Add NtUserGetForegroundWindow hook

Fixes #116
x64dbg · Jan 26, 2021 · 2276f14 · 2276f14
1 parent 37ff0b3
commit 2276f14
Show file tree

Hide file tree

Showing 22 changed files with 88 additions and 8 deletions.
diff --git a/3rdparty/ntdll/ntdll.h b/3rdparty/ntdll/ntdll.h
@@ -4607,6 +4607,26 @@ HANDLE
 	_In_ WINDOWINFOCLASS WindowInfo
 	);
 
+typedef enum _THREAD_STATE_ROUTINE
+{
+	THREADSTATE_GETTHREADINFO,
+	THREADSTATE_ACTIVEWINDOW
+} THREAD_STATE_ROUTINE;
+
+// GetActiveWindow
+typedef
+ULONG_PTR
+(NTAPI
+*t_NtUserGetThreadState)(
+	THREAD_STATE_ROUTINE Routine
+	);
+
+typedef
+HWND
+(NTAPI
+*t_NtUserGetForegroundWindow)(
+	);
+
 typedef
 int
 (NTAPI

diff --git a/ConfigCollection/scylla_hide.ini b/ConfigCollection/scylla_hide.ini
@@ -24,6 +24,7 @@ NtSetInformationThreadHook=1
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -60,7 +61,7 @@ skipCompressedDoNothing=0
 skipLoadDllDoLoad=0
 skipLoadDllDoNothing=0
 advancedInfobar=0
-[Obsidium x86]
+[Obsidium x86/x64]
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -84,6 +85,7 @@ NtSetInformationThreadHook=0
 NtUserBuildHwndListHook=1
 NtUserFindWindowExHook=1
 NtUserQueryWindowHook=1
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -101,7 +103,7 @@ RemoveEPBreak=0
 SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Obsidium
-[Themida x86]
+[Themida x86/x64]
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -127,6 +129,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=1
 NtUserFindWindowExHook=1
 NtUserQueryWindowHook=1
+NtUserGetForegroundWindowHook=1
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -170,6 +173,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=1
 PebBeingDebugged=1
@@ -212,6 +216,7 @@ NtSetInformationProcessHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -272,6 +277,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=0

diff --git a/HookLibrary/Export.def b/HookLibrary/Export.def
@@ -26,6 +26,7 @@ HookedNtUserBlockInput
 HookedNtUserBuildHwndList
 HookedNtUserBuildHwndList_Eight
 HookedNtUserFindWindowEx
+HookedNtUserGetForegroundWindow
 HookedNtUserQueryWindow
 HookedNtYieldExecution
 HookedOutputDebugStringA

diff --git a/HookLibrary/HookMain.h b/HookLibrary/HookMain.h
@@ -56,13 +56,16 @@ typedef struct _HOOK_DLL_DATA {
     //Native user32.dll/win32u.dll functions
     ULONG_PTR NtUserBlockInputVA;
     ULONG_PTR NtUserQueryWindowVA;
+    ULONG_PTR NtUserGetForegroundWindowVA;
     ULONG_PTR NtUserBuildHwndListVA;
     ULONG_PTR NtUserFindWindowExVA;
     ULONG_PTR NtUserGetClassNameVA;
     ULONG_PTR NtUserInternalGetWindowTextVA;
+    ULONG_PTR NtUserGetThreadStateVA;
 
     BOOLEAN EnableNtUserBlockInputHook;
     BOOLEAN EnableNtUserQueryWindowHook;
+    BOOLEAN EnableNtUserGetForegroundWindowHook;
     BOOLEAN EnableNtUserBuildHwndListHook;
     BOOLEAN EnableNtUserFindWindowExHook;
     BOOLEAN EnableNtSetDebugFilterStateHook;
@@ -142,11 +145,14 @@ typedef struct _HOOK_DLL_DATA {
     DWORD NtUserBuildHwndListBackupSize;
     t_NtUserQueryWindow dNtUserQueryWindow;
     DWORD NtUserQueryWindowBackupSize;
+    t_NtUserGetForegroundWindow dNtUserGetForegroundWindow;
+    DWORD NtUserGetForegroundWindowBackupSize;
 
 
     t_NtUserQueryWindow NtUserQueryWindow;
     t_NtUserGetClassName NtUserGetClassName;
     t_NtUserInternalGetWindowText NtUserInternalGetWindowText;
+    t_NtUserGetThreadState NtUserGetThreadState;
 
