|
|
// RegIntercept.cpp: implementation of the CRegIntercept class.
//
//////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <conio.h>
#include "RegIntercept.h"
CRegIntercept* CRegIntercept::pRegInterceptInstance=0;
CRegIntercept::CRegIntercept(){
}
CRegIntercept::~CRegIntercept(){
}
#define RESTORE_FUNCTION(x, y) {for(int i = 0; i < 2; ((DWORD *)x)[i] = y[i], i++);}
#define INTERCEPT_FUNCTION(x, y) {for(int i = 0; i < 2; ((DWORD *)x)[i] = y[i], i++);}
#define MYAPI NTAPI
/////////////////////////////////////////////////////////////////////
#define BEGIN_NEW_FUNC1(FuncName, t1, p1)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1);\\ LONG MYAPI New##FuncName(t1 p1);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1);
#define BEGIN_NEW_FUNC2(FuncName, t1, p1, t2, p2)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2);
#define BEGIN_NEW_FUNC3(FuncName, t1, p1, t2, p2, t3, p3)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3);
#define BEGIN_NEW_FUNC4(FuncName, t1, p1, t2, p2, t3, p3, t4, p4)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4);
#define BEGIN_NEW_FUNC5(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4, p5);
#define BEGIN_NEW_FUNC6(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4, p5, p6);
#define BEGIN_NEW_FUNC7(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4, p5, p6, p7);
#define BEGIN_NEW_FUNC8(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4, p5, p6, p7, p8);
#define BEGIN_NEW_FUNC9(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4, p5, p6, p7, p8, p9);
#define BEGIN_NEW_FUNC10(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10);
#define BEGIN_NEW_FUNC11(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10, t11, p11)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10, t11 p11);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10, t11 p11);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10, t11 p11) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10, p11);
#define BEGIN_NEW_FUNC12(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10, t11, p11, t12, p12)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10, t11 p11, t12 p12);\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10, t11 p11, t12 p12);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1, t2 p2, t3 p3, t4 p4, t5 p5, t6 p6, t7 p7, t8 p8, t9 p9, t10 p10, t11 p11, t12 p12) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ \ gl_ResultOf##FuncName = gl_p##FuncName(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10, p11, p12);
/////////////////////////////////////////////////////////////////////
#define OVERIDE_INST CRegIntercept::pRegInterceptInstance
#define OVR_FUNC1(FuncName, t1, p1) \
BEGIN_NEW_FUNC1(FuncName, t1, p1) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC2(FuncName, t1, p1, t2, p2) \
BEGIN_NEW_FUNC2(FuncName, t1, p1, t2, p2) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC3(FuncName, t1, p1, t2, p2, t3, p3) \
BEGIN_NEW_FUNC3(FuncName, t1, p1, t2, p2, t3, p3) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC4(FuncName, t1, p1, t2, p2, t3, p3, t4, p4) \
BEGIN_NEW_FUNC4(FuncName, t1, p1, t2, p2, t3, p3, t4, p4) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC5(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5) \
BEGIN_NEW_FUNC5(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4, p5); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC6(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6) \
BEGIN_NEW_FUNC6(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4, p5, p6); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC7(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7) \
