Code:
// C language
#include <windows.h>
#include <stdbool.h>
// Offsets, relative to the cshell.dll base returned by GetModuleHandle in init(),
// of the three call sites that get patched. Presumably tied to one specific build
// of that module (raw image offsets, not exported symbols).
#define CALL1_OFFSET 0xFA782B
#define CALL2_OFFSET 0xFA7A84
#define CALL3_OFFSET 0xFA7B63
//Global variables
// Written by Hook() and read at run time by the CallHookJmpBack trampoline.
// 32-bit addresses (DWORD); one shared pair serves every patched site.
DWORD HookAddr = 0;     // address of hookDeviceIoControl
DWORD JmpBackAddr = 0;  // address of the first instruction after the patched bytes
//Call the hook function and jump back to next instruction
// Trampoline that the patched call sites jump into (see Hook()). It is `naked`,
// so the compiler emits no prologue/epilogue: the body is exactly the two
// instructions below. Both operands are memory indirections through the
// globals, resolved when the instruction executes rather than at assembly
// time, so Hook() must have stored HookAddr/JmpBackAddr before the patched
// site runs. MSVC x86 inline assembly only; not portable to other compilers
// or to x64.
void __declspec(naked) CallHookJmpBack() {
    __asm {
        call [HookAddr];    // indirect call to the replacement function
        jmp [JmpBackAddr];  // resume at the instruction following the patch
    }
}
//Prototypes
bool Hook(void* toHook, void* asmFunc, int len);
//Hack
// Thread body started from DllMain. Patches the three cshell.dll call sites
// given by CALLn_OFFSET, shows a message box, then spins until the INSERT key
// is pressed and unloads this module with FreeLibraryAndExitThread (which does
// not return, hence no trailing return statement).
//
// hModule  handle of this DLL, passed through to FreeLibraryAndExitThread
//
// NOTE(review): Hook()'s return value is never inspected, so the "Hooked"
// message box is shown even if a patch did not take. If cshell.dll is not
// loaded (GetModuleHandle returns NULL) nothing is patched, but the thread
// still blocks on the key poll until INSERT is pressed.
DWORD WINAPI init(HMODULE hModule) {
    enum { PATCH_LEN = 6 };  // bytes replaced at each site, see Hook()
    static const DWORD siteOffsets[] = { CALL1_OFFSET, CALL2_OFFSET, CALL3_OFFSET };
    DWORD moduleBase = (DWORD)GetModuleHandle("cshell.dll");

    if (moduleBase != 0) {
        size_t i;
        for (i = 0; i < sizeof siteOffsets / sizeof siteOffsets[0]; i++) {
            void *site = (void*)(moduleBase + siteOffsets[i]);
            Hook(site, CallHookJmpBack, PATCH_LEN);
        }
        MessageBox(0, "Hooked", "Success", MB_OK);
    }

    // Poll until INSERT has been pressed since the previous call (low bit).
    for (;;) {
        if (GetAsyncKeyState(VK_INSERT) & 1) {
            break;
        }
    }

    FreeLibraryAndExitThread(hModule, 0);
}
//The function to replace the main one with
//The function to replace the main one with
// Replacement reached through the trampoline in place of the original
// DeviceIoControl call. Every argument is forwarded unchanged to the real
// DeviceIoControl, and its result is returned normalised to TRUE/FALSE.
// The planned "[Return fake data]" step is not implemented: the output
// buffer is passed through untouched, so this currently only verifies
// that the redirection works.
BOOL hookDeviceIoControl(
    HANDLE hDevice,
    DWORD dwIoControlCode,
    LPVOID lpInBuffer,
    DWORD nInBufferSize,
    LPVOID lpOutBuffer,
    DWORD nOutBufferSize,
    LPDWORD lpBytesReturned,
    LPOVERLAPPED lpOverlapped
)
{
    BOOL forwarded = DeviceIoControl(hDevice, dwIoControlCode,
                                     lpInBuffer, nInBufferSize,
                                     lpOutBuffer, nOutBufferSize,
                                     lpBytesReturned, lpOverlapped);
    // [Return fake data] -- nothing is altered yet; pass-through only.
    return forwarded ? TRUE : FALSE;
}
// Overwrites the first `len` bytes at `toHook` with a relative jmp to
// `asmFunc` (opcode 0xE9 + rel32, 5 bytes) followed by NOP padding, after
// recording hookDeviceIoControl and the resume address in the globals that
// the trampoline reads.
//
// toHook   first byte of the code being replaced inside the target module
// asmFunc  destination of the jmp (the trampoline)
// len      number of bytes replaced; must be at least 5. The caller is
//          responsible for `len` covering whole instructions at the site.
// Returns FALSE only when len < 5. The two VirtualProtect results are not
// checked, so a failed protection change is not reported and the following
// writes may fault.
//
// NOTE(review): this alters the loaded module's code in memory and
// temporarily sets its pages to PAGE_EXECUTE_READWRITE; both are the
// artifacts an image-integrity or page-protection check would observe.
// 32-bit only (addresses are manipulated as DWORD).
bool Hook(void* toHook, void* asmFunc, int len) {
    enum { JMP_REL32_LEN = 5 };
    BYTE *patch = (BYTE*)toHook;

    if (len < JMP_REL32_LEN) {
        return FALSE;
    }

    // Globals consumed by CallHookJmpBack.
    HookAddr = (DWORD)hookDeviceIoControl;
    JmpBackAddr = (DWORD)toHook + len;

    // rel32 is measured from the end of the 5-byte jmp instruction.
    DWORD rel32 = (DWORD)asmFunc - (DWORD)toHook - JMP_REL32_LEN;

    DWORD oldProtect = 0;
    DWORD ignoredProtect = 0;
    VirtualProtect(toHook, len, PAGE_EXECUTE_READWRITE, &oldProtect);

    memset(patch, 0x90, len);             // NOP-fill the whole replaced range
    patch[0] = 0xE9;                      // jmp rel32
    memcpy(patch + 1, &rel32, sizeof rel32);

    VirtualProtect(toHook, len, oldProtect, &ignoredProtect);
    return TRUE;
}
// DLL entry point. On DLL_PROCESS_ATTACH it starts init() on a new thread
// (DllMain itself must not block); every other notification is ignored.
// The thread handle returned by CreateThread is discarded, never closed.
// lpReserved is unused.
BOOL __stdcall DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) {
    (void)lpReserved;
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)init, hModule, 0, 0);
        break;
    default:
        break;
    }
    return TRUE;
}