
Commit 6817d32

committed
Remove NtApiCollection.ini
- Get rid of NtApiLoader and replace it with a syscall lookup table (Windows XP through early 10) or win32u.dll addresses (later Windows 10 versions) - Remove NtApiTool/PDBReader project since the NtApiCollection.ini file it generates is no longer used - Rename BlockInput hook to NtUserBlockInput since they are the same function. The INI setting "BlockInputHook" is now also NtUserBlockInputHook - Merge ApplyUser32Hook and ApplyWin32uHook into ApplyUserHook
1 parent 1bd5c5c commit 6817d32


45 files changed

+1558
-717
lines changed

ConfigCollection/NtApiCollection.ini

Lines changed: 0 additions & 70 deletions
This file was deleted.
-1.43 MB
Binary file not shown.
-124 KB
Binary file not shown.
-1.19 MB
Binary file not shown.
-127 KB
Binary file not shown.

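--- a/ConfigCollection/scylla_hide.ini
+++ b/ConfigCollection/scylla_hide.ini
@@ -1,7 +1,6 @@
 [SETTINGS]
 CurrentProfile=VMProtect x86/x64
 [VMProtect x86/x64]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -42,6 +41,7 @@ SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=VMP
 NtSetInformationProcessHook=0
+NtUserBlockInputHook=0
 KillAntiAttach=0
 handleExceptionPrint=0
 handleExceptionRip=0
@@ -60,7 +60,6 @@ skipLoadDllDoLoad=0
 skipLoadDllDoNothing=0
 advancedInfobar=0
 [Obsidium x86]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -101,7 +100,6 @@ SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Obsidium
 [Themida x86]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -123,6 +121,7 @@ NtSetContextThreadHook=0
 NtSetDebugFilterStateHook=0
 NtSetInformationThreadHook=0
 NtSetInformationProcessHook=0
+NtUserBlockInputHook=0
 NtUserBuildHwndListHook=1
 NtUserFindWindowExHook=1
 NtUserQueryWindowHook=1
@@ -143,7 +142,6 @@ SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Themida
 [Armadillo x86]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -165,6 +163,7 @@ NtSetContextThreadHook=0
 NtSetDebugFilterStateHook=0
 NtSetInformationThreadHook=0
 NtSetInformationProcessHook=0
+NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
@@ -185,7 +184,6 @@ SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Armadillo
 [Basic]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -244,7 +242,6 @@ skipLoadDllDoLoad=0
 skipLoadDllDoNothing=0
 advancedInfobar=0
 [Disabled]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -266,6 +263,7 @@ NtSetContextThreadHook=0
 NtSetDebugFilterStateHook=0
 NtSetInformationThreadHook=0
 NtSetInformationProcessHook=0
+NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0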

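--- a/HookLibrary/Export.def
+++ b/HookLibrary/Export.def
@@ -1,7 +1,6 @@
 LIBRARY
 EXPORTS
 HookDllData
-HookedBlockInput
 HookedGetLocalTime
 HookedGetSystemTime
 HookedGetTickCount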

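--- a/HookLibrary/HookMain.h
+++ b/HookLibrary/HookMain.h
@@ -12,7 +12,6 @@ typedef ULONGLONG(WINAPI * t_GetTickCount64)(void);
 typedef BOOL(WINAPI * t_QueryPerformanceCounter)(LARGE_INTEGER *lpPerformanceCount); //Kernel32.dll -> ntdll.RtlQueryPerformanceCounter -> NO NATIVE CALL
 typedef BOOL(WINAPI * t_QueryPerformanceFrequency)(LARGE_INTEGER *lpFrequency); //kernel32.dll -> ntdll.RtlQueryPerformanceFrequency -> ntdll.ZwQueryPerformanceCounter
 
-typedef BOOL(WINAPI * t_BlockInput)(BOOL fBlockIt); //user32.dll
 typedef DWORD(WINAPI * t_OutputDebugStringA)(LPCSTR lpOutputString); //Kernel32.dll
 typedef DWORD(WINAPI * t_OutputDebugStringW)(LPCWSTR lpOutputString); //Kernel32.dll
 //WIN 7 X64: OutputDebugStringW -> OutputDebugStringA
@@ -34,7 +33,6 @@ typedef struct _HOOK_DLL_DATA {
 BOOLEAN EnablePebNtGlobalFlag;
 BOOLEAN EnablePebStartupInfo;
 
-BOOLEAN EnableBlockInputHook;
 BOOLEAN EnableOutputDebugStringHook;
 
 BOOLEAN EnableNtSetInformationThreadHook;
@@ -54,11 +52,13 @@ typedef struct _HOOK_DLL_DATA {
 BOOLEAN EnableNtContinueHook;
 BOOLEAN EnableKiUserExceptionDispatcherHook;
 
-//Native User32.dll functions, not exported
-DWORD NtUserQueryWindowRVA;
-DWORD NtUserBuildHwndListRVA;
-DWORD NtUserFindWindowExRVA;
+//Native user32.dll/win32u.dll functions
+ULONG_PTR NtUserBlockInputVA;
+ULONG_PTR NtUserQueryWindowVA;
+ULONG_PTR NtUserBuildHwndListVA;
+ULONG_PTR NtUserFindWindowExVA;
 
+BOOLEAN EnableNtUserBlockInputHook;
 BOOLEAN EnableNtUserQueryWindowHook;
 BOOLEAN EnableNtUserBuildHwndListHook;
 BOOLEAN EnableNtUserFindWindowExHook;
@@ -130,8 +130,6 @@ typedef struct _HOOK_DLL_DATA {
 
 t_OutputDebugStringA dOutputDebugStringA;
 DWORD OutputDebugStringABackupSize;
-t_BlockInput dBlockInput;
-DWORD BlockInputBackupSize;
 
 t_NtUserBlockInput dNtUserBlockInput;
 DWORD NtUserBlockInputBackupSize;
@@ -152,8 +150,7 @@ typedef struct _HOOK_DLL_DATA {
 
 BOOLEAN isNtdllHooked;
 BOOLEAN isKernel32Hooked;
-BOOLEAN isUser32Hooked;
-BOOLEAN isWin32uHooked;
+BOOLEAN isUserDllHooked;
 
 #ifndef _WIN64
 HOOK_NATIVE_CALL32 HookNative[MAX_NATIVE_HOOKS];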
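Review bot: The four `NtUser*VA` fields in the third hunk turn relative `DWORD` RVAs into absolute `ULONG_PTR` addresses, but the new comment `//Native user32.dll/win32u.dll functions` does not say which address space the values belong to or what is stored when the lookup fails, so a reader of `HOOK_DLL_DATA` cannot tell whether a zero VA disables the matching `EnableNtUser*Hook` or ends up being patched. I would extend it to `//Absolute VAs of the native functions in the target process (user32.dll on XP..early 10, win32u.dll on later 10); TODO confirm the value written on lookup failure and that ApplyUserHook refuses to hook it`. The merged `isUserDllHooked` flag in the last hunk similarly deserves a word on which of the two DLLs it covers, since the two separate flags it replaces recorded that. `_HOOK_DLL_DATA` starts and ends outside these hunks.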

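--- a/HookLibrary/HookedFunctions.cpp
+++ b/HookLibrary/HookedFunctions.cpp
@@ -778,7 +778,7 @@ NTSTATUS NTAPI HookedNtQueryPerformanceCounter(PLARGE_INTEGER PerformanceCounter
 
 static BOOL isBlocked = FALSE;
 
-BOOL WINAPI HookedBlockInput(BOOL fBlockIt)
+BOOL NTAPI HookedNtUserBlockInput(BOOL fBlockIt)
 {
 if (isBlocked == FALSE && fBlockIt != FALSE)
 {
@@ -794,11 +794,6 @@ BOOL WINAPI HookedBlockInput(BOOL fBlockIt)
 return FALSE;
 }
 
-NTSTATUS NTAPI HookedNtUserBlockInput(BOOL fBlockIt)
-{
-return (NTSTATUS)HookedBlockInput(fBlockIt);
-}
-
 //GetLastError() function might not change if a debugger is present (it has never been the case that it is always set to zero).
 DWORD WINAPI HookedOutputDebugStringA(LPCSTR lpOutputString) //Worst anti-debug ever
 {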
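Review bot: `HookedNtUserBlockInput` in the first hunk now returns `BOOL` under `NTAPI`, while the wrapper removed in the second hunk returned `NTSTATUS`; the `t_NtUserBlockInput` trampoline typedef in HookMain.h is not visible here, so confirm it matches the `BOOL` return in both the definition and the HookedFunctions.h prototype, otherwise whichever side still assumes `NTSTATUS` misreads the result. The hook also keeps its only state in the file-scope `static BOOL isBlocked`, which is shared by every thread of the hooked process and is not synchronized; now that one routine serves both the user32 and win32u hook paths, that should be stated. I would add above the signature `// Single hook for user32!BlockInput and native NtUserBlockInput; isBlocked is process-wide and unsynchronized`. The function body continues outside the first hunk.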

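--- a/HookLibrary/HookedFunctions.h
+++ b/HookLibrary/HookedFunctions.h
@@ -46,8 +46,7 @@ NTSTATUS NTAPI HookedNtUserBuildHwndList(HDESK hdesk, HWND hwndNext, BOOL fEnumC
 NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended);
 NTSTATUS NTAPI HookedNtCreateThreadEx(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PUSER_THREAD_START_ROUTINE StartRoutine,PVOID Argument,ULONG CreateFlags,ULONG_PTR ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,PPS_ATTRIBUTE_LIST AttributeList);
 HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo);
-
-BOOL WINAPI HookedBlockInput(BOOL fBlockIt);
+BOOL NTAPI HookedNtUserBlockInput(BOOL fBlockIt);
 
 
 DWORD WINAPI HookedGetTickCount(void);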
