// HelloDLL.cpp : Defines the entry point for the DLL application.
//
// Overview: when this DLL is loaded into a process, DllMain locates the
// host executable's import descriptor for "Advapi32.dll" and overwrites the
// IAT slots of four registry exports (RegQueryValueEx, RegCreateKey,
// RegOpenKeyEx, RegCloseKey) with the HookFn* stubs below. Each stub only
// appends a line to C:\logfile.log and returns 0; none of them forwards to
// the original export, and DLL_PROCESS_DETACH does not restore the slots.
// After patching, the host's IAT entries for those exports point into this
// DLL rather than into Advapi32 — the observable side effect of the hook.
#include "stdafx.h"
#include // NOTE(review): header name lost in extraction; original comment: "for file handling" (Pour la gestion des fichiers).
#include // NOTE(review): header name lost in extraction.
#include // NOTE(review): header name lost in extraction.
#include // NOTE(review): header name lost in extraction.
#pragma comment (lib,"imagehlp.lib")

// NOTE(review): the three globals below are declared but never read or
// assigned anywhere in this file; only szDllName is used (by MakeHook).
HANDLE g_hModule = INVALID_HANDLE_VALUE;
PROC g_OriginalCopyFileW;
PROC *AddressOfFunction;
// Import descriptor name that MakeHook searches for (compared case-insensitively).
const char *szDllName = "Advapi32.dll";

/* Substitute functions for the API hook. Each has the same argument list as
   the registry export it replaces; the __stdcall calling convention matches
   the WINAPI exports so the stack is balanced on return. */
int __stdcall HookFnOpen(HKEY, LPCTSTR, DWORD, REGSAM, PHKEY);
int __stdcall HookFnClose(HKEY);
int __stdcall HookFnQuery(HKEY, LPCTSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD );
int __stdcall HookFnCreate(HKEY, LPCTSTR, ULONG, LPTSTR, ULONG, ULONG, LPSECURITY_ATTRIBUTES, PHKEY, PULONG);
int __stdcall HookFnSet(HKEY, LPCTSTR, DWORD, DWORD, BYTE*, DWORD);
// Declared and defined below, but never installed: DllMain does not call
// MakeHook for it.
bool MakeHook(FILE*, bool, PROC, PROC);

// DLL entry point. On DLL_PROCESS_ATTACH installs the four registry hooks in
// the host executable's IAT; on DLL_PROCESS_DETACH only writes a log line.
// Returns TRUE unconditionally, so a failed MakeHook never prevents the load.
// NOTE(review): fopen_s's return value is ignored; on failure it sets logfile
// to NULL, and the fprintf/fclose calls below would then receive a null
// FILE*. Writing to the root of C: may fail for a non-elevated account —
// confirm the intended log location.
// NOTE(review): the IAT slots patched at attach are not restored at detach,
// so presumably they keep pointing at this module after it is unmapped —
// verify the unload path.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    FILE *logfile;
    fopen_s(&logfile,"C:\\logfile.log", "a");
    //printf(TEXT(""));
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        fprintf(logfile, "DLL mapped");
        /* Install the hooks. The return value of each MakeHook is ignored. */
        MakeHook(logfile, true, (PROC)RegQueryValueEx, (PROC)HookFnQuery);
        MakeHook(logfile, true, (PROC)RegCreateKey, (PROC)HookFnCreate);
        MakeHook(logfile, true, (PROC)RegOpenKeyEx, (PROC)HookFnOpen);
        MakeHook(logfile, true, (PROC)RegCloseKey, (PROC)HookFnClose);
        break;
    case DLL_PROCESS_DETACH:
        // No unhook here: see the note above DllMain.
        fprintf(logfile, "DLL unmapped");
        break;
    }
    fclose(logfile);
    return TRUE;
}

