2023-09-13 21:54:40 +00:00
|
|
|
#include <windows.h>
|
|
|
|
|
|
|
|
#include <assert.h>
|
|
|
|
#include <stdbool.h>
|
|
|
|
#include <stdint.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#include "hook/table.h"
|
|
|
|
|
2023-09-14 00:23:40 +00:00
|
|
|
#include "hooklib/createprocess.h"
|
|
|
|
|
2023-09-13 23:57:10 +00:00
|
|
|
#include "util/dprintf.h"
|
|
|
|
|
|
|
|
void createprocess_hook_init();
|
2023-09-13 21:54:40 +00:00
|
|
|
static BOOL WINAPI my_CreateProcessA(
|
|
|
|
LPCSTR lpApplicationName,
|
|
|
|
LPSTR lpCommandLine,
|
|
|
|
LPSECURITY_ATTRIBUTES lpProcessAttributes,
|
|
|
|
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
|
|
|
BOOL bInheritHandles,
|
|
|
|
DWORD dwCreationFlags,
|
|
|
|
LPVOID lpEnvironment,
|
|
|
|
LPCSTR lpCurrentDirectory,
|
|
|
|
LPSTARTUPINFOA lpStartupInfo,
|
|
|
|
LPPROCESS_INFORMATION lpProcessInformation
|
|
|
|
);
|
|
|
|
BOOL my_CreateProcessW(
|
|
|
|
LPCWSTR lpApplicationName,
|
|
|
|
LPWSTR lpCommandLine,
|
|
|
|
LPSECURITY_ATTRIBUTES lpProcessAttributes,
|
|
|
|
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
|
|
|
BOOL bInheritHandles,
|
|
|
|
DWORD dwCreationFlags,
|
|
|
|
LPVOID lpEnvironment,
|
|
|
|
LPCWSTR lpCurrentDirectory,
|
|
|
|
LPSTARTUPINFOW lpStartupInfo,
|
|
|
|
LPPROCESS_INFORMATION lpProcessInformation
|
|
|
|
);
|
|
|
|
|
|
|
|
static BOOL (WINAPI *next_CreateProcessA)(
|
|
|
|
LPCSTR lpApplicationName,
|
|
|
|
LPSTR lpCommandLine,
|
|
|
|
LPSECURITY_ATTRIBUTES lpProcessAttributes,
|
|
|
|
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
|
|
|
BOOL bInheritHandles,
|
|
|
|
DWORD dwCreationFlags,
|
|
|
|
LPVOID lpEnvironment,
|
|
|
|
LPCSTR lpCurrentDirectory,
|
|
|
|
LPSTARTUPINFOA lpStartupInfo,
|
|
|
|
LPPROCESS_INFORMATION lpProcessInformation
|
|
|
|
);
|
|
|
|
|
|
|
|
static BOOL (WINAPI *next_CreateProcessW)(
|
|
|
|
LPCWSTR lpApplicationName,
|
|
|
|
LPWSTR lpCommandLine,
|
|
|
|
LPSECURITY_ATTRIBUTES lpProcessAttributes,
|
|
|
|
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
|
|
|
BOOL bInheritHandles,
|
|
|
|
DWORD dwCreationFlags,
|
|
|
|
LPVOID lpEnvironment,
|
|
|
|
LPCWSTR lpCurrentDirectory,
|
|
|
|
LPSTARTUPINFOW lpStartupInfo,
|
|
|
|
LPPROCESS_INFORMATION lpProcessInformation
|
|
|
|
);
|
|
|
|
|
|
|
|
static const struct hook_symbol win32_hooks[] = {
|
|
|
|
{
|
|
|
|
.name = "CreateProcessA",
|
|
|
|
.patch = my_CreateProcessA,
|
|
|
|
.link = (void **) &next_CreateProcessA
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = "CreateProcessW",
|
|
|
|
.patch = my_CreateProcessW,
|
|
|
|
.link = (void **) &next_CreateProcessW
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
static bool did_init = false;
|
|
|
|
|
2023-09-14 00:23:40 +00:00
|
|
|
static struct process_hook_sym_w *process_syms_w;
|
|
|
|
static struct process_hook_sym_a *process_syms_a;
|
