HyperDbg Debugger
Loading...
Searching...
No Matches
Hooks.h
Go to the documentation of this file.
1
12#pragma once
13
15// Syscall Hook //
17
31#define IS_SYSRET_INSTRUCTION(Code) \
32 (*((PUINT8)(Code) + 0) == 0x48 && \
33 *((PUINT8)(Code) + 1) == 0x0F && \
34 *((PUINT8)(Code) + 2) == 0x07)
35#define IS_SYSCALL_INSTRUCTION(Code) \
36 (*((PUINT8)(Code) + 0) == 0x0F && \
37 *((PUINT8)(Code) + 1) == 0x05)
38
43#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
44#define IMAGE_OS2_SIGNATURE 0x454E // NE
45#define IMAGE_OS2_SIGNATURE_LE 0x454C // LE
46#define IMAGE_VXD_SIGNATURE 0x454C // LE
47#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
48
50// Structure //
52
57typedef struct _SSDTStruct
58{
59 LONG * pServiceTable;
60 PVOID pCounterTable;
61#ifdef _WIN64
62 UINT64 NumberOfServices;
63#else
64 ULONG NumberOfServices;
65#endif
66 PCHAR pArgumentTable;
67} SSDTStruct, *PSSDTStruct;
68
80
98
109
119 *PSYSTEM_INFORMATION_CLASS;
120
121typedef NTSTATUS(NTAPI * ZWQUERYSYSTEMINFORMATION)(
122 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
123 OUT PVOID SystemInformation,
124 IN ULONG SystemInformationLength,
125 OUT PULONG ReturnLength OPTIONAL);
126
127NTSTATUS(*NtCreateFileOrig)
128(
129 PHANDLE FileHandle,
130 ACCESS_MASK DesiredAccess,
131 POBJECT_ATTRIBUTES ObjectAttributes,
132 PIO_STATUS_BLOCK IoStatusBlock,
133 PLARGE_INTEGER AllocationSize,
134 ULONG FileAttributes,
135 ULONG ShareAccess,
136 ULONG CreateDisposition,
137 ULONG CreateOptions,
138 PVOID EaBuffer,
139 ULONG EaLength);
140
142// Syscall Hooks Functions //
144
145VOID
146SyscallHookTest();
147
148VOID
149SyscallHookConfigureEFER(VIRTUAL_MACHINE_STATE * VCpu, BOOLEAN EnableEFERSyscallHook);
150
151BOOLEAN
152SyscallHookHandleUD(_Inout_ VIRTUAL_MACHINE_STATE * VCpu);
153
154BOOLEAN
155SyscallHookEmulateSYSRET(_Inout_ VIRTUAL_MACHINE_STATE * VCpu);
156
157BOOLEAN
158SyscallHookEmulateSYSCALL(_Inout_ VIRTUAL_MACHINE_STATE * VCpu);
159
161// Hidden Hooks Test //
163
164PVOID(*ExAllocatePoolWithTagOrig)
165(
166 POOL_TYPE PoolType,
167 SIZE_T NumberOfBytes,
168 ULONG Tag);
169
174#define MAX_EXEC_TRAMPOLINE_SIZE 100
175
176// ----------------------------------------------------------------------
177
186BOOLEAN
187EptHookPerformPageHook(VIRTUAL_MACHINE_STATE * VCpu, PVOID TargetAddress, CR3_TYPE ProcessCr3);
188
199BOOLEAN
200EptHookPerformPageHookMonitorAndInlineHook(VIRTUAL_MACHINE_STATE * VCpu,
201 PVOID HookingDetails,
202 CR3_TYPE ProcessCr3,
203 UINT32 PageHookMask);
204
213BOOLEAN
214EptHook(PVOID TargetAddress, UINT32 ProcessId);
215
223BOOLEAN
224EptHookFromVmxRoot(PVOID TargetAddress);
225
236BOOLEAN
237EptHookInlineHook(VIRTUAL_MACHINE_STATE * VCpu,
238 PVOID TargetAddress,
239 PVOID HookFunction,
240 UINT32 ProcessId);
241
252BOOLEAN
253EptHookMonitorHook(VIRTUAL_MACHINE_STATE * VCpu,
254 EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR * HookingDetails,
255 UINT32 ProcessId);
256
266BOOLEAN
267EptHookInlineHookFromVmxRoot(VIRTUAL_MACHINE_STATE * VCpu,
268 PVOID TargetAddress,
269 PVOID HookFunction);
270
280BOOLEAN
281EptHookMonitorFromVmxRoot(VIRTUAL_MACHINE_STATE * VCpu,
