Panoptes 1.0.0
Endpoint Detection and Response
Loading...
Searching...
No Matches
hook.cpp
Go to the documentation of this file.
1#include "hook.hpp"
2#include "detours\detours.h"
3
4#pragma region Hooked Functions
5
6pNtWriteVirtualMemory pOriginal_NtWriteVirtualMemory = NULL;
7pNtModifyBootEntry pOriginal_NtModifyBootEntry = NULL;
8pNtMapViewOfSectionEx pOriginal_NtMapViewOfSectionEx = NULL;
9
18NTSTATUS NTAPI Hooked_NtWriteVirtualMemory(
19 HANDLE ProcessHandle,
20 PVOID BaseAddress,
21 PVOID Buffer,
22 SIZE_T NumberOfBytesToWrite,
23 PSIZE_T NumberOfBytesWritten
24)
25{
26 NTSTATUS status = pOriginal_NtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten);
27
28 return status;
29}
30
35NTSTATUS Hooked_NtModifyBootEntry(PBOOT_ENTRY BootEntry) {
36 NTSTATUS status = pOriginal_NtModifyBootEntry(BootEntry);
37 return status;
38}
39
52NTSTATUS Hooked_NtMapViewOfSectionEx(_In_ HANDLE SectionHandle,
53 _In_ HANDLE ProcessHandle,
54 _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID* BaseAddress,
55 _Inout_opt_ PLARGE_INTEGER SectionOffset,
56 _Inout_ PSIZE_T ViewSize,
57 _In_ ULONG AllocationType,
58 _In_ ULONG PageProtection,
59 _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,
60 _In_ ULONG ExtendedParameterCount)
61{
62 NTSTATUS status = pOriginal_NtMapViewOfSectionEx(SectionHandle,ProcessHandle,BaseAddress,
63 SectionOffset, ViewSize, AllocationType,PageProtection,ExtendedParameters,
64 ExtendedParameterCount);
65
66 return status;
67}
68
69#pragma endregion
70
72VOID PlaceHooks() {
73 DetourTransactionBegin();
74 DetourUpdateThread(GetCurrentThread());
75
76 pOriginal_NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWriteVirtualMemory");
77 if (pOriginal_NtWriteVirtualMemory)
78 {
79 DetourAttach((PVOID*)&pOriginal_NtWriteVirtualMemory, (PVOID)Hooked_NtWriteVirtualMemory);
80 }
81
82 pOriginal_NtModifyBootEntry = (pNtModifyBootEntry)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtModifyBootEntry");
83 if (pOriginal_NtModifyBootEntry) {
84 DetourAttach((PVOID*)&pOriginal_NtModifyBootEntry, (PVOID)Hooked_NtModifyBootEntry);
85 }
86
87 pOriginal_NtMapViewOfSectionEx = (pNtMapViewOfSectionEx)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtMapViewOfSectionEx");
88 if (pOriginal_NtMapViewOfSectionEx) {
89 DetourAttach((PVOID*)&pOriginal_NtMapViewOfSectionEx, (PVOID)Hooked_NtMapViewOfSectionEx);
90 }
91
92 DetourTransactionCommit();
93 return;
94}
95
97VOID UnHook() {
98 DetourTransactionBegin();
99 DetourUpdateThread(GetCurrentThread());
100
101 if (pOriginal_NtWriteVirtualMemory) {
102 DetourDetach((PVOID*)&pOriginal_NtWriteVirtualMemory, (PVOID)Hooked_NtWriteVirtualMemory);
103 }
104
105 if (pOriginal_NtModifyBootEntry) {
106 DetourDetach((PVOID*)&pOriginal_NtModifyBootEntry, (PVOID)Hooked_NtModifyBootEntry);
107 }
108
109 if (pOriginal_NtMapViewOfSectionEx) {
110 DetourDetach((PVOID*)&pOriginal_NtMapViewOfSectionEx, (PVOID)Hooked_NtMapViewOfSectionEx);
111 }
112
113 DetourTransactionCommit();
114 return;
115}
pNtWriteVirtualMemory
NTSTATUS(NTAPI * pNtWriteVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten)
The NtWriteVirtualMemory function writes memory to a specified process.
Definition def.h:20
pNtModifyBootEntry
NTSTATUS(NTAPI * pNtModifyBootEntry)(PBOOT_ENTRY BootEntry)
The NtModifyBootEntry function modifies a boot entry in the boot configuration database.
Definition def.h:29
pNtMapViewOfSectionEx
NTSTATUS(NTAPI * pNtMapViewOfSectionEx)(_In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount)
The NtMapViewOfSectionEx function maps a view of a section into the address space of a process.
Definition def.h:35
pOriginal_NtModifyBootEntry
pNtModifyBootEntry pOriginal_NtModifyBootEntry
Definition hook.cpp:7
UnHook
VOID UnHook()
The UnHook function removes the trampoline hooks from the NTDLL functions.
Definition hook.cpp:97
Hooked_NtWriteVirtualMemory
NTSTATUS NTAPI Hooked_NtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten)
The Hooked_NtWriteVirtualMemory function is a function that hooks the NtWriteVirtualMemory function.
Definition hook.cpp:18
Hooked_NtModifyBootEntry
NTSTATUS Hooked_NtModifyBootEntry(PBOOT_ENTRY BootEntry)
The Hooked_NtModifyBootEntry function is a function that hooks the NtModifyBootEntry function.
Definition hook.cpp:35
PlaceHooks
VOID PlaceHooks()
The PlaceHooks function places the trampoline hooks on several NTDLL functions.
Definition hook.cpp:72
Hooked_NtMapViewOfSectionEx
NTSTATUS Hooked_NtMapViewOfSectionEx(_In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ ULONG AllocationType, _In_ ULONG PageProtection, _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount)
The Hooked_NtMapViewOfSectionEx function is a function that hooks the NtMapViewOfSectionEx function.
Definition hook.cpp:52
pOriginal_NtMapViewOfSectionEx
pNtMapViewOfSectionEx pOriginal_NtMapViewOfSectionEx
Definition hook.cpp:8
pOriginal_NtWriteVirtualMemory
pNtWriteVirtualMemory pOriginal_NtWriteVirtualMemory
Definition hook.cpp:6
_BOOT_ENTRY
The BOOT_ENTRY structure represents a boot entry in the boot configuration database....
Definition def.h:7
Generated by doxygen 1.9.8