|
|
|
|
|
|
|
static size_t process_nsyms_a = 0;
|
|
|
|
static size_t process_nsyms_w = 0;
|
|
|
|
|
|
|
|
static CRITICAL_SECTION createproc_lock;
|
2023-09-13 21:54:40 +00:00
|
|
|
|
2023-09-14 00:23:40 +00:00
|
|
|
HRESULT createprocess_push_hook_w(const wchar_t *name, const wchar_t *head, const wchar_t *tail) {
|
|
|
|
struct process_hook_sym_w *new_mem;
|
|
|
|
struct process_hook_sym_w *new_proc;
|
|
|
|
HRESULT hr;
|
|
|
|
|
|
|
|
assert(name != NULL);
|
|
|
|
assert(head != NULL);
|
2023-09-13 21:54:40 +00:00
|
|
|
|
|
|
|
createprocess_hook_init();
|
2023-09-14 00:23:40 +00:00
|
|
|
EnterCriticalSection(&createproc_lock);
|
|
|
|
|
|
|
|
new_mem = realloc(
|
|
|
|
process_syms_w,
|
|
|
|
(process_nsyms_w + 1) * sizeof(struct process_hook_sym_w));
|
|
|
|
|
|
|
|
if (new_mem == NULL) {
|
|
|
|
|
|
|
|
LeaveCriticalSection(&createproc_lock);
|
|
|
|
return E_OUTOFMEMORY;
|
|
|
|
}
|
|
|
|
|
|
|
|
new_proc = &new_mem[process_nsyms_w];
|
|
|
|
memset(new_proc, 0, sizeof(*new_proc));
|
|
|
|
new_proc->name = name;
|
|
|
|
new_proc->head = head;
|
|
|
|
new_proc->tail = tail;
|
|
|
|
|
|
|
|
process_syms_w = new_mem;
|
|
|
|
process_nsyms_w++;
|
|
|
|
|
|
|
|
LeaveCriticalSection(&createproc_lock);
|
|
|
|
return S_OK;
|
2023-09-13 21:54:40 +00:00
|
|
|
}
|
|
|
|
|
2023-09-14 00:23:40 +00:00
|
|
|
HRESULT createprocess_push_hook_a(const char *name, const char *head, const char *tail) {
|
|
|
|
struct process_hook_sym_a *new_mem;
|
|
|
|
struct process_hook_sym_a *new_proc;
|
|
|
|
|
|
|
|
assert(name != NULL);
|
|
|
|
assert(head != NULL);
|
|
|
|
|
2023-09-13 21:54:40 +00:00
|
|
|
createprocess_hook_init();
|
2023-09-14 00:23:40 +00:00
|
|
|
|
|
|
|
EnterCriticalSection(&createproc_lock);
|
|
|
|
|
|
|
|
new_mem = realloc(
|
|
|
|
process_syms_a,
|
|
|
|
(process_nsyms_a + 1) * sizeof(struct process_hook_sym_a));
|
|
|
|
|
|
|
|
if (new_mem == NULL) {
|
|
|
|
|
|
|
|
LeaveCriticalSection(&createproc_lock);
|
|
|
|
return E_OUTOFMEMORY;
|
|
|
|
}
|
|
|
|
|
|
|
|
new_proc = &new_mem[process_nsyms_a];
|
|
|
|
memset(new_proc, 0, sizeof(*new_proc));
|
|
|
|
new_proc->name = name;
|
|
|
|
new_proc->head = head;
|
|
|
|
new_proc->tail = tail;
|
|
|
|
|
|
|
|
process_syms_a = new_mem;
|
|
|
|
process_nsyms_a++;
|
|
|
|
|
|
|
|
LeaveCriticalSection(&createproc_lock);
|
|
|
|
return S_OK;
|
2023-09-13 21:54:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void createprocess_hook_init() {
|
|
|
|
if (did_init) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
did_init = true;
|
|
|
|
|
|
|
|
hook_table_apply(
|
|
|
|
NULL,
|
|
|
|
"kernel32.dll",
|
|
|
|
win32_hooks,
|
|
|
|
_countof(win32_hooks));
|
2023-09-14 00:23:40 +00:00
|
|
|
InitializeCriticalSection(&createproc_lock);
|
2023-09-13 21:54:40 +00:00
|
|
|
dprintf("CreateProcess: Init\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static BOOL WINAPI my_CreateProcessA(
