64-bit support

[otofoto]

This seems to be compatible only with 32-bit OS so I had to set Appinit under WOW-64 node for this to work on Windows 64-bit:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows

and then use findstr ExfilKeyData "C:\CryptoHookLog.dll"

But how to compile for 64-bit?

antiransom.cpp(711) : error C2664: 'ReadProcessMemory' : cannot convert parameter 5 from 'DWORD *' to 'SIZE_T *'
Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast

[otofoto]

Ok got it to compile in x64 but seems it needs to be refactored to use Detour 4.0.1 with x64 support.

/out:antiransom.dll /dll /implib:antiransom.lib antiransom.obj antiransom.obj : error LNK2019: unresolved external symbol DetourTransactionBegin referenced in function "long __cdecl Fake_NtCreateFile(void * *,unsigned long,struct _OBJECT_ATTRIBUTES *,struct _IO_STATUS_BLOCK *,union _LARGE_INTEGER *,unsigned long,unsigned long,unsigned long,unsigned long,void *,unsigned long)" (?Fake_NtCreateFile@@YAJPEAPEAXKPEAU_OBJECT_ATTRIBUTES@@PEAU_IO_STATUS_BLOCK@@PEAT_LARGE_INTEGER@@KKKKPEAXK@Z) antiransom.obj : error LNK2019: unresolved external symbol DetourTransactionCommit referenced in function "long __cdecl Fake_NtCreateFile(void * *,unsigned long,struct _OBJECT_ATTRIBUTES *,struct _IO_STATUS_BLOCK *,union _LARGE_INTEGER *,unsigned long,unsigned long,unsigned long,unsigned long,void *,unsigned long)" (?Fake_NtCreateFile@@YAJPEAPEAXKPEAU_OBJECT_ATTRIBUTES@@PEAU_IO_STATUS_BLOCK@@PEAT_LARGE_INTEGER@@KKKKPEAXK@Z) antiransom.obj : error LNK2019: unresolved external symbol DetourUpdateThread referenced in function "long __cdecl Fake_NtCreateFile(void * *,unsigned long,struct _OBJECT_ATTRIBUTES *,struct _IO_STATUS_BLOCK *,union _LARGE_INTEGER *,unsigned long,unsigned long,unsigned long,unsigned long,void *,unsigned long)" (?Fake_NtCreateFile@@YAJPEAPEAXKPEAU_OBJECT_ATTRIBUTES@@PEAU_IO_STATUS_BLOCK@@PEAT_LARGE_INTEGER@@KKKKPEAXK@Z) antiransom.obj : error LNK2019: unresolved external symbol DetourAttach referenced in function "long __cdecl Fake_NtCreateFile(void * *,unsigned long,struct _OBJECT_ATTRIBUTES *,struct _IO_STATUS_BLOCK *,union _LARGE_INTEGER *,unsigned long,unsigned long,unsigned long,unsigned long,void *,unsigned long)" (?Fake_NtCreateFile@@YAJPEAPEAXKPEAU_OBJECT_ATTRIBUTES@@PEAU_IO_STATUS_BLOCK@@PEAT_LARGE_INTEGER@@KKKKPEAXK@Z) antiransom.obj : error LNK2019: unresolved external symbol DetourDetach referenced in function DllMain antiransom.dll : fatal error LNK1120: 5 unresolved externals

Detours 4.0.1 is now open source under the MIT license. Detours is on GitHub at https://github.com/Microsoft/Detours. The source code is identical to Build 343 of Detours 3.0. Detours Build 338 and later fix a security vulnerability that has been identified in releases of Detours before 3.0 Build 334.

Detours 4.0.1 supports x86, x64 and other Windows-compatible processors (IA64 and ARM). It includes support for either 32-bit or 64-bit processes.

[eugenekolo]

Hey @otofoto,

Thank you for your interest in the project. This project was built for 32-bit Windows 7. At this time, there's no plans (or time for myself) to update it for a new version of Windows or 64-bit. Awesome that you got it to compile for 64-bit, but I can't support you there as I don't have access to a 64-bit Windows 7 machine.

I'll keep this issue open so other people can learn from what you found.