282 EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR * MemoryAddressDetails);
283
296BOOLEAN
297EptHookHandleHookedPage(VIRTUAL_MACHINE_STATE * VCpu,
298 EPT_HOOKED_PAGE_DETAIL * HookedEntryDetails,
299 VMX_EXIT_QUALIFICATION_EPT_VIOLATION ViolationQualification,
300 SIZE_T PhysicalAddress,
301 EPT_HOOKS_CONTEXT * LastContext,
302 BOOLEAN * IgnoreReadOrWriteOrExec,
303 BOOLEAN * IsExecViolation);
304
314BOOLEAN
315EptHookRestoreSingleHookToOriginalEntry(VIRTUAL_MACHINE_STATE * VCpu,
316 SIZE_T PhysicalAddress,
317 UINT64 OriginalEntry);
318
326VOID
327EptHookRestoreAllHooksToOriginalEntry(VIRTUAL_MACHINE_STATE * VCpu);
328
334VOID
335EptHookUnHookAll();
336
344BOOLEAN
345EptHookUnHookAllByHookingTag(UINT64 HookingTag);
346
356BOOLEAN
357EptHookUnHookSingleAddress(UINT64 VirtualAddress,
358 UINT64 PhysAddress,
359 UINT32 ProcessId);
360
368BOOLEAN
369EptHookUnHookSingleHookByHookingTagFromVmxRoot(UINT64 HookingTag,
370 EPT_SINGLE_HOOK_UNHOOKING_DETAILS * TargetUnhookingDetails);
371
382BOOLEAN
383EptHookUnHookSingleAddressFromVmxRoot(UINT64 VirtualAddress,
384 UINT64 PhysAddress,
385 EPT_SINGLE_HOOK_UNHOOKING_DETAILS * TargetUnhookingDetails);
386
394UINT32
395EptHookGetCountOfEpthooks(BOOLEAN IsEptHook2);
396
403BOOLEAN
404EptHookRemoveEntryAndFreePoolFromEptHook2sDetourList(UINT64 Address);
405
413PVOID
414EptHook2GeneralDetourEventHandler(PGUEST_REGS Regs, PVOID CalledFrom);
415
424VOID
425EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks(UINT32 Count);
426
434VOID
435EptHookReservePreallocatedPoolsForEptHooks(UINT32 Count);
436
447BOOLEAN
448EptHookModifyInstructionFetchState(VIRTUAL_MACHINE_STATE * VCpu,
449 PVOID PhysicalAddress,
450 BOOLEAN IsUnset);
451
462BOOLEAN
463EptHookModifyPageReadState(VIRTUAL_MACHINE_STATE * VCpu,
464 PVOID PhysicalAddress,
465 BOOLEAN IsUnset);
466
477BOOLEAN
478EptHookModifyPageWriteState(VIRTUAL_MACHINE_STATE * VCpu,
479 PVOID PhysicalAddress,
480 BOOLEAN IsUnset);
481
488VOID
489EptHookHandleMonitorTrapFlag(VIRTUAL_MACHINE_STATE * VCpu);
UINT16
unsigned short UINT16
Definition BasicTypes.h:47
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
UCHAR
unsigned char UCHAR
Definition BasicTypes.h:35
VOID
#define VOID
Definition BasicTypes.h:33
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
ZWQUERYSYSTEMINFORMATION
NTSTATUS(NTAPI * ZWQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL)
Definition Hooks.h:121
SyscallHookConfigureEFER
VOID SyscallHookConfigureEFER(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN EnableEFERSyscallHook)
This function enables or disables EFER syscall hoo.
Definition EferHook.c:31
PSYSTEM_MODULE_ENTRY
struct _SYSTEM_MODULE_ENTRY * PSYSTEM_MODULE_ENTRY
EptHookRestoreSingleHookToOriginalEntry
BOOLEAN EptHookRestoreSingleHookToOriginalEntry(VIRTUAL_MACHINE_STATE *VCpu, SIZE_T PhysicalAddress, UINT64 OriginalEntry)
Remove a special hook from the hooked pages lists.
Definition EptHook.c:656
EptHookModifyPageWriteState
BOOLEAN EptHookModifyPageWriteState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for write @detail should be called from VMX-root.