// Replaces one entry of the host executable's import address table.
//   logFile             - open log stream; every step is traced to it.
//   bToActive           - when false the function does nothing and returns TRUE
//                         (there is no "deactivate" path).
//   OldFunctionPointer  - address currently stored in the IAT slot to replace
//                         (the resolved export, as seen by this DLL).
//   FunctionHookPointer - address to store in that slot instead.
// Returns FALSE if the host has no import directory, if szDllName is not
// among its import descriptors, or if the page could not be made writable;
// TRUE otherwise — including the case where no IAT slot matched
// OldFunctionPointer (the inner loop simply runs off the end).
// NOTE(review): the original slot value is not saved anywhere, so the hook
// cannot be removed and the stubs cannot forward to the real export.
// NOTE(review): pointers are printed with %X, which takes an unsigned int;
// on a 64-bit build this truncates the logged addresses — %p would be exact.
bool MakeHook(FILE *logFile, bool bToActive, PROC OldFunctionPointer, PROC FunctionHookPointer)
{
    if(bToActive)
    {
        ULONG uSize;
        // Handle of the process's main executable — that is whose IAT is patched,
        // not this DLL's.
        HMODULE hModCaller = GetModuleHandle(NULL);
        fprintf(logFile, "\nhooked func.:\t%X\t", OldFunctionPointer);
        fprintf(logFile, "remplace func.:\t%X\n\n", FunctionHookPointer);
        fprintf(logFile, "Process handle:\t%X\n\n", hModCaller);
        // Import directory of the loaded (mapped) image; NULL if absent.
        PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData(hModCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &uSize);
        if(!pImportDesc) return FALSE;
        // Walk the null-terminated descriptor array and stop at the one whose
        // name matches szDllName (case-insensitive).
        while (pImportDesc->Name)
        {
            // Name is an RVA; add the module base to get the string.
            PSTR pszModName = (PSTR)((PBYTE) hModCaller + pImportDesc->Name);
            fprintf(logFile, "DLL :\t%s\n", (char *)pszModName);
            if(!_strcmpi((char *)pszModName, szDllName)){
                fprintf(logFile, "PIDescriptor trouvé:\t%X\n", pImportDesc);
                fprintf(logFile, " Name:\t\t%s\n\n", (char *)pszModName);
                fprintf(logFile, " FirstThunk:\t%X\n\n", pImportDesc->FirstThunk);
                fprintf(logFile, " ForwarderChain:\t%X\n\n", pImportDesc->ForwarderChain);
                fprintf(logFile, " Orig. First thunk:\t%X\n\n", pImportDesc->OriginalFirstThunk);
                break;//Found
            }
            pImportDesc++;
        }//while
        // Reached the terminating descriptor without a match: the host does not
        // import szDllName, so there is nothing to patch.
        if(!pImportDesc->Name) return false;
        // FirstThunk is the RVA of the IAT for this descriptor (the array of
        // resolved function addresses the host calls through).
        PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE) hModCaller + pImportDesc->FirstThunk);
        // Alias of OldFunctionPointer; never modified.
        PROC pfnCurrent = OldFunctionPointer;
        // Scan the IAT for the slot holding OldFunctionPointer and overwrite it.
        while(pThunk->u1.Function!=NULL)
        {
            // Address of the slot itself, so it can be compared and written.
            PROC* ppfn = (PROC*) &pThunk->u1.Function;
            // Slot matches only if it holds exactly the address we were given.
            BOOL bFound = (*ppfn == pfnCurrent);
            if(bFound)
            {
                fprintf(logFile, " Old function:\t%X\n\n", *ppfn);
                MEMORY_BASIC_INFORMATION mbi;
                // Return value not checked; mbi is used below regardless.
                ::VirtualQuery(ppfn, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
                // The IAT page is not writable by default; the whole region is
                // switched to PAGE_READWRITE and its previous protection is kept
                // in mbi.Protect for the restore below.
                if (!::VirtualProtect(mbi.BaseAddress,mbi.RegionSize,PAGE_READWRITE,&mbi.Protect))
                {
                    fprintf(logFile, "pas réussi à déverouiller \n");
                    // Breakpoint exception in the host process if no debugger is attached.
                    __debugbreak();
                    return FALSE;
                }
                // Dereferencing a PROC yields a function designator that decays
                // straight back to the pointer, so this stores FunctionHookPointer.
                *ppfn = *FunctionHookPointer;
                fprintf(logFile, " New function:\t%X\n\n", *ppfn);
                // Put the original protection back; this return value is ignored.
                DWORD dwOldProtect;
                ::VirtualProtect(mbi.BaseAddress,mbi.RegionSize,mbi.Protect,&dwOldProtect);
                break;
            }//if
            pThunk++;
        }//while
    }
    return TRUE;
}

// Stub installed in place of RegCreateKey. Logs one line and returns 0 without
// creating anything: *phkResult and *lpdwDisposition are never written, yet
// the caller sees a 0 status.
// NOTE(review): __debugbreak() here raises a breakpoint exception inside the
// host process on every RegCreateKey call — presumably a leftover from
// debugging; confirm before keeping it.
int __stdcall HookFnCreate(HKEY hKey, LPCTSTR lpSubKey, DWORD Reserved, LPTSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition)
{
    FILE *logfile;
    // fopen_s result unchecked; logfile may be NULL here and in the stubs below.
    fopen_s(&logfile,"C:\\logfile.log", "a");
    fprintf(logfile, "fonction HookFNCreate appelée");
    fclose(logfile);
    __debugbreak();
    return 0;
}

// Stub installed in place of RegOpenKeyEx. Logs one line and returns 0; the
// key is not opened and *a (the PHKEY out-parameter) is left untouched.
int __stdcall HookFnOpen(HKEY g, LPCTSTR lpSubKey, DWORD e, REGSAM z, PHKEY a)
{
    FILE *logfile;
    fopen_s(&logfile,"C:\\logfile.log", "a");
    fprintf(logfile, "fonction HookFNOpen appelée");
    fclose(logfile);
    return 0;
}

// Stub installed in place of RegCloseKey. Logs one line and returns 0; the
// handle g is not closed.
int __stdcall HookFnClose(HKEY g)
{
    FILE *logfile;
    fopen_s(&logfile,"C:\\logfile.log", "a");
    fprintf(logfile, "fonction HookFNClose appelée");
    fclose(logfile);
    return 0;
}

// Stub installed in place of RegQueryValueEx. Logs one line and returns 0;
// lpType, lpData and lpcbData are never written.
// NOTE(review): declared above as __stdcall but defined with _stdcall —
// presumably accepted by MSVC as the same convention; confirm.
int _stdcall HookFnQuery(HKEY hKey, LPCTSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
{
    FILE *logfile;
    fopen_s(&logfile,"C:\\logfile.log", "a");
    fprintf(logfile, "fonction HookFNQuery appelée");
    fclose(logfile);
    return 0;
}

// Stub with the shape of RegSetValueEx. Not installed by DllMain, so it is
// never reached in this file. Logs one line and returns 0.
int _stdcall HookFnSet(HKEY, LPCTSTR, DWORD, DWORD, BYTE*, DWORD)
{
    FILE *logfile;
    fopen_s(&logfile,"C:\\logfile.log", "a");
    fprintf(logfile, "fonction HookFNSet appelée");
    fclose(logfile);
    return 0;
}