HookDll realized, add MyZwSetInformationFile only now for test

Author: michaelchen1996

APIHOOK/HookDll/FileAPI.cpp

@@ -1,2 +1,37 @@
 #include "stdafx.h"
-#include "FileAPI.h"
+#include "FileAPI.h"
+
+
+NTSTATUS MyZwSetInformationFile(
+	_In_  HANDLE                 FileHandle,
+	_Out_ PIO_STATUS_BLOCK       IoStatusBlock,
+	_In_  PVOID                  FileInformation,
+	_In_  ULONG                  Length,
+	_In_  FILE_INFORMATION_CLASS FileInformationClass
+)
+{
+	NTSTATUS status = -1;
+	if (NULL == realZwSetInformationFile)
+	{
+		OutputDebugString(TEXT("realZwSetInformationFile NOT FOUND\n"));
+		return status;
+	}
+	else
+	{
+		if (10 == FileInformationClass)
+		{
+			SendLog(TEXT("MyZwSetInformationFile\r\n"));
+		}
+
+		status = realZwSetInformationFile(
+			FileHandle,
+			IoStatusBlock,
+			FileInformation,
+			Length,
+			FileInformationClass
+		);
+
+	}
+
+	return status;
+}

APIHOOK/HookDll/FileAPI.h

@@ -1,3 +1,30 @@
 #pragma once
 
-#include "SendLog.h"
+#include "SendLog.h"
+
+#ifndef __FILE_API__
+#define __FILE_API__
+
+
+NTSTATUS MyZwSetInformationFile(
+	_In_  HANDLE                 FileHandle,
+	_Out_ PIO_STATUS_BLOCK       IoStatusBlock,
+	_In_  PVOID                  FileInformation,
+	_In_  ULONG                  Length,
+	_In_  FILE_INFORMATION_CLASS FileInformationClass
+);
+
+typedef NTSTATUS(*ptrZwSetInformationFile)(
+	_In_  HANDLE                 FileHandle,
+	_Out_ PIO_STATUS_BLOCK       IoStatusBlock,
+	_In_  PVOID                  FileInformation,
+	_In_  ULONG                  Length,
+	_In_  FILE_INFORMATION_CLASS FileInformationClass
+	);
+
+extern ptrZwSetInformationFile realZwSetInformationFile;
+
+
+#endif // !__FILE_API__
+
+

APIHOOK/HookDll/HookDll.cpp

@@ -5,13 +5,99 @@
 #include "HookDll.h"
 
 
-void DoHook()
+TRACED_HOOK_HANDLE      hHookZwSetInformationFile = new HOOK_TRACE_INFO();
+ULONG                   HookZwSetInformationFile_ACLEntries[1] = { 0 };
+ptrZwSetInformationFile realZwSetInformationFile = NULL;
+
+
+void Prepare()
 {
+	hWriteMailslot = CreateFile(TEXT("\\\\*\\mailslot\\APIHOOK\\Monitor\\Log"),
+		GENERIC_WRITE,
+		FILE_SHARE_READ,
+		NULL,
+		OPEN_EXISTING,
+		FILE_ATTRIBUTE_NORMAL,
+		NULL);
+	if (INVALID_HANDLE_VALUE == hWriteMailslot)
+	{
+		OutputDebugString(TEXT("Create Mailslot ERROR\n"));
+		return;
+	}
+
+	realZwSetInformationFile = (ptrZwSetInformationFile)GetRealApiEntry(L"ntdll.dll", "ZwSetInformationFile");
+}
 
+
+void DoHook()
+{
+	NTSTATUS status = 0;
+	//hook MyZwSetInformationFile
+	status = LhInstallHook(
+		realZwSetInformationFile,
+		MyZwSetInformationFile,
+		NULL,
+		hHookZwSetInformationFile);
+	if (!SUCCEEDED(status))
+	{
+		OutputDebugString(L"LhInstallHook ERROR\n");
+	}
+	status = LhSetExclusiveACL(
+		HookZwSetInformationFile_ACLEntries,
+		1,
+		hHookZwSetInformationFile);
+	if (!SUCCEEDED(status))
+	{
+		OutputDebugString(L"LhSetExclusiveACL ERROR\n");
+	}
 }
 
 
 void DoUnHook()
 {
+	//LhUninstallAllHooks();
+	//OutputDebugString(L"LhUninstallAllHooks\n");
+
+	NTSTATUS status = 0;
+	status = LhUninstallHook(hHookZwSetInformationFile);
+	if (!SUCCEEDED(status))
+	{
+		OutputDebugString(L"LhUninstallHook ERROR\n");
+	}
+	delete hHookZwSetInformationFile;
+	hHookZwSetInformationFile = NULL;
+	status = LhWaitForPendingRemovals();
+	if (!SUCCEEDED(status))
+	{
+		OutputDebugString(L"LhWaitForPendingRemovals ERROR\n");
+	}
+}
 