     DWORD dwProtectedProcessId;
     BOOLEAN EnableProtectProcessId;

diff --git a/HookLibrary/HookedFunctions.cpp b/HookLibrary/HookedFunctions.cpp
@@ -947,6 +947,16 @@ HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo)
 	return HookDllData.dNtUserQueryWindow(hwnd, WindowInfo);
 }
 
+HWND NTAPI HookedNtUserGetForegroundWindow()
+{
+	HWND Hwnd = HookDllData.dNtUserGetForegroundWindow();
+	if (Hwnd != nullptr && IsWindowBad(Hwnd))
+	{
+		Hwnd = (HWND)HookDllData.NtUserGetThreadState(THREADSTATE_ACTIVEWINDOW);
+	}
+	return Hwnd;
+}
+
 //WIN XP: CreateThread -> CreateRemoteThread -> NtCreateThread
 NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended)
 {
@@ -1124,7 +1134,7 @@ NTSTATUS NTAPI HookedNtResumeThread(HANDLE ThreadHandle, PULONG PreviousSuspendC
 	{
 		DumpMalware(dwProcessId);
 		TerminateProcessByProcessId(dwProcessId); //terminate it
-		DbgPrint("Malware called ResumeThread");
+		DbgPrint((PCH)"Malware called ResumeThread");
 		DbgBreakPoint();
 		return STATUS_SUCCESS;
 	}

diff --git a/HookLibrary/HookedFunctions.h b/HookLibrary/HookedFunctions.h
@@ -47,6 +47,7 @@ NTSTATUS NTAPI HookedNtUserBuildHwndList_Eight(HDESK hDesktop, HWND hwndParent,
 NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended);
 NTSTATUS NTAPI HookedNtCreateThreadEx(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PUSER_THREAD_START_ROUTINE StartRoutine,PVOID Argument,ULONG CreateFlags,ULONG_PTR ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,PPS_ATTRIBUTE_LIST AttributeList);
 HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo);
+HWND NTAPI HookedNtUserGetForegroundWindow();
 BOOL NTAPI HookedNtUserBlockInput(BOOL fBlockIt);
 
 

diff --git a/InjectorCLI/ApplyHooking.cpp b/InjectorCLI/ApplyHooking.cpp
@@ -50,6 +50,7 @@ t_NtUserBlockInput _NtUserBlockInput = 0;
 t_NtUserBuildHwndList _NtUserBuildHwndList = 0;
 t_NtUserFindWindowEx _NtUserFindWindowEx = 0;
 t_NtUserQueryWindow _NtUserQueryWindow = 0;
+t_NtUserGetForegroundWindow _NtUserGetForegroundWindow = 0;
 
 t_NtSetInformationThread _NtSetInformationThread = 0;
 t_NtQuerySystemInformation _NtQuerySystemInformation = 0;
@@ -406,28 +407,33 @@ bool ApplyUserHook(HOOK_DLL_DATA * hdd, HANDLE hProcess, BYTE * dllMemory, DWORD
     void * HookedNtUserBuildHwndList = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserBuildHwndList") + imageBase);
     void * HookedNtUserBuildHwndList_Eight = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserBuildHwndList_Eight") + imageBase);
     void * HookedNtUserQueryWindow = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserQueryWindow") + imageBase);
+    void * HookedNtUserGetForegroundWindow = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserGetForegroundWindow") + imageBase);
 
