m417z/early-create-remote-thread-test.wh.cpp

## early-create-remote-thread-test.wh.cpp
// ==WindhawkMod==
// @id              early-create-remote-thread-test
// @name            Early CreateRemoteThread test
// @description     A test of CreateRemoteThread called right after NtCreateUserProcess
// @version         0.1
// @author          m417z
// @github          https://github.com/m417z
// @twitter         https://twitter.com/m417z
// @homepage        https://m417z.com/
// @include         cmd.exe
// ==/WindhawkMod==

#include <windhawk_utils.h>

using NtCreateUserProcess_t = NTSYSCALLAPI NTSTATUS
NTAPI (*)(_Out_ PHANDLE ProcessHandle,
          _Out_ PHANDLE ThreadHandle,
          _In_ ACCESS_MASK ProcessDesiredAccess,
          _In_ ACCESS_MASK ThreadDesiredAccess,
          _In_opt_ void* /*POBJECT_ATTRIBUTES*/ ProcessObjectAttributes,
          _In_opt_ void* /*POBJECT_ATTRIBUTES*/ ThreadObjectAttributes,
          _In_ ULONG ProcessFlags,           // PROCESS_CREATE_FLAGS_*
          _In_ ULONG ThreadFlags,            // THREAD_CREATE_FLAGS_*
          _In_opt_ PVOID ProcessParameters,  // PRTL_USER_PROCESS_PARAMETERS
          _Inout_ void* /*PPS_CREATE_INFO*/ CreateInfo,
          _In_opt_ void* /*PPS_ATTRIBUTE_LIST*/ AttributeList);
NtCreateUserProcess_t NtCreateUserProcess_Original;
NTSTATUS WINAPI
NtCreateUserProcess_Hook(PHANDLE ProcessHandle,
                         PHANDLE ThreadHandle,
                         ACCESS_MASK ProcessDesiredAccess,
                         ACCESS_MASK ThreadDesiredAccess,
                         void* /*POBJECT_ATTRIBUTES*/ ProcessObjectAttributes,
                         void* /*POBJECT_ATTRIBUTES*/ ThreadObjectAttributes,
                         ULONG ProcessFlags,
                         ULONG ThreadFlags,
                         PVOID ProcessParameters,
                         void* /*PPS_CREATE_INFO*/ CreateInfo,
                         void* /*PPS_ATTRIBUTE_LIST*/ AttributeList) {
    Wh_Log(L">");

    NTSTATUS ret = NtCreateUserProcess_Original(
        ProcessHandle, ThreadHandle, ProcessDesiredAccess, ThreadDesiredAccess,
        ProcessObjectAttributes, ThreadObjectAttributes, ProcessFlags,
        ThreadFlags, ProcessParameters, CreateInfo, AttributeList);
    if (ret != 0) {
        return ret;
    }

    Sleep(1000);
    Wh_Log(L">");

    DWORD dwThreadId;
    HANDLE hThread = CreateRemoteThread(*ProcessHandle, nullptr, 0,
                                        (LPTHREAD_START_ROUTINE)GetCommandLineW,
                                        nullptr, 0, &dwThreadId);
    if (hThread) {
        CloseHandle(hThread);
    }

    Sleep(1000);
    Wh_Log(L">");

    return ret;
}

using CreateProcessW_t = decltype(&CreateProcessW);
CreateProcessW_t CreateProcessW_Original;
BOOL WINAPI CreateProcessW_Hook(LPCWSTR lpApplicationName,
                                LPWSTR lpCommandLine,
                                LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                WINBOOL bInheritHandles,
                                DWORD dwCreationFlags,
                                LPVOID lpEnvironment,
                                LPCWSTR lpCurrentDirectory,
                                LPSTARTUPINFOW lpStartupInfo,
                                LPPROCESS_INFORMATION lpProcessInformation) {
    Wh_Log(L">");

    BOOL ret = CreateProcessW_Original(
        lpApplicationName, lpCommandLine, lpProcessAttributes,
        lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment,
        lpCurrentDirectory, lpStartupInfo, lpProcessInformation);

    Wh_Log(L"Result=%d", !!ret);

    return ret;
}

BOOL Wh_ModInit() {
    Wh_Log(L">");

    NtCreateUserProcess_t NtCreateUserProcess =
        (NtCreateUserProcess_t)GetProcAddress(GetModuleHandle(L"ntdll.dll"),
                                              "NtCreateUserProcess");

    WindhawkUtils::Wh_SetFunctionHookT(NtCreateUserProcess,
                                       NtCreateUserProcess_Hook,
                                       &NtCreateUserProcess_Original);