BEGIN_NEW_FUNC7(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4, p5, p6, p7); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC8(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8) \
BEGIN_NEW_FUNC8(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4, p5, p6, p7, p8); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC9(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9) \
BEGIN_NEW_FUNC9(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4, p5, p6, p7, p8, p9); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC10(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10) \
BEGIN_NEW_FUNC10(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC11(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10, t11, p11) \
BEGIN_NEW_FUNC11(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10, t11, p11) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10, p11); \ END_NEW_FUNC(FuncName)
#define OVR_FUNC12(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10, t11, p11, t12, p12) \
BEGIN_NEW_FUNC12(FuncName, t1, p1, t2, p2, t3, p3, t4, p4, t5, p5, t6, p6, t7, p7, t8, p8, t9, p9, t10, p10, t11, p11, t12, p12) \ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10, p11, p12); \ END_NEW_FUNC(FuncName)
#define END_NEW_FUNC(FuncName) \
INTERCEPT_FUNCTION(gl_p##FuncName, gl_Intercept##FuncName);\ return gl_ResultOf##FuncName;\ }
/////////////////////////////////////////////////////////////////////
#define INTERCEPT(FuncName) \
gl_p##FuncName = (INTERCEPTED_##FuncName)GetProcAddress(hKernel32, #FuncName);\ if(!gl_p##FuncName)\ return FALSE;\\ ::VirtualProtect(gl_p##FuncName, 10, PAGE_EXECUTE_READWRITE, &dwResult);\\ ((BYTE *)gl_Intercept##FuncName)[0] = 0xE9;\ ((DWORD *)(((BYTE *)gl_Intercept##FuncName) + 1))[0] = DWORD(New##FuncName) - (DWORD(gl_p##FuncName) + 5);\\ for(int i = 0; i < 2; gl_Backup##FuncName[i] = ((DWORD *)gl_p##FuncName)[i], \ ((DWORD *)gl_p##FuncName)[i] = gl_Intercept##FuncName[i], i++)
#define RESTORE(FuncName) RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName)
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
//Registry Access
////////////////////////////////////////////////////////////////////////////////
//NTSYSCALLAPI
NTSTATUSNTAPINtCreateKey( OUT PHANDLE KeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN ULONG TitleIndex, IN PUNICODE_STRING Class OPTIONAL, IN ULONG CreateOptions, OUT PULONG Disposition OPTIONAL );
//NTSYSCALLAPI
NTSTATUSNTAPINtDeleteKey( IN HANDLE KeyHandle );
//NTSYSCALLAPI
NTSTATUSNTAPINtDeleteValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName );
//NTSYSCALLAPI
NTSTATUSNTAPINtEnumerateKey( IN HANDLE KeyHandle, IN ULONG Index, IN KEY_INFORMATION_CLASS KeyInformationClass, OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG ResultLength );
//NTSYSCALLAPI
NTSTATUSNTAPINtEnumerateValueKey( IN HANDLE KeyHandle, IN ULONG Index, IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, OUT PVOID KeyValueInformation, IN ULONG Length, OUT PULONG ResultLength );
//NTSYSCALLAPI
NTSTATUSNTAPINtOpenKey( OUT PHANDLE KeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
//NTSYSCALLAPI
NTSTATUSNTAPINtQueryKey( IN HANDLE KeyHandle, IN KEY_INFORMATION_CLASS KeyInformationClass, OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG ResultLength );
//NTSYSCALLAPI
NTSTATUSNTAPINtQueryValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName, IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, OUT PVOID KeyValueInformation, IN ULONG Length, OUT PULONG ResultLength );
//NTSYSCALLAPI
NTSTATUSNTAPINtQueryMultipleValueKey( IN HANDLE KeyHandle, IN OUT PKEY_VALUE_ENTRY ValueEntries, IN ULONG EntryCount, OUT PVOID ValueBuffer, IN OUT PULONG BufferLength, OUT OPTIONAL PULONG RequiredBufferLength );
