diff --git a/.gitignore b/.gitignore
index 11e39a6..e652504 100644
--- a/.gitignore
+++ b/.gitignore
@@ -334,3 +334,4 @@ ASALocalRun/
# Local History for Visual Studio
.localhistory/
+.vscode
diff --git a/HookLib.sln b/HookLib.sln
index 053e6e8..50b60a1 100644
--- a/HookLib.sln
+++ b/HookLib.sln
@@ -1,7 +1,7 @@
Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.28701.123
+# Visual Studio Version 17
+VisualStudioVersion = 17.5.33627.172
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookLib", "HookLib\HookLib.vcxproj", "{9379F9BC-7829-45D8-B339-90F6504FDF2B}"
ProjectSection(ProjectDependencies) = postProject
@@ -18,74 +18,156 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Zydis", "HookLib\Zydis\msvc
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookLibDrvTests", "HookLibDrvTests\HookLibDrvTests.vcxproj", "{3E9752F7-9B84-4844-847E-08F6E2DE1D32}"
EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookSysDemo", "HookSysDemo\HookSysDemo.vcxproj", "{C437FE08-764D-4076-8E7D-C971C637A6CA}"
+EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug Kernel|ARM64 = Debug Kernel|ARM64
Debug Kernel|x64 = Debug Kernel|x64
Debug Kernel|x86 = Debug Kernel|x86
+ Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
+ Release Kernel|ARM64 = Release Kernel|ARM64
Release Kernel|x64 = Release Kernel|x64
Release Kernel|x86 = Release Kernel|x86
+ Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug Kernel|ARM64.ActiveCfg = Debug Kernel|x64
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug Kernel|ARM64.Build.0 = Debug Kernel|x64
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug Kernel|ARM64.Deploy.0 = Debug Kernel|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug Kernel|x64.ActiveCfg = Debug Kernel|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug Kernel|x64.Build.0 = Debug Kernel|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug Kernel|x86.ActiveCfg = Debug Kernel|Win32
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug Kernel|x86.Build.0 = Debug Kernel|Win32
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug|ARM64.ActiveCfg = Debug|x64
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug|ARM64.Build.0 = Debug|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug|x64.ActiveCfg = Debug|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug|x64.Build.0 = Debug|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug|x86.ActiveCfg = Debug|Win32
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Debug|x86.Build.0 = Debug|Win32
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release Kernel|ARM64.ActiveCfg = Release Kernel|x64
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release Kernel|ARM64.Build.0 = Release Kernel|x64
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release Kernel|ARM64.Deploy.0 = Release Kernel|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release Kernel|x64.ActiveCfg = Release Kernel|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release Kernel|x64.Build.0 = Release Kernel|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release Kernel|x86.ActiveCfg = Release Kernel|Win32
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release Kernel|x86.Build.0 = Release Kernel|Win32
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release|ARM64.ActiveCfg = Release|x64
+ {9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release|ARM64.Build.0 = Release|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release|x64.ActiveCfg = Release|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release|x64.Build.0 = Release|x64
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release|x86.ActiveCfg = Release|Win32
{9379F9BC-7829-45D8-B339-90F6504FDF2B}.Release|x86.Build.0 = Release|Win32
+ {51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug Kernel|ARM64.ActiveCfg = Debug|x64
+ {51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug Kernel|ARM64.Build.0 = Debug|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug Kernel|x64.ActiveCfg = Debug|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug Kernel|x86.ActiveCfg = Debug|Win32
+ {51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug|ARM64.ActiveCfg = Debug|x64
+ {51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug|ARM64.Build.0 = Debug|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug|x64.ActiveCfg = Debug|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug|x64.Build.0 = Debug|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug|x86.ActiveCfg = Debug|Win32
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Debug|x86.Build.0 = Debug|Win32
+ {51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release Kernel|ARM64.ActiveCfg = Release|x64
+ {51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release Kernel|ARM64.Build.0 = Release|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release Kernel|x64.ActiveCfg = Release|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release Kernel|x86.ActiveCfg = Release|Win32
+ {51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release|ARM64.ActiveCfg = Release|x64
+ {51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release|ARM64.Build.0 = Release|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release|x64.ActiveCfg = Release|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release|x64.Build.0 = Release|x64
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release|x86.ActiveCfg = Release|Win32
{51822229-A0BE-4D4E-8025-F16A47ACC3EE}.Release|x86.Build.0 = Release|Win32
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Debug Kernel|ARM64.ActiveCfg = Debug Kernel|x64
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Debug Kernel|ARM64.Build.0 = Debug Kernel|x64
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Debug Kernel|ARM64.Deploy.0 = Debug Kernel|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Debug Kernel|x64.ActiveCfg = Debug Kernel|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Debug Kernel|x64.Build.0 = Debug Kernel|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Debug Kernel|x86.ActiveCfg = Debug Kernel|Win32
{88A23124-5640-35A0-B890-311D7A67A7D2}.Debug Kernel|x86.Build.0 = Debug Kernel|Win32
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Debug|ARM64.ActiveCfg = Debug MD DLL|x64
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Debug|ARM64.Build.0 = Debug MD DLL|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Debug|x64.ActiveCfg = Debug MT|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Debug|x64.Build.0 = Debug MT|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Debug|x86.ActiveCfg = Debug MT|Win32
{88A23124-5640-35A0-B890-311D7A67A7D2}.Debug|x86.Build.0 = Debug MT|Win32
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Release Kernel|ARM64.ActiveCfg = Release Kernel|x64
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Release Kernel|ARM64.Build.0 = Release Kernel|x64
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Release Kernel|ARM64.Deploy.0 = Release Kernel|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Release Kernel|x64.ActiveCfg = Release Kernel|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Release Kernel|x64.Build.0 = Release Kernel|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Release Kernel|x86.ActiveCfg = Release Kernel|Win32
{88A23124-5640-35A0-B890-311D7A67A7D2}.Release Kernel|x86.Build.0 = Release Kernel|Win32
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Release|ARM64.ActiveCfg = Release MD DLL|x64
+ {88A23124-5640-35A0-B890-311D7A67A7D2}.Release|ARM64.Build.0 = Release MD DLL|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Release|x64.ActiveCfg = Release MT|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Release|x64.Build.0 = Release MT|x64
{88A23124-5640-35A0-B890-311D7A67A7D2}.Release|x86.ActiveCfg = Release MT|Win32
{88A23124-5640-35A0-B890-311D7A67A7D2}.Release|x86.Build.0 = Release MT|Win32
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug Kernel|ARM64.ActiveCfg = Debug|x64
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug Kernel|ARM64.Build.0 = Debug|x64
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug Kernel|ARM64.Deploy.0 = Debug|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug Kernel|x64.ActiveCfg = Debug|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug Kernel|x64.Build.0 = Debug|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug Kernel|x86.ActiveCfg = Debug|Win32
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug Kernel|x86.Build.0 = Debug|Win32
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug|ARM64.ActiveCfg = Debug|x64
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug|ARM64.Build.0 = Debug|x64
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug|ARM64.Deploy.0 = Debug|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug|x64.ActiveCfg = Debug|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Debug|x86.ActiveCfg = Debug|Win32
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release Kernel|ARM64.ActiveCfg = Release|x64
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release Kernel|ARM64.Build.0 = Release|x64
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release Kernel|ARM64.Deploy.0 = Release|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release Kernel|x64.ActiveCfg = Release|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release Kernel|x64.Build.0 = Release|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release Kernel|x86.ActiveCfg = Release|Win32
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release Kernel|x86.Build.0 = Release|Win32
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release|ARM64.ActiveCfg = Release|x64
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release|ARM64.Build.0 = Release|x64
+ {3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release|ARM64.Deploy.0 = Release|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release|x64.ActiveCfg = Release|x64
{3E9752F7-9B84-4844-847E-08F6E2DE1D32}.Release|x86.ActiveCfg = Release|Win32
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|ARM64.ActiveCfg = Debug|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|ARM64.Build.0 = Debug|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|ARM64.Deploy.0 = Debug|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|x64.ActiveCfg = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|x64.Build.0 = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|x64.Deploy.0 = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|x86.ActiveCfg = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|x86.Build.0 = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug Kernel|x86.Deploy.0 = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|ARM64.ActiveCfg = Debug|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|ARM64.Build.0 = Debug|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|ARM64.Deploy.0 = Debug|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|x64.ActiveCfg = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|x64.Build.0 = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|x64.Deploy.0 = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|x86.ActiveCfg = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|x86.Build.0 = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Debug|x86.Deploy.0 = Debug|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|ARM64.ActiveCfg = Release|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|ARM64.Build.0 = Release|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|ARM64.Deploy.0 = Release|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|x64.ActiveCfg = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|x64.Build.0 = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|x64.Deploy.0 = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|x86.ActiveCfg = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|x86.Build.0 = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release Kernel|x86.Deploy.0 = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|ARM64.ActiveCfg = Release|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|ARM64.Build.0 = Release|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|ARM64.Deploy.0 = Release|ARM64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|x64.ActiveCfg = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|x64.Build.0 = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|x64.Deploy.0 = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|x86.ActiveCfg = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|x86.Build.0 = Release|x64
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}.Release|x86.Deploy.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
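Review bot: The new ARM64 solution platforms map HookLib's ARM64 rows to its x64 project configurations (`{9379F9BC-…}.Debug Kernel|ARM64.ActiveCfg = Debug Kernel|x64` and the matching Release rows), whereas HookSysDemo's ARM64 rows build a genuine ARM64 driver and that project appears to reference HookLib by GUID. Selecting an ARM64 solution configuration would therefore attempt to link an ARM64 driver against an x64 library, which cannot succeed. Unless HookLib is intentionally not buildable for ARM64 yet, either add real ARM64 project configurations for HookLib (and Zydis/HookLibDrvTests, which get the same x64 fallback here) or drop the `Build.0`/`Deploy.0` entries for HookSysDemo's ARM64 rows so the mismatch is not silently attempted.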
diff --git a/HookLib/HookLib.vcxproj b/HookLib/HookLib.vcxproj
index 1a8749e..f5715e2 100644
--- a/HookLib/HookLib.vcxproj
+++ b/HookLib/HookLib.vcxproj
@@ -267,6 +267,7 @@
true
MultiThreadedDebug
true
+ ProgramDatabase
Windows
diff --git a/HookLib/Zydis b/HookLib/Zydis
index 5488b7c..d4c37ae 160000
--- a/HookLib/Zydis
+++ b/HookLib/Zydis
@@ -1 +1 @@
-Subproject commit 5488b7caba739a89febe3b1a83cc86d6ec136cbb
+Subproject commit d4c37ae7a9db989495eb66636a65d8d4ff69eb35
diff --git a/HookSysDemo/HookSysDemo.vcxproj b/HookSysDemo/HookSysDemo.vcxproj
new file mode 100644
index 0000000..4ff0994
--- /dev/null
+++ b/HookSysDemo/HookSysDemo.vcxproj
@@ -0,0 +1,116 @@
+
+
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+ Debug
+ ARM64
+
+
+ Release
+ ARM64
+
+
+
+ {C437FE08-764D-4076-8E7D-C971C637A6CA}
+ {dd38f7fc-d7bd-488b-9242-7d8754cde80d}
+ v4.5
+ 12.0
+ Debug
+ x64
+ HookSysDemo
+ $(LatestTargetPlatformVersion)
+
+
+
+ Windows10
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows10
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows10
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+ Windows10
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+
+
+
+
+
+
+
+
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+
+ sha256
+
+
+ Level1
+ stdcpplatest
+ C:\Users\frendguo\source\repos\driver\HookLib\HookLib;%(AdditionalIncludeDirectories)
+
+
+ %(AdditionalLibraryDirectories)
+
+
+
+
+ sha256
+
+
+
+
+
+
+
+ {9379f9bc-7829-45d8-b339-90f6504fdf2b}
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
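Review bot: The AdditionalIncludeDirectories entry hard-codes an absolute, user-specific path (`C:\Users\frendguo\source\repos\driver\HookLib\HookLib;%(AdditionalIncludeDirectories)`), so the project only builds on that one machine and the path leaks a local username into the repository. Given the solution file sits at the repo root and the library lives in `HookLib\`, the portable form is `$(SolutionDir)HookLib;%(AdditionalIncludeDirectories)`. The same absolute-path check should be applied to the `%(AdditionalLibraryDirectories)` line, which currently carries no directory at all and presumably relies on the project reference for the link input.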
diff --git a/HookSysDemo/HookSysDemo.vcxproj.filters b/HookSysDemo/HookSysDemo.vcxproj.filters
new file mode 100644
index 0000000..eced4c1
--- /dev/null
+++ b/HookSysDemo/HookSysDemo.vcxproj.filters
@@ -0,0 +1,34 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+ {8E41214B-6785-4CFE-B992-037D68949A14}
+ inf;inv;inx;mof;mc;
+
+
+
+
+ Header Files
+
+
+ Header Files
+
+
+
+
+ Source Files
+
+
+
\ No newline at end of file
diff --git a/HookSysDemo/main.cpp b/HookSysDemo/main.cpp
new file mode 100644
index 0000000..29e2fd4
--- /dev/null
+++ b/HookSysDemo/main.cpp
@@ -0,0 +1,50 @@
+#include
+
+#include "main.h"
+#include "HookLib.h"
+
+static UNICODE_STRING StringNtCreateUserProcess = RTL_CONSTANT_STRING(L"NtCreateUserProcess");
+static NtCreateUserProcess_t OriginalNtCreateProcess = NULL;
+
+extern "C"
+NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING) {
+ OriginalNtCreateProcess = (NtCreateUserProcess_t)MmGetSystemRoutineAddress(&StringNtCreateUserProcess);
+ if (!OriginalNtCreateProcess) {
+ KdPrint(("[-] infinityhook: Failed to locate export: %wZ.\n", StringNtCreateUserProcess));
+ return STATUS_ENTRYPOINT_NOT_FOUND;
+ }
+
+ OriginalNtCreateProcess = (NtCreateUserProcess_t)hook(OriginalNtCreateProcess, DetourNtCreateUserProcess);
+
+ DriverObject->DriverUnload = [](PDRIVER_OBJECT DriverObject) {
+ UNREFERENCED_PARAMETER(DriverObject);
+ if (OriginalNtCreateProcess) {
+ unhook(OriginalNtCreateProcess);
+ }
+ };
+
+ return STATUS_SUCCESS;
+}
+
+NTSTATUS DetourNtCreateUserProcess
+(
+ _Out_ PHANDLE ProcessHandle,
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK ProcessDesiredAccess,
+ _In_ ACCESS_MASK ThreadDesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
+ _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
+ _In_ ULONG ProcessFlags,
+ _In_ ULONG ThreadFlags,
+ _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
+ _Inout_ PPS_CREATE_INFO CreateInfo,
+ _In_ PPS_ATTRIBUTE_LIST AttributeList
+) {
+ ProcessHandle, ThreadHandle, ProcessDesiredAccess, ThreadDesiredAccess, ProcessObjectAttributes, ThreadObjectAttributes;
+ ProcessFlags, ThreadFlags, ProcessParameters, CreateInfo, AttributeList;
+
+ KdPrint(("----CreateUserProcess hook-------\n"));
+ OriginalNtCreateProcess(ProcessHandle, ThreadHandle, ProcessDesiredAccess, ThreadDesiredAccess, ProcessObjectAttributes, ThreadObjectAttributes, ProcessFlags, ThreadFlags, ProcessParameters, CreateInfo, AttributeList);
+
+ return STATUS_SUCCESS;
+}
\ No newline at end of file
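Review bot: DetourNtCreateUserProcess discards the NTSTATUS returned by OriginalNtCreateProcess and unconditionally returns STATUS_SUCCESS, so a failed NtCreateUserProcess is reported to the caller as success while ProcessHandle and ThreadHandle were never written; the last two statements should collapse to `return OriginalNtCreateProcess(ProcessHandle, ThreadHandle, ProcessDesiredAccess, ThreadDesiredAccess, ProcessObjectAttributes, ThreadObjectAttributes, ProcessFlags, ThreadFlags, ProcessParameters, CreateInfo, AttributeList);`. In DriverEntry the result of `hook(...)` is assigned straight into OriginalNtCreateProcess with no check, so if hook() fails (cannot tell its contract from this hunk) the original pointer is lost and the driver still returns STATUS_SUCCESS — check the result and return an error status. The KdPrint in DriverEntry passes StringNtCreateUserProcess by value to `%wZ`, which expects a pointer to a UNICODE_STRING; it should be `&StringNtCreateUserProcess`, and the "infinityhook" prefix in that message looks like a leftover from another project.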
diff --git a/HookSysDemo/main.h b/HookSysDemo/main.h
new file mode 100644
index 0000000..30bbaef
--- /dev/null
+++ b/HookSysDemo/main.h
@@ -0,0 +1,166 @@
+#pragma once
+#include
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+ USHORT Flags;
+ USHORT Length;
+ ULONG TimeStamp;
+ UNICODE_STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS {
+ ULONG MaximumLength;
+ ULONG Length;
+ ULONG Flags;
+ ULONG DebugFlags;
+ PVOID ConsoleHandle;
+ ULONG ConsoleFlags;
+ HANDLE StdInputHandle;
+ HANDLE StdOutputHandle;
+ HANDLE StdErrorHandle;
+ UNICODE_STRING CurrentDirectoryPath;
+ HANDLE CurrentDirectoryHandle;
+ UNICODE_STRING DllPath;
+ UNICODE_STRING ImagePathName;
+ UNICODE_STRING CommandLine;
+ PVOID Environment;
+ ULONG EnvironmentSize;
+ ULONG StartingPositionLeft;
+ ULONG StartingPositionTop;
+ ULONG Width;
+ ULONG Height;
+ ULONG CharWidth;
+ ULONG CharHeight;
+ ULONG ConsoleTextAttributes;
+ ULONG WindowFlags;
+ ULONG ShowWindowFlags;
+ UNICODE_STRING WindowTitle;
+ UNICODE_STRING DesktopName;
+ UNICODE_STRING ShellInfo;
+ UNICODE_STRING RuntimeData;
+ RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
+} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
+
+typedef enum _PS_CREATE_STATE {
+ PsCreateInitialState,
+ PsCreateFailOnFileOpen,
+ PsCreateFailOnSectionCreate,
+ PsCreateFailExeFormat,
+ PsCreateFailMachineMismatch,
+ PsCreateFailExeName, // Debugger specified
+ PsCreateSuccess,
+ PsCreateMaximumStates
+} PS_CREATE_STATE;
+
+typedef struct _PS_ATTRIBUTE
+{
+ ULONG_PTR Attribute;
+ SIZE_T Size;
+ union
+ {
+ ULONG_PTR Value;
+ PVOID ValuePtr;
+ };
+ PSIZE_T ReturnLength;
+} PS_ATTRIBUTE, * PPS_ATTRIBUTE;
+
+typedef struct _PS_ATTRIBUTE_LIST
+{
+ SIZE_T TotalLength;
+ PS_ATTRIBUTE Attributes[1];
+} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
+
+typedef struct _PS_CREATE_INFO {
+ SIZE_T Size;
+ PS_CREATE_STATE State;
+ union {
+ // PsCreateInitialState
+ struct {
+ union {
+ ULONG InitFlags;
+ struct {
+ UCHAR WriteOutputOnExit : 1;
+ UCHAR DetectManifest : 1;
+ UCHAR IFEOSkipDebugger : 1;
+ UCHAR IFEODoNotPropagateKeyState : 1;
+ UCHAR SpareBits1 : 4;
+ UCHAR SpareBits2 : 8;
+ USHORT ProhibitedImageCharacteristics : 16;
+ };
+ };
+ ACCESS_MASK AdditionalFileAccess;
+ } InitState;
+
+ // PsCreateFailOnSectionCreate
+ struct {
+ HANDLE FileHandle;
+ } FailSection;
+
+ // PsCreateFailExeFormat
+ struct {
+ USHORT DllCharacteristics;
+ } ExeFormat;
+
+ // PsCreateFailExeName
+ struct {
+ HANDLE IFEOKey;
+ } ExeName;
+
+ // PsCreateSuccess
+ struct {
+ union {
+ ULONG OutputFlags;
+ struct {
+ UCHAR ProtectedProcess : 1;
+ UCHAR AddressSpaceOverride : 1;
+ UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
+ UCHAR ManifestDetected : 1;
+ UCHAR ProtectedProcessLight : 1;
+ UCHAR SpareBits1 : 3;
+ UCHAR SpareBits2 : 8;
+ USHORT SpareBits3 : 16;
+ };
+ };
+ HANDLE FileHandle;
+ HANDLE SectionHandle;
+ ULONGLONG UserProcessParametersNative;
+ ULONG UserProcessParametersWow64;
+ ULONG CurrentParameterFlags;
+ ULONGLONG PebAddressNative;
+ ULONG PebAddressWow64;
+ ULONGLONG ManifestAddress;
+ ULONG ManifestSize;
+ } SuccessState;
+ };
+} PS_CREATE_INFO, * PPS_CREATE_INFO;
+
+typedef NTSTATUS(*NtCreateUserProcess_t)
+(
+ _Out_ PHANDLE ProcessHandle,
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK ProcessDesiredAccess,
+ _In_ ACCESS_MASK ThreadDesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
+ _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
+ _In_ ULONG ProcessFlags,
+ _In_ ULONG ThreadFlags,
+ _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
+ _Inout_ PPS_CREATE_INFO CreateInfo,
+ _In_ PPS_ATTRIBUTE_LIST AttributeList
+ );
+
+NTSTATUS DetourNtCreateUserProcess
+(
+ _Out_ PHANDLE ProcessHandle,
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK ProcessDesiredAccess,
+ _In_ ACCESS_MASK ThreadDesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
+ _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
+ _In_ ULONG ProcessFlags,
+ _In_ ULONG ThreadFlags,
+ _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
+ _Inout_ PPS_CREATE_INFO CreateInfo,
+ _In_ PPS_ATTRIBUTE_LIST AttributeList
+);
\ No newline at end of file
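Review bot: The header reproduces undocumented NT structures (RTL_USER_PROCESS_PARAMETERS, PS_CREATE_INFO, PS_ATTRIBUTE_LIST) with no note of their provenance or the Windows builds they were checked against, and PS_CREATE_INFO's bit-fields mix UCHAR and USHORT members, so a reader cannot tell whether the field offsets are trusted or how they were validated. I'd add a comment above `_RTL_DRIVE_LETTER_CURDIR` such as `// Undocumented NT structures reproduced from public sources; layouts are not part of any stable contract and may differ between Windows releases — verify against the target build before reading any field through these types.` `PS_ATTRIBUTE_LIST::Attributes[1]` appears to be the variable-length-trailer idiom and deserves `// variable length: TotalLength bounds the array, do not size with sizeof`. DetourNtCreateUserProcess is declared here with no comment on when it is installed or that it must forward to the original; a one-line `/// Detour installed on NtCreateUserProcess by DriverEntry; must return the original's NTSTATUS.` would cover it.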