-    g_log.LogDebug(L"ApplyUserHook -> HookedNtUserBlockInput %p HookedNtUserFindWindowEx %p HookedNtUserBuildHwndList %p HookedNtUserBuildHwndList_Eight %p HookedNtUserQueryWindow %p",
+    g_log.LogDebug(L"ApplyUserHook -> HookedNtUserBlockInput %p HookedNtUserFindWindowEx %p HookedNtUserBuildHwndList %p HookedNtUserBuildHwndList_Eight %p HookedNtUserQueryWindow %p HookedNtUserGetForegroundWindow %p",
         HookedNtUserBlockInput,
         HookedNtUserFindWindowEx,
         HookedNtUserBuildHwndList,
         HookedNtUserBuildHwndList_Eight,
-        HookedNtUserQueryWindow);
+        HookedNtUserQueryWindow,
+        HookedNtUserGetForegroundWindow);
 
     _NtUserBlockInput = (t_NtUserBlockInput)hdd->NtUserBlockInputVA;
     _NtUserFindWindowEx = (t_NtUserFindWindowEx)hdd->NtUserFindWindowExVA;
     _NtUserBuildHwndList = (t_NtUserBuildHwndList)hdd->NtUserBuildHwndListVA;
     _NtUserQueryWindow = (t_NtUserQueryWindow)hdd->NtUserQueryWindowVA;
+    _NtUserGetForegroundWindow = (t_NtUserGetForegroundWindow)hdd->NtUserGetForegroundWindowVA;
 
     hdd->NtUserQueryWindow = _NtUserQueryWindow;
     hdd->NtUserGetClassName = (t_NtUserGetClassName)hdd->NtUserGetClassNameVA;
     hdd->NtUserInternalGetWindowText = (t_NtUserInternalGetWindowText)hdd->NtUserInternalGetWindowTextVA;
+    hdd->NtUserGetThreadState = (t_NtUserGetThreadState)hdd->NtUserGetThreadStateVA;
 
-    g_log.LogDebug(L"ApplyUserHook -> _NtUserBlockInput %p _NtUserFindWindowEx %p _NtUserBuildHwndList %p _NtUserQueryWindow %p",
+    g_log.LogDebug(L"ApplyUserHook -> _NtUserBlockInput %p _NtUserFindWindowEx %p _NtUserBuildHwndList %p _NtUserQueryWindow %p _NtUserGetForegroundWindow %p",
         _NtUserBlockInput,
         _NtUserFindWindowEx,
         _NtUserBuildHwndList,
-        _NtUserQueryWindow);
+        _NtUserQueryWindow,
+        _NtUserGetForegroundWindow);
 
     if (hdd->EnableNtUserBlockInputHook)
     {
@@ -454,6 +460,11 @@ bool ApplyUserHook(HOOK_DLL_DATA * hdd, HANDLE hProcess, BYTE * dllMemory, DWORD
         g_log.LogDebug(L"ApplyUserHook -> Hooking NtUserQueryWindow");
         HOOK_NATIVE(NtUserQueryWindow);
     }
+    if (hdd->EnableNtUserGetForegroundWindowHook)
+    {
+        g_log.LogDebug(L"ApplyUserHook -> Hooking NtUserGetForegroundWindow");
+        HOOK_NATIVE(NtUserGetForegroundWindow);
+    }
 
     hdd->isUserDllHooked = TRUE;
 
@@ -736,18 +747,21 @@ void RestoreUserHooks(HOOK_DLL_DATA * hdd, HANDLE hProcess)
         RESTORE_JMP(NtUserFindWindowEx);
         RESTORE_JMP(NtUserBuildHwndList);
         RESTORE_JMP(NtUserQueryWindow);
+        RESTORE_JMP(NtUserGetForegroundWindow);
     }
 #else
     RESTORE_JMP(NtUserBlockInput);
     RESTORE_JMP(NtUserFindWindowEx);
     RESTORE_JMP(NtUserBuildHwndList);
     RESTORE_JMP(NtUserQueryWindow);
+    RESTORE_JMP(NtUserGetForegroundWindow);
 #endif
 
     FREE_HOOK(NtUserBlockInput);
     FREE_HOOK(NtUserFindWindowEx);
     FREE_HOOK(NtUserBuildHwndList);
     FREE_HOOK(NtUserQueryWindow);
+    FREE_HOOK(NtUserGetForegroundWindow);
 
     hdd->isUserDllHooked = FALSE;
 }

diff --git a/InjectorCLI/CliMain.cpp b/InjectorCLI/CliMain.cpp
@@ -306,6 +306,7 @@ void ReadSettings()
     g_hdd.EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList;
     g_hdd.EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx;
     g_hdd.EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow;
+    g_hdd.EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow;
     g_hdd.EnableNtYieldExecutionHook = g_settings.opts().hookNtYieldExecution;
     g_hdd.EnableOutputDebugStringHook = g_settings.opts().hookOutputDebugStringA;
     g_hdd.EnablePebBeingDebugged = g_settings.opts().fixPebBeingDebugged;

diff --git a/PluginGeneric/Injector.cpp b/PluginGeneric/Injector.cpp
@@ -34,26 +34,32 @@ void ReadNtApiInformation(HOOK_DLL_DATA *hdd)
         "NtUserBuildHwndList",
         "NtUserFindWindowEx",
         "NtUserQueryWindow",
+        "NtUserGetForegroundWindow",
         "NtUserGetClassName",
-        "NtUserInternalGetWindowText" }))
+        "NtUserInternalGetWindowText",
+        "NtUserGetThreadState" }))
     {
         g_log.LogError(L"Failed to find user32.dll/win32u.dll syscalls!");
         return;
     }
 
     hdd->NtUserBlockInputVA = user32Loader.GetUserSyscallVa("NtUserBlockInput");
     hdd->NtUserQueryWindowVA = user32Loader.GetUserSyscallVa("NtUserQueryWindow");
+    hdd->NtUserGetForegroundWindowVA = user32Loader.GetUserSyscallVa("NtUserGetForegroundWindow");
     hdd->NtUserBuildHwndListVA = user32Loader.GetUserSyscallVa("NtUserBuildHwndList");
     hdd->NtUserFindWindowExVA = user32Loader.GetUserSyscallVa("NtUserFindWindowEx");
     hdd->NtUserGetClassNameVA = user32Loader.GetUserSyscallVa("NtUserGetClassName");
     hdd->NtUserInternalGetWindowTextVA = user32Loader.GetUserSyscallVa("NtUserInternalGetWindowText");
+    hdd->NtUserGetThreadStateVA = user32Loader.GetUserSyscallVa("NtUserGetThreadState");
 
     g_log.LogInfo(L"Loaded VA for NtUserBlockInput = 0x%p", hdd->NtUserBlockInputVA);
     g_log.LogInfo(L"Loaded VA for NtUserQueryWindow = 0x%p", hdd->NtUserQueryWindowVA);
+    g_log.LogInfo(L"Loaded VA for NtUserGetForegroundWindow = 0x%p", hdd->NtUserGetForegroundWindowVA);
     g_log.LogInfo(L"Loaded VA for NtUserBuildHwndList = 0x%p", hdd->NtUserBuildHwndListVA);
     g_log.LogInfo(L"Loaded VA for NtUserFindWindowEx = 0x%p", hdd->NtUserFindWindowExVA);
     g_log.LogInfo(L"Loaded VA for NtUserGetClassName = 0x%p", hdd->NtUserGetClassNameVA);
     g_log.LogInfo(L"Loaded VA for NtUserInternalGetWindowText = 0x%p", hdd->NtUserInternalGetWindowTextVA);
+    g_log.LogInfo(L"Loaded VA for NtUserGetThreadState = 0x%p", hdd->NtUserGetThreadStateVA);
 }
 
