Panoptes 1.0.0
Endpoint Detection and Response
Loading...
Searching...
No Matches
Functions | Variables
hook.cpp File Reference
#include "hook.hpp"
#include "detours\detours.h"

Go to the source code of this file.

Functions

NTSTATUS NTAPI Hooked_NtWriteVirtualMemory (HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten)
 The Hooked_NtWriteVirtualMemory function is a function that hooks the NtWriteVirtualMemory function.
 
NTSTATUS Hooked_NtModifyBootEntry (PBOOT_ENTRY BootEntry)
 The Hooked_NtModifyBootEntry function is a function that hooks the NtModifyBootEntry function.
 
NTSTATUS Hooked_NtMapViewOfSectionEx (_In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount)
 The Hooked_NtMapViewOfSectionEx function is a function that hooks the NtMapViewOfSectionEx function.
 
VOID PlaceHooks ()
 The PlaceHooks function places the trampoline hooks on several NTDLL functions.
 
VOID UnHook ()
 The UnHook function removes the trampoline hooks from the NTDLL functions.
 

Variables

pNtWriteVirtualMemory pOriginal_NtWriteVirtualMemory = NULL
 
pNtModifyBootEntry pOriginal_NtModifyBootEntry = NULL
 
pNtMapViewOfSectionEx pOriginal_NtMapViewOfSectionEx = NULL
 

Function Documentation

◆ Hooked_NtMapViewOfSectionEx()

NTSTATUS Hooked_NtMapViewOfSectionEx ( _In_ HANDLE  SectionHandle,
_In_ HANDLE  ProcessHandle,
_Inout_ _At_(*, *ViewSize _Writable_bytes_ *ViewSize _Post_readable_byte_size_ *  ViewSize 
)

The Hooked_NtMapViewOfSectionEx function is a function that hooks the NtMapViewOfSectionEx function.

Parameters
SectionHandleThe handle to the section.
ProcessHandleThe handle to the process.
BaseAddressThe base address of the memory to map.
SectionOffsetThe offset of the section.
ViewSizeThe size of the view.
AllocationTypeThe allocation type.
PageProtectionThe page protection.
ExtendedParametersThe extended parameters.
ExtendedParameterCountThe number of extended parameters.
Returns
The status of the function.

Definition at line 52 of file hook.cpp.

61{
62 NTSTATUS status = pOriginal_NtMapViewOfSectionEx(SectionHandle,ProcessHandle,BaseAddress,
63 SectionOffset, ViewSize, AllocationType,PageProtection,ExtendedParameters,
64 ExtendedParameterCount);
65
66 return status;
67}
pOriginal_NtMapViewOfSectionEx
pNtMapViewOfSectionEx pOriginal_NtMapViewOfSectionEx
Definition hook.cpp:8

References pOriginal_NtMapViewOfSectionEx.

Referenced by PlaceHooks(), and UnHook().

◆ Hooked_NtModifyBootEntry()

NTSTATUS Hooked_NtModifyBootEntry ( PBOOT_ENTRY  BootEntry)

The Hooked_NtModifyBootEntry function is a function that hooks the NtModifyBootEntry function.

Parameters
BootEntryThe boot entry to modify.
Returns
The status of the function.

Definition at line 35 of file hook.cpp.

35 {
36 NTSTATUS status = pOriginal_NtModifyBootEntry(BootEntry);
37 return status;
38}
pOriginal_NtModifyBootEntry
pNtModifyBootEntry pOriginal_NtModifyBootEntry
Definition hook.cpp:7

References pOriginal_NtModifyBootEntry.

Referenced by PlaceHooks(), and UnHook().

◆ Hooked_NtWriteVirtualMemory()

NTSTATUS NTAPI Hooked_NtWriteVirtualMemory ( HANDLE  ProcessHandle,
PVOID  BaseAddress,
PVOID  Buffer,
SIZE_T  NumberOfBytesToWrite,
PSIZE_T  NumberOfBytesWritten 
)

The Hooked_NtWriteVirtualMemory function is a function that hooks the NtWriteVirtualMemory function.

Parameters
ProcessHandleThe handle to the process.
BaseAddressThe base address of the memory to write to.
BufferThe buffer to write to the memory.
NumberOfBytesToWriteThe number of bytes to write to the memory.
NumberOfBytesWrittenThe number of bytes written to the memory.
Returns
The status of the function.

Definition at line 18 of file hook.cpp.

25{
26 NTSTATUS status = pOriginal_NtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten);
27
28 return status;
29}
pOriginal_NtWriteVirtualMemory
pNtWriteVirtualMemory pOriginal_NtWriteVirtualMemory
Definition hook.cpp:6

References pOriginal_NtWriteVirtualMemory.

Referenced by PlaceHooks(), and UnHook().

◆ PlaceHooks()

VOID PlaceHooks ( )

The PlaceHooks function places the trampoline hooks on several NTDLL functions.

The PlaceHooks function places the hooks on the NTDLL functions.

Definition at line 72 of file hook.cpp.