|
|
|
|
LPCSTR lpApplicationName,
|
|
|
|
LPSTR lpCommandLine,
|
|
|
|
LPSECURITY_ATTRIBUTES lpProcessAttributes,
|
|
|
|
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
|
|
|
BOOL bInheritHandles,
|
|
|
|
DWORD dwCreationFlags,
|
|
|
|
LPVOID lpEnvironment,
|
|
|
|
LPCSTR lpCurrentDirectory,
|
|
|
|
LPSTARTUPINFOA lpStartupInfo,
|
|
|
|
LPPROCESS_INFORMATION lpProcessInformation
|
|
|
|
)
|
|
|
|
{
|
2023-09-14 00:23:40 +00:00
|
|
|
for (int i = 0; i < process_nsyms_a; i++) {
|
|
|
|
if (strncmp(process_syms_a->name, lpCommandLine, strlen(process_syms_a->name))) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2023-09-15 05:35:33 +00:00
|
|
|
dprintf("CreateProcess: Hooking child process %s %s\n", lpApplicationName, lpCommandLine);
|
|
|
|
char new_cmd[MAX_PATH] = {0};
|
2023-09-14 00:23:40 +00:00
|
|
|
strcat_s(new_cmd, MAX_PATH, process_syms_a->head);
|
|
|
|
strcat_s(new_cmd, MAX_PATH, lpCommandLine);
|
2023-09-13 21:54:40 +00:00
|
|
|
|
2023-09-15 05:35:33 +00:00
|
|
|
if (process_syms_a->tail != NULL) {
|
2023-09-14 00:23:40 +00:00
|
|
|
strcat_s(new_cmd, MAX_PATH, process_syms_a->tail);
|
|
|
|
}
|
2023-09-13 21:54:40 +00:00
|
|
|
|
2023-09-15 05:35:33 +00:00
|
|
|
dprintf("CreateProcess: Replaced CreateProcessA %s\n", new_cmd);
|
2023-09-14 00:23:40 +00:00
|
|
|
return next_CreateProcessA(
|
|
|
|
lpApplicationName,
|
|
|
|
new_cmd,
|
|
|
|
lpProcessAttributes,
|
|
|
|
lpThreadAttributes,
|
|
|
|
bInheritHandles,
|
|
|
|
dwCreationFlags,
|
|
|
|
lpEnvironment,
|
|
|
|
lpCurrentDirectory,
|
|
|
|
lpStartupInfo,
|
|
|
|
lpProcessInformation
|
|
|
|
);
|
|
|
|
}
|
2023-09-13 21:54:40 +00:00
|
|
|
return next_CreateProcessA(
|
2023-09-14 00:23:40 +00:00
|
|
|
lpApplicationName,
|
|
|
|
lpCommandLine,
|
|
|
|
lpProcessAttributes,
|
|
|
|
lpThreadAttributes,
|
|
|
|
bInheritHandles,
|
|
|
|
dwCreationFlags,
|
|
|
|
lpEnvironment,
|
|
|
|
lpCurrentDirectory,
|
|
|
|
lpStartupInfo,
|
|
|
|
lpProcessInformation
|
|
|
|
);
|
2023-09-13 21:54:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
BOOL my_CreateProcessW(
|
|
|
|
LPCWSTR lpApplicationName,
|
|
|
|
LPWSTR lpCommandLine,
|
|
|
|
LPSECURITY_ATTRIBUTES lpProcessAttributes,
|
|
|
|
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
|
|
|
BOOL bInheritHandles,
|
|
|
|
DWORD dwCreationFlags,
|
|
|
|
LPVOID lpEnvironment,
|
|
|
|
LPCWSTR lpCurrentDirectory,
|
|
|
|
LPSTARTUPINFOW lpStartupInfo,
|
|
|
|
LPPROCESS_INFORMATION lpProcessInformation)
|
|
|
|
{
|
|
|
|
return next_CreateProcessW(
|
|
|
|
lpApplicationName,
|
|
|
|
lpCommandLine,
|
|
|
|
lpProcessAttributes,
|
|
|
|
lpThreadAttributes,
|
|
|
|
bInheritHandles,
|
|
|
|
dwCreationFlags,
|
|
|
|
lpEnvironment,
|
|
|
|
lpCurrentDirectory,
|
|
|
|
lpStartupInfo,
|
|
|
|
lpProcessInformation
|
|
|
|
);
|
|
|
|
}
|