 #ifndef _WIN64
@@ -641,6 +647,7 @@ void FillHookDllData(HANDLE hProcess, HOOK_DLL_DATA *hdd)
     hdd->EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx;
     hdd->EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList;
     hdd->EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow;
+    hdd->EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow;
     hdd->EnableNtSetDebugFilterStateHook = g_settings.opts().hookNtSetDebugFilterState;
     hdd->EnableGetTickCountHook = g_settings.opts().hookGetTickCount;
     hdd->EnableGetTickCount64Hook = g_settings.opts().hookGetTickCount64;

diff --git a/PluginGeneric/OptionsDialog.cpp b/PluginGeneric/OptionsDialog.cpp
@@ -119,6 +119,7 @@ static void UpdateOptions(HWND hWnd, const scl::Settings *settings)
     CheckDlgButton(hWnd, IDC_NTUSERFINDWINDOWEX, opts->hookNtUserFindWindowEx);
     CheckDlgButton(hWnd, IDC_NTUSERBUILDHWNDLIST, opts->hookNtUserBuildHwndList);
     CheckDlgButton(hWnd, IDC_NTUSERQUERYWINDOW, opts->hookNtUserQueryWindow);
+    CheckDlgButton(hWnd, IDC_NTUSERGETFOREGROUNDWINDOW, opts->hookNtUserGetForegroundWindow);
     CheckDlgButton(hWnd, IDC_NTSETDEBUGFILTERSTATE, opts->hookNtSetDebugFilterState);
     CheckDlgButton(hWnd, IDC_NTCLOSE, opts->hookNtClose);
     CheckDlgButton(hWnd, IDC_NTCREATETHREADEX, opts->hookNtCreateThreadEx);
@@ -208,6 +209,7 @@ void SaveOptions(HWND hWnd, scl::Settings *settings)
     opts->hookNtUserBlockInput = (IsDlgButtonChecked(hWnd, IDC_NTUSERBLOCKINPUT) == BST_CHECKED);
     opts->hookNtUserBuildHwndList = (IsDlgButtonChecked(hWnd, IDC_NTUSERBUILDHWNDLIST) == BST_CHECKED);
     opts->hookNtUserQueryWindow = (IsDlgButtonChecked(hWnd, IDC_NTUSERQUERYWINDOW) == BST_CHECKED);
+    opts->hookNtUserGetForegroundWindow = (IsDlgButtonChecked(hWnd, IDC_NTUSERGETFOREGROUNDWINDOW) == BST_CHECKED);
     opts->hookNtSetDebugFilterState = (IsDlgButtonChecked(hWnd, IDC_NTSETDEBUGFILTERSTATE) == BST_CHECKED);
     opts->hookNtClose = (IsDlgButtonChecked(hWnd, IDC_NTCLOSE) == BST_CHECKED);
     opts->hookNtCreateThreadEx = (IsDlgButtonChecked(hWnd, IDC_NTCREATETHREADEX) == BST_CHECKED);
@@ -362,6 +364,12 @@ HWND CreateTooltips(HWND hDlg)
             L"The windows API GetWindowThreadProcessId calls this internally.\r\n"
             L"This is used to hide the debugger process."
         },
+        {
+            IDC_NTUSERGETFOREGROUNDWINDOW,
+            L"This is a system call function in user32.dll.\r\n"
+            L"The windows API GetForegroundWindow calls this internally.\r\n"
+            L"The debugger window will be hidden."
+        },
         {
             IDC_NTSETDEBUGFILTERSTATE,
             L"ScyllaHide returns always STATUS_ACCESS_DENIED.\r\n"

diff --git a/Scylla/Settings.cpp b/Scylla/Settings.cpp
@@ -85,6 +85,7 @@ void scl::Settings::LoadProfile(const wchar_t *file, const wchar_t *name, Profil
     profile->hookNtUserBuildHwndList = IniLoadNum(file, name, L"NtUserBuildHwndListHook", 1);
     profile->hookNtUserFindWindowEx = IniLoadNum(file, name, L"NtUserFindWindowExHook", 1);
     profile->hookNtUserQueryWindow = IniLoadNum(file, name, L"NtUserQueryWindowHook", 1);
+    profile->hookNtUserGetForegroundWindow = IniLoadNum(file, name, L"NtUserGetForegroundWindowHook", 1);
     profile->hookNtYieldExecution = IniLoadNum(file, name, L"NtYieldExecutionHook", 1);
     profile->hookOutputDebugStringA = IniLoadNum(file, name, L"OutputDebugStringHook", 1);
 