72 {
73 DetourTransactionBegin();
74 DetourUpdateThread(GetCurrentThread());
75
76 pOriginal_NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWriteVirtualMemory");
77 if (pOriginal_NtWriteVirtualMemory)
78 {
79 DetourAttach((PVOID*)&pOriginal_NtWriteVirtualMemory, (PVOID)Hooked_NtWriteVirtualMemory);
80 }
81
82 pOriginal_NtModifyBootEntry = (pNtModifyBootEntry)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtModifyBootEntry");
83 if (pOriginal_NtModifyBootEntry) {
84 DetourAttach((PVOID*)&pOriginal_NtModifyBootEntry, (PVOID)Hooked_NtModifyBootEntry);
85 }
86
87 pOriginal_NtMapViewOfSectionEx = (pNtMapViewOfSectionEx)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtMapViewOfSectionEx");
88 if (pOriginal_NtMapViewOfSectionEx) {
89 DetourAttach((PVOID*)&pOriginal_NtMapViewOfSectionEx, (PVOID)Hooked_NtMapViewOfSectionEx);
90 }
91
92 DetourTransactionCommit();
93 return;
94}
pNtWriteVirtualMemory
NTSTATUS(NTAPI * pNtWriteVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten)
The NtWriteVirtualMemory function writes memory to a specified process.
Definition def.h:20
pNtModifyBootEntry
NTSTATUS(NTAPI * pNtModifyBootEntry)(PBOOT_ENTRY BootEntry)
The NtModifyBootEntry function modifies a boot entry in the boot configuration database.
Definition def.h:29
pNtMapViewOfSectionEx
NTSTATUS(NTAPI * pNtMapViewOfSectionEx)(_In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount)
The NtMapViewOfSectionEx function maps a view of a section into the address space of a process.
Definition def.h:35
Hooked_NtWriteVirtualMemory
NTSTATUS NTAPI Hooked_NtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten)
The Hooked_NtWriteVirtualMemory function is a function that hooks the NtWriteVirtualMemory function.
Definition hook.cpp:18
Hooked_NtModifyBootEntry
NTSTATUS Hooked_NtModifyBootEntry(PBOOT_ENTRY BootEntry)
The Hooked_NtModifyBootEntry function is a function that hooks the NtModifyBootEntry function.
Definition hook.cpp:35
Hooked_NtMapViewOfSectionEx
NTSTATUS Hooked_NtMapViewOfSectionEx(_In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount)
The Hooked_NtMapViewOfSectionEx function is a function that hooks the NtMapViewOfSectionEx function.
Definition hook.cpp:52

References Hooked_NtMapViewOfSectionEx(), Hooked_NtModifyBootEntry(), Hooked_NtWriteVirtualMemory(), pOriginal_NtMapViewOfSectionEx, pOriginal_NtModifyBootEntry, and pOriginal_NtWriteVirtualMemory.

Referenced by DllMain().

◆ UnHook()

VOID UnHook ( )

The UnHook function removes the trampoline hooks from the NTDLL functions.

The UnHook function removes the hooks from the NTDLL functions.

Definition at line 97 of file hook.cpp.

97 {
98 DetourTransactionBegin();
99 DetourUpdateThread(GetCurrentThread());
100
101 if (pOriginal_NtWriteVirtualMemory) {
102 DetourDetach((PVOID*)&pOriginal_NtWriteVirtualMemory, (PVOID)Hooked_NtWriteVirtualMemory);
103 }
104
105 if (pOriginal_NtModifyBootEntry) {
106 DetourDetach((PVOID*)&pOriginal_NtModifyBootEntry, (PVOID)Hooked_NtModifyBootEntry);
107 }
108
109 if (pOriginal_NtMapViewOfSectionEx) {
110 DetourDetach((PVOID*)&pOriginal_NtMapViewOfSectionEx, (PVOID)Hooked_NtMapViewOfSectionEx);
111 }
112
113 DetourTransactionCommit();
114 return;
115}

References Hooked_NtMapViewOfSectionEx(), Hooked_NtModifyBootEntry(), Hooked_NtWriteVirtualMemory(), pOriginal_NtMapViewOfSectionEx, pOriginal_NtModifyBootEntry, and pOriginal_NtWriteVirtualMemory.

Referenced by DllMain().

Variable Documentation

◆ pOriginal_NtMapViewOfSectionEx

pNtMapViewOfSectionEx pOriginal_NtMapViewOfSectionEx = NULL

Definition at line 8 of file hook.cpp.

Referenced by Hooked_NtMapViewOfSectionEx(), PlaceHooks(), and UnHook().

◆ pOriginal_NtModifyBootEntry

pNtModifyBootEntry pOriginal_NtModifyBootEntry = NULL

Definition at line 7 of file hook.cpp.

Referenced by Hooked_NtModifyBootEntry(), PlaceHooks(), and UnHook().

◆ pOriginal_NtWriteVirtualMemory

pNtWriteVirtualMemory pOriginal_NtWriteVirtualMemory = NULL

Definition at line 6 of file hook.cpp.

Referenced by Hooked_NtWriteVirtualMemory(), PlaceHooks(), and UnHook().

Generated by doxygen 1.9.8