#include "pch.h"
#include <iostream>
#include <windows.h>
#include <objbase.h>
#include <oaidl.h>
#include "./detours/detours.h"
#pragma comment(lib,"./detours/detours.lib")
#pragma comment(lib,"rpcrt4.lib")
#include <winternl.h>
#include "common.h"
#include <rpcasync.h>
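// Formats a printf-style message into a fixed stack buffer, appends a single
// '\n', and hands the result to OutputDebugStringA.
//
// ptzFormat: printf-style format string. It must be a constant chosen by this
//            module; never pass text taken from a hooked call as the format.
// Returns:   the value from _vsnprintf_s, i.e. the number of characters
//            formatted, or a negative value when the text was truncated or
//            formatting failed. Returns -1 without logging when ptzFormat is
//            NULL.
//
// This runs inside the hooked process, so an over-long message must never
// take the host down: the text is truncated instead of tripping the CRT
// invalid-parameter handler.
int DebugPrintfA(LPCSTR ptzFormat, ...)
{
    CHAR tzText[1024];
    va_list vlArgs;
    int iRet;

    if (ptzFormat == NULL)
    {
        return -1;
    }

    tzText[0] = '\0';

    va_start(vlArgs, ptzFormat);
    // One byte of the buffer is held back for the trailing '\n'. _TRUNCATE makes
    // the CRT cut the text to fit and return -1 rather than treating the
    // overflow as an invalid parameter.
    iRet = _vsnprintf_s(tzText, sizeof(tzText) - 1, _TRUNCATE, ptzFormat, vlArgs);
    va_end(vlArgs);

    if (iRet < 0)
    {
        // Truncated or failed: force a terminator inside the reserved range so
        // the append below always has room.
        tzText[sizeof(tzText) - 2] = '\0';
    }

    // At most sizeof(tzText) - 2 characters are present here, so "\n" plus the
    // terminator always fit.
    strcat_s(tzText, sizeof(tzText), "\n");
    OutputDebugStringA(tzText);
    return iRet;
}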
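// Logs "<FuncName> failed" together with the calling thread's last Win32 error.
//
// FuncName: name of the API that just failed; printed verbatim with %s.
void PrintLog(CONST char* FuncName)
{
    // Capture the error code before anything else runs so the value reported
    // is the one left by the failing call.
    const DWORD dwError = GetLastError();

    // The code is printed as 0x followed by eight zero-padded hex digits.
    // DWORD is unsigned long on Windows, hence the 'l' length modifier.
    DebugPrintfA("[TestMacro]%s failed,error=0x%08lx\n", FuncName, dwError);
}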
// Function-pointer type matching the prototype of the ntdll export
// NtAlpcSendWaitReceivePort, used both to call the real routine and as the
// shape of the replacement installed over it.
typedef NTSTATUS (NTAPI *PtrNtAlpcSendWaitReceivePort)(
    _In_ HANDLE PortHandle,
    _In_ ULONG Flags,
    _In_reads_bytes_opt_(SendMessage->u1.s1.TotalLength) PPORT_MESSAGE SendMessage,
    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes,
    _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ReceiveMessage,
    _Inout_opt_ PSIZE_T BufferLength,
    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes,
    _In_opt_ PLARGE_INTEGER Timeout
    );

// NULL until install_hook() resolves the export. The same variable is handed
// to DetourAttach/DetourDetach by reference, and the replacement function
// forwards every call through it.
PtrNtAlpcSendWaitReceivePort OriginalNtAlpcSendWaitReceivePort = NULL;
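// Replacement for NtAlpcSendWaitReceivePort. It is an observer only: when the
// calling thread is currently dispatching an RPC server call it logs whether
// the client is local, the operation number and the interface UUID, and then
// forwards all eight arguments unchanged to the original routine and returns
// its NTSTATUS.
//
// NOTE(review): this runs on every call to the hooked export in the process
// and has no recursion guard. Confirm that none of the calls made below reach
// NtAlpcSendWaitReceivePort again on the same thread.
// NOTE(review): OutputDebugString text can be read by whatever debugger or
// debug-output viewer is attached; keep the logged fields to call metadata.
NTSTATUS NTAPI MyNtAlpcSendWaitReceivePort(
    _In_ HANDLE PortHandle,
    _In_ ULONG Flags,
    _In_reads_bytes_opt_(SendMessageBuf->u1.s1.TotalLength) PPORT_MESSAGE SendMessageBuf,
    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes,
    _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ReceiveMessage,
    _Inout_opt_ PSIZE_T BufferLength,
    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes,
    _In_opt_ PLARGE_INTEGER Timeout
)
{
    // https://docs.microsoft.com/en-us/windows/win32/api/rpcasync/ns-rpcasync-rpc_call_attributes_v2_a
    RPC_CALL_ATTRIBUTES_V2_A CallAttributes;
    memset(&CallAttributes, 0, sizeof(CallAttributes));
    CallAttributes.Version = 2; // must match the _V2_ structure passed below
    CallAttributes.Flags = 0;   // no optional string fields requested

    // A handle of 0 asks about the call being served on this thread. Anything
    // other than RPC_S_OK means there is nothing to report, so the attributes
    // are only read on success.
    RPC_STATUS Status = RpcServerInqCallAttributesA(0, &CallAttributes);
    if (Status == RPC_S_OK)
    {
        WCHAR* wsInterface = NULL;
        HRESULT hr = StringFromCLSID(CallAttributes.InterfaceUuid, &wsInterface);
        if (SUCCEEDED(hr) && wsInterface != NULL)
        {
            DebugPrintfA("IsClientLocal:%d OpNum=%d InterfaceId:%ws\n",
                CallAttributes.IsClientLocal,
                CallAttributes.OpNum,
                wsInterface
            );
            // StringFromCLSID allocates the string; the caller releases it.
            CoTaskMemFree(wsInterface);
        }
        else
        {
            // The UUID could not be converted to text: still record the call,
            // and say why the interface is missing instead of printing NULL.
            DebugPrintfA("IsClientLocal:%d OpNum=%d InterfaceId:<unavailable> hr=0x%08lx\n",
                CallAttributes.IsClientLocal,
                CallAttributes.OpNum,
                (unsigned long)hr
            );
        }
    }

    return OriginalNtAlpcSendWaitReceivePort(PortHandle, Flags, SendMessageBuf, SendMessageAttributes, ReceiveMessage, BufferLength, ReceiveMessageAttributes, Timeout);
}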
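// install
// Resolves NtAlpcSendWaitReceivePort in ntdll.dll and attaches
// MyNtAlpcSendWaitReceivePort to it in one Detours transaction. Does nothing
// when a hook is already recorded. Every failure is logged and leaves
// OriginalNtAlpcSendWaitReceivePort NULL, so uninstall_hook() never tries to
// detach something that was not attached.
void install_hook()
{
    if (OriginalNtAlpcSendWaitReceivePort != NULL)
    {
        return;
    }

    // ntdll.dll is already mapped into every process, so it is looked up
    // rather than loaded: no module reference is leaked and no DLL search by
    // bare file name takes place.
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL)
    {
        DebugPrintfA("[install_hook] ntdll.dll not found, error=%lu\n", GetLastError());
        return;
    }

    PtrNtAlpcSendWaitReceivePort pfnTarget =
        (PtrNtAlpcSendWaitReceivePort)GetProcAddress(hNtdll, "NtAlpcSendWaitReceivePort");
    if (pfnTarget == NULL)
    {
        DebugPrintfA("[install_hook] NtAlpcSendWaitReceivePort not exported, error=%lu\n", GetLastError());
        return;
    }

    // Do not join a transaction that is already pending.
    LONG lError = DetourTransactionBegin();
    if (lError != NO_ERROR)
    {
        DebugPrintfA("[install_hook] DetourTransactionBegin failed, error=%ld\n", lError);
        return;
    }

    OriginalNtAlpcSendWaitReceivePort = pfnTarget;
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)OriginalNtAlpcSendWaitReceivePort, MyNtAlpcSendWaitReceivePort);

    // An error from the calls above is reported by the commit, which then
    // applies nothing.
    lError = DetourTransactionCommit();
    if (lError == NO_ERROR)
    {
        OutputDebugStringW(L"[install_hook] detoured successfully\n");
    }
    else
    {
        // Nothing was patched, so no thread can be inside the replacement;
        // clearing the pointer here is safe.
        OriginalNtAlpcSendWaitReceivePort = NULL;
        DebugPrintfA("[install_hook] detour failed, error=%ld\n", lError);
    }
}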
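// uninstall
// Detaches MyNtAlpcSendWaitReceivePort from NtAlpcSendWaitReceivePort in one
// Detours transaction. Does nothing when no hook was recorded. The outcome is
// logged either way.
void uninstall_hook()
{
    if (OriginalNtAlpcSendWaitReceivePort == NULL)
    {
        return;
    }

    LONG lError = DetourTransactionBegin();
    if (lError != NO_ERROR)
    {
        DebugPrintfA("[uninstall_hook] DetourTransactionBegin failed, error=%ld\n", lError);
        return;
    }

    DetourUpdateThread(GetCurrentThread());
    DetourDetach(&(PVOID&)OriginalNtAlpcSendWaitReceivePort, MyNtAlpcSendWaitReceivePort);

    lError = DetourTransactionCommit();
    if (lError == NO_ERROR)
    {
        OutputDebugStringW(L"[uninstall_hook] detour removed successfully\n");
    }
    else
    {
        DebugPrintfA("[uninstall_hook] detach failed, error=%ld\n", lError);
    }

    // OriginalNtAlpcSendWaitReceivePort is deliberately not cleared: a thread
    // that entered the replacement before the detach still calls through it.
}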
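// DLL entry point: installs the hook when the DLL is loaded into a process
// and removes it when the DLL is unloaded. Thread notifications are ignored.
// Always returns TRUE, so a failed hook installation does not fail the load.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        install_hook();
        break;

    case DLL_PROCESS_DETACH:
        // A non-NULL lpReserved means the process is terminating rather than
        // the DLL being unloaded. Other threads may have been stopped while
        // holding locks, so no cleanup is attempted in that case.
        if (lpReserved == NULL)
        {
            uninstall_hook();
        }
        break;

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}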