NTSTATUSNTAPINtSetValueKey( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName, IN ULONG TitleIndex OPTIONAL, IN ULONG Type, IN PVOID Data, IN ULONG DataSize );
////////////////////////////////////////////////////////////////////////////////
//File System Access
////////////////////////////////////////////////////////////////////////////////
NTSTATUSNTAPINtDeleteFile( IN POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUSNTAPINtQueryAttributesFile( IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PFILE_BASIC_INFORMATION FileInformation );
NTSTATUSNTAPINtQueryFullAttributesFile( IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation );
NTSTATUSNTAPINtCreateFile( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength );
NTSTATUSNTAPINtOpenFile( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions );
/*
NTSYSCALLAPINTSTATUSNTAPINtReadFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL );
*/
NTSTATUSNTAPINtQueryInformationFile( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass );
NTSTATUSNTAPINtSetInformationFile( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass );
////////////////////////////////////////////////////////////////////////////////
//Driver Related
////////////////////////////////////////////////////////////////////////////////
//NTSYSCALLAPI
NTSTATUSNTAPINtLoadDriver( IN PUNICODE_STRING DriverServiceName );/*
//NTSYSCALLAPI
NTSTATUSNTAPINtDeviceIoControlFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength );
//NTSYSCALLAPI
NTSTATUSNTAPINtFsControlFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG FsControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength );*/////////////////////////////////////////////////////////////////////////////////
//Misc System Functions
////////////////////////////////////////////////////////////////////////////////
/*
NtGetPlugPlayEvent NtPlugPlayControl*NtCreateDirectoryObject*NtCreateSymbolicLinkObject*NtOpenDirectoryObject*NtOpenSymbolicLinkObject*NtQueryObject
NtCreatePortNtCreateWaitablePortNtConnectPort.<a lot more of them>
NtCreateProcess*NtCreateProcessEx*NtCreateThread*NtOpenProcess*NtOpenThread*
NtQueryDefaultLocale*NtSetDefaultLocale*NtQuerySystemEnvironmentValue*NtSetSystemEnvironmentValue*
NtCreateTimer*NtOpenTimer*NtQuerySystemTime*NtSetSystemTime*NtGetTickCount
NtWaitForSingleObject*NtWaitForMultipleObjects*NtSignalAndWaitForSingleObject*
NtCreateSectionNtOpenSection
NtAllocateLocallyUniqueIdNtQuerySystemInformation*NtAllocateUuidsNtSetSystemInformation*
NtCreateJobObjectNtOpenJobObject*/
//
// Plug and Play user APIs
//
/*
NTSTATUSNTAPINtGetPlugPlayEvent( IN HANDLE EventHandle, IN PVOID Context OPTIONAL, OUT PPLUGPLAY_EVENT_BLOCK EventBlock, IN ULONG EventBufferLength );*/NTSTATUSNTAPINtPlugPlayControl( IN PLUGPLAY_CONTROL_CLASS PnPControlClass, IN OUT PVOID PnPControlData, IN ULONG PnPControlDataLength );
NTSYSCALLAPINTSTATUSNTAPINtCreateSymbolicLinkObject( OUT PHANDLE LinkHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PUNICODE_STRING LinkTarget );
NTSTATUSNTAPINtOpenSymbolicLinkObject( OUT PHANDLE LinkHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUSNTAPINtCreateDirectoryObject( OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUSNTAPINtOpenDirectoryObject( OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUSNTAPINtSignalAndWaitForSingleObject( IN HANDLE SignalHandle, IN HANDLE WaitHandle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL );
NTSTATUSNTAPINtWaitForSingleObject( IN HANDLE Handle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL );
NTSTATUSNTAPINtWaitForMultipleObjects( IN ULONG Count, IN HANDLE Handles[], IN WAIT_TYPE WaitType, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL );
NTSTATUSNTAPINtCreatePort( OUT PHANDLE PortHandle, IN POBJECT_ATTRIBUTES ObjectAttributes, IN ULONG MaxConnectionInfoLength, IN ULONG MaxMessageLength, IN ULONG MaxPoolUsage );
NTSTATUSNTAPINtCreateWaitablePort( OUT PHANDLE PortHandle, IN POBJECT_ATTRIBUTES ObjectAttributes, IN ULONG MaxConnectionInfoLength, IN ULONG MaxMessageLength, IN ULONG MaxPoolUsage );
NTSTATUSNTAPINtCreateThread( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ProcessHandle, OUT PCLIENT_ID ClientId, IN PCONTEXT ThreadContext, IN PINITIAL_TEB InitialTeb, IN BOOLEAN CreateSuspended );
NTSTATUSNTAPINtOpenThread ( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL );
NTSTATUSNTAPINtCreateProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL );
NTSTATUSNTAPINtCreateProcessEx( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN ULONG Flags, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL, IN ULONG JobMemberLevel );
// begin_ntddk begin_ntifs
NTSTATUSNTAPINtOpenProcess ( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL );
NTSTATUSNTAPINtQueryDefaultLocale( IN BOOLEAN UserProfile, OUT PLCID DefaultLocaleId );
NTSTATUSNTAPINtSetDefaultLocale( IN BOOLEAN UserProfile, IN LCID DefaultLocaleId );
NTSTATUSNTAPINtQuerySystemEnvironmentValue ( IN PUNICODE_STRING VariableName, OUT PWSTR VariableValue, IN USHORT ValueLength, OUT PUSHORT ReturnLength OPTIONAL );
NTSTATUSNTAPINtSetSystemEnvironmentValue ( IN PUNICODE_STRING VariableName, IN PUNICODE_STRING VariableValue );
NTSTATUSNTAPINtQuerySystemEnvironmentValueEx ( IN PUNICODE_STRING VariableName, IN LPGUID VendorGuid, OUT PVOID Value, IN OUT PULONG ValueLength, OUT PULONG Attributes OPTIONAL );
NTSTATUSNTAPINtSetSystemEnvironmentValueEx ( IN PUNICODE_STRING VariableName, IN LPGUID VendorGuid, IN PVOID Value, IN ULONG ValueLength, IN ULONG Attributes );
NTSTATUSNTAPINtEnumerateSystemEnvironmentValuesEx ( IN ULONG InformationClass, OUT PVOID Buffer, IN OUT PULONG BufferLength );
NTSTATUSNTAPINtQuerySystemTime ( OUT PLARGE_INTEGER SystemTime );
NTSTATUSNTAPINtSetSystemTime ( IN PLARGE_INTEGER SystemTime, OUT PLARGE_INTEGER PreviousTime OPTIONAL );
NTSTATUSNTAPINtQuerySystemInformation ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );
NTSTATUSNTAPINtSetSystemInformation ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength );
/*
NTSTATUSNTAPINtAddBootEntry ( IN PBOOT_ENTRY BootEntry, OUT PULONG Id OPTIONAL );
NTSTATUSNTAPINtDeleteBootEntry ( IN ULONG Id );
NTSTATUSNTAPINtEnumerateBootEntries ( OUT PVOID Buffer, IN OUT PULONG BufferLength );
NTSTATUSNTAPINtQueryBootEntryOrder ( OUT PULONG Ids, IN OUT PULONG Count );
NTSTATUSNTAPINtSetBootEntryOrder ( IN PULONG Ids, IN ULONG Count );
NTSTATUSNTAPINtQueryBootOptions ( OUT PBOOT_OPTIONS BootOptions, IN OUT PULONG BootOptionsLength );
NTSTATUSNTAPINtSetBootOptions ( IN PBOOT_OPTIONS BootOptions, IN ULONG FieldsToChange );
NTSTATUSNTAPINtAddDriverEntry ( IN PEFI_DRIVER_ENTRY DriverEntry, OUT PULONG Id OPTIONAL );
NTSTATUSNTAPINtDeleteDriverEntry ( IN ULONG Id );
NTSTATUSNTAPINtModifyDriverEntry ( IN PEFI_DRIVER_ENTRY DriverEntry );
NTSTATUSNTAPINtEnumerateDriverEntries ( OUT PVOID Buffer, IN OUT PULONG BufferLength );
NTSTATUSNTAPINtQueryDriverEntryOrder ( OUT PULONG Ids, IN OUT PULONG Count );
NTSTATUSNTAPINtSetDriverEntryOrder ( IN PULONG Ids, IN ULONG Count );
NTSTATUSNTAPINtCreateEvent ( OUT PHANDLE EventHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN EVENT_TYPE EventType, IN BOOLEAN InitialState );
NTSTATUSNTAPINtOpenEvent ( OUT PHANDLE EventHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUSNTAPINtCreateEventPair ( OUT PHANDLE EventPairHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL );
NTSTATUSNTAPINtOpenEventPair( OUT PHANDLE EventPairHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUSNTAPINtCreateMutant ( OUT PHANDLE MutantHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN BOOLEAN InitialOwner );
NTSTATUSNTAPINtOpenMutant ( OUT PHANDLE MutantHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
*/
////////////////////////////////////////////////////////////////////////////////
//Registry related
OVR_FUNC3(NtOpenKey, PHANDLE, KeyHandle, ACCESS_MASK, DesiredAccess, POBJECT_ATTRIBUTES, ObjectAttributes)OVR_FUNC7(NtCreateKey, PHANDLE, KeyHandle, ACCESS_MASK, DesiredAccess, POBJECT_ATTRIBUTES, ObjectAttributes, ULONG, TitleIndex, PUNICODE_STRING, Class, ULONG, CreateOptions, PULONG, Disposition)
OVR_FUNC2(NtDeleteValueKey, HANDLE, KeyHandle, PUNICODE_STRING, ValueName)
OVR_FUNC6(NtEnumerateKey, HANDLE, KeyHandle, ULONG, Index, KEY_INFORMATION_CLASS, KeyInformationClass, PVOID, KeyInformation, ULONG, Length, PULONG, ResultLength)OVR_FUNC6(NtEnumerateValueKey, HANDLE, KeyHandle, ULONG, Index, KEY_VALUE_INFORMATION_CLASS, KeyValueInformationClass, PVOID, KeyValueInformation, ULONG, Length, PULONG, ResultLength)
OVR_FUNC5(NtQueryKey, HANDLE, KeyHandle, KEY_INFORMATION_CLASS, KeyInformationClass, PVOID, KeyInformation, ULONG, Length, PULONG, ResultLength)OVR_FUNC6(NtQueryValueKey, HANDLE, KeyHandle, PUNICODE_STRING, ValueName, KEY_VALUE_INFORMATION_CLASS, KeyValueInformationClass, PVOID, KeyValueInformation, ULONG, Length, PULONG, ResultLength)OVR_FUNC6(NtQueryMultipleValueKey, HANDLE, KeyHandle, PKEY_VALUE_ENTRY, ValueEntries, ULONG, EntryCount, PVOID, ValueBuffer, PULONG, BufferLength, PULONG, RequiredBufferLength)
OVR_FUNC6(NtSetValueKey, HANDLE, KeyHandle, PUNICODE_STRING, ValueName, ULONG, TitleIndex,ULONG, Type, PVOID, Data, ULONG, DataSize)
#define PREFUNC1(FuncName, t1, p1)\
typedef LONG (MYAPI *INTERCEPTED_##FuncName)(t1 p1);\\ LONG MYAPI New##FuncName(t1 p1);\\ LONG gl_ResultOf##FuncName = NULL;\\ DWORD gl_Backup##FuncName[2] = {0, 0},\ gl_Intercept##FuncName[2] = {0, 0};\\ INTERCEPTED_##FuncName gl_p##FuncName = NULL; \\\ LONG MYAPI New##FuncName(t1 p1) \ {\ RESTORE_FUNCTION(gl_p##FuncName, gl_Backup##FuncName);\ if (OVERIDE_INST) \ OVERIDE_INST->FuncName(p1); \ gl_ResultOf##FuncName = gl_p##FuncName(p1);\\ INTERCEPT_FUNCTION(gl_p##FuncName, gl_Intercept##FuncName);\ return gl_ResultOf##FuncName;\ }
PREFUNC1(NtDeleteKey, HANDLE, KeyHandle)
////////////////////////////////////////////////////////////////////////////////
//File System Related
OVR_FUNC1(NtDeleteFile, POBJECT_ATTRIBUTES, ObjectAttributes)OVR_FUNC2(NtQueryAttributesFile, POBJECT_ATTRIBUTES, ObjectAttributes, PFILE_BASIC_INFORMATION, FileInformation)OVR_FUNC2(NtQueryFullAttributesFile, POBJECT_ATTRIBUTES, ObjectAttributes, PFILE_NETWORK_OPEN_INFORMATION, FileInformation)OVR_FUNC11(NtCreateFile, PHANDLE, FileHandle, ACCESS_MASK, DesiredAccess, POBJECT_ATTRIBUTES, ObjectAttributes, PIO_STATUS_BLOCK, IoStatusBlock, PLARGE_INTEGER, AllocationSize, ULONG, FileAttributes, ULONG, ShareAccess, ULONG, CreateDisposition, ULONG, CreateOptions, PVOID, EaBuffer, ULONG, EaLength)
OVR_FUNC6(NtOpenFile, PHANDLE, FileHandle, ACCESS_MASK, DesiredAccess, POBJECT_ATTRIBUTES, ObjectAttributes, PIO_STATUS_BLOCK, IoStatusBlock, ULONG, ShareAccess, ULONG, OpenOptions)
OVR_FUNC5(NtQueryInformationFile, IN HANDLE, FileHandle, OUT PIO_STATUS_BLOCK, IoStatusBlock, OUT PVOID, FileInformation, IN ULONG, Length, IN FILE_INFORMATION_CLASS, FileInformationClass)
OVR_FUNC5(NtSetInformationFile, IN HANDLE, FileHandle, OUT PIO_STATUS_BLOCK, IoStatusBlock, IN PVOID, FileInformation, IN ULONG, Length, IN FILE_INFORMATION_CLASS, FileInformationClass)
/*