Definition EptHook.c:2682
SyscallHookEmulateSYSCALL
BOOLEAN SyscallHookEmulateSYSCALL(_Inout_ VIRTUAL_MACHINE_STATE *VCpu)
EptHookRestoreAllHooksToOriginalEntry
VOID EptHookRestoreAllHooksToOriginalEntry(VIRTUAL_MACHINE_STATE *VCpu)
Remove all hooks from the hooked pages lists (Should be called in vmx-root)
Definition EptHook.c:704
PHIDDEN_HOOKS_DETOUR_DETAILS
struct _HIDDEN_HOOKS_DETOUR_DETAILS * PHIDDEN_HOOKS_DETOUR_DETAILS
PSYSTEM_MODULE_INFORMATION
struct _SYSTEM_MODULE_INFORMATION * PSYSTEM_MODULE_INFORMATION
EptHookFromVmxRoot
BOOLEAN EptHookFromVmxRoot(PVOID TargetAddress)
This function invokes a direct VMCALL to setup the hook.
Definition EptHook.c:631
EptHookModifyPageReadState
BOOLEAN EptHookModifyPageReadState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for read @detail should be called from VMX-root.
Definition EptHook.c:2624
EptHookHandleMonitorTrapFlag
VOID EptHookHandleMonitorTrapFlag(VIRTUAL_MACHINE_STATE *VCpu)
Handle vm-exits for Monitor Trap Flag to restore previous state.
Definition EptHook.c:1963
SyscallHookTest
VOID SyscallHookTest()
Make examples for testing hidden hooks.
Definition SsdtHook.c:271
ObjectAttributes
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES ObjectAttributes
Definition Hooks.h:131
EptHookUnHookSingleAddress
BOOLEAN EptHookUnHookSingleAddress(UINT64 VirtualAddress, UINT64 PhysAddress, UINT32 ProcessId)
Remove single hook from the hooked pages list and invalidate TLB From VMX non-root mode.
Definition EptHook.c:2370
IoStatusBlock
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES PIO_STATUS_BLOCK IoStatusBlock
Definition Hooks.h:132
EptHookInlineHook
BOOLEAN EptHookInlineHook(VIRTUAL_MACHINE_STATE *VCpu, PVOID TargetAddress, PVOID HookFunction, UINT32 ProcessId)
Hook in VMX non-root mode (hidden detours)
Definition EptHook.c:1542
EptHook2GeneralDetourEventHandler
PVOID EptHook2GeneralDetourEventHandler(PGUEST_REGS Regs, PVOID CalledFrom)
routines to generally handle breakpoint hit for detour
Definition EptHook.c:2483
EptHookMonitorFromVmxRoot
BOOLEAN EptHookMonitorFromVmxRoot(VIRTUAL_MACHINE_STATE *VCpu, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *MemoryAddressDetails)
This function applies EPT monitor hooks to the target EPT table.
Definition EptHook.c:1651
EptHookPerformPageHook
BOOLEAN EptHookPerformPageHook(VIRTUAL_MACHINE_STATE *VCpu, PVOID TargetAddress, CR3_TYPE ProcessCr3)
Hook in VMX Root Mode with hidden breakpoints (A pre-allocated buffer should be available)
Definition EptHook.c:474
EptHookHandleHookedPage
BOOLEAN EptHookHandleHookedPage(VIRTUAL_MACHINE_STATE *VCpu, EPT_HOOKED_PAGE_DETAIL *HookedEntryDetails, VMX_EXIT_QUALIFICATION_EPT_VIOLATION ViolationQualification, SIZE_T PhysicalAddress, EPT_HOOKS_CONTEXT *LastContext, BOOLEAN *IgnoreReadOrWriteOrExec, BOOLEAN *IsExecViolation)
Handle hooked pages in Vmx-root mode.
Definition EptHook.c:1686
EptHookUnHookAllByHookingTag
BOOLEAN EptHookUnHookAllByHookingTag(UINT64 HookingTag)
Remove all hooks from the hooked pages by the given hooking tag.
Definition EptHook.c:2296
EptHookModifyInstructionFetchState
BOOLEAN EptHookModifyInstructionFetchState(VIRTUAL_MACHINE_STATE *VCpu, PVOID PhysicalAddress, BOOLEAN IsUnset)
Change PML EPT state for execution (execute) @detail should be called from VMX-root.
Definition EptHook.c:2566
FileAttributes
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES PIO_STATUS_BLOCK PLARGE_INTEGER ULONG FileAttributes
Definition Hooks.h:134
SyscallHookHandleUD
BOOLEAN SyscallHookHandleUD(_Inout_ VIRTUAL_MACHINE_STATE *VCpu)
EptHookInlineHookFromVmxRoot
BOOLEAN EptHookInlineHookFromVmxRoot(VIRTUAL_MACHINE_STATE *VCpu, PVOID TargetAddress, PVOID HookFunction)
Hook in VMX root-mode (hidden detours)
Definition EptHook.c:1613
EptHookReservePreallocatedPoolsForEptHooks
VOID EptHookReservePreallocatedPoolsForEptHooks(UINT32 Count)
Allocate pre-allocated pools for EPT hooks.
