Created
December 28, 2019 14:52
-
-
Save BelodedAleksey/4d548e47e018571cb932ac4b76dee66f to your computer and use it in GitHub Desktop.
Minhook NtQuerySystemInformation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "log" | |
| "syscall" | |
| "unsafe" | |
| "github.com/nanitefactory/gominhook" | |
| ) | |
| /* | |
| #include <Windows.h> | |
| #include <Winternl.h> | |
| // Put C prototypes here | |
| // Delegate type for calling original MessageBoxW. | |
| typedef int (WINAPI *MESSAGEBOXW)(HWND, LPCWSTR, LPCWSTR, UINT); | |
| typedef NTSTATUS (NTAPI *NTQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG); | |
| // (!) This way you can connect/convert a go function to a c function. | |
| int MessageBoxWOverrideHellYeah(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType); | |
| int NtQuerySystemInformationOver( | |
| ULONG SystemInformationClass, | |
| PVOID SystemInformation, | |
| ULONG SystemInformationLength, | |
| PULONG ReturnLength | |
| ); | |
| */ | |
| import "C" | |
| // Pointer for calling original MessageBoxW. | |
| var fpMessageBoxW C.MESSAGEBOXW | |
| var fpNtQuerySystemInformation C.NTQUERYSYSTEMINFORMATION | |
| // (!) This way you can connect/convert a go function to a c function. | |
| //export MessageBoxWOverrideHellYeah | |
| func MessageBoxWOverrideHellYeah(hWnd C.HWND, lpText C.LPCWSTR, lpCaption C.LPCWSTR, uType C.UINT) C.int { | |
| fmt.Println(" - MessageBoxW Override") | |
| foo() | |
| ret, _, _ := syscall.Syscall6( | |
| uintptr(unsafe.Pointer(fpMessageBoxW)), | |
| 4, | |
| uintptr(unsafe.Pointer(hWnd)), | |
| uintptr(unsafe.Pointer(lpText)), | |
| uintptr(unsafe.Pointer(lpCaption)), | |
| uintptr(uint(uType)), | |
| 0, 0, | |
| ) | |
| return C.int(ret) | |
| } | |
| //export NtQuerySystemInformationOver | |
| func NtQuerySystemInformationOver( | |
| SystemInformationClass C.ULONG, | |
| SystemInformation C.PVOID, | |
| SystemInformationLength C.ULONG, | |
| ReturnLength C.PULONG) C.int { | |
| fmt.Println(" - NtQuerySystemInformation Override") | |
| ret, _, err := syscall.Syscall6( | |
| uintptr(unsafe.Pointer(fpNtQuerySystemInformation)), | |
| 4, | |
| uintptr(uint32(SystemInformationClass)), | |
| uintptr(SystemInformation), | |
| uintptr(uint32(SystemInformationLength)), | |
| uintptr(unsafe.Pointer(ReturnLength)), | |
| 0, 0, | |
| ) | |
| fmt.Println(ret) | |
| fmt.Println(err) | |
| return C.int(ret) | |
| } | |
| func foo() { | |
| fmt.Println(" - I'm so hooked now.") | |
| } | |
| func main() { | |
| // Initialize minhook | |
| err := gominhook.Initialize() | |
| if err != nil { | |
| log.Fatalln(err) | |
| } | |
| defer gominhook.Uninitialize() | |
| // Get procedure user32.MessageBoxW | |
| procedure := syscall.NewLazyDLL("user32.dll").NewProc("MessageBoxW") | |
| proc := syscall.NewLazyDLL("Ntdll.dll").NewProc("NtQuerySystemInformation") | |
| /*fmt.Println("-- not hooked yet") | |
| procedure.Call( | |
| 0, | |
| uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("Hello1"))), | |
| uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("World1"))), | |
| 1, | |
| ) | |
| fmt.Println(fmt.Sprintf("0x%X", procedure.Addr()), fmt.Sprintf("0x%X", &fpMessageBoxW), fmt.Sprintf("0x%X", fpMessageBoxW)) | |
| fmt.Println()*/ | |
| // Create a hook for MessageBoxW. | |
| err = gominhook.CreateHook(procedure.Addr(), uintptr(C.MessageBoxWOverrideHellYeah), uintptr(unsafe.Pointer(&fpMessageBoxW))) | |
| if err != nil { | |
| log.Fatalln(err) | |
| } | |
| // Create a hook for NtQuerySystemInformation. | |
| err = gominhook.CreateHook(proc.Addr(), uintptr(C.NtQuerySystemInformationOver), uintptr(unsafe.Pointer(&fpNtQuerySystemInformation))) | |
| if err != nil { | |
| log.Fatalln(err) | |
| } | |
| // Enable the hook for MessageBoxW. | |
| err = gominhook.EnableHook(gominhook.AllHooks) | |
| if err != nil { | |
| log.Fatalln(err) | |
| } | |
| // Calling our hooked procedure user32.MessageBoxW. | |
| /*fmt.Println("-- after hook") | |
| procedure.Call( | |
| 0, | |
| uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("Hello2"))), | |
| uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("World2"))), | |
| 1, | |
| ) | |
| fmt.Println(fmt.Sprintf("0x%X", procedure.Addr()), fmt.Sprintf("0x%X", &fpMessageBoxW), fmt.Sprintf("0x%X", fpMessageBoxW)) | |
| fmt.Println()*/ | |
| defer func() { | |
| // Disable the hook for MessageBoxW. | |
| err = gominhook.DisableHook(gominhook.AllHooks) | |
| if err != nil { | |
| log.Fatalln(err) | |
| } | |
| }() | |
| for { | |
| } | |
| // Calling our unhooked procedure user32.MessageBoxW. | |
| fmt.Println("-- after unhook") | |
| procedure.Call( | |
| 0, | |
| uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("Hello3"))), | |
| uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("World3"))), | |
| 1, | |
| ) | |
| fmt.Println(fmt.Sprintf("0x%X", procedure.Addr()), fmt.Sprintf("0x%X", &fpMessageBoxW), fmt.Sprintf("0x%X", fpMessageBoxW)) | |
| fmt.Println() | |
| } | |
| /* This outputs... | |
| -- not hooked yet | |
| 0x7FFE6CA4EE10 0x578180 0x0 | |
| -- after hook | |
| - MessageBoxW Override | |
| - I'm so hooked now. | |
| 0x7FFE6CA4EE10 0x578180 0x& | |
| -- after unhook | |
| 0x7FFE6CA4EE10 0x578180 0x& | |
| */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment