Add files via upload

Souhardya · Dec 30, 2021 · 2f0869a · 2f0869a
1 parent 389bbb1
commit 2f0869a
Show file tree

Hide file tree

Showing 34 changed files with 3,392 additions and 0 deletions.
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.cpp b/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.cpp
@@ -0,0 +1,88 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtQueryMultipleValueKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryMultipleValueKey pfnNtQueryMultipleValueKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryMultipleValueKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryMultipleValueKey(
+	IN HANDLE               KeyHandle,
+	IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList,
+	IN ULONG                NumberOfValues,
+	OUT PVOID               DataBuffer,
+	IN OUT ULONG            BufferLength,
+	OUT PULONG              RequiredLength OPTIONAL
+	)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtQueryMultipleValueKey(
+			KeyHandle,
+			ValuesList,
+			NumberOfValues,
+			DataBuffer,
+			BufferLength,
+			RequiredLength
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtQueryMultipleValueKey(
+		KeyHandle,
+		ValuesList,
+		NumberOfValues,
+		DataBuffer,
+		BufferLength,
+		RequiredLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryMultipleValueKey(
+	IN HANDLE               KeyHandle,
+	IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList,
+	IN ULONG                NumberOfValues,
+	OUT PVOID               DataBuffer,
+	IN OUT ULONG            BufferLength,
+	OUT PULONG              RequiredLength OPTIONAL
+	)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryMultipleValueKey addFun = (__pfnNtQueryMultipleValueKey)GetProcAddress(hDll,"NtQueryMultipleValueKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle,ValuesList,NumberOfValues,DataBuffer,BufferLength,RequiredLength);
+	}
+	return ret;
+}
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.h b/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.h
@@ -0,0 +1,45 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtEnumerateKey.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef struct _KEY_MULTIPLE_VALUE_INFORMATION {
+	PUNICODE_STRING         ValueName;
+	ULONG                   DataLength;
+	ULONG                   DataOffset;
+	ULONG                   Type;
+} KEY_MULTIPLE_VALUE_INFORMATION, *PKEY_MULTIPLE_VALUE_INFORMATION;
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryMultipleValueKey)
+(
+	IN HANDLE               KeyHandle,
+	IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList,
+	IN ULONG                NumberOfValues,
+	OUT PVOID               DataBuffer,
+	IN OUT ULONG            BufferLength,
+	OUT PULONG              RequiredLength OPTIONAL
+	);
+
+extern __pfnNtQueryMultipleValueKey pfnNtQueryMultipleValueKey;
+
+NTSTATUS
+NTAPI
+OnNtQueryMultipleValueKey(
+	IN HANDLE               KeyHandle,
+	IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList,
+	IN ULONG                NumberOfValues,
+	OUT PVOID               DataBuffer,
+	IN OUT ULONG            BufferLength,
+	OUT PULONG              RequiredLength OPTIONAL
+	);
+
+NTSTATUS
+NTAPI
+NtQueryMultipleValueKey(
+	IN HANDLE               KeyHandle,
+	IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList,
+	IN ULONG                NumberOfValues,
+	OUT PVOID               DataBuffer,
+	IN OUT ULONG            BufferLength,
+	OUT PULONG              RequiredLength OPTIONAL
+	);
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryObject.cpp b/HookPorts/Dispatch_NTDLL_NtQueryObject.cpp
@@ -0,0 +1,115 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryObject pfnNtQueryObject = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryObject Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryObject(
+	IN HANDLE               ObjectHandle,
+	IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
+	OUT PVOID               ObjectInformation,
+	IN ULONG                Length,
+	OUT PULONG              ResultLength)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtQueryObject(
+			ObjectHandle,
+			ObjectInformationClass,
+			ObjectInformation,
+			Length,
+			ResultLength
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtQueryObject(
+		ObjectHandle,
+		ObjectInformationClass,
+		ObjectInformation,
+		Length,
+		ResultLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryObject(
+	IN HANDLE               ObjectHandle,
+	IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
+	OUT PVOID               ObjectInformation,
+	IN ULONG                Length,
+	OUT PULONG              ResultLength)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryObject addFun = (__pfnNtQueryObject)GetProcAddress(hDll,"NtQueryObject");
+	if(addFun)
+	{
+		ret = addFun(ObjectHandle,ObjectInformationClass,ObjectInformation,Length,ResultLength);
+	}
+	return ret;
+}
+
+int QueryNameInfoByNtQueryObject( IN HANDLE ObjectHandle, OUT WCHAR * lpszNameInfo )
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = -1;
+
+	//
+	//Query info by call NtQueryObject
+	//
+	ULONG uResultLength = 0;
+	POBJECT_NAME_INFORMATION pNameInfo = (POBJECT_NAME_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x1000);   
+
+	NTSTATUS nStatusQueryObject;
+	nStatusQueryObject = NtQueryObject(ObjectHandle, ObjectNameInformation, pNameInfo, 0x1000, &uResultLength);
+	DWORD iQueryCount = 1;
+	while( nStatusQueryObject == STATUS_INFO_LENGTH_MISMATCH )
+	{
+		pNameInfo = (POBJECT_NAME_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pNameInfo, 0x1000 * iQueryCount);
+		nStatusQueryObject = NtQueryObject(ObjectHandle, ObjectNameInformation, pNameInfo, 0x1000, NULL);
+		iQueryCount++;
+	}
+	if( nStatusQueryObject == STATUS_SUCCESS )
+	{
+		lstrcpyW(lpszNameInfo,pNameInfo->Name.Buffer);
+
+		iRet = 0;
+	}
+	HeapFree(GetProcessHeap(),0,pNameInfo);
+
+	return iRet;
+}
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryObject.h b/HookPorts/Dispatch_NTDLL_NtQueryObject.h
@@ -0,0 +1,42 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+
+typedef enum _OBJECT_INFORMATION_CLASS {
+	ObjectBasicInformation,
+	ObjectNameInformation,
+	ObjectTypeInformation,
+	ObjectAllInformation,
+	ObjectDataInformation
+} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryObject)
+(
+	IN HANDLE               ObjectHandle,
+	IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
+	OUT PVOID               ObjectInformation,
+	IN ULONG                Length,
+	OUT PULONG              ResultLength);
+
+extern __pfnNtQueryObject pfnNtQueryObject;
+
+NTSTATUS
+NTAPI
+OnNtQueryObject(
+	IN HANDLE               ObjectHandle,
+	IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
+	OUT PVOID               ObjectInformation,
+	IN ULONG                Length,
+	OUT PULONG              ResultLength);
+
+NTSTATUS
+NTAPI
+NtQueryObject(
+	IN HANDLE               ObjectHandle,
+	IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
+	OUT PVOID               ObjectInformation,
+	IN ULONG                Length,
+	OUT PULONG              ResultLength);
+
+int QueryNameInfoByNtQueryObject( IN HANDLE ObjectHandle, OUT WCHAR * lpszNameInfo );