ProgrammingClone
diff --git a/‎KernelHooking.sln
Lines changed: 51 additions & 0 deletions b/‎KernelHooking.sln
Lines changed: 51 additions & 0 deletions
diff --git a/‎KernelTrampolineHooking/Common.h
Lines changed: 39 additions & 0 deletions b/‎KernelTrampolineHooking/Common.h
Lines changed: 39 additions & 0 deletions
diff --git a/‎KernelTrampolineHooking/Driver.c
Lines changed: 76 additions & 0 deletions b/‎KernelTrampolineHooking/Driver.c
Lines changed: 76 additions & 0 deletions
diff --git a/‎KernelTrampolineHooking/Driver.h
Lines changed: 11 additions & 0 deletions b/‎KernelTrampolineHooking/Driver.h
Lines changed: 11 additions & 0 deletions
diff --git a/‎KernelTrampolineHooking/Hook.c
Lines changed: 196 additions & 0 deletions b/‎KernelTrampolineHooking/Hook.c
Lines changed: 196 additions & 0 deletions
@@ -0,0 +1,51 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.34601.136
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelTrampolineHooking", "KernelTrampolineHooking\KernelTrampolineHooking.vcxproj", "{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|ARM = Debug|ARM
+		Debug|ARM64 = Debug|ARM64
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|ARM = Release|ARM
+		Release|ARM64 = Release|ARM64
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|ARM.ActiveCfg = Debug|ARM
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|ARM.Build.0 = Debug|ARM
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|ARM.Deploy.0 = Debug|ARM
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|ARM64.Build.0 = Debug|ARM64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|ARM64.Deploy.0 = Debug|ARM64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|x64.ActiveCfg = Debug|x64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|x64.Build.0 = Debug|x64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|x64.Deploy.0 = Debug|x64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|x86.ActiveCfg = Debug|Win32
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|x86.Build.0 = Debug|Win32
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Debug|x86.Deploy.0 = Debug|Win32
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|ARM.ActiveCfg = Release|ARM
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|ARM.Build.0 = Release|ARM
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|ARM.Deploy.0 = Release|ARM
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|ARM64.ActiveCfg = Release|ARM64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|ARM64.Build.0 = Release|ARM64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|ARM64.Deploy.0 = Release|ARM64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|x64.ActiveCfg = Release|x64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|x64.Build.0 = Release|x64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|x64.Deploy.0 = Release|x64
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|x86.ActiveCfg = Release|Win32
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|x86.Build.0 = Release|Win32
+		{47B8C5F8-9DDA-4C1B-91EC-C9149B13393A}.Release|x86.Deploy.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {24376BC5-265C-4ADD-85D2-6316A4748B81}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,39 @@
+#pragma once
+
+#ifndef Common_H
+#define Common_H
+
+#include <ntifs.h>
+#include <ntddk.h>
+#include <wdm.h> 
+#include <wdf.h>
+
+#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)
+
+typedef struct _SYSTEM_BASIC_INFORMATION {
+    ULONG Reserved;
+    ULONG TimerResolution;
+    ULONG PageSize;
+    ULONG NumberOfPhysicalPages;
+    ULONG LowestPhysicalPageNumber;
+    ULONG HighestPhysicalPageNumber;
+    ULONG AllocationGranularity;
+    ULONG MinimumUserModeAddress;
+    ULONG MaximumUserModeAddress;
+    KAFFINITY ActiveProcessorsAffinityMask;
+    UCHAR NumberOfProcessors;  // This is the field we will modify
