everdox / infinityhook
Hook system calls, context switches, page faults and more.
I used the Dependency Walker to check that there was nothing missing. What do I need to do?
Hey everyone, do you guys have any idea why routines with no In or Out don't have pointers?
E.g.: NtQueryMultipleValueKey
Edit: Is there any way to hook those although they are not in ntoskrnl?
Thanks.
Excuse me, can this hook many functions? It still can only hook one function, thanks!
InfinityHook/src/libinfinityhook/mm.cpp, line 37 in b4ee7cf:
for (size_t i = 0; i < (SizeOfBuffer - SizeOfSignature); ++i)
should be
for (size_t i = 0; i < (SizeOfBuffer - SizeOfSignature) + 1; ++i)
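A standalone illustration of the loop-bound point raised above (an added example, not the project's mm.cpp): the same byte-pattern scan written with the reported bound and with the corrected one, run over a constructed buffer whose only match starts at the last valid offset. The pattern/mask convention (a 0x00 mask byte marks a wildcard) is assumed here.

```cpp
#include <cstddef>
#include <cstdint>

constexpr size_t NOT_FOUND = static_cast<size_t>(-1);

// Compare Signature against Buffer at Offset. A 0x00 in Mask marks a wildcard
// byte that is skipped (a common pattern/mask convention; assumed here).
static bool MatchesAt(const uint8_t* Buffer, size_t Offset,
                      const uint8_t* Signature, const uint8_t* Mask,
                      size_t SizeOfSignature)
{
    for (size_t j = 0; j < SizeOfSignature; ++j)
        if (Mask[j] != 0 && Buffer[Offset + j] != Signature[j])
            return false;
    return true;
}

// Loop bound as reported in the issue: the last candidate offset
// (SizeOfBuffer - SizeOfSignature) is never tested.
size_t ScanBuggy(const uint8_t* Buffer, size_t SizeOfBuffer,
                 const uint8_t* Signature, const uint8_t* Mask, size_t SizeOfSignature)
{
    if (SizeOfSignature == 0 || SizeOfSignature > SizeOfBuffer) return NOT_FOUND; // no size_t underflow
    for (size_t i = 0; i < (SizeOfBuffer - SizeOfSignature); ++i)
        if (MatchesAt(Buffer, i, Signature, Mask, SizeOfSignature)) return i;
    return NOT_FOUND;
}

// Corrected bound: candidate offsets 0 .. SizeOfBuffer - SizeOfSignature, inclusive.
size_t ScanFixed(const uint8_t* Buffer, size_t SizeOfBuffer,
                 const uint8_t* Signature, const uint8_t* Mask, size_t SizeOfSignature)
{
    if (SizeOfSignature == 0 || SizeOfSignature > SizeOfBuffer) return NOT_FOUND;
    for (size_t i = 0; i <= SizeOfBuffer - SizeOfSignature; ++i)
        if (MatchesAt(Buffer, i, Signature, Mask, SizeOfSignature)) return i;
    return NOT_FOUND;
}

// Constructed sample: 12 bytes of 0x90 filler followed by the 4-byte pattern,
// so the only match starts at offset 12, the last valid position.
static const uint8_t kBuffer[16] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
                                    0x90, 0x90, 0x90, 0x90, 0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t kSig[4]  = {0xAA, 0x00, 0xCC, 0xDD};
static const uint8_t kMask[4] = {1, 0, 1, 1};   // second byte is a wildcard

size_t DemoBuggy() { return ScanBuggy(kBuffer, sizeof kBuffer, kSig, kMask, sizeof kSig); }
size_t DemoFixed() { return ScanFixed(kBuffer, sizeof kBuffer, kSig, kMask, sizeof kSig); }
```

DemoBuggy() misses the pattern and returns NOT_FOUND, while DemoFixed() returns 12.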
Would you like to restore _WMI_LOGGER_CONTEXT::GetCpuClock in IfhRelease as a complete release?
I haven't tried it yet, but is there a need to scan the stack for INFINITYHOOK_MAGIC_1 and INFINITYHOOK_MAGIC_2 every time a syscall is entered? AFAIK it hurts performance to some extent. Or maybe, when entering KiSystemCall64, the address of [rsp+138h+Var_f8] is a fixed offset from PVOID* StackMax = (PVOID*)__readgsqword(OFFSET_KPCR_RSP_BASE).
After I repeatedly load and unload the driver, I get a bugcheck with code 0xCE.
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x000000ce
(0xFFFFF8009EFD11AB,0x0000000000000010,0xFFFFF8009EFD11AB,0x0000000000000000)
Driver at fault: kinfinityhook.sys.
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows 7 16299 x64 target at (Sun Jul 28 07:32:08.851 2019 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..........................................
Loading User Symbols
...............................................
Loading unloaded module list
................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck CE, {fffff8009efd11ab, 10, fffff8009efd11ab, 0}
Probably caused by : kinfinityhook.sys ( kinfinityhook+11ab )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
0010:fffff800`9f7ffc60 cc int 3
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: fffff8009efd11ab, memory referenced
Arg2: 0000000000000010, value 0 = read operation, 1 = write operation
Arg3: fffff8009efd11ab, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, Mm internal code.
Debugging Details:
------------------
WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
fffff8009efd11ab
FAULTING_IP:
kinfinityhook+11ab
0010:fffff800`9efd11ab ?? ???
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xCE
PROCESS_NAME: DeviceCensus.e
CURRENT_IRQL: 2
TRAP_FRAME: ffffa58467b877f0 -- (.trap 0xffffa58467b877f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffa88ae8c8b370
rdx=ffffa88aec8f36c0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8009efd11ab rsp=ffffa58467b87980 rbp=ffffa58467b87b00
r8=ffffa88aec8f36c0 r9=ffff93015e4c0180 r10=fffff8009fa2fb00
r11=ffffa88ae8c8b370 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
<Unloaded_kinfinityhook.sys>+0x11ab:
0010:fffff800`9efd11ab ?? ???
Resetting default scope
IP_MODULE_UNLOADED:
kinfinityhook+11ab
0010:fffff800`9efd11ab ?? ???
LAST_CONTROL_TRANSFER: from fffff8009f895782 to fffff8009f7ffc60
STACK_TEXT:
ffffa584`67b86da8 fffff800`9f895782 : fffff800`9efd11ab ffffa88a`ebba0480 ffffa584`67b86f10 fffff800`9f7c0760 : nt!RtlpBreakWithStatusInstruction
ffffa584`67b86db0 fffff800`9f895007 : 00000000`00000003 ffffa584`67b86f10 fffff800`9f808010 ffffa584`67b87470 : nt!KiBugCheckDebugBreak+0x12
ffffa584`67b86e10 fffff800`9f7fa1e7 : 00000000`00000040 ffffa88a`ec8f3880 00000000`00000000 fffff800`9fb98a48 : nt!KeBugCheck2+0x937
ffffa584`67b87530 fffff800`9f839409 : 00000000`00000050 fffff800`9efd11ab 00000000`00000010 ffffa584`67b877f0 : nt!KeBugCheckEx+0x107
ffffa584`67b87570 fffff800`9f705777 : 00000000`00000010 fffff800`9efd11ab ffffa584`67b877f0 ffffa584`67b87710 : nt!MiSystemFault+0x1167e9
ffffa584`67b87610 fffff800`9f803c72 : ffffa88a`e8047dd0 ffffa584`67b877a8 00000000`00000000 ffffa584`67b87838 : nt!MmAccessFault+0xae7
ffffa584`67b877f0 fffff800`9efd11ab : 00000000`00000000 00007ffd`5c443900 fffff800`00000f4d ffffa584`656e6f4e : nt!KiPageFault+0x132
ffffa584`67b87980 00000000`00000000 : 00007ffd`5c443900 fffff800`00000f4d ffffa584`656e6f4e 00000000`00000000 : <Unloaded_kinfinityhook.sys>+0x11ab
STACK_COMMAND: kb
FOLLOWUP_IP:
kinfinityhook+11ab
0010:fffff800`9efd11ab ?? ???
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: kinfinityhook+11ab
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: kinfinityhook
IMAGE_NAME: kinfinityhook.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: X64_0xCE_kinfinityhook+11ab
BUCKET_ID: X64_0xCE_kinfinityhook+11ab
Followup: MachineOwner
---------
I found through IDA that kinfinityhook+0x11ab points to add rsp, 78h in DetourNtCreateFile.
So I guess it may be that after the driver is unloaded, DetourNtCreateFile isn't done yet.
Perhaps you should add a mutex to the SyscallStub, DetourNtCreateFile and DriverUnload routines.
Thanks for reading.
Hello, will it be able to hook Mm functions? What code do I need to change?
Hi, I am learning this source and trying to hook ZwQueryInformationThread and NtGetContextThread like this:
if (*SystemCallFunction == pfn_ZwQueryInformationThread )
{
DPRINT("pfn_ZwQueryInformationThread! \n");
*SystemCallFunction = MyZwQueryInformationThread;
}
if (*SystemCallFunction == pfn_NtGetContextThread)
{
DPRINT("pfn_NtGetContextThread! \n");
*SystemCallFunction = MyNtGetContextThread;
}
but it looks like my hook function never gets called.
Did I screw something up? I have no idea.
sc_name = BuildNumber == 7600 ? ".rdata" : ".data";
PVOID SectionBase = ImgGetImageSection(NtBaseAddress, sc_name, &SizeOfSection);
Win10:
http://prntscr.com/ohxvlz
Win7 7600:
http://prntscr.com/ohxvsb
Thanks in advance for your answer.
The clock interrupt sometimes happens when you execute a long piece of code.
It will dispatch DPCs, which may cause the kernel thread stack to be swapped to a new one.
This happens frequently when you enable more than one kernel ETW event.
As the screenshot shows,
if you walk the stack from &retaddr (ffffec80'a19fe3c0) to RspBase (ffffec80'9e630010) you will hit invalid memory at ffffec80'9e63fb0 or ffffec80'a19fdf40, depending on which direction you stack-walk from.
According to RtlWalkFrameChain from wrk1.2, we should call IoGetStackLimit to get the correct thread stack limit so we can stack-walk without invalid memory access.
SAD NEWS: The GetCpuClock hook has been patched by M1CR0$0FT since 18950; a GetCpuClock value other than [0, 1, 2, 3] now causes a KERNEL_SECURITY_CHECK_FAILURE BugCheck.
Buffer leaks in a successful path of ImgGetBaseAddress.
Are you going to provide advice on stopping anti-cheats using this? 5E is using it, which seems a disgrace to me. Thx
1: kd> dt nt!_WMI_LOGGER_CONTEXT ffffcb03`f9b0c4c0
+0x000 LoggerId : 2
+0x004 BufferSize : 0x1000
+0x008 MaximumEventSize : 0xfb8
+0x00c LoggerMode : 0x2800480
+0x010 AcceptNewEvents : 0n0
+0x014 EventMarker : [2] 0xc0130000
+0x01c ErrorMarker : 0xc00d0000
+0x020 SizeMask : 0xffff
+0x028 GetCpuClock : 3 // is not a function address
Not sure, but while taking a first look into the crashdump, it looks like a stack overflow in IfhInitialize.
Crashdump: https://file.io/UPNyTka2KYKL
I have used your example sys on Windows 7, version 6.1.7601.17514,
but there was an error: 127
Reason: cannot find function ZwTraceControl
When I load the driver I get a BSOD caused by Security Check Failure.
Can someone please point me to a newer method to mitigate this when hooking a function?
I'm running Windows 10 v.1941
I tried to compile this and it does not work, please help me, I'm a Chinese coder.
Edit: How do I compile a .md file?