infinityhook's Issues

No Address for specific system routines

Hey everyone, do you guys have any idea why routines with no In or Out don't have pointers?

Eg.: NtQueryMultipleValueKey

Edit: Any way to hook those although they are not in ntoskrnl?

Thanks.

hello~~

Excuse me, can this hook many functions? Still can only hook one function, thanks!

Some tips to optimize the library

Would you like to restore _WMI_LOGGER_CONTEXT::GetCpuClock in IfhRelease as a complete release?

I haven't tried yet, though: is there a need to scan the stack for INFINITYHOOK_MAGIC_1 / INFINITYHOOK_MAGIC_2 every time a syscall is entered? AFAIK it hurts performance to some extent. Or maybe, when entering KiSystemCall64, the address of [rsp+138h+Var_f8] is a fixed offset from PVOID* StackMax = (PVOID*)__readgsqword(OFFSET_KPCR_RSP_BASE).

Unloading the driver sometimes causes a bugcheck.

After I repeatedly load and unload the driver, I get a bugcheck with code 0xCE.

[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x000000ce
                       (0xFFFFF8009EFD11AB,0x0000000000000010,0xFFFFF8009EFD11AB,0x0000000000000000)

Driver at fault: kinfinityhook.sys.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 16299 x64 target at (Sun Jul 28 07:32:08.851 2019 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..........................................
Loading User Symbols
...............................................
Loading unloaded module list
................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck CE, {fffff8009efd11ab, 10, fffff8009efd11ab, 0}

Probably caused by : kinfinityhook.sys ( kinfinityhook+11ab )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
0010:fffff800`9f7ffc60 cc              int     3
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: fffff8009efd11ab, memory referenced
Arg2: 0000000000000010, value 0 = read operation, 1 = write operation
Arg3: fffff8009efd11ab, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, Mm internal code.

Debugging Details:
------------------


WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 fffff8009efd11ab 

FAULTING_IP: 
kinfinityhook+11ab
0010:fffff800`9efd11ab ??              ???

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xCE

PROCESS_NAME:  DeviceCensus.e

CURRENT_IRQL:  2

TRAP_FRAME:  ffffa58467b877f0 -- (.trap 0xffffa58467b877f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffa88ae8c8b370
rdx=ffffa88aec8f36c0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8009efd11ab rsp=ffffa58467b87980 rbp=ffffa58467b87b00
 r8=ffffa88aec8f36c0  r9=ffff93015e4c0180 r10=fffff8009fa2fb00
r11=ffffa88ae8c8b370 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
<Unloaded_kinfinityhook.sys>+0x11ab:
0010:fffff800`9efd11ab ??              ???
Resetting default scope

IP_MODULE_UNLOADED: 
kinfinityhook+11ab
0010:fffff800`9efd11ab ??              ???

LAST_CONTROL_TRANSFER:  from fffff8009f895782 to fffff8009f7ffc60

STACK_TEXT:  
ffffa584`67b86da8 fffff800`9f895782 : fffff800`9efd11ab ffffa88a`ebba0480 ffffa584`67b86f10 fffff800`9f7c0760 : nt!RtlpBreakWithStatusInstruction
ffffa584`67b86db0 fffff800`9f895007 : 00000000`00000003 ffffa584`67b86f10 fffff800`9f808010 ffffa584`67b87470 : nt!KiBugCheckDebugBreak+0x12
ffffa584`67b86e10 fffff800`9f7fa1e7 : 00000000`00000040 ffffa88a`ec8f3880 00000000`00000000 fffff800`9fb98a48 : nt!KeBugCheck2+0x937
ffffa584`67b87530 fffff800`9f839409 : 00000000`00000050 fffff800`9efd11ab 00000000`00000010 ffffa584`67b877f0 : nt!KeBugCheckEx+0x107
ffffa584`67b87570 fffff800`9f705777 : 00000000`00000010 fffff800`9efd11ab ffffa584`67b877f0 ffffa584`67b87710 : nt!MiSystemFault+0x1167e9
ffffa584`67b87610 fffff800`9f803c72 : ffffa88a`e8047dd0 ffffa584`67b877a8 00000000`00000000 ffffa584`67b87838 : nt!MmAccessFault+0xae7
ffffa584`67b877f0 fffff800`9efd11ab : 00000000`00000000 00007ffd`5c443900 fffff800`00000f4d ffffa584`656e6f4e : nt!KiPageFault+0x132
ffffa584`67b87980 00000000`00000000 : 00007ffd`5c443900 fffff800`00000f4d ffffa584`656e6f4e 00000000`00000000 : <Unloaded_kinfinityhook.sys>+0x11ab


STACK_COMMAND:  kb

FOLLOWUP_IP: 
kinfinityhook+11ab
0010:fffff800`9efd11ab ??              ???

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  kinfinityhook+11ab

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: kinfinityhook

IMAGE_NAME:  kinfinityhook.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  X64_0xCE_kinfinityhook+11ab

BUCKET_ID:  X64_0xCE_kinfinityhook+11ab

Followup: MachineOwner
---------

I found through IDA that kinfinityhook+0x11ab points to add rsp, 78h in DetourNtCreateFile.

So I guess it may be that after the driver is unloaded, DetourNtCreateFile isn't done yet.
Perhaps you should add a mutex to the SyscallStub, DetourNtCreateFile and DriverUnload routines.
Thanks for reading.
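The 0xCE report above is a lifetime problem rather than a logic bug: DriverUnload let the image be freed while a detour was still executing, so the detour's epilogue ran from an unmapped page. The pattern that prevents it is rundown protection, which a WDM driver gets from ExInitializeRundownProtection / ExAcquireRundownProtection / ExReleaseRundownProtection / ExWaitForRundownProtectionRelease. The following is an added example, not code from the infinityhook project; it models that handshake in portable C11 atomics so it can be compiled and run in user mode, and the type and function names (rundown_t, rundown_acquire, scenario_*) are hypothetical.

```c
/* Added example (not from the infinityhook project): a minimal rundown
 * counter showing why DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
 * (bugcheck 0xCE) happens and how a driver avoids it. Kernel drivers use
 * Ex*RundownProtection* for this; here the same counter is built from C11
 * atomics. Build: cc -std=c11 -o rundown rundown.c */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical driver state: in-flight callbacks plus an unloading flag. */
typedef struct {
    atomic_int  active;     /* callbacks currently executing (any CPU) */
    atomic_bool unloading;  /* set once DriverUnload has begun */
} rundown_t;

void rundown_init(rundown_t *r) {
    atomic_init(&r->active, 0);
    atomic_init(&r->unloading, false);
}

/* Entry of every hook/callback. Returns false if teardown has started; the
 * caller must then forward to the original routine without touching driver
 * memory. Increment-then-check (seq_cst) pairs with store-then-load in
 * rundown_begin_unload, so the two sides cannot both succeed. */
bool rundown_acquire(rundown_t *r) {
    atomic_fetch_add(&r->active, 1);
    if (atomic_load(&r->unloading)) {
        atomic_fetch_sub(&r->active, 1);  /* lost the race: back out */
        return false;
    }
    return true;
}

void rundown_release(rundown_t *r) {
    atomic_fetch_sub(&r->active, 1);
}

/* From DriverUnload, before anything is freed. Flags the object as unloading
 * and reports whether all in-flight callbacks have drained. A kernel driver
 * blocks here (ExWaitForRundownProtectionRelease); this model just returns
 * the state so scenarios can be checked. */
bool rundown_begin_unload(rundown_t *r) {
    atomic_store(&r->unloading, true);
    return atomic_load(&r->active) == 0;
}

/* The situation in the bug report: DriverUnload begins while a detour is
 * still running. Unload must not complete until that detour releases, and a
 * call arriving after the flag is set must be refused. */
bool scenario_unload_during_callback(void) {
    rundown_t r;
    rundown_init(&r);
    bool in_hook   = rundown_acquire(&r);       /* detour is executing   */
    bool drained   = rundown_begin_unload(&r);  /* DriverUnload starts   */
    bool late_hook = rundown_acquire(&r);       /* new call after flag   */
    rundown_release(&r);                        /* first detour finishes */
    bool now_drained = atomic_load(&r.active) == 0;
    return in_hook && !drained && !late_hook && now_drained;
}

/* Clean case: nothing in flight, unload may proceed at once and every later
 * entry is refused. */
bool scenario_clean_unload(void) {
    rundown_t r;
    rundown_init(&r);
    bool drained = rundown_begin_unload(&r);
    bool refused = !rundown_acquire(&r);
    return drained && refused;
}

int main(void) {
    printf("unload during callback handled: %s\n",
           scenario_unload_during_callback() ? "yes" : "no");
    printf("clean unload handled: %s\n",
           scenario_clean_unload() ? "yes" : "no");
    return 0;
}
```

The check in rundown_acquire, together with the store/load order in rundown_begin_unload, is what makes the counter safe without a lock: either the unloader sees the incremented count and waits, or the callback sees the flag and backs out. A plain mutex around the detour would also work but would serialize every hooked syscall.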

about ZwQueryInformationThread and NtGetContextThread

Hi, I am learning this source and trying to hook ZwQueryInformationThread and NtGetContextThread like this:

	if (*SystemCallFunction == pfn_ZwQueryInformationThread)
	{
		DPRINT("pfn_ZwQueryInformationThread! \n");
		*SystemCallFunction = MyZwQueryInformationThread;
	}
	if (*SystemCallFunction == pfn_NtGetContextThread)
	{
		DPRINT("pfn_NtGetContextThread! \n");
		*SystemCallFunction = MyNtGetContextThread;
	}

But it looks like my hook function never gets called.
Did I screw up something? I have no idea.

It is NOT safe to walk stack through RspBase

The clock interrupt sometimes happens when you execute a long piece of code.
It will dispatch DPCs, which may cause the kernel thread stack to be swapped to a new one.
This happens frequently when you enable more than one kernel ETW event.

As the screenshot reads,
if you walk the stack from &retaddr (ffffec80'a19fe3c0) to RspBase (ffffec80'9e630010) you will hit invalid memory at ffffec80'9e63fb0 or ffffec80'a19fdf40, depending on which direction you stack-walk from.
According to RtlWalkFrameChain from wrk1.2, we should call IoGetStackLimit to get correct thread stack limit to stack-walk without invalid memory access.

SAD NEWS: The GetCpuClock hook has been patched by M1CR0$0FT since 18950, the GetCpuClock
value other than [0, 1, 2, 3] would cause KERNEL_SECURITY_CHECK_FAILURE BugCheck now.


5ewin using infinity

Are you going to provide advice on stopping anti cheats using this? 5e are using it which seems a disgrace to me. Thx

Win10 19041 fail

1: kd> dt nt!_WMI_LOGGER_CONTEXT ffffcb03`f9b0c4c0
+0x000 LoggerId : 2
+0x004 BufferSize : 0x1000
+0x008 MaximumEventSize : 0xfb8
+0x00c LoggerMode : 0x2800480
+0x010 AcceptNewEvents : 0n0
+0x014 EventMarker : [2] 0xc0130000
+0x01c ErrorMarker : 0xc00d0000
+0x020 SizeMask : 0xffff
+0x028 GetCpuClock : 3 //is not a function address

Cannot run on Win7 6.1.7601.17514

I have used your example .sys on Windows 7 version 6.1.7601.17514,
but there was an error: 127.
Reason: cannot find function ZwTraceControl.

It's not working

I tried to compile this and it did not work. Help me please, I'm a Chinese coder.

Edit: How do I compile .md file