NtSetInformationFile NtQueryInformationFileNtReadFileNtWriteFile */////////////////////////////////////////////////////////////////////////////////
//Driver Related
//
OVR_FUNC1(NtLoadDriver, PUNICODE_STRING, DriverServiceName)/*
OVR_FUNC10(NtDeviceIoControlFile, HANDLE, FileHandle, HANDLE, Event, PIO_APC_ROUTINE, ApcRoutine, PVOID, ApcContext, PIO_STATUS_BLOCK, IoStatusBlock, ULONG, IoControlCode, PVOID, InputBuffer, ULONG, InputBufferLength, PVOID, OutputBuffer, ULONG, OutputBufferLength)
OVR_FUNC10(NtFsControlFile, HANDLE, FileHandle, HANDLE, Event, PIO_APC_ROUTINE, ApcRoutine, PVOID, ApcContext, PIO_STATUS_BLOCK, IoStatusBlock, ULONG, FsControlCode, PVOID, InputBuffer, ULONG, InputBufferLength, PVOID, OutputBuffer, ULONG, OutputBufferLength)
*/////////////////////////////////////////////////////////////////////////////////
// Misc System Functions
/*
OVR_FUNC5(NtWaitForMultipleObjects, IN ULONG, Count, IN HANDLE, Handles[], IN WAIT_TYPE, WaitType, IN BOOLEAN, Alertable, IN PLARGE_INTEGER, Timeout)*/
OVR_FUNC3(NtPlugPlayControl, IN PLUGPLAY_CONTROL_CLASS, PnPControlClass, IN OUT PVOID, PnPControlData, IN ULONG,PnPControlDataLength)
OVR_FUNC4(NtCreateSymbolicLinkObject, OUT PHANDLE, LinkHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes, IN PUNICODE_STRING, LinkTarget)
OVR_FUNC3(NtOpenSymbolicLinkObject, OUT PHANDLE, LinkHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes)
OVR_FUNC3(NtCreateDirectoryObject, OUT PHANDLE, DirectoryHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes)
OVR_FUNC3(NtOpenDirectoryObject, OUT PHANDLE, DirectoryHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes)
OVR_FUNC4(NtSignalAndWaitForSingleObject, IN HANDLE, SignalHandle, IN HANDLE, WaitHandle, IN BOOLEAN, Alertable, IN PLARGE_INTEGER, Timeout)
OVR_FUNC3(NtWaitForSingleObject, IN HANDLE, Handle, IN BOOLEAN, Alertable, IN PLARGE_INTEGER, Timeout)
OVR_FUNC5(NtWaitForMultipleObjects, IN ULONG, Count, IN HANDLE*, Handles, IN WAIT_TYPE, WaitType, IN BOOLEAN, Alertable, IN PLARGE_INTEGER, Timeout)
OVR_FUNC5(NtCreatePort, OUT PHANDLE, PortHandle, IN POBJECT_ATTRIBUTES, ObjectAttributes, IN ULONG, MaxConnectionInfoLength, IN ULONG, MaxMessageLength, IN ULONG, MaxPoolUsage)
OVR_FUNC5(NtCreateWaitablePort, OUT PHANDLE, PortHandle, IN POBJECT_ATTRIBUTES, ObjectAttributes, IN ULONG, MaxConnectionInfoLength, IN ULONG, MaxMessageLength, IN ULONG, MaxPoolUsage)
OVR_FUNC8(NtCreateThread, OUT PHANDLE, ThreadHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes OPTIONAL, IN HANDLE, ProcessHandle, OUT PCLIENT_ID, ClientId, IN PCONTEXT, ThreadContext, IN PINITIAL_TEB, InitialTeb, IN BOOLEAN, CreateSuspended)
OVR_FUNC4(NtOpenThread, OUT PHANDLE, ThreadHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes, IN PCLIENT_ID, ClientId)
OVR_FUNC8(NtCreateProcess, OUT PHANDLE, ProcessHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes OPTIONAL, IN HANDLE, ParentProcess, IN BOOLEAN, InheritObjectTable, IN HANDLE, SectionHandle OPTIONAL, IN HANDLE, DebugPort OPTIONAL, IN HANDLE, ExceptionPort OPTIONAL)
OVR_FUNC9(NtCreateProcessEx, OUT PHANDLE, ProcessHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes OPTIONAL, IN HANDLE, ParentProcess, IN ULONG, Flags, IN HANDLE, SectionHandle OPTIONAL, IN HANDLE ,DebugPort OPTIONAL, IN HANDLE, ExceptionPort OPTIONAL, IN ULONG, JobMemberLevel)
OVR_FUNC4(NtOpenProcess, OUT PHANDLE, ProcessHandle, IN ACCESS_MASK, DesiredAccess, IN POBJECT_ATTRIBUTES, ObjectAttributes, IN PCLIENT_ID, ClientId OPTIONAL)
OVR_FUNC2(NtQueryDefaultLocale, IN BOOLEAN, UserProfile, OUT PLCID, DefaultLocaleId)
OVR_FUNC2(NtSetDefaultLocale, IN BOOLEAN, UserProfile, IN LCID, DefaultLocaleId)