@@ -161,6 +162,7 @@ bool scl::Settings::SaveProfile(const wchar_t *file, const wchar_t *name, const
     success &= IniSaveNum(file, name, L"NtUserBuildHwndListHook", profile->hookNtUserBuildHwndList);
     success &= IniSaveNum(file, name, L"NtUserFindWindowExHook", profile->hookNtUserFindWindowEx);
     success &= IniSaveNum(file, name, L"NtUserQueryWindowHook", profile->hookNtUserQueryWindow);
+    success &= IniSaveNum(file, name, L"NtUserGetForegroundWindowHook", profile->hookNtUserGetForegroundWindow);
     success &= IniSaveNum(file, name, L"NtYieldExecutionHook", profile->hookNtYieldExecution);
     success &= IniSaveNum(file, name, L"OutputDebugStringHook", profile->hookOutputDebugStringA);
 

diff --git a/Scylla/Settings.h b/Scylla/Settings.h
@@ -36,6 +36,7 @@ namespace scl
             BOOL hookNtUserBuildHwndList;
             BOOL hookNtUserFindWindowEx;
             BOOL hookNtUserQueryWindow;
+            BOOL hookNtUserGetForegroundWindow;
             BOOL hookNtYieldExecution;
             BOOL hookOutputDebugStringA;
             BOOL fixPebBeingDebugged;
@@ -128,6 +129,7 @@ namespace scl
                 profile_.hookNtUserBuildHwndList ||
                 profile_.hookNtUserFindWindowEx ||
                 profile_.hookNtUserQueryWindow ||
+                profile_.hookNtUserGetForegroundWindow ||
                 profile_.hookNtYieldExecution ||
                 profile_.hookOutputDebugStringA ||
                 profile_.preventThreadCreation ||

diff --git a/ScyllaHideIDAProPlugin/IdaServerClient.cpp b/ScyllaHideIDAProPlugin/IdaServerClient.cpp
@@ -73,6 +73,7 @@ bool SendEventToServer(unsigned long notif_code, unsigned long ProcessId)
     idaExchange.EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx;
     idaExchange.EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList;
     idaExchange.EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow;
+    idaExchange.EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow;
     idaExchange.EnableNtSetDebugFilterStateHook = g_settings.opts().hookNtSetDebugFilterState;
     idaExchange.DllInjectNormal = g_settings.opts().dllNormal;
     idaExchange.DllInjectStealth = g_settings.opts().dllStealth;

diff --git a/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc b/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc
diff --git a/ScyllaHideIDAProPlugin/resource.h b/ScyllaHideIDAProPlugin/resource.h
diff --git a/ScyllaHideIDAServer/IdaServerExchange.h b/ScyllaHideIDAServer/IdaServerExchange.h
@@ -120,6 +120,7 @@ typedef struct _IDA_SERVER_EXCHANGE
 
 	unsigned char EnableNtUserBlockInputHook;
 	unsigned char EnableNtUserQueryWindowHook;
+	unsigned char EnableNtUserGetForegroundWindowHook;
 	unsigned char EnableNtUserBuildHwndListHook;
 	unsigned char EnableNtUserFindWindowExHook;
 	unsigned char EnableNtSetDebugFilterStateHook;

diff --git a/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc b/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc
diff --git a/ScyllaHideOlly1Plugin/resource.h b/ScyllaHideOlly1Plugin/resource.h
diff --git a/ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.rc b/ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.rc
diff --git a/ScyllaHideOlly2Plugin/resource.h b/ScyllaHideOlly2Plugin/resource.h
diff --git a/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc b/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc
diff --git a/ScyllaHideX64DBGPlugin/resource.h b/ScyllaHideX64DBGPlugin/resource.h