Last active
March 4, 2016 19:51
-
-
Save jocopa3/256f5378b40a729b03fe to your computer and use it in GitHub Desktop.
Added extra check
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <iostream> | |
| #include "MinHook.h" | |
| // Hooks a function at a given address given the hook function and trampoline function | |
| BOOL setHook(LPVOID* origAddress, LPVOID* hookFunction, LPVOID* trampFunction) | |
| { | |
| if (MH_CreateHook(origAddress, hookFunction, reinterpret_cast<LPVOID*>(trampFunction)) != MH_OK) | |
| { | |
| return FALSE; | |
| } | |
| if (MH_EnableHook(origAddress) != MH_OK) | |
| { | |
| return FALSE; | |
| } | |
| return TRUE; | |
| } | |
| // Attaches a hook on a function given the name of the owning module and the name of the function | |
| BOOL attach(LPWSTR wstrModule, LPCSTR strFunction, LPVOID* hook, LPVOID* original) | |
| { | |
| HMODULE hModule = GetModuleHandle(wstrModule); | |
| if (hModule == NULL) | |
| { | |
| return FALSE; | |
| } | |
| FARPROC hFunction = GetProcAddress(hModule, strFunction); | |
| if (hFunction == NULL) | |
| { | |
| return FALSE; | |
| } | |
| return setHook((LPVOID*)hFunction, hook, original); | |
| } | |
| // Store whether the process was suspended or not | |
| BOOL Suspended = FALSE; | |
| // Basic hook setup for CreateProcessW | |
| typedef BOOL(WINAPI *PfnCreateProcessW)(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); | |
| PfnCreateProcessW pfnCreateProcessW = NULL; | |
| BOOL WINAPI HfnCreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) | |
| { | |
| // Flag the process to be suspended on creation | |
| dwCreationFlags |= CREATE_SUSPENDED; | |
| Suspended = (dwCreationFlags & CREATE_SUSPENDED) == CREATE_SUSPENDED; | |
| printf("CreateProcessW: %ws\n", lpApplicationName); | |
| return pfnCreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation); | |
| } | |
| int main(int argc, char* argv[]) | |
| { | |
| MH_Initialize(); | |
| // Attach a hook on CreateProcessW | |
| BOOL hook = TRUE; | |
| hook &= attach(L"kernelbase.dll", "CreateProcessW", (LPVOID*)&HfnCreateProcessW, (LPVOID*)&pfnCreateProcessW); | |
| if (!hook) | |
| { | |
| std::cout << "Could not attach the hook" << std::endl; | |
| return FALSE; | |
| } | |
| PROCESS_INFORMATION ProcessInfo; | |
| STARTUPINFO StartupInfo; | |
| ZeroMemory(&StartupInfo, sizeof(StartupInfo)); | |
| StartupInfo.cb = sizeof StartupInfo; | |
| // CreateProcess example to show the hook worked | |
| if (CreateProcess(L"C:\\Windows\\Notepad.exe", NULL,NULL, NULL, FALSE, 0, NULL, NULL, &StartupInfo, &ProcessInfo)) | |
| { | |
| std::cout << "The process was created\n"; | |
| std::cout << "PID: (" << ProcessInfo.dwProcessId << ")\n"; | |
| std::cout << "Suspended: " << (Suspended ? "True" : "False") << std::endl; | |
| CloseHandle(ProcessInfo.hThread); | |
| CloseHandle(ProcessInfo.hProcess); | |
| } | |
| else | |
| { | |
| std::cout << "Failed to create the process" << std::endl; | |
| } | |
| system("PAUSE"); | |
| MH_Uninitialize(); | |
| return TRUE; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment