/*
Cuckoo Sandbox - Automated Malware Analysis
Copyright (C) 2010-2012 Cuckoo Sandbox Developers
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
// Description of a single API hook: where the target lives, what replaces it,
// and the storage hook_api() uses for the generated trampolines.
// The target may be named (library + funcname) or given directly as addr.
// NOTE(review): the tag `_hook_t` (leading underscore at file scope) is in the
// namespace reserved for the implementation; a tag without the underscore
// would be strictly conforming.
typedef struct _hook_t {
    // module that exports the target function (wide string)
    const wchar_t *library;
    // exported name of the target function within `library`
    const char *funcname;
    // instead of a library/funcname combination, an address can be given
    // as well (this address has more priority than library/funcname)
    void *addr;
    // pointer to the new function
    void *new_func;
    // "function" which jumps over the trampoline and executes the original
    // function call; double pointer, so the caller presumably passes the
    // address of an Old_<api> pointer (see HOOKDEF) for hook_api() to fill in
    void **old_func;
    // allow hook recursion on this hook?
    // (see comments @ hook_create_pre_gate)
    int allow_hook_recursion;
    // this hook has been performed
    int is_hooked;
    // storage for the generated gate code; hook_create_callgate() writes into
    // a buffer of this kind, so it presumably emits at most 128 bytes
    unsigned char gate[128];
    // storage for the pre-gate code (see hook_create_pre_gate, not in this
    // header); same 128-byte limit assumed
    unsigned char pre_gate[128];
    // per-hook scratch data; its layout is defined by the implementation,
    // not here
    unsigned char hook_data[32];
} hook_t;
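/**
 * Measures the instruction at @p addr (presumably a length-disassembler,
 * going by the name; the exact contract lives with its definition).
 *
 * @param addr  start of the instruction to examine.
 * @return instruction length in bytes, as far as the name suggests.
 */
int lde(void *addr);

/**
 * Builds a call gate (trampoline) for the @p len bytes of code at @p addr.
 *
 * @param addr  original code bytes the gate must execute before returning
 *              control to the original function.
 * @param len   number of bytes at @p addr to relocate.
 * @param gate  destination buffer; hook_t::gate is 128 bytes, so the
 *              implementation presumably bounds what it emits by that.
 * @return status value; the convention is set by the implementation.
 */
int hook_create_callgate(unsigned char *addr, int len, unsigned char *gate);

/**
 * Installs the hook described by @p h.
 *
 * @param h     hook description; hook_t::is_hooked is presumably set once
 *              the hook has been applied.
 * @param type  hook method, presumably one of the HOOK_* values below.
 * @return status value; the convention is set by the implementation.
 */
int hook_api(hook_t *h, int type);

/**
 * Enables hooking. Whether the scope is per-thread or global is not visible
 * from this header; check the implementation.
 */
void hook_enable(void);

/** Disables hooking; see hook_enable(). */
void hook_disable(void);

/**
 * Returns the error value most recently stored with hook_set_last_error().
 * Presumably this mirrors the Win32 last-error code around hooked calls;
 * confirm against the implementation.
 */
unsigned int hook_get_last_error(void);

/**
 * Stores @p errcode as the value returned by hook_get_last_error().
 *
 * @param errcode  error value to remember.
 */
void hook_set_last_error(unsigned int errcode);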
// Hook methods, presumably selected through hook_api()'s `type` argument.
// The names describe the instruction sequence written over the target's
// prologue; the exact byte patterns are defined in the implementation.
#define HOOK_JMP_DIRECT 0
#define HOOK_NOP_JMP_DIRECT 1
#define HOOK_HOTPATCH_JMP_DIRECT 2
#define HOOK_PUSH_RETN 3
#define HOOK_JMP_INDIRECT 4
#define HOOK_PUSH_FPU_RETN 5
#define HOOK_MAXTYPE 6 // number of hook types; value to be used in modulo statements
// Declares the pair of symbols every hooked API needs:
//   - Old_<apiname>: a pointer to the original function, with the given
//     return type, calling convention and parameter list (its address is
//     presumably what hook_t::old_func points at, for hook_api() to fill in);
//   - New_<apiname>: the replacement function with the same signature.
// The expansion ends without a ';', so the use site supplies either a ';'
// (declaration only) or a function body (definition of New_<apiname>).
// Note that Old_<apiname> is defined, not extern-declared, in every
// translation unit that expands the macro.
#define HOOKDEF(return_value, calling_convention, apiname, ...) \
return_value (calling_convention *Old_##apiname)(__VA_ARGS__); \
return_value calling_convention New_##apiname(__VA_ARGS__)
// Same as HOOKDEF, with Old2_/New2_ prefixes, for an API that needs a second
// hook pair (the use case is not visible from this header).
#define HOOKDEF2(return_value, calling_convention, apiname, ...) \
return_value (calling_convention *Old2_##apiname)(__VA_ARGS__); \
return_value calling_convention New2_##apiname(__VA_ARGS__)
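// Each thread has a special 260-wchar UNICODE_STRING buffer in its thread
// information block; certain functions are likely to overwrite it, so this
// macro copies the string to the stack (so the UNICODE_STRING can still be
// used after executing the original function).
//
// Expands to declarations (`UNICODE_STRING local_name` and a 260-wchar backing
// array `local_name##_buf`) followed by statements, so it must be used where a
// declaration is allowed and cannot be wrapped in do { } while (0).
//
// The copy is skipped, leaving local_name empty with Buffer pointing at the
// local array, when param_name is NULL, its Buffer is NULL, or its
// MaximumLength (a byte count) does not fit the local array. The bound is
// taken from the array itself rather than the hard-coded 520 so the two
// cannot drift apart; param_name's Buffer is checked because the input comes
// from the hooked process and a NULL Buffer with a non-zero MaximumLength
// would otherwise be passed to memcpy.
#define COPY_UNICODE_STRING(local_name, param_name) \
    UNICODE_STRING local_name = {0}; wchar_t local_name##_buf[260]; \
    local_name.Buffer = local_name##_buf; \
    if((param_name) != NULL && (param_name)->Buffer != NULL && \
            (param_name)->MaximumLength < sizeof(local_name##_buf)) { \
        local_name.Length = (param_name)->Length; \
        local_name.MaximumLength = (param_name)->MaximumLength; \
        memcpy(local_name.Buffer, (param_name)->Buffer, \
            local_name.MaximumLength); \
    }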