+} SYSTEM_BASIC_INFORMATION, * PSYSTEM_BASIC_INFORMATION;
+
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+    SystemBasicInformation = 0,
+    // Theres a lot more of these but I deleted them to save space since we wont be using them
+} SYSTEM_INFORMATION_CLASS;
+
+
+typedef NTSTATUS(*NtQuerySystemInformation_t)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
+
+
+KEVENT HookConfiguredEvent; // Used to prevent other threads from using the function we are hooking while making the hook
+
+#endif // Common_H
@@ -0,0 +1,76 @@
+#include "Driver.h"
+#include "Queue.h"
+#include "Hook.h"
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, DriverEntry)  // After DriverEntry runs all code denoted by 'INIT' will be discarded
+#pragma alloc_text (PAGE, DriverUnload) // 'PAGE' means this code section can be paged out while we are waiting for it to run (only works at IRQL of 0 aka Passive Level)
+#endif;
+
+
+NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
+    UNREFERENCED_PARAMETER(RegistryPath);
+
+    WDF_OBJECT_ATTRIBUTES deviceAttributes;
+    WDF_DRIVER_CONFIG config;
+    WDFDRIVER driver;
+    NTSTATUS status;
+
+    // Initlaize the global fields in our header files
+    myTrampolineMemory = NULL;
+    myTrampolineMDL = NULL;
+    myTrampoline = NULL;
+    gDevice = NULL;
+    KeInitializeEvent(&HookConfiguredEvent, NotificationEvent, FALSE);
+
+    DECLARE_CONST_UNICODE_STRING(ntDeviceName, NTDEVICE_NAME);
+    WDF_DRIVER_CONFIG_INIT(&config, WDF_NO_EVENT_CALLBACK);
+
+    if (!NT_SUCCESS(status = WdfDriverCreate(DriverObject, RegistryPath, WDF_NO_OBJECT_ATTRIBUTES, &config, &driver))) {
+        DebugMessage("WdfDriverCreate failed: 0x%x\n", status);
+        return status;
+    }
+
+    PWDFDEVICE_INIT pDeviceInit = WdfControlDeviceInitAllocate(driver, &SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW_RES_R);
+    if (pDeviceInit == NULL) {
+        DebugMessage("WdfControlDeviceInitAllocate failed\n");
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+
+    WdfDeviceInitSetExclusive(pDeviceInit, TRUE); // Ensure we are the only queue for this device
+
+    if (!NT_SUCCESS(status = WdfDeviceInitAssignName(pDeviceInit, &ntDeviceName))) {
+        DebugMessage("Failed to create symbolic link: 0x%x\n", status);
+        WdfDeviceInitFree(pDeviceInit);
+        return status;
+    }
+
+    WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttributes, DEVICE_EXTENSION);
+
+    if (!NT_SUCCESS(status = WdfDeviceCreate(&pDeviceInit, &deviceAttributes, &gDevice)) || gDevice == NULL) { // This will auto handle freeing 'pDeviceInit'
+        DebugMessage("WdfDeviceCreate failed: 0x%x\n", status);
+        return status;
+    }
+
+    UCHAR cores = QueryProcessorCount(8); // You can change this default value if you would like
+    DebugMessage("Starting CoreCount: %lu \n", cores);
+
+    PDEVICE_EXTENSION deviceExtension = GetDeviceExtension(gDevice);
+    deviceExtension->CoreCount = cores;
+
+    if (!NT_SUCCESS(status = QueueInitialize(gDevice))) { // Initialize the IOCTL queue
+        DebugMessage("Queue initialization failed: 0x%x\n", status);
+        return status;
+    }
+
+    DriverObject->DriverUnload = DriverUnload; // Lastly, register our unload function
+    return STATUS_SUCCESS;
+}
+
+
+VOID DriverUnload(PDRIVER_OBJECT DriverObject) {
+    UNREFERENCED_PARAMETER(DriverObject);
+    PAGED_CODE();
+
+    RemoveHook();
+}
@@ -0,0 +1,11 @@
+#pragma once
+
+#ifndef Driver_H
+#define Driver_H
+
+#include "Common.h"
+
+VOID DriverUnload(PDRIVER_OBJECT DriverObject);
+DRIVER_INITIALIZE DriverEntry;
+
+#endif // Driver_H
@@ -0,0 +1,196 @@
+#include "Hook.h"
+#include "Queue.h"
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, RemoveHook)
+#endif;
+
+#define TRAMPOLINE_SIZE 32 // Extra bytes are added for alignment
+
