#include <Windows.h>
#include "def.h"
#include <detours/detours.h>

Functions
NTSTATUS NTAPI	Hooked_NtWriteVirtualMemory (HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten)
	The Hooked_NtWriteVirtualMemory function is a function that hooks the NtWriteVirtualMemory function.

NTSTATUS NTAPI	Hooked_NtModifyBootEntry (PBOOT_ENTRY BootEntry)
	The Hooked_NtModifyBootEntry function is a function that hooks the NtModifyBootEntry function.

NTSTATUS NTAPI	Hooked_NtMapViewOfSectionEx (HANDLE SectionHandle, HANDLE ProcessHandle, PVOID *BaseAddress, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, ULONG AllocationType, ULONG PageProtection, PMEM_EXTENDED_PARAMETER ExtendedParameters, ULONG ExtendedParameterCount)
	The Hooked_NtMapViewOfSectionEx function is a function that hooks the NtMapViewOfSectionEx function.

VOID	PlaceHooks ()
	The PlaceHooks function places the hooks on the NTDLL functions.

VOID	UnHook ()
	The UnHook function removes the hooks from the NTDLL functions.

Function Documentation

◆ Hooked_NtMapViewOfSectionEx()

NTSTATUS NTAPI Hooked_NtMapViewOfSectionEx	(	HANDLE	SectionHandle,
		HANDLE	ProcessHandle,
		PVOID *	BaseAddress,
		PLARGE_INTEGER	SectionOffset,
		PSIZE_T	ViewSize,
		ULONG	AllocationType,
		ULONG	PageProtection,
		PMEM_EXTENDED_PARAMETER	ExtendedParameters,
		ULONG	ExtendedParameterCount
	)

The Hooked_NtMapViewOfSectionEx function is a function that hooks the NtMapViewOfSectionEx function.

Parameters

SectionHandle	The handle to the section.
ProcessHandle	The handle to the process.
BaseAddress	The base address of the memory to map.
SectionOffset	The offset of the section.
ViewSize	The size of the view.
AllocationType	The type of allocation.
PageProtection	The protection of the page.
ExtendedParameters	The extended parameters.
ExtendedParameterCount	The number of extended parameters.

Returns: The status of the function.

◆ Hooked_NtModifyBootEntry()

NTSTATUS NTAPI Hooked_NtModifyBootEntry ( PBOOT_ENTRY BootEntry )

The Hooked_NtModifyBootEntry function is a function that hooks the NtModifyBootEntry function.

Parameters

BootEntry The boot entry to modify.

Returns: The status of the function.

Definition at line 35 of file hook.cpp.

                                                         {
    NTSTATUS status = pOriginal_NtModifyBootEntry(BootEntry);
    return status;
}

References pOriginal_NtModifyBootEntry.

Referenced by PlaceHooks(), and UnHook().

◆ Hooked_NtWriteVirtualMemory()

NTSTATUS NTAPI Hooked_NtWriteVirtualMemory	(	HANDLE	ProcessHandle,
		PVOID	BaseAddress,
		PVOID	Buffer,
		SIZE_T	NumberOfBytesToWrite,
		PSIZE_T	NumberOfBytesWritten
	)

The Hooked_NtWriteVirtualMemory function is a function that hooks the NtWriteVirtualMemory function.

Parameters

ProcessHandle	The handle to the process.
BaseAddress	The base address of the memory to write to.
Buffer	The buffer to write to the memory.
NumberOfBytesToWrite	The number of bytes to write to the memory.
ProcessHandle	The handle to the process.
BaseAddress	The base address of the memory to write to.
Buffer	The buffer to write to the memory.
NumberOfBytesToWrite	The number of bytes to write to the memory.
NumberOfBytesWritten	The number of bytes written to the memory.

Returns: The status of the function.

Definition at line 18 of file hook.cpp.

{
    NTSTATUS status = pOriginal_NtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten);
 
    return status;
}

References pOriginal_NtWriteVirtualMemory.

Referenced by PlaceHooks(), and UnHook().

◆ PlaceHooks()

VOID PlaceHooks ( )

The PlaceHooks function places the hooks on the NTDLL functions.

Definition at line 72 of file hook.cpp.

                  {
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
 
    pOriginal_NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWriteVirtualMemory");
    if (pOriginal_NtWriteVirtualMemory)
    {
        DetourAttach((PVOID*)&pOriginal_NtWriteVirtualMemory, (PVOID)Hooked_NtWriteVirtualMemory);
    }
 
    pOriginal_NtModifyBootEntry = (pNtModifyBootEntry)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtModifyBootEntry");
    if (pOriginal_NtModifyBootEntry) {
        DetourAttach((PVOID*)&pOriginal_NtModifyBootEntry, (PVOID)Hooked_NtModifyBootEntry);
    }
 
    pOriginal_NtMapViewOfSectionEx = (pNtMapViewOfSectionEx)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtMapViewOfSectionEx");
    if (pOriginal_NtMapViewOfSectionEx) {
        DetourAttach((PVOID*)&pOriginal_NtMapViewOfSectionEx, (PVOID)Hooked_NtMapViewOfSectionEx);
    }
 
    DetourTransactionCommit();
    return;
}

References Hooked_NtMapViewOfSectionEx(), Hooked_NtModifyBootEntry(), Hooked_NtWriteVirtualMemory(), pOriginal_NtMapViewOfSectionEx, pOriginal_NtModifyBootEntry, and pOriginal_NtWriteVirtualMemory.

Referenced by DllMain().

◆ UnHook()

VOID UnHook ( )

The UnHook function removes the hooks from the NTDLL functions.

Definition at line 97 of file hook.cpp.

              {
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
 
    if (pOriginal_NtWriteVirtualMemory) {
        DetourDetach((PVOID*)&pOriginal_NtWriteVirtualMemory, (PVOID)Hooked_NtWriteVirtualMemory);
    }
 
    if (pOriginal_NtModifyBootEntry) {
        DetourDetach((PVOID*)&pOriginal_NtModifyBootEntry, (PVOID)Hooked_NtModifyBootEntry);
    }
 
    if (pOriginal_NtMapViewOfSectionEx) {
        DetourDetach((PVOID*)&pOriginal_NtMapViewOfSectionEx, (PVOID)Hooked_NtMapViewOfSectionEx);
    }
 
    DetourTransactionCommit();
    return;
}

References Hooked_NtMapViewOfSectionEx(), Hooked_NtModifyBootEntry(), Hooked_NtWriteVirtualMemory(), pOriginal_NtMapViewOfSectionEx, pOriginal_NtModifyBootEntry, and pOriginal_NtWriteVirtualMemory.

Referenced by DllMain().

Functions

Function Documentation

◆ Hooked_NtMapViewOfSectionEx()

◆ Hooked_NtModifyBootEntry()

◆ Hooked_NtWriteVirtualMemory()

◆ PlaceHooks()

◆ UnHook()