Definition EptHook.c:70
PoolType
POOL_TYPE PoolType
Definition Hooks.h:166
NumberOfBytes
POOL_TYPE SIZE_T NumberOfBytes
Definition Hooks.h:167
SYSTEM_MODULE_ENTRY
struct _SYSTEM_MODULE_ENTRY SYSTEM_MODULE_ENTRY
Module entry.
AllocationSize
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES PIO_STATUS_BLOCK PLARGE_INTEGER AllocationSize
Definition Hooks.h:133
SyscallHookEmulateSYSRET
BOOLEAN SyscallHookEmulateSYSRET(_Inout_ VIRTUAL_MACHINE_STATE *VCpu)
FileHandle
PHANDLE FileHandle
Definition Hooks.h:129
SSDTStruct
struct _SSDTStruct SSDTStruct
SSDT structure.
EptHookUnHookSingleAddressFromVmxRoot
BOOLEAN EptHookUnHookSingleAddressFromVmxRoot(UINT64 VirtualAddress, UINT64 PhysAddress, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
Remove single hook from the hooked pages list and invalidate TLB From VMX root-mode.
Definition EptHook.c:2404
ShareAccess
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES PIO_STATUS_BLOCK PLARGE_INTEGER ULONG ULONG ShareAccess
Definition Hooks.h:135
EaBuffer
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES PIO_STATUS_BLOCK PLARGE_INTEGER ULONG ULONG ULONG ULONG PVOID EaBuffer
Definition Hooks.h:138
EptHookPerformPageHookMonitorAndInlineHook
BOOLEAN EptHookPerformPageHookMonitorAndInlineHook(VIRTUAL_MACHINE_STATE *VCpu, PVOID HookingDetails, CR3_TYPE ProcessCr3, UINT32 PageHookMask)
Hook in VMX Root Mode with hidden detours and monitor (A pre-allocated buffer should be available)
Definition EptHook.c:980
CreateDisposition
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES PIO_STATUS_BLOCK PLARGE_INTEGER ULONG ULONG ULONG CreateDisposition
Definition Hooks.h:136
SYSTEM_MODULE_INFORMATION
struct _SYSTEM_MODULE_INFORMATION SYSTEM_MODULE_INFORMATION
System Information for modules.
Tag
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:168
EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks
VOID EptHookAllocateExtraHookingPagesForMemoryMonitorsAndExecEptHooks(UINT32 Count)
Allocate (reserve) extra pages for storing details of page hooks for memory monitor and regular hidde...
Definition EptHook.c:110
EptHook
BOOLEAN EptHook(PVOID TargetAddress, UINT32 ProcessId)
Hook in VMX non-root Mode (hidden breakpoint)
Definition EptHook.c:605
DesiredAccess
PHANDLE ACCESS_MASK DesiredAccess
Definition Hooks.h:130
EptHookUnHookAll
VOID EptHookUnHookAll()
Remove all hooks from the hooked pages lists.
Definition EptHook.c:2431
EptHookRemoveEntryAndFreePoolFromEptHook2sDetourList
BOOLEAN EptHookRemoveEntryAndFreePoolFromEptHook2sDetourList(UINT64 Address)
Remove an entry from g_EptHook2sDetourListHead.
Definition EptHook.c:1826
EptHookMonitorHook
BOOLEAN EptHookMonitorHook(VIRTUAL_MACHINE_STATE *VCpu, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR *HookingDetails, UINT32 ProcessId)
This function applies monitor hooks to the target EPT table.
Definition EptHook.c:1582
EptHookGetCountOfEpthooks
UINT32 EptHookGetCountOfEpthooks(BOOLEAN IsEptHook2)
get the length of active EPT hooks (!epthook and !epthook2)
Definition EptHook.c:1865
CreateOptions
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES PIO_STATUS_BLOCK PLARGE_INTEGER ULONG ULONG ULONG ULONG CreateOptions
Definition Hooks.h:137
_SYSTEM_INFORMATION_CLASS
_SYSTEM_INFORMATION_CLASS
System information class.
Definition Hooks.h:115
SystemKernelDebuggerInformation
@ SystemKernelDebuggerInformation
Definition Hooks.h:117
SystemModuleInformation
@ SystemModuleInformation
Definition Hooks.h:116
SYSTEM_INFORMATION_CLASS
enum _SYSTEM_INFORMATION_CLASS SYSTEM_INFORMATION_CLASS
System information class.
