Windows Memory Hacking Libraries

Bibliotheken

Sprache Code Lizenz Download Funktionalitäten
N-CodeHook C++ Open :?: Website API-Hooking
N-InjectLib C++ Open :?: Website DLL-Injection
Mhook C Open MIT Website
HadesMem C++ Open Boost Software License Website
diStorm C, Assembler Open Dual-Lizenz (GPL und kommerzielle) Website
EasyHook C# Open L-GPL Website
Extemory C# Open Simplified BSD Website
BlackMagick C# Open :?: Website
WhiteMagick C# Open GPLv3 Website
Trappola C++ Open L-GPL Website
DynamoRIO C Open BSD Website

N-CodeHook

main.cpp
#include <iostream>
#include <NInjectLib/IATModifier.h>
 
int _tmain(int argc, _TCHAR* argv[])
{
    /*if (argc != 3)
    {
        std::cout << "Usage is: simple_example executable dll" << std::endl;
        return 1;
    }*/
 
    //const char* exe = argv[1];
    //const char* dll = argv[2];
 
    const char* exe = "C:\\Windows\\system32\\notepad.exe";
    // NOTE: this only works if inject_test.dll is in the path of the executable
    // replace with full path to inject_test.dll!
    const char* dll = "inject_test.dll";
 
    STARTUPINFO sInfo = {0};
    sInfo.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION pInfo;
 
    if (CreateProcess(exe, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sInfo, &pInfo))
    {
        try
        {
            Process process(pInfo.dwProcessId);
            IATModifier iatModifier(process);
            // retrieve image base address so IATModifier is able to find the import directory
            iatModifier.setImageBase(process.getImageBase(pInfo.hThread));
            // modify import directory so our injected dll is loaded first
            iatModifier.writeIAT(dll);
            ResumeThread(pInfo.hThread);
            std::cout << "DLL successfully injected" << std::endl;
        }
        catch (std::exception& e)
        {
            std::cout << "Error while trying to inject dll into process: " << e.what() << std::endl;
            ResumeThread(pInfo.hThread);
            CloseHandle(pInfo.hThread);
            CloseHandle(pInfo.hProcess);
        }
    }
    else
    {
        DWORD lastErr = GetLastError();
        std::cout << "Failed to start process, system error: " << lastErr << std::endl;
    }
    return 0;
}

N-InjectLib

dllmain.cpp
#include <NCodeHook/NCodeHookInstantiation.h>
 
// NOTE: every injected dll has to export at least one symbol - otherwise
// the OS loader will fail with STATUS_INVALID_IMAGE_FORMAT (0x0C000007B)
__declspec(dllexport) void dummyExport() {}
 
typedef VOID (WINAPI *ExitProcessFPtr)(UINT uExitCode);
ExitProcessFPtr originalExitProcess = NULL;
 
VOID WINAPI ExitProcessHook(UINT uExitCode)
{
    MessageBox(0, "Good bye!", "You've been hooked!", MB_ICONINFORMATION);
    originalExitProcess(uExitCode);
}
 
// NOTE: this needs to be in global scope - otherwise the trampolines and hooks
// are deleted when the destructor of nCodeHook is called!
NCodeHookIA32 nCodeHook;
void hookExitProcess()
{
    originalExitProcess = nCodeHook.createHookByName("kernel32.dll", "ExitProcess", ExitProcessHook);
}
 
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        hookExitProcess();        
        break;
 
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Mhook

HadesMem

diStorm

EasyHook

Extemory

BlackMagick

WhiteMagick

Trappola

main.cpp
/*
*
*  This file is
*    Copyright (C) 2006-2008 Nektra S.A.
*  
*  This program is free software; you can redistribute it and/or modify
*  it under the terms of the GNU Lesser General Public License as published by
*  the Free Software Foundation; either version 2, or (at your option)
*  any later version.
*  
*  This program is distributed in the hope that it will be useful,
*  but WITHOUT ANY WARRANTY; without even the implied warranty of
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*  GNU General Public License for more details.
*  
*/
#include <Windows.h>
#include <ShlObj.h>
#include <list>
#include "Trappola.h"
 
typedef struct
{
   LPCWSTR module;
   LPCSTR functionName;
   USHORT pmSize;
   LPCVOID handler;
   int flags;
}HookDesc;
typedef yasper::ptr<NktApiHook> ApiHookPtr;
typedef std::list<ApiHookPtr> HookList;
 
void Handler_FindFirstFile(NktHandlerParams*);
void Handler_FindNextFile(NktHandlerParams*);
void InstallHook(const HookDesc&);
std::wstring ToLower(const std::wstring&);
 