+NTSTATUS HookedNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength) {
+    NTSTATUS status = STATUS_SUCCESS;
+    __try {
+        // Wait for the event to be signaled, with an optional timeout if desired
+        KeWaitForSingleObject(&HookConfiguredEvent, Executive, KernelMode, FALSE, NULL);
+
+        if (myTrampoline == NULL) {
+            return STATUS_UNSUCCESSFUL;
+        }
+
+        status = ((NtQuerySystemInformation_t)myTrampoline)(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
+
+        if (NT_SUCCESS(status) && gDevice != NULL) {
+            PDEVICE_EXTENSION deviceExtension = GetDeviceExtension(gDevice);
+
+            if (SystemInformationClass == SystemBasicInformation && deviceExtension->CoreCount > 0 && deviceExtension->CoreCount <= 128) {
+                PSYSTEM_BASIC_INFORMATION pInfo = (PSYSTEM_BASIC_INFORMATION)SystemInformation;
+                pInfo->NumberOfProcessors = deviceExtension->CoreCount;
+            }
+        }
+    }
+    __except (EXCEPTION_EXECUTE_HANDLER) {
+        NTSTATUS exceptionCode = GetExceptionCode();
+        DebugMessage("Exception occurred in HookedNtQuerySystemInformation: 0x%x\n", exceptionCode);
+    }
+
+    return status;
+}
+
+
+
+static VOID PrintFunctionBytes(PVOID address, SIZE_T size) {
+    PUCHAR bytePtr = (PUCHAR)address;
+    DebugMessage("First %Iu bytes at address %p:\n", size, address);
+    for (SIZE_T i = 0; i < size; i++) {
+        DebugMessage("0x%02X ", bytePtr[i]);
+    }
+    DebugMessage("\n");
+}
+
+static PVOID AllocateAlignedExecutableMemory(SIZE_T size, ULONG tag) {
+    PVOID alignedMemory = NULL;
+    ULONG_PTR alignedSize = (size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);  // Round up to page size
+
+    // Allocate the memory, ensuring it’s executable and cache-aligned
+    alignedMemory = ExAllocatePoolWithTag(NonPagedPoolExecute, alignedSize, tag);
+    if (alignedMemory == NULL) {
+        return NULL;
+    }
+
+    // Ensure it’s aligned to a page boundary
+    if ((ULONG_PTR)alignedMemory % PAGE_SIZE != 0) {
+        ExFreePool(alignedMemory);
+        alignedMemory = ExAllocatePoolWithTag(NonPagedPoolExecute | POOL_COLD_ALLOCATION, alignedSize, tag);
+    }
+    return alignedMemory;
+}
+
+static VOID WriteToReadOnlyMemory(PVOID target, PVOID source, SIZE_T size) {
+    PMDL mdl = IoAllocateMdl(target, (ULONG)size, FALSE, FALSE, NULL);
+
+    if (mdl == NULL) {
+        DebugMessage("Failed to allocate MDL\n");
+        return;
+    }
+
+    MmBuildMdlForNonPagedPool(mdl); // Builds the MDL for the given non-paged memory.
+
+    __try {
+        PVOID mappedAddress = MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
+
+        if (mappedAddress != NULL) {
+            RtlCopyMemory(mappedAddress, source, size);
+            MmUnmapLockedPages(mappedAddress, mdl);
+        }
+    }
+    __except (EXCEPTION_EXECUTE_HANDLER) {
+        NTSTATUS exceptionCode = GetExceptionCode();
+        DebugMessage("Exception occurred while writing to read-only memory: 0x%x\n", exceptionCode);
+    }
+
+    IoFreeMdl(mdl);
+}
+
+
+VOID InstallHook() {
+    const UCHAR bytesRemoved = 12;
+
+    // Get the address of NtQuerySystemInformation
+    UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"NtQuerySystemInformation");
+    OriginalNtQuerySystemInformation = (NtQuerySystemInformation_t)MmGetSystemRoutineAddress(&routineName);
+
+    if (OriginalNtQuerySystemInformation) {
+        // Allocate memory for the trampoline using an MDL for cross-context access
+        myTrampolineMemory = AllocateAlignedExecutableMemory(TRAMPOLINE_SIZE, 'Hook');
+        if (myTrampolineMemory == NULL) {
+            DebugMessage("Failed to allocate trampoline memory\n");
+            return;
+        }
+
+        // Create an MDL to describe trampolineMemory
+        myTrampolineMDL = IoAllocateMdl(myTrampolineMemory, TRAMPOLINE_SIZE, FALSE, FALSE, NULL);