EaLength
PHANDLE ACCESS_MASK POBJECT_ATTRIBUTES PIO_STATUS_BLOCK PLARGE_INTEGER ULONG ULONG ULONG ULONG PVOID ULONG EaLength
Definition Hooks.h:139
PSYSTEM_INFORMATION_CLASS
enum _SYSTEM_INFORMATION_CLASS * PSYSTEM_INFORMATION_CLASS
EptHookUnHookSingleHookByHookingTagFromVmxRoot
BOOLEAN EptHookUnHookSingleHookByHookingTagFromVmxRoot(UINT64 HookingTag, EPT_SINGLE_HOOK_UNHOOKING_DETAILS *TargetUnhookingDetails)
Remove single hook from the hooked pages by the given hooking tag.
Definition EptHook.c:2339
HIDDEN_HOOKS_DETOUR_DETAILS
struct _HIDDEN_HOOKS_DETOUR_DETAILS HIDDEN_HOOKS_DETOUR_DETAILS
Details of detours style EPT hooks.
PSSDTStruct
struct _SSDTStruct * PSSDTStruct
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67
_CR3_TYPE
CR3 Structure.
Definition BasicTypes.h:130
_EPT_HOOKED_PAGE_DETAIL
Structure to save the state of each hooked pages.
Definition State.h:163
_EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR
Setting details for EPT Hooks (!monitor)
Definition DataTypes.h:331
_EPT_HOOKS_CONTEXT
Temporary $context used in some EPT hook commands.
Definition DataTypes.h:320
_EPT_SINGLE_HOOK_UNHOOKING_DETAILS
Details of unhooking single EPT hooks.
Definition DataTypes.h:358
_HIDDEN_HOOKS_DETOUR_DETAILS
Details of detours style EPT hooks.
Definition Hooks.h:74
_HIDDEN_HOOKS_DETOUR_DETAILS::HookedFunctionAddress
PVOID HookedFunctionAddress
Definition Hooks.h:76
_HIDDEN_HOOKS_DETOUR_DETAILS::ReturnAddress
PVOID ReturnAddress
Definition Hooks.h:77
_HIDDEN_HOOKS_DETOUR_DETAILS::OtherHooksList
LIST_ENTRY OtherHooksList
Definition Hooks.h:75
_SSDTStruct
SSDT structure.
Definition Hooks.h:58
_SSDTStruct::NumberOfServices
ULONG NumberOfServices
Definition Hooks.h:64
_SSDTStruct::pArgumentTable
PCHAR pArgumentTable
Definition Hooks.h:66
_SSDTStruct::pCounterTable
PVOID pCounterTable
Definition Hooks.h:60
_SSDTStruct::pServiceTable
LONG * pServiceTable
Definition Hooks.h:59
_SYSTEM_MODULE_ENTRY
Module entry.
Definition Hooks.h:86
_SYSTEM_MODULE_ENTRY::InitOrderIndex
UINT16 InitOrderIndex
Definition Hooks.h:93
_SYSTEM_MODULE_ENTRY::LoadOrderIndex
UINT16 LoadOrderIndex
Definition Hooks.h:92
_SYSTEM_MODULE_ENTRY::LoadCount
UINT16 LoadCount
Definition Hooks.h:94
_SYSTEM_MODULE_ENTRY::ImageSize
ULONG ImageSize
Definition Hooks.h:90
_SYSTEM_MODULE_ENTRY::MappedBase
PVOID MappedBase
Definition Hooks.h:88
_SYSTEM_MODULE_ENTRY::Section
HANDLE Section
Definition Hooks.h:87
_SYSTEM_MODULE_ENTRY::FullPathName
UCHAR FullPathName[256]
Definition Hooks.h:96
_SYSTEM_MODULE_ENTRY::ImageBase
PVOID ImageBase
Definition Hooks.h:89
_SYSTEM_MODULE_ENTRY::Flags
ULONG Flags
Definition Hooks.h:91
_SYSTEM_MODULE_ENTRY::OffsetToFileName
UINT16 OffsetToFileName
Definition Hooks.h:95
_SYSTEM_MODULE_INFORMATION
System Information for modules.
Definition Hooks.h:104
_SYSTEM_MODULE_INFORMATION::Count
ULONG Count
Definition Hooks.h:105
_SYSTEM_MODULE_INFORMATION::Module
SYSTEM_MODULE_ENTRY Module
Definition Hooks.h:106
_VIRTUAL_MACHINE_STATE
The status of each core after and before VMX.
Definition State.h:290
GUEST_REGS
Definition BasicTypes.h:70