    WindhawkUtils::Wh_SetFunctionHookT(CreateProcessW, CreateProcessW_Hook,
                                       &CreateProcessW_Original);

    return TRUE;
}

void Wh_ModUninit() {
    Wh_Log(L">");
}

void Wh_ModSettingsChanged() {
    Wh_Log(L">");
}
	// ==WindhawkMod==
	// @id early-create-remote-thread-test
	// @name Early CreateRemoteThread test
	// @description A test of CreateRemoteThread called right after NtCreateUserProcess
	// @version 0.1
	// @author m417z
	// @github https://github.com/m417z
	// @twitter https://twitter.com/m417z
	// @homepage https://m417z.com/
	// @include cmd.exe
	// ==/WindhawkMod==

	#include <windhawk_utils.h>

	using NtCreateUserProcess_t = NTSYSCALLAPI NTSTATUS
	NTAPI (*)(_Out_ PHANDLE ProcessHandle,
	_Out_ PHANDLE ThreadHandle,
	_In_ ACCESS_MASK ProcessDesiredAccess,
	_In_ ACCESS_MASK ThreadDesiredAccess,
	_In_opt_ void* /POBJECT_ATTRIBUTES/ ProcessObjectAttributes,
	_In_opt_ void* /POBJECT_ATTRIBUTES/ ThreadObjectAttributes,
	_In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_*
	_In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_*
	_In_opt_ PVOID ProcessParameters, // PRTL_USER_PROCESS_PARAMETERS
	_Inout_ void* /PPS_CREATE_INFO/ CreateInfo,
	_In_opt_ void* /PPS_ATTRIBUTE_LIST/ AttributeList);
	NtCreateUserProcess_t NtCreateUserProcess_Original;
	NTSTATUS WINAPI
	NtCreateUserProcess_Hook(PHANDLE ProcessHandle,
	PHANDLE ThreadHandle,
	ACCESS_MASK ProcessDesiredAccess,
	ACCESS_MASK ThreadDesiredAccess,
	void* /POBJECT_ATTRIBUTES/ ProcessObjectAttributes,
	void* /POBJECT_ATTRIBUTES/ ThreadObjectAttributes,
	ULONG ProcessFlags,
	ULONG ThreadFlags,
	PVOID ProcessParameters,
	void* /PPS_CREATE_INFO/ CreateInfo,
	void* /PPS_ATTRIBUTE_LIST/ AttributeList) {
	Wh_Log(L">");

	NTSTATUS ret = NtCreateUserProcess_Original(
	ProcessHandle, ThreadHandle, ProcessDesiredAccess, ThreadDesiredAccess,
	ProcessObjectAttributes, ThreadObjectAttributes, ProcessFlags,
	ThreadFlags, ProcessParameters, CreateInfo, AttributeList);
	if (ret != 0) {
	return ret;
	}

	Sleep(1000);
	Wh_Log(L">");

	DWORD dwThreadId;
	HANDLE hThread = CreateRemoteThread(*ProcessHandle, nullptr, 0,
	(LPTHREAD_START_ROUTINE)GetCommandLineW,
	nullptr, 0, &dwThreadId);
	if (hThread) {
	CloseHandle(hThread);
	}

	Sleep(1000);
	Wh_Log(L">");

	return ret;
	}

	using CreateProcessW_t = decltype(&CreateProcessW);
	CreateProcessW_t CreateProcessW_Original;
	BOOL WINAPI CreateProcessW_Hook(LPCWSTR lpApplicationName,
	LPWSTR lpCommandLine,
	LPSECURITY_ATTRIBUTES lpProcessAttributes,
	LPSECURITY_ATTRIBUTES lpThreadAttributes,
	WINBOOL bInheritHandles,
	DWORD dwCreationFlags,
	LPVOID lpEnvironment,
	LPCWSTR lpCurrentDirectory,
	LPSTARTUPINFOW lpStartupInfo,
	LPPROCESS_INFORMATION lpProcessInformation) {
	Wh_Log(L">");

	BOOL ret = CreateProcessW_Original(
	lpApplicationName, lpCommandLine, lpProcessAttributes,
	lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment,
	lpCurrentDirectory, lpStartupInfo, lpProcessInformation);

	Wh_Log(L"Result=%d", !!ret);

	return ret;
	}

	BOOL Wh_ModInit() {
	Wh_Log(L">");

	NtCreateUserProcess_t NtCreateUserProcess =
	(NtCreateUserProcess_t)GetProcAddress(GetModuleHandle(L"ntdll.dll"),
	"NtCreateUserProcess");

	WindhawkUtils::Wh_SetFunctionHookT(NtCreateUserProcess,
	NtCreateUserProcess_Hook,
	&NtCreateUserProcess_Original);

	WindhawkUtils::Wh_SetFunctionHookT(CreateProcessW, CreateProcessW_Hook,
	&CreateProcessW_Original);

	return TRUE;
	}

	void Wh_ModUninit() {
	Wh_Log(L">");
	}

	void Wh_ModSettingsChanged() {
	Wh_Log(L">");
	}