+        if (myTrampolineMDL == NULL) {
+            ExFreePool(myTrampolineMemory);
+            myTrampolineMemory = NULL;
+            DebugMessage("Failed to allocate MDL for trampoline\n");
+            return;
+        }
+
+        // Map the MDL pages for trampolineMemory
+        MmBuildMdlForNonPagedPool(myTrampolineMDL);
+        MmProtectMdlSystemAddress(myTrampolineMDL, PAGE_EXECUTE_READWRITE);  // Set execute, read, and write permissions
+        myTrampoline = MmMapLockedPagesSpecifyCache(myTrampolineMDL, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority);
+
+        if (myTrampoline == NULL) {
+            ExFreePool(myTrampolineMemory);
+            IoFreeMdl(myTrampolineMDL);
+            DebugMessage("Failed to map trampoline pages\n");
+            return;
+        }
+
+        ULONGLONG offsetBackToOriginal = (ULONGLONG)((uintptr_t)(PUCHAR)OriginalNtQuerySystemInformation + bytesRemoved);
+
+        RtlZeroMemory(myTrampoline, TRAMPOLINE_SIZE); // Clear the trampoline memory to avoid unexpected execution of the last unused bytes
+        RtlCopyMemory(myTrampoline, (PVOID)OriginalNtQuerySystemInformation, bytesRemoved); // Copy the first bytes from NtQuerySystemInformation to trampoline
+
+         // MOV REX, offsetBackToOriginal -> <OriginalNtQuerySystemInformation>
+        *((PUCHAR)myTrampoline + bytesRemoved) = 0x48;      // REX
+        *((PUCHAR)myTrampoline + bytesRemoved + 1) = 0xB8;  // mov
+        *((ULONGLONG*)((PUCHAR)myTrampoline + bytesRemoved + 2)) = offsetBackToOriginal; // mov (8 bytes)
+
+        // Indrect JMP to RAX aka `offsetBackToOriginal` (we cant use 0xE9 since that is a relative jump and only works in an address space of 32 bit)
+        *((PUCHAR)myTrampoline + bytesRemoved + 10) = 0xFF;
+        *((PUCHAR)myTrampoline + bytesRemoved + 11) = 0xE0;
+
+
+        // Define the new jump instruction to `HookedNtQuerySystemInformation`
+        UCHAR jump[12] = { 0 };
+
+        // Step 1: MOV RAX, <HookedNtQuerySystemInformation>
+        jump[0] = 0x48;   // REX prefix for 64-bit operand
+        jump[1] = 0xB8;   // Opcode for `mov rax, <64-bit immediate>`
+        *((ULONGLONG*)(jump + 2)) = (ULONGLONG)HookedNtQuerySystemInformation; // 64-bit address to jump to
+
+        // Step 2: JMP RAX (indirect jump)
+        jump[10] = 0xFF;  // Opcode for indirect jump
+        jump[11] = 0xE0;  // ModR/M byte for `jmp rax`
+
+        // Apply the hook by writing the jump instruction at the start of NtQuerySystemInformation
+        WriteToReadOnlyMemory((PVOID)OriginalNtQuerySystemInformation, jump, sizeof(jump));
+        KeInvalidateAllCaches();
+
+        // Signal the event to indicate hook configuration is complete
+        KeSetEvent(&HookConfiguredEvent, 0, FALSE);
+    }
+    else {
+        DebugMessage("Failed to retrieve address for NtQuerySystemInformation\n");
+    }
+}
+
+
+VOID RemoveHook() {
+    PAGED_CODE();
+
+    if (myTrampoline) {
+        KeClearEvent(&HookConfiguredEvent); // make our hook wait while we change its code
+
+        if (myTrampoline != NULL) {
+            WriteToReadOnlyMemory((PVOID)OriginalNtQuerySystemInformation, myTrampoline, 6); // Restore the original bytes in NtQuerySystemInformation
+            ExFreePoolWithTag(myTrampoline, 'Hook');
+            myTrampoline = NULL;
+        }
+
+        if (myTrampolineMemory != NULL) {
+            ExFreePool(myTrampolineMemory);
+            myTrampolineMemory = NULL;
+        }
+
+        if (myTrampolineMDL != NULL) {
+            IoFreeMdl(myTrampolineMDL);
+            myTrampolineMDL = NULL;
+        }
+
+        DebugMessage("NtQuerySystemInformation unhooked successfully\n");
+        KeSetEvent(&HookConfiguredEvent, 0, FALSE); // Let any threads stuck on waiting continue but exit with STATUS_UNSUCCESSFUL
+    }
+}