// HelloDLL.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include <stdio.h> //* Pour la gestion des fichiers.
#include <imagehlp.h>
#include <stdlib.h>
#include <intrin.h>

#pragma comment (lib,"imagehlp.lib")

HANDLE g_hModule = INVALID_HANDLE_VALUE;
PROC g_OriginalCopyFileW;

PROC *AddressOfFunction;

const char *szDllName = "Advapi32.dll";

/* subtitute's functions for API hook*/
int __stdcall HookFnOpen(HKEY, LPCTSTR, DWORD, REGSAM, PHKEY);
int __stdcall HookFnClose(HKEY);
int __stdcall HookFnQuery(HKEY, LPCTSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD );
int __stdcall HookFnCreate(HKEY, LPCTSTR, ULONG, LPTSTR, ULONG, ULONG, LPSECURITY_ATTRIBUTES, PHKEY, PULONG);
int __stdcall HookFnSet(HKEY, LPCTSTR, DWORD, DWORD, BYTE*, DWORD);

bool MakeHook(FILE*, bool, PROC, PROC);

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
    
	FILE *logfile;
	fopen_s(&logfile,"C:\\logfile.log", "a");
	
	//printf(TEXT(""));
	switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
			fprintf(logfile, "DLL mapped");

			/* On lance les hooks */
			MakeHook(logfile, true, (PROC)RegQueryValueEx, (PROC)HookFnQuery);
			MakeHook(logfile, true, (PROC)RegCreateKey, (PROC)HookFnCreate);  
			MakeHook(logfile, true, (PROC)RegOpenKeyEx, (PROC)HookFnOpen);
			MakeHook(logfile, true, (PROC)RegCloseKey, (PROC)HookFnClose);

			break;
		case DLL_PROCESS_DETACH:
			fprintf(logfile, "DLL unmapped");
			break;
	}
	fclose(logfile); 
	return TRUE;
}

bool MakeHook(FILE *logFile, bool bToActive, PROC OldFunctionPointer, PROC FunctionHookPointer)
{
	if(bToActive)
	{
	   ULONG uSize;
	   HMODULE hModCaller = GetModuleHandle(NULL);	
	
	   fprintf(logFile, "\nhooked func.:\t%X\t", OldFunctionPointer);
	   fprintf(logFile, "remplace func.:\t%X\n\n", FunctionHookPointer);

	   fprintf(logFile, "Process handle:\t%X\n\n", hModCaller);


       PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
	   ImageDirectoryEntryToData(hModCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &uSize);

	   if(!pImportDesc) return FALSE;

	   // Loop through all descriptors and find the 
	   // import descriptor containing references to callee’s functions
		while (pImportDesc->Name)
		{

			PSTR pszModName = (PSTR)((PBYTE) hModCaller + pImportDesc->Name);
			
			fprintf(logFile, "DLL :\t%s\n", (char *)pszModName);
			
			if(!_strcmpi((char *)pszModName, szDllName)){
				fprintf(logFile, "PIDescriptor trouvé:\t%X\n", pImportDesc);
				fprintf(logFile, "  Name:\t\t%s\n\n", (char *)pszModName);
				fprintf(logFile, "  FirstThunk:\t%X\n\n", pImportDesc->FirstThunk);
				fprintf(logFile, "  ForwarderChain:\t%X\n\n", pImportDesc->ForwarderChain);
				fprintf(logFile, "  Orig. First thunk:\t%X\n\n", pImportDesc->OriginalFirstThunk);
				break;//Found
			}
			pImportDesc++;
		}//while
		
		// Does this module have an import section ?
		if(!pImportDesc->Name) return false;
	
	   //Get caller’s IAT 
       PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE) hModCaller + pImportDesc->FirstThunk);
	
	   PROC pfnCurrent = OldFunctionPointer;

		// Replace current function address with new one
	   while(pThunk->u1.Function!=NULL)
	   {
			// Get the address of the function address
			PROC* ppfn = (PROC*) &pThunk->u1.Function;
			// Is this the function we are looking for?
			BOOL bFound = (*ppfn == pfnCurrent);	
		   
			if(bFound)
			{
				fprintf(logFile, "  Old function:\t%X\n\n", *ppfn);
				
				MEMORY_BASIC_INFORMATION mbi;
			
				::VirtualQuery(ppfn, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
				
				// In order to provide writable access to this part of the 
				// memory we need to change the memory protection

				if (!::VirtualProtect(mbi.BaseAddress,mbi.RegionSize,PAGE_READWRITE,&mbi.Protect))
				{
					fprintf(logFile, "pas réussi à déverouiller \n");
					__debugbreak();
					return FALSE;
				}
				*ppfn = *FunctionHookPointer;
				
				
				fprintf(logFile, "  New function:\t%X\n\n", *ppfn);

				// Restore the protection back
				DWORD dwOldProtect;

				::VirtualProtect(mbi.BaseAddress,mbi.RegionSize,mbi.Protect,&dwOldProtect);
				break;
			}//if

			pThunk++;
	   }//while
	}

	return TRUE;
}

int __stdcall HookFnCreate(HKEY hKey, LPCTSTR lpSubKey, DWORD Reserved, LPTSTR lpClass, DWORD dwOptions,
						   REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
						   PHKEY phkResult, LPDWORD lpdwDisposition)
{	
	FILE *logfile;
	fopen_s(&logfile,"C:\\logfile.log", "a");
	fprintf(logfile, "fonction HookFNCreate appelée");
	fclose(logfile);

	__debugbreak();
    return 0;
}

int __stdcall HookFnOpen(HKEY g, LPCTSTR lpSubKey, DWORD e, REGSAM z, PHKEY a)
{
	FILE *logfile;
	fopen_s(&logfile,"C:\\logfile.log", "a");
	fprintf(logfile, "fonction HookFNOpen appelée");
	fclose(logfile);

    return 0;
}

int __stdcall HookFnClose(HKEY g)
{
	FILE *logfile;
	fopen_s(&logfile,"C:\\logfile.log", "a");
	fprintf(logfile, "fonction HookFNClose appelée");
	fclose(logfile);

    return 0;
}

int _stdcall HookFnQuery(HKEY hKey, LPCTSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, 
						 LPBYTE lpData, LPDWORD lpcbData)
{
	FILE *logfile;
	fopen_s(&logfile,"C:\\logfile.log", "a");
	fprintf(logfile, "fonction HookFNQuery appelée");
	fclose(logfile);
	
    return 0;
}

int _stdcall HookFnSet(HKEY, LPCTSTR, DWORD, DWORD, BYTE*, DWORD)
{
	FILE *logfile;
	fopen_s(&logfile,"C:\\logfile.log", "a");
	fprintf(logfile, "fonction HookFNSet appelée");
	fclose(logfile);
	
    return 0;
}