Remove NtApiCollection.ini

- Get rid of NtApiLoader and replace it with a syscall lookup table (Windows XP through early 10) or win32u.dll addresses (later Windows 10 versions)
- Remove NtApiTool/PDBReader project since the NtApiCollection.ini file it generates is no longer used
- Rename BlockInput hook to NtUserBlockInput since they are the same function. The INI setting "BlockInputHook" is now also NtUserBlockInputHook
- Merge ApplyUser32Hook and ApplyWin32uHook into ApplyUserHook

ConfigCollection/scylla_hide.ini

@@ -1,7 +1,6 @@
 [SETTINGS]
 CurrentProfile=VMProtect x86/x64
 [VMProtect x86/x64]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -42,6 +41,7 @@ SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=VMP
 NtSetInformationProcessHook=0
+NtUserBlockInputHook=0
 KillAntiAttach=0
 handleExceptionPrint=0
 handleExceptionRip=0
@@ -60,7 +60,6 @@ skipLoadDllDoLoad=0
 skipLoadDllDoNothing=0
 advancedInfobar=0
 [Obsidium x86]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -101,7 +100,6 @@ SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Obsidium
 [Themida x86]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -123,6 +121,7 @@ NtSetContextThreadHook=0
 NtSetDebugFilterStateHook=0
 NtSetInformationThreadHook=0
 NtSetInformationProcessHook=0
+NtUserBlockInputHook=0
 NtUserBuildHwndListHook=1
 NtUserFindWindowExHook=1
 NtUserQueryWindowHook=1
@@ -143,7 +142,6 @@ SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Themida
 [Armadillo x86]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -165,6 +163,7 @@ NtSetContextThreadHook=0
 NtSetDebugFilterStateHook=0
 NtSetInformationThreadHook=0
 NtSetInformationProcessHook=0
+NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
@@ -185,7 +184,6 @@ SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Armadillo
 [Basic]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -244,7 +242,6 @@ skipLoadDllDoLoad=0
 skipLoadDllDoNothing=0
 advancedInfobar=0
 [Disabled]
-BlockInputHook=0
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -266,6 +263,7 @@ NtSetContextThreadHook=0
 NtSetDebugFilterStateHook=0
 NtSetInformationThreadHook=0
 NtSetInformationProcessHook=0
+NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0

HookLibrary/Export.def

@@ -1,7 +1,6 @@
 LIBRARY
 EXPORTS
 HookDllData
-HookedBlockInput
 HookedGetLocalTime
 HookedGetSystemTime
 HookedGetTickCount

HookLibrary/HookMain.h

@@ -12,7 +12,6 @@ typedef ULONGLONG(WINAPI * t_GetTickCount64)(void);
 typedef BOOL(WINAPI * t_QueryPerformanceCounter)(LARGE_INTEGER *lpPerformanceCount); //Kernel32.dll -> ntdll.RtlQueryPerformanceCounter -> NO NATIVE CALL
 typedef BOOL(WINAPI * t_QueryPerformanceFrequency)(LARGE_INTEGER *lpFrequency); //kernel32.dll -> ntdll.RtlQueryPerformanceFrequency -> ntdll.ZwQueryPerformanceCounter
 
-typedef BOOL(WINAPI * t_BlockInput)(BOOL fBlockIt); //user32.dll
 typedef DWORD(WINAPI * t_OutputDebugStringA)(LPCSTR lpOutputString); //Kernel32.dll
 typedef DWORD(WINAPI * t_OutputDebugStringW)(LPCWSTR lpOutputString); //Kernel32.dll
 //WIN 7 X64: OutputDebugStringW -> OutputDebugStringA
@@ -34,7 +33,6 @@ typedef struct _HOOK_DLL_DATA {
     BOOLEAN EnablePebNtGlobalFlag;
     BOOLEAN EnablePebStartupInfo;
 
-    BOOLEAN EnableBlockInputHook;
     BOOLEAN EnableOutputDebugStringHook;
 
     BOOLEAN EnableNtSetInformationThreadHook;
@@ -54,11 +52,13 @@ typedef struct _HOOK_DLL_DATA {
     BOOLEAN EnableNtContinueHook;
     BOOLEAN EnableKiUserExceptionDispatcherHook;
 
-    //Native User32.dll functions, not exported
-    DWORD NtUserQueryWindowRVA;
-    DWORD NtUserBuildHwndListRVA;
-    DWORD NtUserFindWindowExRVA;
+    //Native user32.dll/win32u.dll functions
+    ULONG_PTR NtUserBlockInputVA;
+    ULONG_PTR NtUserQueryWindowVA;
+    ULONG_PTR NtUserBuildHwndListVA;
+    ULONG_PTR NtUserFindWindowExVA;
 
+    BOOLEAN EnableNtUserBlockInputHook;
     BOOLEAN EnableNtUserQueryWindowHook;
     BOOLEAN EnableNtUserBuildHwndListHook;
     BOOLEAN EnableNtUserFindWindowExHook;
@@ -130,8 +130,6 @@ typedef struct _HOOK_DLL_DATA {
 
     t_OutputDebugStringA dOutputDebugStringA;
     DWORD OutputDebugStringABackupSize;
-    t_BlockInput dBlockInput;
-    DWORD BlockInputBackupSize;
 
     t_NtUserBlockInput dNtUserBlockInput;
     DWORD NtUserBlockInputBackupSize;
@@ -152,8 +150,7 @@ typedef struct _HOOK_DLL_DATA {
 
     BOOLEAN isNtdllHooked;
     BOOLEAN isKernel32Hooked;
-    BOOLEAN isUser32Hooked;
-    BOOLEAN isWin32uHooked;
+    BOOLEAN isUserDllHooked;
 
 #ifndef _WIN64
     HOOK_NATIVE_CALL32 HookNative[MAX_NATIVE_HOOKS];

HookLibrary/HookedFunctions.cpp

@@ -778,7 +778,7 @@ NTSTATUS NTAPI HookedNtQueryPerformanceCounter(PLARGE_INTEGER PerformanceCounter
 
 static BOOL isBlocked = FALSE;
 
-BOOL WINAPI HookedBlockInput(BOOL fBlockIt)
+BOOL NTAPI HookedNtUserBlockInput(BOOL fBlockIt)
 {
     if (isBlocked == FALSE && fBlockIt != FALSE)
     {
@@ -794,11 +794,6 @@ BOOL WINAPI HookedBlockInput(BOOL fBlockIt)
     return FALSE;
 }
 
-NTSTATUS NTAPI HookedNtUserBlockInput(BOOL fBlockIt)
-{
-    return (NTSTATUS)HookedBlockInput(fBlockIt);
-}
-
 //GetLastError() function might not change if a  debugger is present (it has never been the case that it is always set to zero).
 DWORD WINAPI HookedOutputDebugStringA(LPCSTR lpOutputString) //Worst anti-debug ever
 {

HookLibrary/HookedFunctions.h

@@ -46,8 +46,7 @@ NTSTATUS NTAPI HookedNtUserBuildHwndList(HDESK hdesk, HWND hwndNext, BOOL fEnumC
 NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended);
 NTSTATUS NTAPI HookedNtCreateThreadEx(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PUSER_THREAD_START_ROUTINE StartRoutine,PVOID Argument,ULONG CreateFlags,ULONG_PTR ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,PPS_ATTRIBUTE_LIST AttributeList);
 HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo);
-
-BOOL WINAPI HookedBlockInput(BOOL fBlockIt);
+BOOL NTAPI HookedNtUserBlockInput(BOOL fBlockIt);
 
 
 DWORD WINAPI HookedGetTickCount(void);