From 2276f1477132e99c96f31552bce7b4d2925fb918 Mon Sep 17 00:00:00 2001 From: Matthijs Lavrijsen Date: Tue, 26 Jan 2021 03:47:19 +0100 Subject: [PATCH] Add NtUserGetForegroundWindow hook Fixes #116 --- 3rdparty/ntdll/ntdll.h | 20 ++++++++++++++++ ConfigCollection/scylla_hide.ini | 10 ++++++-- HookLibrary/Export.def | 1 + HookLibrary/HookMain.h | 6 +++++ HookLibrary/HookedFunctions.cpp | 12 +++++++++- HookLibrary/HookedFunctions.h | 1 + InjectorCLI/ApplyHooking.cpp | 22 ++++++++++++++---- InjectorCLI/CliMain.cpp | 1 + PluginGeneric/Injector.cpp | 9 ++++++- PluginGeneric/OptionsDialog.cpp | 8 +++++++ Scylla/Settings.cpp | 2 ++ Scylla/Settings.h | 2 ++ ScyllaHideIDAProPlugin/IdaServerClient.cpp | 1 + .../ScyllaHideIDAProPlugin.rc | Bin 23216 -> 23506 bytes ScyllaHideIDAProPlugin/resource.h | Bin 6720 -> 6720 bytes ScyllaHideIDAServer/IdaServerExchange.h | 1 + .../ScyllaHideOlly1Plugin.rc | Bin 27594 -> 27884 bytes ScyllaHideOlly1Plugin/resource.h | Bin 8648 -> 8648 bytes .../ScyllaHideOlly2Plugin.rc | Bin 22144 -> 22434 bytes ScyllaHideOlly2Plugin/resource.h | Bin 6166 -> 6166 bytes .../ScyllaHideX64DBGPlugin.rc | Bin 22282 -> 22572 bytes ScyllaHideX64DBGPlugin/resource.h | Bin 6164 -> 6164 bytes 22 files changed, 88 insertions(+), 8 deletions(-) diff --git a/3rdparty/ntdll/ntdll.h b/3rdparty/ntdll/ntdll.h index 575a09a5..a89b1106 100644 --- a/3rdparty/ntdll/ntdll.h +++ b/3rdparty/ntdll/ntdll.h @@ -4607,6 +4607,26 @@ HANDLE _In_ WINDOWINFOCLASS WindowInfo ); +typedef enum _THREAD_STATE_ROUTINE +{ + THREADSTATE_GETTHREADINFO, + THREADSTATE_ACTIVEWINDOW +} THREAD_STATE_ROUTINE; + +// GetActiveWindow +typedef +ULONG_PTR +(NTAPI +*t_NtUserGetThreadState)( + THREAD_STATE_ROUTINE Routine + ); + +typedef +HWND +(NTAPI +*t_NtUserGetForegroundWindow)( + ); + typedef int (NTAPI diff --git a/ConfigCollection/scylla_hide.ini b/ConfigCollection/scylla_hide.ini index 2ae2cffa..2e623178 100644 --- a/ConfigCollection/scylla_hide.ini +++ b/ConfigCollection/scylla_hide.ini 
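Review bot: The added `THREAD_STATE_ROUTINE` enum is a two-member, hand-numbered subset of an undocumented win32k enumeration, and the hook added in HookedFunctions.cpp passes `THREADSTATE_ACTIVEWINDOW` (value 1 here) straight to `NtUserGetThreadState`, so an accidental reorder or an inserted member would silently change which thread-state routine is queried. A comment above the typedef would make that contract explicit, e.g. `// Partial copy of the win32k THREAD_STATE_ROUTINE enum (only the members ScyllaHide uses). Do not reorder or insert before existing members: the ordinal is what NtUserGetThreadState receives.`. The `// GetActiveWindow` comment above `t_NtUserGetThreadState` would also be clearer if it named the routine it refers to, e.g. `// NtUserGetThreadState(THREADSTATE_ACTIVEWINDOW) is what GetActiveWindow calls`, since as written it reads as a description of the whole typedef.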
@@ -24,6 +24,7 @@ NtSetInformationThreadHook=1
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -60,7 +61,7 @@ skipCompressedDoNothing=0
 skipLoadDllDoLoad=0
 skipLoadDllDoNothing=0
 advancedInfobar=0
-[Obsidium x86]
+[Obsidium x86/x64]
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -84,6 +85,7 @@ NtSetInformationThreadHook=0
 NtUserBuildHwndListHook=1
 NtUserFindWindowExHook=1
 NtUserQueryWindowHook=1
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -101,7 +103,7 @@ RemoveEPBreak=0
 SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Obsidium
-[Themida x86]
+[Themida x86/x64]
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -127,6 +129,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=1
 NtUserFindWindowExHook=1
 NtUserQueryWindowHook=1
+NtUserGetForegroundWindowHook=1
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -170,6 +173,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=1
 PebBeingDebugged=1
@@ -212,6 +216,7 @@ NtSetInformationProcessHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -272,6 +277,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=0
diff --git a/HookLibrary/Export.def b/HookLibrary/Export.def
index d16be8b6..c9b1879e 100644
--- a/HookLibrary/Export.def
+++ b/HookLibrary/Export.def
@@ -26,6 +26,7 @@ HookedNtUserBlockInput
 HookedNtUserBuildHwndList
 HookedNtUserBuildHwndList_Eight
 HookedNtUserFindWindowEx
+HookedNtUserGetForegroundWindow
 HookedNtUserQueryWindow
 HookedNtYieldExecution
 HookedOutputDebugStringA
diff --git a/HookLibrary/HookMain.h b/HookLibrary/HookMain.h
index 015a75eb..fee4031e 100644
--- a/HookLibrary/HookMain.h
+++ b/HookLibrary/HookMain.h
@@ -56,13 +56,16 @@ typedef struct _HOOK_DLL_DATA {
 //Native user32.dll/win32u.dll functions
 ULONG_PTR NtUserBlockInputVA;
 ULONG_PTR NtUserQueryWindowVA;
+ ULONG_PTR NtUserGetForegroundWindowVA;
 ULONG_PTR NtUserBuildHwndListVA;
 ULONG_PTR NtUserFindWindowExVA;
 ULONG_PTR NtUserGetClassNameVA;
 ULONG_PTR NtUserInternalGetWindowTextVA;
+ ULONG_PTR NtUserGetThreadStateVA;

 BOOLEAN EnableNtUserBlockInputHook;
 BOOLEAN EnableNtUserQueryWindowHook;
+ BOOLEAN EnableNtUserGetForegroundWindowHook;
 BOOLEAN EnableNtUserBuildHwndListHook;
 BOOLEAN EnableNtUserFindWindowExHook;
 BOOLEAN EnableNtSetDebugFilterStateHook;
@@ -142,11 +145,14 @@ typedef struct _HOOK_DLL_DATA {
 DWORD NtUserBuildHwndListBackupSize;
 t_NtUserQueryWindow dNtUserQueryWindow;
 DWORD NtUserQueryWindowBackupSize;
+ t_NtUserGetForegroundWindow dNtUserGetForegroundWindow;
+ DWORD NtUserGetForegroundWindowBackupSize;

 t_NtUserQueryWindow NtUserQueryWindow;
 t_NtUserGetClassName NtUserGetClassName;
 t_NtUserInternalGetWindowText NtUserInternalGetWindowText;
+ t_NtUserGetThreadState NtUserGetThreadState;

 DWORD dwProtectedProcessId;
 BOOLEAN EnableProtectProcessId;
diff --git a/HookLibrary/HookedFunctions.cpp b/HookLibrary/HookedFunctions.cpp
index f1d7ab34..2c1827b3 100644
--- a/HookLibrary/HookedFunctions.cpp
+++ b/HookLibrary/HookedFunctions.cpp
@@ -947,6 +947,16 @@ HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo)
 return HookDllData.dNtUserQueryWindow(hwnd, WindowInfo);
 }
 
+HWND NTAPI HookedNtUserGetForegroundWindow()
+{
+ HWND Hwnd = HookDllData.dNtUserGetForegroundWindow();
+ if (Hwnd != nullptr && IsWindowBad(Hwnd))
+ {
+ Hwnd = (HWND)HookDllData.NtUserGetThreadState(THREADSTATE_ACTIVEWINDOW);
+ }
+ return Hwnd;
+}
+
 //WIN XP: CreateThread -> CreateRemoteThread -> NtCreateThread
 NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended)
 {
@@ -1124,7 +1134,7 @@ NTSTATUS NTAPI HookedNtResumeThread(HANDLE ThreadHandle, PULONG PreviousSuspendC
 {
 DumpMalware(dwProcessId);
 TerminateProcessByProcessId(dwProcessId); //terminate it
- DbgPrint("Malware called ResumeThread");
+ DbgPrint((PCH)"Malware called ResumeThread");
 DbgBreakPoint();
 return STATUS_SUCCESS;
 }
diff --git a/HookLibrary/HookedFunctions.h b/HookLibrary/HookedFunctions.h
index b82eb8fa..a62c0e67 100644
--- a/HookLibrary/HookedFunctions.h
+++ b/HookLibrary/HookedFunctions.h
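Review bot: `HookedNtUserGetForegroundWindow` calls `HookDllData.NtUserGetThreadState` through a function pointer without checking it, and that pointer is filled unconditionally in ApplyHooking.cpp from `hdd->NtUserGetThreadStateVA`; the lookup of that VA is only visible for the PluginGeneric path (Injector.cpp), while the CliMain.cpp hunk copies just the enable flag, so if any injector path leaves the VA at zero the fallback branch becomes a null call inside the debuggee exactly when a debugger-owned window is in the foreground. A guard keeps the hook harmless in that case, `Hwnd = HookDllData.NtUserGetThreadState != nullptr ? (HWND)HookDllData.NtUserGetThreadState(THREADSTATE_ACTIVEWINDOW) : nullptr;`, and a null result is one GetForegroundWindow already documents as possible. A one-line comment on the function would also help, since the choice of THREADSTATE_ACTIVEWINDOW is not obvious from the code: `// If the real foreground window belongs to the debugger, report the caller's own active window instead so the result stays consistent with GetActiveWindow.`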
@@ -47,6 +47,7 @@ NTSTATUS NTAPI HookedNtUserBuildHwndList_Eight(HDESK hDesktop, HWND hwndParent,
 NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended);
 NTSTATUS NTAPI HookedNtCreateThreadEx(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PUSER_THREAD_START_ROUTINE StartRoutine,PVOID Argument,ULONG CreateFlags,ULONG_PTR ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,PPS_ATTRIBUTE_LIST AttributeList);
 HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo);
+HWND NTAPI HookedNtUserGetForegroundWindow();

 BOOL NTAPI HookedNtUserBlockInput(BOOL fBlockIt);

diff --git a/InjectorCLI/ApplyHooking.cpp b/InjectorCLI/ApplyHooking.cpp
index cbe2261b..285d7268 100644
--- a/InjectorCLI/ApplyHooking.cpp
+++ b/InjectorCLI/ApplyHooking.cpp
@@ -50,6 +50,7 @@ t_NtUserBlockInput _NtUserBlockInput = 0;
 t_NtUserBuildHwndList _NtUserBuildHwndList = 0;
 t_NtUserFindWindowEx _NtUserFindWindowEx = 0;
 t_NtUserQueryWindow _NtUserQueryWindow = 0;
+t_NtUserGetForegroundWindow _NtUserGetForegroundWindow = 0;
 t_NtSetInformationThread _NtSetInformationThread = 0;
 t_NtQuerySystemInformation _NtQuerySystemInformation = 0;
 
@@ -406,28 +407,33 @@ bool ApplyUserHook(HOOK_DLL_DATA * hdd, HANDLE hProcess, BYTE * dllMemory, DWORD
 void * HookedNtUserBuildHwndList = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserBuildHwndList") + imageBase);
 void * HookedNtUserBuildHwndList_Eight = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserBuildHwndList_Eight") + imageBase);
 void * HookedNtUserQueryWindow = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserQueryWindow") + imageBase);
+ void * HookedNtUserGetForegroundWindow = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserGetForegroundWindow") + imageBase);
 
- g_log.LogDebug(L"ApplyUserHook -> HookedNtUserBlockInput %p HookedNtUserFindWindowEx %p HookedNtUserBuildHwndList %p HookedNtUserBuildHwndList_Eight %p HookedNtUserQueryWindow %p",
+ g_log.LogDebug(L"ApplyUserHook -> HookedNtUserBlockInput %p HookedNtUserFindWindowEx %p HookedNtUserBuildHwndList %p HookedNtUserBuildHwndList_Eight %p HookedNtUserQueryWindow %p HookedNtUserGetForegroundWindow %p",
 HookedNtUserBlockInput,
 HookedNtUserFindWindowEx,
 HookedNtUserBuildHwndList,
 HookedNtUserBuildHwndList_Eight,
- HookedNtUserQueryWindow);
+ HookedNtUserQueryWindow,
+ HookedNtUserGetForegroundWindow);

 _NtUserBlockInput = (t_NtUserBlockInput)hdd->NtUserBlockInputVA;
 _NtUserFindWindowEx = (t_NtUserFindWindowEx)hdd->NtUserFindWindowExVA;
 _NtUserBuildHwndList = (t_NtUserBuildHwndList)hdd->NtUserBuildHwndListVA;
 _NtUserQueryWindow = (t_NtUserQueryWindow)hdd->NtUserQueryWindowVA;
+ _NtUserGetForegroundWindow = (t_NtUserGetForegroundWindow)hdd->NtUserGetForegroundWindowVA;

 hdd->NtUserQueryWindow = _NtUserQueryWindow;
 hdd->NtUserGetClassName = (t_NtUserGetClassName)hdd->NtUserGetClassNameVA;
 hdd->NtUserInternalGetWindowText = (t_NtUserInternalGetWindowText)hdd->NtUserInternalGetWindowTextVA;
+ hdd->NtUserGetThreadState = (t_NtUserGetThreadState)hdd->NtUserGetThreadStateVA;
 
- g_log.LogDebug(L"ApplyUserHook -> _NtUserBlockInput %p _NtUserFindWindowEx %p _NtUserBuildHwndList %p 
_NtUserQueryWindow %p",
+ g_log.LogDebug(L"ApplyUserHook -> _NtUserBlockInput %p _NtUserFindWindowEx %p _NtUserBuildHwndList %p _NtUserQueryWindow %p _NtUserGetForegroundWindow %p",
 _NtUserBlockInput,
 _NtUserFindWindowEx,
 _NtUserBuildHwndList,
- _NtUserQueryWindow);
+ _NtUserQueryWindow,
+ _NtUserGetForegroundWindow);

 if (hdd->EnableNtUserBlockInputHook)
 {
@@ -454,6 +460,11 @@ bool ApplyUserHook(HOOK_DLL_DATA * hdd, HANDLE hProcess, BYTE * dllMemory, DWORD
 g_log.LogDebug(L"ApplyUserHook -> Hooking NtUserQueryWindow");
 HOOK_NATIVE(NtUserQueryWindow);
 }
+ if (hdd->EnableNtUserGetForegroundWindowHook)
+ {
+ g_log.LogDebug(L"ApplyUserHook -> Hooking NtUserGetForegroundWindow");
+ HOOK_NATIVE(NtUserGetForegroundWindow);
+ }

 hdd->isUserDllHooked = TRUE;
 
@@ -736,18 +747,21 @@ void RestoreUserHooks(HOOK_DLL_DATA * hdd, HANDLE hProcess)
 RESTORE_JMP(NtUserFindWindowEx);
 RESTORE_JMP(NtUserBuildHwndList);
 RESTORE_JMP(NtUserQueryWindow);
+ RESTORE_JMP(NtUserGetForegroundWindow);
 }
 #else
 RESTORE_JMP(NtUserBlockInput);
 RESTORE_JMP(NtUserFindWindowEx);
 RESTORE_JMP(NtUserBuildHwndList);
 RESTORE_JMP(NtUserQueryWindow);
+ RESTORE_JMP(NtUserGetForegroundWindow);
 #endif

 FREE_HOOK(NtUserBlockInput);
 FREE_HOOK(NtUserFindWindowEx);
 FREE_HOOK(NtUserBuildHwndList);
 FREE_HOOK(NtUserQueryWindow);
+ FREE_HOOK(NtUserGetForegroundWindow);

 hdd->isUserDllHooked = FALSE;
 }
diff --git a/InjectorCLI/CliMain.cpp b/InjectorCLI/CliMain.cpp
index 8e958c13..4dbaf259 100644
--- a/InjectorCLI/CliMain.cpp
+++ b/InjectorCLI/CliMain.cpp
@@ -306,6 +306,7 @@ void ReadSettings()
 g_hdd.EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList;
 g_hdd.EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx;
 g_hdd.EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow;
+ g_hdd.EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow;
 g_hdd.EnableNtYieldExecutionHook = g_settings.opts().hookNtYieldExecution;
 g_hdd.EnableOutputDebugStringHook = g_settings.opts().hookOutputDebugStringA;
 g_hdd.EnablePebBeingDebugged = g_settings.opts().fixPebBeingDebugged;
diff --git a/PluginGeneric/Injector.cpp b/PluginGeneric/Injector.cpp
index d350c0e1..9ac306c2 100644
--- a/PluginGeneric/Injector.cpp
+++ b/PluginGeneric/Injector.cpp
@@ -34,8 +34,10 @@ void ReadNtApiInformation(HOOK_DLL_DATA *hdd)
 "NtUserBuildHwndList",
 "NtUserFindWindowEx",
 "NtUserQueryWindow",
+ "NtUserGetForegroundWindow",
 "NtUserGetClassName",
- "NtUserInternalGetWindowText" }))
+ "NtUserInternalGetWindowText",
+ "NtUserGetThreadState" }))
 {
 g_log.LogError(L"Failed to find user32.dll/win32u.dll syscalls!");
 return;
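Review bot: Adding `"NtUserGetForegroundWindow"` and `"NtUserGetThreadState"` to the list of names that must all resolve in `ReadNtApiInformation` makes the whole user32/win32u hook set fail (`Failed to find user32.dll/win32u.dll syscalls!` followed by `return;`) whenever either name cannot be located, even for profiles that leave `hookNtUserGetForegroundWindow` at 0; before this change those profiles depended only on the names already listed. Whether the loader can fail to find these two on some Windows builds is not determinable from this diff, but if it can, keeping them out of the mandatory list and skipping the hook when `NtUserGetForegroundWindowVA` or `NtUserGetThreadStateVA` is 0 would preserve the previous behaviour for everyone else. ReadNtApiInformation continues past the end of this hunk.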
@@ -43,17 +45,21 @@ void ReadNtApiInformation(HOOK_DLL_DATA *hdd)

 hdd->NtUserBlockInputVA = user32Loader.GetUserSyscallVa("NtUserBlockInput");
 hdd->NtUserQueryWindowVA = user32Loader.GetUserSyscallVa("NtUserQueryWindow");
+ hdd->NtUserGetForegroundWindowVA = user32Loader.GetUserSyscallVa("NtUserGetForegroundWindow");
 hdd->NtUserBuildHwndListVA = user32Loader.GetUserSyscallVa("NtUserBuildHwndList");
 hdd->NtUserFindWindowExVA = user32Loader.GetUserSyscallVa("NtUserFindWindowEx");
 hdd->NtUserGetClassNameVA = user32Loader.GetUserSyscallVa("NtUserGetClassName");
 hdd->NtUserInternalGetWindowTextVA = user32Loader.GetUserSyscallVa("NtUserInternalGetWindowText");
+ hdd->NtUserGetThreadStateVA = user32Loader.GetUserSyscallVa("NtUserGetThreadState");

 g_log.LogInfo(L"Loaded VA for NtUserBlockInput = 0x%p", hdd->NtUserBlockInputVA);
 g_log.LogInfo(L"Loaded VA for NtUserQueryWindow = 0x%p", hdd->NtUserQueryWindowVA);
+ g_log.LogInfo(L"Loaded VA for NtUserGetForegroundWindow = 0x%p", hdd->NtUserGetForegroundWindowVA);
 g_log.LogInfo(L"Loaded VA for NtUserBuildHwndList = 0x%p", hdd->NtUserBuildHwndListVA);
 g_log.LogInfo(L"Loaded VA for NtUserFindWindowEx = 0x%p", hdd->NtUserFindWindowExVA);
 g_log.LogInfo(L"Loaded VA for NtUserGetClassName = 0x%p", hdd->NtUserGetClassNameVA);
 g_log.LogInfo(L"Loaded VA for NtUserInternalGetWindowText = 0x%p", hdd->NtUserInternalGetWindowTextVA);
+ g_log.LogInfo(L"Loaded VA for NtUserGetThreadState = 0x%p", hdd->NtUserGetThreadStateVA);
 }

 #ifndef _WIN64
@@ -641,6 +647,7 @@ void FillHookDllData(HANDLE hProcess, HOOK_DLL_DATA *hdd)
 hdd->EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx;
 hdd->EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList;
 hdd->EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow;
+ hdd->EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow;
 hdd->EnableNtSetDebugFilterStateHook = g_settings.opts().hookNtSetDebugFilterState;
 hdd->EnableGetTickCountHook = g_settings.opts().hookGetTickCount;
 hdd->EnableGetTickCount64Hook = g_settings.opts().hookGetTickCount64;
diff --git a/PluginGeneric/OptionsDialog.cpp b/PluginGeneric/OptionsDialog.cpp
index 4be177b0..98a33590 100644
--- a/PluginGeneric/OptionsDialog.cpp
+++ b/PluginGeneric/OptionsDialog.cpp
@@ -119,6 +119,7 @@ static void UpdateOptions(HWND hWnd, const scl::Settings *settings)
 CheckDlgButton(hWnd, IDC_NTUSERFINDWINDOWEX, opts->hookNtUserFindWindowEx);
 CheckDlgButton(hWnd, IDC_NTUSERBUILDHWNDLIST, opts->hookNtUserBuildHwndList);
 CheckDlgButton(hWnd, IDC_NTUSERQUERYWINDOW, opts->hookNtUserQueryWindow);
+ CheckDlgButton(hWnd, IDC_NTUSERGETFOREGROUNDWINDOW, opts->hookNtUserGetForegroundWindow);
 CheckDlgButton(hWnd, IDC_NTSETDEBUGFILTERSTATE, opts->hookNtSetDebugFilterState);
 CheckDlgButton(hWnd, IDC_NTCLOSE, opts->hookNtClose);
 CheckDlgButton(hWnd, IDC_NTCREATETHREADEX, opts->hookNtCreateThreadEx);
@@ -208,6 +209,7 @@ void SaveOptions(HWND hWnd, scl::Settings *settings)
 opts->hookNtUserBlockInput = (IsDlgButtonChecked(hWnd, IDC_NTUSERBLOCKINPUT) == BST_CHECKED);
 opts->hookNtUserBuildHwndList = (IsDlgButtonChecked(hWnd, IDC_NTUSERBUILDHWNDLIST) == BST_CHECKED);
 opts->hookNtUserQueryWindow = (IsDlgButtonChecked(hWnd, IDC_NTUSERQUERYWINDOW) == BST_CHECKED);
+ opts->hookNtUserGetForegroundWindow = (IsDlgButtonChecked(hWnd, IDC_NTUSERGETFOREGROUNDWINDOW) == BST_CHECKED);
 opts->hookNtSetDebugFilterState = (IsDlgButtonChecked(hWnd, IDC_NTSETDEBUGFILTERSTATE) == BST_CHECKED);
 opts->hookNtClose = (IsDlgButtonChecked(hWnd, IDC_NTCLOSE) == BST_CHECKED);
 opts->hookNtCreateThreadEx = (IsDlgButtonChecked(hWnd, IDC_NTCREATETHREADEX) == BST_CHECKED);
@@ -362,6 +364,12 @@ HWND CreateTooltips(HWND hDlg)
 L"The windows API GetWindowThreadProcessId calls this internally.\r\n"
 L"This is used to hide the debugger process."
 },
+ {
+ IDC_NTUSERGETFOREGROUNDWINDOW,
+ L"This is a system call function in user32.dll.\r\n"
+ L"The windows API GetForegroundWindow calls this internally.\r\n"
+ L"The debugger window will be hidden."
+ },
 {
 IDC_NTSETDEBUGFILTERSTATE,
 L"ScyllaHide returns always STATUS_ACCESS_DENIED.\r\n"
diff --git a/Scylla/Settings.cpp b/Scylla/Settings.cpp
index 3e1cd3cd..d0b414da 100644
--- a/Scylla/Settings.cpp
+++ b/Scylla/Settings.cpp
@@ -85,6 +85,7 @@ void scl::Settings::LoadProfile(const wchar_t *file, const wchar_t *name, Profil
 profile->hookNtUserBuildHwndList = IniLoadNum(file, name, L"NtUserBuildHwndListHook", 1);
 profile->hookNtUserFindWindowEx = IniLoadNum(file, name, L"NtUserFindWindowExHook", 1);
 profile->hookNtUserQueryWindow = IniLoadNum(file, name, L"NtUserQueryWindowHook", 1);
+ profile->hookNtUserGetForegroundWindow = IniLoadNum(file, name, L"NtUserGetForegroundWindowHook", 1);
 profile->hookNtYieldExecution = IniLoadNum(file, name, L"NtYieldExecutionHook", 1);
 profile->hookOutputDebugStringA = IniLoadNum(file, name, L"OutputDebugStringHook", 1);
 
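Review bot: `IniLoadNum(file, name, L"NtUserGetForegroundWindowHook", 1)` in LoadProfile defaults the new option to enabled when the key is absent, so every profile in a user's existing scylla_hide.ini (saved before this key existed) silently gains the hook on its next load, whereas the ConfigCollection/scylla_hide.ini shipped in this same commit sets it to 0 for every profile except Themida. The default is consistent with the neighbouring keys, but for a hook that rewrites a core user32 result a default of 0 would keep existing profiles behaving as before: `profile->hookNtUserGetForegroundWindow = IniLoadNum(file, name, L"NtUserGetForegroundWindowHook", 0);`. LoadProfile continues outside this hunk.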
@@ -161,6 +162,7 @@ bool scl::Settings::SaveProfile(const wchar_t *file, const wchar_t *name, const
 success &= IniSaveNum(file, name, L"NtUserBuildHwndListHook", profile->hookNtUserBuildHwndList);
 success &= IniSaveNum(file, name, L"NtUserFindWindowExHook", profile->hookNtUserFindWindowEx);
 success &= IniSaveNum(file, name, L"NtUserQueryWindowHook", profile->hookNtUserQueryWindow);
+ success &= IniSaveNum(file, name, L"NtUserGetForegroundWindowHook", profile->hookNtUserGetForegroundWindow);
 success &= IniSaveNum(file, name, L"NtYieldExecutionHook", profile->hookNtYieldExecution);
 success &= IniSaveNum(file, name, L"OutputDebugStringHook", profile->hookOutputDebugStringA);

diff --git a/Scylla/Settings.h b/Scylla/Settings.h
index fa64c87e..20cc0536 100644
--- a/Scylla/Settings.h
+++ b/Scylla/Settings.h
@@ -36,6 +36,7 @@ namespace scl
 BOOL hookNtUserBuildHwndList;
 BOOL hookNtUserFindWindowEx;
 BOOL hookNtUserQueryWindow;
+ BOOL hookNtUserGetForegroundWindow;
 BOOL hookNtYieldExecution;
 BOOL hookOutputDebugStringA;
 BOOL fixPebBeingDebugged;
@@ -128,6 +129,7 @@ namespace scl
 profile_.hookNtUserBuildHwndList ||
 profile_.hookNtUserFindWindowEx ||
 profile_.hookNtUserQueryWindow ||
+ profile_.hookNtUserGetForegroundWindow ||
 profile_.hookNtYieldExecution ||
 profile_.hookOutputDebugStringA ||
 profile_.preventThreadCreation ||
diff --git a/ScyllaHideIDAProPlugin/IdaServerClient.cpp b/ScyllaHideIDAProPlugin/IdaServerClient.cpp
index 7d77af56..fc73aa47 100644
--- a/ScyllaHideIDAProPlugin/IdaServerClient.cpp
+++ b/ScyllaHideIDAProPlugin/IdaServerClient.cpp
@@ -73,6 +73,7 @@ bool SendEventToServer(unsigned long notif_code, unsigned long ProcessId) idaExchange.EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx; idaExchange.EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList; idaExchange.EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow; + idaExchange.EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow; idaExchange.EnableNtSetDebugFilterStateHook = g_settings.opts().hookNtSetDebugFilterState; idaExchange.DllInjectNormal = g_settings.opts().dllNormal; idaExchange.DllInjectStealth = g_settings.opts().dllStealth; diff --git a/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc b/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc index 3836a38521b08e2118c3c51db06dd590af61bfb3..1d6a0f4bfc6f2aa911bfe24968ab1ffe84c3e5db 100644 GIT binary patch delta 135 zcmdn6mGRPc#tr|}C%;kQkaTBAWhh~AW5{PH0nESlaGB)9Hkn1^#N=g~Zj*&Hr%aZxlAHX%Nn`UH%|}ek j#ti10FY37SGMY}_s3bf2AD7bP2&*(k<{9 diff --git a/ScyllaHideIDAProPlugin/resource.h b/ScyllaHideIDAProPlugin/resource.h index c3a4bfcbf720bd61d7614abdf537a528929c481e..a0688b989560ebdbb8684b8615e2bd774dacfee4 100644 GIT binary patch delta 87 zcmX?La=>Im0sAC24oP$P$_SN-_)p*@72j delta 57 zcmX?La=>Im0sG`L>{gRkvCB>N;o@R6oUF*KJBcG{G8>27<_3;7fyqpQVv}Vg7flWj Nl>pKrlV3@O0RSBh5v2eC diff --git a/ScyllaHideIDAServer/IdaServerExchange.h b/ScyllaHideIDAServer/IdaServerExchange.h index 73b9dfab..fb106439 100644 --- a/ScyllaHideIDAServer/IdaServerExchange.h +++ b/ScyllaHideIDAServer/IdaServerExchange.h @@ -120,6 +120,7 @@ typedef struct _IDA_SERVER_EXCHANGE unsigned char EnableNtUserBlockInputHook; unsigned char EnableNtUserQueryWindowHook; + unsigned char EnableNtUserGetForegroundWindowHook; unsigned char EnableNtUserBuildHwndListHook; unsigned char EnableNtUserFindWindowExHook; unsigned char EnableNtSetDebugFilterStateHook; 
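Review bot: `EnableNtUserGetForegroundWindowHook` is added to `_IDA_SERVER_EXCHANGE` and filled in IdaServerClient.cpp, but no file under ScyllaHideIDAServer other than this header appears in the diffstat, so unless the server copies the exchange fields into HOOK_DLL_DATA generically the new flag is transported and then ignored on the IDA server side; the server's field-by-field copy (not visible here) would need `hdd->EnableNtUserGetForegroundWindowHook = idaExchange.EnableNtUserGetForegroundWindowHook;`. Inserting the member in the middle of the struct also changes the wire layout, so a client and server built from different revisions will misread every field after it; a comment on the struct saying both sides must be rebuilt together, or a version field checked on receipt, would make that explicit.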
diff --git a/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc b/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc index da7b47bd688f92a67b020d248738f6d0651b039c..6dcd2fc10e9b8fb9d2406e7faa46971cbf487002 100644 GIT binary patch delta 132 zcmX?go$<|0#tllklLfRmB;6TO8A=%381fm4fUI;Nna@zlkjIcR*-%FnDC^1)0+jV< z2m-R)fuuh}D1#q^%j9^S`pF-3T_z_evQ5^|Ju&%|p4((Iy(yC;+~p>J&{EsXr$2$0 f*@(e>^Fo{LT+Aj6mXjaqNKam8qqKR3yO9b2VNfP; delta 57 zcmV-90LK69*#XMe0k9%1lVBkRlS(egk}gD(Rxg&55-&!xGBAz}0Wp)2Kr^%SJ%$RC P>@OaZ9zPCX_#;K$&?5YFHUru`YhC(mSWpL~ItWpe|Eha>@2Qa`y#&1LdDTeiu&R8LHfQFohsLT$?A xL#A?*7pQ4$UZkGD%xuJ9Iyulmf3t~p9~Yy^WJd@4%}i#?m>3N=ue7)>3jkXLEENC% delta 67 zcmV-J0KEUAuK|Fq0kE_slfXU(liViAlaeMxljtXwlcXm`v&1N10|PMtIFrFbFSAxG ZjtY~0C?1o5K_asxH>LssFtf`!*B!_<8pr?u diff --git a/ScyllaHideOlly2Plugin/resource.h b/ScyllaHideOlly2Plugin/resource.h index 2aae4651382afe07472c0859cf7f314d33e94e65..e2c3f26866181ba4ce96fa6aa36144b7fa13f75a 100644 GIT binary patch delta 108 zcmbPcFwI~?9{c2ftQ@ND46Y0z3~mhm3_(DaJCO8e2xahNaA62%@C4KT4B?Y!vujV@ z$HXcbsgKH8?C7EjA}|RP#+%VHKMkATBYPOT3HOjKOsBLMBllUu5zD G@h||M=o?Z1 delta 68 zcmbPcFwI~?9{c1|>{gRku**&M;^Ja7oSX>6OdN5OSvcf2*Kx%0F&a%?$Rs*BKwM%n Rmv|SmDFcizGWmdb7y!la6Q=+G diff --git a/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc b/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc index 6342740cd2dff8822a8300ac40fef47f5d0e7cff..c302fbf734a216ace28944c9748de761dee7d5a7 100644 GIT binary patch delta 132 zcmeBL$GBz#;|3;;$sbfWB;6TO8A=%381fm4fUI;Nna@zlkjIcRSx{XSDC^1)0+jV< z2m-R)fuuh}D1#q^%Vc}?`pFkGTqfJeuubOBI5ByZrrTsO%_);7n8{7PpsKd{o#rDZ fW@84U$qUW&H#6z>aWb1Sm`@gzklwt`EJgtUA;Bco delta 56 zcmV-80LTBVumOs$0k8rnlVCdrlPW35li(;slQt@rlkzD>vl1)d0s}GtIFolRFS8^r OjtP^@Dju`YH(VfKiWJQN 
diff --git a/ScyllaHideX64DBGPlugin/resource.h b/ScyllaHideX64DBGPlugin/resource.h index 094dddd8bf3d3ac8a4f1df2f5c5ebdc661675dda..f2c53a7db91a7e4cf46fe7502bc69ff0d2088214 100644 GIT binary patch delta 92 zcmbPYFvVbl3ddvtb`Di{23Lj<1~&$Oh9Drz9Z32!gfjRsxG;n>c!FtvhVaRO9NLo= oIP50x;)t0X#3Q%agmW1$kRdktgV-WQv&jpY#DOf4$@|2^0I_KolK=n! delta 63 zcmbPYFvVbl3diII4y(y=9CDMmxfl&6Co<|zUck;ac^5|v5X)^g;atW$*@H=J@&~a+ SjHZ((vWWv(B9r%thXDYDpA_Q&