-}
+
+void Finish()
+{
+	CloseHandle(hWriteMailslot);
+	hWriteMailslot = NULL;
+
+}
+
+
+FARPROC GetRealApiEntry(LPCWSTR lpModuleName, LPCSTR lpProcName)
+{
+	HMODULE hModule = NULL;
+	FARPROC realProc = NULL;
+	OutputDebugString(L"PrepareRealApiEntry()\n");
+
+	hModule = GetModuleHandleW(lpModuleName);
+	if (NULL == hModule)
+	{
+		OutputDebugString(L"GetModuleHandleW ERROR\n");
+	}
+	realProc = GetProcAddress(hModule, lpProcName);
+	if (NULL == realProc)
+	{
+		OutputDebugString(L"GetProcAddress ERROR\n");
+	}
+	return realProc;
+	//CloseHandle(hModule);
+}

APIHOOK/HookDll/HookDll.h

@@ -2,5 +2,15 @@
 
 #include "FileAPI.h"
 
+#ifndef __HOOK_DLL__
+#define __HOOK_DLL__
+
+
+void Prepare();
 void DoHook();
-void DoUnHook();
+void DoUnHook();
+void Finish();
+FARPROC GetRealApiEntry(LPCWSTR lpModuleName, LPCSTR lpProcName);
+
+
+#endif // !__HOOK_DLL__

APIHOOK/HookDll/SendLog.cpp

@@ -1,7 +1,25 @@
 #include "stdafx.h"
 #include "SendLog.h"
 
-void SendLog()
+
+HANDLE hWriteMailslot = NULL;
+
+
+void SendLog(LPCTSTR szLogMessage)
 {
+	OutputDebugString(szLogMessage);
+	
+	SIZE_T dwLogLength;
+	DWORD dwMailslotWritten;
 
+	StringCbLength(szLogMessage, MAX_LOG_SIZE, &dwLogLength);
+	if (dwLogLength > MAX_LOG_SIZE)
+	{
+		dwLogLength = MAX_LOG_SIZE;
+	}
+	WriteFile(hWriteMailslot, szLogMessage, dwLogLength, &dwMailslotWritten, NULL);
+	if (dwLogLength != dwMailslotWritten)
+	{
+		OutputDebugString(TEXT("Write Log Mailslot ERROR\n"));
+	}
 }

APIHOOK/HookDll/SendLog.h

@@ -1,3 +1,14 @@
 #pragma once
 
-void SendLog()
+#ifndef __SEND_LOG__
+#define __SEND_LOG__
+
+#define MAX_LOG_SIZE 260
+
+extern HANDLE hWriteMailslot;
+
+void SendLog(LPCTSTR szLogMessage);
+
+
+#endif // !__SEND_LOG__
+

APIHOOK/HookDll/dllmain.cpp

@@ -12,25 +12,37 @@ BOOL APIENTRY DllMain( HMODULE hModule,
     {
     case DLL_PROCESS_ATTACH:
 	{
-		OutputDebugString(L"DllMain: DLL_PROCESS_ATTACH\n");
-		printf("%s", "DllMain: DLL_PROCESS_ATTACH\n");
+		OutputDebugString(L"HookDll DllMain: DLL_PROCESS_ATTACH\n");	
+
+		Prepare();
+		DoHook();
+		
+		break;
 	}
-    case DLL_THREAD_ATTACH:
+
+	case DLL_THREAD_ATTACH:
 	{
-		OutputDebugString(L"DllMain: DLL_THREAD_ATTACH\n");
-		printf("%s", "DllMain: DLL_THREAD_ATTACH\n");
+		OutputDebugString(L"HookDll DllMain: DLL_THREAD_ATTACH\n");
+		
+		break;
 	}
-    case DLL_THREAD_DETACH:
+    
+	case DLL_THREAD_DETACH:
 	{
-		OutputDebugString(L"DllMain: DLL_THREAD_DETACH\n");
-		printf("%s", "DllMain: DLL_THREAD_DETACH\n");
+		OutputDebugString(L"HookDll DllMain: DLL_THREAD_DETACH\n");
+	
+		break;
 	}
-    case DLL_PROCESS_DETACH:
+    
+	case DLL_PROCESS_DETACH:
 	{
-		OutputDebugString(L"DllMain: DLL_PROCESS_DETACH\n");
-		printf("%s", "DllMain: DLL_PROCESS_DETACH\n");
+		OutputDebugString(L"HookDll DllMain: DLL_PROCESS_DETACH\n");
+	
+		DoUnHook();
+		Finish();
+	
+		break;
 	}
-        break;
     }
     return TRUE;
 }

APIHOOK/HookDll/stdafx.h

@@ -5,12 +5,17 @@
 
 #pragma once
 
+#pragma comment(lib, "EasyHook64.lib")  
+
 #include "targetver.h"
 
 #define WIN32_LEAN_AND_MEAN             // 从 Windows 头中排除极少使用的资料
 // Windows 头文件: 
 #include <windows.h>
 #include <stdio.h>
+#include <strsafe.h>
+
+#include "easyhook.h"