OVR_FUNC4(NtQuerySystemEnvironmentValue, IN PUNICODE_STRING, VariableName, OUT PWSTR, VariableValue, IN USHORT, ValueLength, OUT PUSHORT, ReturnLength OPTIONAL)
OVR_FUNC2(NtSetSystemEnvironmentValue, IN PUNICODE_STRING, VariableName, IN PUNICODE_STRING, VariableValue)
OVR_FUNC5(NtQuerySystemEnvironmentValueEx, IN PUNICODE_STRING, VariableName, IN LPGUID, VendorGuid, OUT PVOID, Value, IN OUT PULONG, ValueLength, OUT PULONG, Attributes OPTIONAL)
OVR_FUNC5(NtSetSystemEnvironmentValueEx, IN PUNICODE_STRING, VariableName, IN LPGUID, VendorGuid, IN PVOID, Value, IN ULONG, ValueLength, IN ULONG, Attributes)
OVR_FUNC3(NtEnumerateSystemEnvironmentValuesEx, IN ULONG, InformationClass, OUT PVOID, Buffer, IN OUT PULONG, BufferLength)
OVR_FUNC1(NtQuerySystemTime, OUT PLARGE_INTEGER, SystemTime) OVR_FUNC2(NtSetSystemTime, IN PLARGE_INTEGER, SystemTime, OUT PLARGE_INTEGER, PreviousTime OPTIONAL)
OVR_FUNC4(NtQuerySystemInformation, IN SYSTEM_INFORMATION_CLASS, SystemInformationClass, OUT PVOID, SystemInformation, IN ULONG, SystemInformationLength, OUT PULONG, ReturnLength OPTIONAL)
OVR_FUNC3(NtSetSystemInformation, IN SYSTEM_INFORMATION_CLASS, SystemInformationClass, IN PVOID, SystemInformation, IN ULONG, SystemInformationLength)
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
BOOL CRegIntercept::InterceptRegistryAPI(CRegIntercept* pRegInterceptInstance){ DWORD dwResult; HINSTANCE hKernel32;
hKernel32 = LoadLibrary(TEXT("ntdll.DLL"));
//Registry
INTERCEPT(NtOpenKey); INTERCEPT(NtCreateKey); INTERCEPT(NtDeleteKey); INTERCEPT(NtDeleteValueKey); INTERCEPT(NtEnumerateKey); INTERCEPT(NtEnumerateValueKey); INTERCEPT(NtQueryKey); INTERCEPT(NtQueryValueKey); INTERCEPT(NtQueryMultipleValueKey); INTERCEPT(NtSetValueKey);
//File System
INTERCEPT(NtDeleteFile); INTERCEPT(NtQueryAttributesFile); INTERCEPT(NtQueryFullAttributesFile); INTERCEPT(NtCreateFile); INTERCEPT(NtOpenFile); INTERCEPT(NtSetInformationFile); INTERCEPT(NtQueryInformationFile);
//Driver
INTERCEPT(NtLoadDriver);// INTERCEPT(NtDeviceIoControlFile);
// INTERCEPT(NtFsControlFile);
//Misc
INTERCEPT(NtPlugPlayControl); INTERCEPT(NtCreateSymbolicLinkObject); INTERCEPT(NtOpenSymbolicLinkObject); INTERCEPT(NtCreateDirectoryObject); INTERCEPT(NtOpenDirectoryObject); INTERCEPT(NtSignalAndWaitForSingleObject); INTERCEPT(NtWaitForSingleObject); INTERCEPT(NtWaitForMultipleObjects); INTERCEPT(NtCreatePort); INTERCEPT(NtCreateWaitablePort); INTERCEPT(NtCreateThread); INTERCEPT(NtOpenThread); INTERCEPT(NtCreateProcess); INTERCEPT(NtCreateProcessEx); INTERCEPT(NtOpenProcess); INTERCEPT(NtQueryDefaultLocale); INTERCEPT(NtSetDefaultLocale); INTERCEPT(NtQuerySystemEnvironmentValue); INTERCEPT(NtSetSystemEnvironmentValue); INTERCEPT(NtQuerySystemEnvironmentValueEx); INTERCEPT(NtSetSystemEnvironmentValueEx); INTERCEPT(NtEnumerateSystemEnvironmentValuesEx); INTERCEPT(NtQuerySystemTime); INTERCEPT(NtSetSystemTime); INTERCEPT(NtQuerySystemInformation); INTERCEPT(NtSetSystemInformation);
CRegIntercept::pRegInterceptInstance = pRegInterceptInstance; return TRUE;}
void CRegIntercept::RestoreRegistryAPI(){
//Registry
RESTORE(NtOpenKey); RESTORE(NtCreateKey); RESTORE(NtDeleteKey); RESTORE(NtDeleteValueKey); RESTORE(NtEnumerateKey); RESTORE(NtEnumerateValueKey); RESTORE(NtQueryKey); RESTORE(NtQueryValueKey); RESTORE(NtQueryMultipleValueKey); RESTORE(NtSetValueKey);
//File System
RESTORE(NtDeleteFile); RESTORE(NtQueryAttributesFile); RESTORE(NtQueryFullAttributesFile); RESTORE(NtCreateFile); RESTORE(NtOpenFile); RESTORE(NtSetInformationFile); RESTORE(NtQueryInformationFile);
//Driver
RESTORE(NtLoadDriver);// RESTORE(NtDeviceIoControlFile);
// RESTORE(NtFsControlFile);
//Misc
