result); } DECLARE_HOOK(DeleteAndRenameFile, 2, (LPCWSTR lpszOldFile, LPCWSTR lpszNewFile, BOOL result)) { //apilogmsg(L"apihook:++DeleteAndRenameFile\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx DeleteAndRenameFile('%ls', '%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpszOldFile, lpszNewFile, result); } DECLARE_HOOK(RegCreateKeyEx, 9, (HKEY hKey, LPCWSTR lpSubKey, DWORD Reserved, LPWSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition, LONG result)) { //apilogmsg(L"apihook:++RegCreateKeyEx\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx RegCreateKeyEx(%08lx, '%ls', %08lx, %08lx('%ls'), %08lx, %08lx, %08lx, %08lx=%08lx, %08lx=%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, lpSubKey, Reserved, lpClass, lpClass?lpClass:L"", dwOptions, samDesired, lpSecurityAttributes, phkResult, phkResult?*phkResult:0, lpdwDisposition?*lpdwDisposition:0, result); } DECLARE_HOOK(RegDeleteKey, 2, (HKEY hKey, LPCWSTR lpSubKey, LONG result)) { //apilogmsg(L"apihook:++RegDeleteKey\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx RegDeleteKey(%08lx, '%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, lpSubKey, result); } DECLARE_HOOK(RegDeleteValue, 2, (HKEY hKey, LPCWSTR lpValueName, LONG result)) { //apilogmsg(L"apihook:++RegDeleteValue\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx RegDeleteValue(%08lx, '%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, lpValueName, result); } DECLARE_HOOK(RegEnumValue, 8, (HKEY hKey, DWORD dwIndex, LPWSTR lpValueName, LPDWORD lpcbValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData, LONG result)) { //apilogmsg(L"apihook:++RegEnumValue\n"); // caller curproc hkey index valname cbvalname res ---lptype-- data ---cbdata-- apilogmsg(L"%08lx:apihook:%08lx->%08lx RegEnumValue(%08lx, %08lx, '%ls', %08lx=%08lx, %08lx, %08lx=%08lx, 
%08lx[%hs], %08lx=%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, dwIndex, result==ERROR_NO_MORE_ITEMS?L"__NOMOREITEMS__":result!=0?L"__ERROR__":lpValueName, lpcbValueName, lpcbValueName?*lpcbValueName:0, lpReserved, lpType, lpType?*lpType:0, lpData, decoderegistrydata(result, lpData, lpcbData, lpType), lpcbData, lpcbData?*lpcbData:0, result); } DECLARE_HOOK(RegEnumKeyEx, 8, (HKEY hKey, DWORD dwIndex, LPWSTR lpName, LPDWORD lpcbName, LPDWORD lpReserved, LPWSTR lpClass, LPDWORD lpcbClass, PFILETIME lpftLastWriteTime, LONG result)) { //apilogmsg(L"apihook:++RegEnumKeyEx\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx RegEnumKeyEx(%08lx, %08lx, '%ls', %08lx=%08lx, %08lx, '%ls', %08lx=%08lx, pft=%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, dwIndex, result==ERROR_NO_MORE_ITEMS?L"__NOMOREITEMS__":result!=0?L"__ERROR__":lpName, lpcbName, lpcbName?*lpcbName:0, lpReserved, lpClass, lpcbClass, lpcbClass?*lpcbClass:0, lpftLastWriteTime, result); } DECLARE_HOOK(RegOpenKeyEx, 5, (HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult, LONG result)) { //apilogmsg(L"apihook:++RegOpenKeyEx\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx RegOpenKeyEx(%08lx, '%ls', %08lx, %08lx, %08lx=%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, lpSubKey, ulOptions, samDesired, phkResult, phkResult?*phkResult:0, result); } DECLARE_HOOK(RegQueryInfoKey, 12, (HKEY hKey, LPWSTR lpClass, LPDWORD lpcbClass, LPDWORD lpReserved, LPDWORD lpcSubKeys, LPDWORD lpcbMaxSubKeyLen, LPDWORD lpcbMaxClassLen, LPDWORD lpcValues, LPDWORD lpcbMaxValueNameLen, LPDWORD lpcbMaxValueLen, LPDWORD lpcbSecurityDescriptor, PFILETIME lpftLastWriteTime, LONG result)) { //apilogmsg(L"apihook:++RegQueryInfoKey\n"); apilogmsg(L"%08lx:apihook:%08lx->%08lx RegQueryInfoKey(%08lx, '%ls', %08lx=%08lx, %08lx, %08lx=%08lx, %08lx=%08lx, %08lx=%08lx, %08lx=%08lx, %08lx=%08lx, %08lx=%08lx, %08lx=%08lx, %08lx=%08lx)= %08lx\n", GetTickCount(), 
GetCallerProcess(), hCurProc, hKey, lpClass, lpcbClass, lpcbClass?*lpcbClass:0, lpReserved, lpcSubKeys, lpcSubKeys?*lpcSubKeys:0, lpcbMaxSubKeyLen, lpcbMaxSubKeyLen?*lpcbMaxSubKeyLen:0, lpcbMaxClassLen, lpcbMaxClassLen?*lpcbMaxClassLen:0, lpcValues, lpcValues?*lpcValues:0, lpcbMaxValueNameLen, lpcbMaxValueNameLen?*lpcbMaxValueNameLen:0, lpcbMaxValueLen, lpcbMaxValueLen?*lpcbMaxValueLen:0, lpcbSecurityDescriptor, lpcbSecurityDescriptor?*lpcbSecurityDescriptor:0, lpftLastWriteTime, lpftLastWriteTime?lpftLastWriteTime->dwLowDateTime:0, result); } DECLARE_HOOK(RegQueryValueEx, 6, (HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData, LONG result)) { //apilogmsg(L"apihook:++RegQueryValueEx\n"); // caller curproc key valnam reserved type----- data ---cbsize-- result apilogmsg(L"%08lx:apihook:%08lx->%08lx RegQueryValueEx(%08lx, '%ls', %08lx('%ls'), %08lx=%08lx, %08lx[%hs]:%08lx=%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, lpValueName, lpReserved, (IsBadReadPtr(lpReserved, 2)?L"":(LPCWSTR)lpReserved), lpType, lpType?*lpType:0, lpData, decoderegistrydata(result, lpData, lpcbData, lpType), lpcbData, lpcbData?*lpcbData:0, result); } DECLARE_HOOK(RegSetValueEx, 6, (HKEY hKey, LPCWSTR lpValueName, DWORD Reserved, DWORD dwType, CONST BYTE* lpData, DWORD cbData, LONG result)) { //apilogmsg(L"apihook:++RegSetValueEx\n"); // caller curproc key valnam reserved type data cbsize result apilogmsg(L"%08lx:apihook:%08lx->%08lx RegSetValueEx(%08lx, '%ls', %08lx, %08lx, %08lx[%hs]:%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, lpValueName, Reserved, dwType, lpData, decoderegistrydata(0, lpData, &cbData, &dwType), cbData, result); } DECLARE_HOOK(RegCloseKey, 1, (HKEY hKey, LONG result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx RegCloseKey(%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, result); } DECLARE_HOOK(RegCopyFile, 1, (LPCWSTR szFile, BOOL result)) { 
apilogmsg(L"%08lx:apihook:%08lx->%08lx RegCopyFile('%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, szFile, result); } DECLARE_HOOK(RegRestoreFile, 1, (LPCWSTR szFile, BOOL result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx RegRestoreFile('%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, szFile, result); } DECLARE_HOOK(RegFlushKey, 1, (HKEY hKey, LONG result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx RegFlushKey(%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, result); } DECLARE_HOOK(RegSaveKey, 1, (HKEY hKey, LPCWSTR szFile, LONG result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx RegSaveKey(%08lx, '%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, szFile, result); } DECLARE_HOOK(RegReplaceKey, 4, (HKEY hKey, LPCWSTR lpszSubKey, LPCWSTR lpszNewFile, LPCWSTR lpszOldFile, LONG result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx RegReplaceKey(%08lx, '%ls', '%ls', '%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, lpszSubKey, lpszNewFile, lpszOldFile, result); } DECLARE_HOOK(CeFindFirstRegChange, 3, (HKEY hKey, BOOL bSubTree, DWORD dwFlags, HANDLE result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx CeFindFirstRegChange(%08lx, %x, %08x)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hKey, bSubTree, dwFlags, result); } DECLARE_HOOK(CeFindNextRegChange, 1, (HANDLE hNotify, BOOL result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx CeFindNextRegChange(%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hNotify, result); } DECLARE_HOOK(CeFindCloseRegChange, 1, (HANDLE hNotify, BOOL result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx CeFindCloseRegChange(%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hNotify, result); } DECLARE_HOOK(FindFirstFile, 2, (LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData, HANDLE result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx FindFirstFile('%ls', %08x['%ls'])= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpFileName, 
lpFindFileData, lpFindFileData->cFileName, result); } DECLARE_HOOK(CheckPassword, 1, (LPWSTR lpszPassword, BOOL result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx CheckPassword('%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpszPassword, result); } DECLARE_HOOK(FindFirstFileEx, 6, (LPCWSTR lpFileName, FINDEX_INFO_LEVELS fInfoLevelId, LPVOID lpFindFileData, FINDEX_SEARCH_OPS fSearchOp, LPVOID lpSearchFilter, DWORD dwAdditionalFlags, HANDLE result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx FindFirstFileEx('%ls', ...)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpFileName, result); } DECLARE_HOOK(SignalStarted, 1, (DWORD id, LONG result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx SignalStarted(%d)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, id, result); } DECLARE_HOOK(CreateMsgQueue, 2, (LPCWSTR lpName, LPMSGQUEUEOPTIONS lpOptions, HANDLE result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx CreateMsgQueue('%ls', ...)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpName, result); } DECLARE_HOOK(OpenMsgQueue, 3, (HANDLE hSrcProc, HANDLE hMsgQ, LPMSGQUEUEOPTIONS lpOptions, HANDLE result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx OpenMsgQueue(%08x, %08x, ...)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hSrcProc, hMsgQ, result); } DECLARE_HOOK(FindFirstChangeNotification, 3, (LPCWSTR lpPath, BOOL bSubTree, DWORD dwFlags, HANDLE result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx FindFirstChangeNotification('%ls', %d, %08x)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpPath, bSubTree, dwFlags, result); } DECLARE_HOOK(FindNextChangeNotification, 1, (HANDLE hNotify, BOOL result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx FindNextChangeNotification(%08x)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hNotify, result); } DECLARE_HOOK(FindCloseChangeNotification, 1, (HANDLE hNotify, BOOL result)) { apilogmsg(L"%08lx:apihook:%08lx->%08lx FindCloseChangeNotification(%08x)= %08lx\n", GetTickCount(), 
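GetCallerProcess(), hCurProc, hNotify, result); }

// Every DECLARE_HOOK below is a post-call logger: the stub hands the hook the
// API's parameters followed by the API's return value (`result`), and the hook
// only writes one apilogmsg() line. The second DECLARE_HOOK argument is the
// number of API parameters, i.e. the parameter list minus the trailing
// `result`; every hook in this file keeps the two in sync.
DECLARE_HOOK(CeGetFileNotificationInfo, 6, (HANDLE hNotify, DWORD dwFlags, LPVOID lpBuffer, DWORD nBufferLength, LPDWORD lpBytesReturned, LPDWORD lpBytesAvailable, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx->%08lx CeGetFileNotificationInfo(%08x, %08x, ...)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hNotify, dwFlags, result);
}

DECLARE_HOOK(RequestDeviceNotifications, 3, (const GUID* devclass, HANDLE hMsgQ, BOOL fAll, HANDLE result))
{
    apilogmsg(L"%08lx:apihook:%08lx->%08lx RequestDeviceNotifications(%s, %08x, %d)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, GuidToString(devclass).c_str(), hMsgQ, fAll, result);
}

DECLARE_HOOK(StopDeviceNotifications, 1, (HANDLE h, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx->%08lx StopDeviceNotifications(%08x)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, h, result);
}

DECLARE_HOOK(AdvertiseInterface, 4, (const GUID* devclass, LPCWSTR pszName, DWORD dwReserved, BOOL fAll, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx->%08lx AdvertiseInterface(%s, '%ls', %x, %x)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, GuidToString(devclass).c_str(), pszName, dwReserved, fAll, result);
}

// gdi hooks

// The RECT pointers logged by the gdi hooks are whatever the caller passed to
// the API; for ExtTextOut and TrackPopupMenuEx that argument is optional and
// may be NULL, and a NULL passed by a buggy caller would otherwise fault inside
// the hook rather than in the caller. Log an all-zero rectangle instead.
static const RECT g_emptyrect = { 0, 0, 0, 0 };

static const RECT *rect_or_empty(const RECT *r)
{
    return r ? r : &g_emptyrect;
}

DECLARE_HOOK(DrawText, 5, (HDC hdc,LPCWSTR text,int i,RECT *r,UINT u, int result))
{
    const RECT *rc = rect_or_empty(r);
    apilogmsg(L"%08lx:apihook:%08lx-%08lx DrawText('%ls',%d,[%d,%d,%d,%d],%u) -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, text, i, rc->left,rc->top,rc->right,rc->bottom, u, result);
}

DECLARE_HOOK(ExtTextOut, 8, (HDC hdc,int i1,int i2,UINT u1,CONST RECT *r,LPCWSTR text,UINT u2,CONST INT *pi, BOOL result))
{
    const RECT *rc = rect_or_empty(r);
    apilogmsg(L"%08lx:apihook:%08lx-%08lx ExtTextOut(%d,%d,%u,[%d,%d,%d,%d],'%ls',%u) -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, i1,i2,u1, rc->left,rc->top,rc->right,rc->bottom, text,u2, result);
}

DECLARE_HOOK(CreatePopupMenu, 0, (HMENU result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx CreatePopupMenu() -> %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, result);
}

DECLARE_HOOK(TrackPopupMenuEx, 7, (HMENU hMenu, UINT uFlags, int x, int y, int nReserved, HWND hWnd, CONST RECT *prcRect, BOOL result))
{
    const RECT *rc = rect_or_empty(prcRect);
    apilogmsg(L"%08lx:apihook:%08lx-%08lx TrackPopupMenuEx(%08lx, %x,[%d,%d], %08lx, [%d,%d,%d,%d]) -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, hMenu, uFlags, x,y, hWnd, rc->left,rc->top,rc->right,rc->bottom, result);
}

DECLARE_HOOK(CreateMenu, 0, (HMENU result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx CreateMenu() -> %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, result);
}

DECLARE_HOOK(DrawMenuBar, 1, (HWND hWnd, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx DrawMenuBar(%08lx) -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, hWnd, result);
}

DECLARE_HOOK(SetAssociatedMenu, 2, (HWND hWnd, HMENU hMenu, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx SetAssociatedMenu(%08lx,%08lx) -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, hWnd, hMenu, result);
}

// wmgr hooks
DECLARE_HOOK(SetWindowText, 2, (HWND hwnd, LPCWSTR text, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx SetWindowText(%08lx, '%ls') -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, hwnd, text, result);
}

// SetDlgItemText, PostMessage and SendMessage previously declared 2 parameters
// while their parameter lists carry 3, 4 and 4; the counts now follow the same
// rule as every other hook in this file.
// NOTE(review): confirm against HookedApi::hookapi's stub that this is what
// fixes the mis-aligned argument values in those log lines.
DECLARE_HOOK(SetDlgItemText, 3, (HWND hDlg, int nIDDlgItem, LPCWSTR lpString, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx SetDlgItemText(%08lx, %04x, '%ls') -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, hDlg, nIDDlgItem,lpString, result);
}

DECLARE_HOOK(PostMessage, 4, (HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx PostMessage(%08lx, %08x, %08x, %08x) -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, hWnd, Msg, wParam, lParam, result);
}

DECLARE_HOOK(SendMessage, 4, (HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam, LRESULT result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx SendMessage(%08lx, %08x, %08x, %08x) -> %08x\n", GetTickCount(), GetCallerProcess(), hCurProc, hWnd, Msg, wParam, lParam, result);
}

DECLARE_HOOK(SetForegroundWindow, 1, (HWND hWnd, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx-%08lx SetForegroundWindow(%08lx) -> %d\n", GetTickCount(), GetCallerProcess(), hCurProc, hWnd, result);
}

//==================================================================
// WIN32_FILE_CALL apis 'W32H' HT_FILE = 7
DECLARE_HOOK(DeviceIoControl, 8, (HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuf, DWORD nInBufSize, LPVOID lpOutBuf, DWORD nOutBufSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped, BOOL result))
{
    // lpBytesReturned is optional for the caller; only read it when present.
    apilogmsg(L"%08lx:apihook:%08lx->%08lx DeviceIoControl(%08lx, %08lx, %08lx:%08lx, %08lx:%08lx -> %08lx=%08lx, %08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hDevice, dwIoControlCode, lpInBuf, nInBufSize, lpOutBuf, nOutBufSize, lpBytesReturned, lpBytesReturned?*lpBytesReturned:0, lpOverlapped, result);
}

//==================================================================
// WIN32_DBFILE_CALL apis 'DBOA' HT_DBFILE = 9
DECLARE_HOOK(CeReadRecordPropsEx, 7, (HANDLE hDbase, DWORD dwFlags, LPWORD lpcPropID, CEPROPID *rgPropID, LPBYTE *lplpBuffer, LPDWORD lpcbBuffer, HANDLE hHeap, CEOID result))
{
    apilogmsg(L"%08lx:apihook:%08lx->%08lx CeReadRecordPropsEx(%08lx, %08lx, %08lx:%08lx, %08lx:%08lx -> %08lx:%08lx, %08lx:%08lx, %08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, hDbase, dwFlags, lpcPropID, lpcPropID?*lpcPropID:0, rgPropID, rgPropID?*rgPropID:0, lplpBuffer, lplpBuffer?*lplpBuffer:0, lpcbBuffer, lpcbBuffer?*lpcbBuffer:0, hHeap, result);
    // Both decoders are only fed pointers and counts the caller actually
    // supplied; an absent or empty list/buffer produces no extra line.
    if (lpcPropID && *lpcPropID && rgPropID)
        apilogmsg(L" propids: %s\n", decodepropidlist(rgPropID, *lpcPropID));
    if (lpcbBuffer && *lpcbBuffer && lplpBuffer && *lplpBuffer)
        apilogmsg(L" propdat: %s\n", decodepropdatabuf(*lplpBuffer, *lpcbBuffer));
}

//==================================================================
// WIN32_CALL apis 'Wn32' SH_WIN32 = 0
//HOOKAPI(wn32, KernelIoControl, 99);
DECLARE_HOOK(KernelIoControl, 6, (DWORD dwIoControlCode, LPVOID lpInBuf, DWORD nInBufSize, LPVOID lpOutBuf, DWORD nOutBufSize, LPDWORD lpBytesReturned, BOOL result))
{
    apilogmsg(L"%08lx:apihook:%08lx->%08lx KernelIoControl(%08lx, %08lx:%08lx, %08lx:%08lx -> %08lx=%08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, dwIoControlCode, lpInBuf, nInBufSize, lpOutBuf, nOutBufSize, lpBytesReturned, lpBytesReturned?*lpBytesReturned:0, result);
}

DECLARE_HOOK(CreateProcess, 10, (LPCWSTR lpszImageName, LPCWSTR lpszCommandLine, LPSECURITY_ATTRIBUTES lpsaProcess, LPSECURITY_ATTRIBUTES lpsaThread, BOOL fInheritHandles, DWORD fdwCreate, LPVOID lpvEnvironment, LPWSTR lpszCurDir, LPSTARTUPINFO lpsiStartInfo, LPPROCESS_INFORMATION lppiProcInfo, BOOL result))
{
    // Only the image, command line and the new process handle are logged;
    // lppiProcInfo is optional, hence the guard.
    apilogmsg(L"%08lx:apihook:%08lx->%08lx CreateProcess('%ls', '%ls' -> %08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpszImageName, lpszCommandLine, lppiProcInfo?lppiProcInfo->hProcess:0, result);
}

// The file name is formatted with %ls, so the parameter is declared as the
// wide string it is (it was LPCSTR before, which contradicted the format and
// the LPCWSTR used by CreateProcess above).
DECLARE_HOOK(LoadLibrary, 1, (LPCWSTR lpLibFileName, HINSTANCE result))
{
    apilogmsg(L"%08lx:apihook:%08lx->%08lx LoadLibrary('%ls')= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpLibFileName, result);
}

DECLARE_HOOK(LoadLibraryEx, 3, (LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags, HMODULE result))
{
    apilogmsg(L"%08lx:apihook:%08lx->%08lx LoadLibraryEx('%ls', %08lx, %08lx)= %08lx\n", GetTickCount(), GetCallerProcess(), hCurProc, lpLibFileName, hFile, dwFlags, result);
}

// Installs every compiled-in hook set (HOOKW32A, HOOKGDI, HOOKWMGR, HOOKW32H,
// HOOKDBOA, HOOKW32S): first hook() each set, register the individual hooks
// by API index, then enable() the sets. Always returns true; per-set failures
// are only reported through apilogmsg by HookedApi itself.
bool load_hooks()
{
    apilogmsg(L"apihook:%08lx:%08lx loading hooks\n", hCurProc, hCurThread);

#ifdef HOOKW32A
    w32a.hook();
    HOOKAPI(w32a, RegOpenKeyEx, 23);
    HOOKAPI(w32a, RegQueryValueEx, 25);
    HOOKAPI(w32a, CreateFile, 9);
    HOOKAPI(w32a, CreateDirectory, 2);
    HOOKAPI(w32a, RemoveDirectory, 3);
    HOOKAPI(w32a, MoveFile, 4);
    HOOKAPI(w32a, CopyFile, 5);
    HOOKAPI(w32a, DeleteFile, 6);
    HOOKAPI(w32a, DeleteAndRenameFile, 43);
    HOOKAPI(w32a, RegCreateKeyEx, 18);
    HOOKAPI(w32a, RegDeleteKey, 19);
    HOOKAPI(w32a, RegDeleteValue, 20);
    HOOKAPI(w32a, RegEnumValue, 21);
    HOOKAPI(w32a, RegEnumKeyEx, 22);
    HOOKAPI(w32a, RegQueryInfoKey, 24);
    HOOKAPI(w32a, RegSetValueEx, 26);
    HOOKAPI(w32a, RegCloseKey, 17);
    HOOKAPI(w32a, RegCopyFile, 41);
    HOOKAPI(w32a, RegRestoreFile, 44);
    HOOKAPI(w32a, RegFlushKey, 49);
    HOOKAPI(w32a, RegSaveKey, 64);
    HOOKAPI(w32a, RegReplaceKey, 65);
    HOOKAPI(w32a, CeFindFirstRegChange, 104);
    HOOKAPI(w32a, CeFindNextRegChange , 105);
    HOOKAPI(w32a, CeFindCloseRegChange, 106);
    HOOKAPI(w32a, FindFirstFile, 8);
    HOOKAPI(w32a, CheckPassword, 29);
    HOOKAPI(w32a, FindFirstFileEx, 63);
    HOOKAPI(w32a, SignalStarted, 66);
    HOOKAPI(w32a, CreateMsgQueue, 79);
    HOOKAPI(w32a, OpenMsgQueue, 80);
    HOOKAPI(w32a, FindFirstChangeNotification, 88);
    HOOKAPI(w32a, FindNextChangeNotification, 89);
    HOOKAPI(w32a, FindCloseChangeNotification, 90);
    HOOKAPI(w32a, CeGetFileNotificationInfo, 91);
    HOOKAPI(w32a, RequestDeviceNotifications, 92);
    HOOKAPI(w32a, StopDeviceNotifications, 93);
    HOOKAPI(w32a, AdvertiseInterface, 94);
#endif

#ifdef HOOKGDI
    gdi.hook();
    HOOKAPI(gdi, DrawText, 16);
    HOOKAPI(gdi, ExtTextOut, 21);
    HOOKAPI(gdi, CreatePopupMenu, 58);
    HOOKAPI(gdi, TrackPopupMenuEx, 63);
    HOOKAPI(gdi, CreateMenu, 133);
    HOOKAPI(gdi, DrawMenuBar, 223);
    HOOKAPI(gdi, SetAssociatedMenu, 221);
#endif

#ifdef HOOKWMGR
    wmgr.hook();
    HOOKAPI(wmgr, SetWindowText, 34);
    HOOKAPI(wmgr, SetDlgItemText, 231);
    HOOKAPI(wmgr, PostMessage, 5);
    HOOKAPI(wmgr, SendMessage, 7);
#endif

#ifdef HOOKW32H
    w32h.hook();
    HOOKAPISET(w32h, DeviceIoControl, 11);
#endif

#ifdef HOOKDBOA
    dboa.hook();
    HOOKAPISET(dboa, CeReadRecordPropsEx, 4);
#endif

#ifdef HOOKW32S
    // note: kernel hooking is really done in 'stackdumper.cpp'
    w32s.hook();
    HOOKAPI(w32s, CreateProcess, 53);
    HOOKAPI(w32s, LoadLibrary, 8);
    HOOKAPI(w32s, LoadLibraryEx, 148);
#endif

    apilogmsg(L"apihook:%08lx:%08lx enabling hooks\n", hCurProc, hCurThread);

#ifdef HOOKW32A
    w32a.enable();
#endif
#ifdef HOOKGDI
    gdi.enable();
#endif
#ifdef HOOKWMGR
    wmgr.enable();
#endif
#ifdef HOOKW32H
    w32h.enable();
#endif
#ifdef HOOKDBOA
    dboa.enable();
#endif
#ifdef HOOKW32S
    w32s.enable();
#endif

    return true;
}

// Disables every compiled-in hook set. The sets stay hooked (their method
// tables are kept) until the HookedApi objects are destroyed. Always returns
// true.
bool unload_hooks()
{
#ifdef HOOKW32A
    w32a.disable();
#endif
#ifdef HOOKGDI
    gdi.disable();
#endif
#ifdef HOOKWMGR
    wmgr.disable();
#endif
#ifdef HOOKW32H
    w32h.disable();
#endif
#ifdef HOOKDBOA
    dboa.disable();
#endif
#ifdef HOOKW32S
    w32s.disable();
#endif
    return true;
}

// True when at least one compiled-in hook set is currently enabled; the
// leading `0` only gives the preprocessor-conditional `||` chain something to
// start from, so the function is false when no set is compiled in.
bool hooked()
{
    return 0
#ifdef HOOKW32A
        || w32a.isEnabled()
#endif
#ifdef HOOKGDI
        || gdi.isEnabled()
#endif
#ifdef HOOKWMGR
        || wmgr.isEnabled()
#endif
#ifdef HOOKW32H
        || w32h.isEnabled()
#endif
#ifdef HOOKDBOA
        || dboa.isEnabled()
#endif
#ifdef HOOKW32S
        || w32s.isEnabled()
#endif
        ;
}

// Exported: number of hooked calls counted in g_calls (incremented elsewhere).
APIHOOK_API int callcount()
{
    return g_calls;
}

// Exported: installs the hooks if none are enabled yet.
// Returns 0 when hooks were already enabled, 1 when they are enabled after
// loading, 2 when load_hooks() ran but nothing reports itself enabled.
APIHOOK_API int starthook()
{
    if (hooked())
        return 0;

#ifdef _USE_LIST
    InitializeCriticalSection(&g_lock);
#endif
    ScanHandlesForAPIS();
    load_hooks();
    return hooked() ? 1 : 2;
}

// Exported: disables the hooks if any are enabled.
// Returns 0 when nothing was enabled, 1 when something still reports itself
// enabled after unload_hooks(), 2 when everything is disabled.
APIHOOK_API int endhook()
{
    if (!hooked())
        return 0;

    unload_hooks();
#ifdef _USE_LIST
    DeleteCriticalSection(&g_lock);
    // NOTE(review): under _USE_LIST apilogmsg() itself appends to g_list under
    // g_lock, so this loop takes a lock that was just deleted and appends to
    // the list it is iterating. Flushing the buffered lines needs a sink that
    // does not go through apilogmsg(); left unchanged here because the
    // intended sink is not visible in this file.
    for (StringList::iterator i = g_list.begin(); i != g_list.end(); ++i)
        apilogmsg(L"apihook:%s", (*i).c_str());
#endif
    return hooked() ? 1 : 2;
}

// DLL entry point. ul_reason_for_call is not examined, so everything below
// runs on every process and thread attach/detach notification: the log file
// is (re)selected each time, and SetKMode(TRUE)/SetProcPermissions(0xFFFFFFFF)
// raise the calling thread's privileges. The previous values are captured in
// bMode/dwPerm but never restored, so the privilege change persists for the
// lifetime of the thread; that is what lets the hooks reach the kernel API
// tables, and it also means everything else running on that thread does so
// with the same privileges.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
#if !defined(_USE_KLOG)
    DebugSetLogfile("hook.log");
#endif
    BOOL bMode = SetKMode(TRUE);
    DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);
    return TRUE;
}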