HookList g_hookList;
WCHAR g_blockFolder[512] = {0};
WCHAR* g_blockExt[] = { L".exe", L".bat", L".com" };
#define ARRAY_LEN(_array) (sizeof(_array)/sizeof(_array[0]))
#define PARAMS(_c) (sizeof(void*)*_c)
 
HookDesc g_hooksDesc[] = { \
{ L"kernel32.dll", "FindFirstFileExW", PARAMS(6), Handler_FindFirstFile, _call_before},
{ L"kernel32.dll", "FindNextFileW",    PARAMS(2), Handler_FindNextFile,  _call_after }
};
 
/**
This example shows how to prevent access to a certain file or directory. It does this by hooking
FindFirstFile & FindNextFile, and denying its access or completely hiding the unwanted result 
from the caller.
*/
int __stdcall WinMain(IN HINSTANCE hInstance, IN HINSTANCE hPrevInstance, IN LPSTR lpCmdLine, IN int nShowCmd)
{
   HRESULT hRes = SHGetFolderPathW(NULL, CSIDL_PERSONAL, NULL, SHGFP_TYPE_CURRENT, g_blockFolder);
 
   //Install hooks:
   for (int i = ARRAY_LEN(g_hooksDesc)-1; i >= 0; --i)
      InstallHook(g_hooksDesc[i]);
 
   //Start Open dialog
   OPENFILENAME of = {0};
   of.lStructSize = sizeof(of);
   GetOpenFileName(&of);
 
   g_hookList.clear();
   return 0;
}
 
void InstallHook(const HookDesc& desc)
{
   HMODULE hMod = LoadLibraryW(desc.module); _ASSERT(hMod);
   FARPROC proc = GetProcAddress(hMod, desc.functionName); _ASSERT(proc);
 
   NktFunctionWrapper fwFunction(proc, stdcall_, desc.pmSize);
   NktFunctionWrapper fwMyHandler(desc.handler, cdecl_, sizeof(NktHandlerParams*));
 
   ApiHookPtr hook = new NktApiHook(fwFunction, fwMyHandler, desc.flags);
   g_hookList.push_back(hook);
 
   FreeLibrary(hMod);
}
 
void Handler_FindFirstFile(NktHandlerParams* hp)
{
   //Obtain filename from first param:
   LPCWSTR pm1 = *(LPCWSTR*)hp->context.pms;
   std::wstring wstr(pm1);
 
   //If this is the folder we want to hide, deny access to it.
   if (wstr.find(g_blockFolder) != std::wstring::npos)
   {
      hp->iHook->SetLastError(&hp->context, E_ACCESSDENIED);
      hp->iHook->SkipCall(&hp->context, (INT_PTR)INVALID_HANDLE_VALUE);
   }
}
 
void Handler_FindNextFile(NktHandlerParams* hp)
{
   //If the call failed, we are not interested.
   if (hp->context.regs->EAX == 0 || hp->context.regs->lastError == ERROR_NO_MORE_FILES)
      return;
 
   //Obtain handle and find structure
   HANDLE hFindFile = *(HANDLE*)hp->context.pms;
   size_t ppm2 = ((size_t)hp->context.pms + sizeof(HANDLE));
   LPWIN32_FIND_DATAW findData = *(LPWIN32_FIND_DATAW*)ppm2;
 
   //Compare filename with our filters
   std::wstring wstr(ToLower(findData->cFileName));
   bool skip = false;
   for (int i = ARRAY_LEN(g_blockExt)-1; i >= 0 && !skip; --i)
   {
      if (wstr.find(g_blockExt[i]) != std::wstring::npos)
         skip = true;
   }
 
   //Force a new call to hide this one from caller
   if (skip)
   {
      BOOL ret = FindNextFileW(hFindFile, findData);
      DWORD err = GetLastError();
      hp->iHook->SetLastError(&hp->context, err);
      hp->iHook->SetReturnValue(&hp->context, (INT_PTR)ret);
   }
}
 
std::wstring ToLower(const std::wstring& str)
{
   std::wstring ret;
   ret.resize(str.size());
   std::transform(str.begin(), str.end(), ret.begin(), tolower);
   return ret;
}

DynamoRIO