RESTORE(NtPlugPlayControl); RESTORE(NtCreateSymbolicLinkObject); RESTORE(NtOpenSymbolicLinkObject); RESTORE(NtCreateDirectoryObject); RESTORE(NtOpenDirectoryObject); RESTORE(NtSignalAndWaitForSingleObject); RESTORE(NtWaitForSingleObject); RESTORE(NtWaitForMultipleObjects); RESTORE(NtCreatePort); RESTORE(NtCreateWaitablePort); RESTORE(NtCreateThread); RESTORE(NtOpenThread); RESTORE(NtCreateProcess); RESTORE(NtCreateProcessEx); RESTORE(NtOpenProcess); RESTORE(NtQueryDefaultLocale); RESTORE(NtSetDefaultLocale); RESTORE(NtQuerySystemEnvironmentValue); RESTORE(NtSetSystemEnvironmentValue); RESTORE(NtQuerySystemEnvironmentValueEx); RESTORE(NtSetSystemEnvironmentValueEx); RESTORE(NtEnumerateSystemEnvironmentValuesEx); RESTORE(NtQuerySystemTime); RESTORE(NtSetSystemTime); RESTORE(NtQuerySystemInformation); RESTORE(NtSetSystemInformation);}
typedef enum _OBJECT_INFORMATION_CLASS { ObjectBasicInformation, ObjectNameInformation, ObjectTypeInformation, ObjectTypesInformation, ObjectHandleFlagInformation,} OBJECT_INFORMATION_CLASS;
typedef struct _OBJECT_BASIC_INFORMATION { ULONG Attributes; ACCESS_MASK GrantedAccess; ULONG HandleCount; ULONG PointerCount; ULONG PagedPoolCharge; ULONG NonPagedPoolCharge; ULONG Reserved[ 3 ]; ULONG NameInfoSize; ULONG TypeInfoSize; ULONG SecurityDescriptorSize; LARGE_INTEGER CreationTime;} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
typedef struct _OBJECT_NAME_INFORMATION { // ntddk wdm nthal
UNICODE_STRING Name; // ntddk wdm nthal
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; // ntddk wdm nthal
typedef struct _OBJECT_TYPE_INFORMATION { UNICODE_STRING TypeName; ULONG TotalNumberOfObjects; ULONG TotalNumberOfHandles; ULONG TotalPagedPoolUsage; ULONG TotalNonPagedPoolUsage; ULONG TotalNamePoolUsage; ULONG TotalHandleTableUsage; ULONG HighWaterNumberOfObjects; ULONG HighWaterNumberOfHandles; ULONG HighWaterPagedPoolUsage; ULONG HighWaterNonPagedPoolUsage; ULONG HighWaterNamePoolUsage; ULONG HighWaterHandleTableUsage; ULONG InvalidAttributes; GENERIC_MAPPING GenericMapping; ULONG ValidAccessMask; BOOLEAN SecurityRequired; BOOLEAN MaintainHandleCount; ULONG PoolType; ULONG DefaultPagedPoolCharge; ULONG DefaultNonPagedPoolCharge;} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
typedef struct _OBJECT_TYPES_INFORMATION { ULONG NumberOfTypes; // OBJECT_TYPE_INFORMATION TypeInformation;
} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
typedef struct _OBJECT_HANDLE_FLAG_INFORMATION { BOOLEAN Inherit; BOOLEAN ProtectFromClose;} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;/*
//NTSYSCALLAPI
NTSTATUSNTAPINtQueryObject( IN HANDLE Handle, IN OBJECT_INFORMATION_CLASS ObjectInformationClass, OUT PVOID ObjectInformation, IN ULONG Length, OUT PULONG ReturnLength OPTIONAL );*/typedef LONG (NTAPI* NtQueryObjectT) (HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);NtQueryObjectT NtQueryObject=0;
bool CRegIntercept::GetHandleName(HANDLE handle, TCHAR *buf, bool bAppendBackslash){ if (buf == NULL) return false;
buf[0] = NULL;
if ((handle == 0) || (handle == INVALID_HANDLE_VALUE)) return true;
DWORD rc; char Buffer[1024]; POBJECT_NAME_INFORMATION pObjectNameInfo=(POBJECT_NAME_INFORMATION)Buffer;
rc=NtQueryObject( handle, ObjectNameInformation, Buffer, sizeof(Buffer), NULL);
if (rc==0) { _tcscpy(buf, pObjectNameInfo->Name.Buffer);
if (bAppendBackslash) { AppendBackSlash(buf); }
return true; } else return false;
}
bool CRegIntercept::Init(){ HMODULE hLibrary = NULL; hLibrary = LoadLibrary (L"ntdll.dll");
if (hLibrary) { NtQueryObject = (NtQueryObjectT) GetProcAddress (hLibrary, "NtQueryObject"); return (NtQueryObject != 0); }
return false;}
void CRegIntercept::AppendBackSlash(TCHAR *buf){ int len = _tcslen(buf); if (buf[len-1] != L'\\') { buf[len] = L'\\'; buf[len+1] = NULL; }}
|
