#include "ProjectMain.h"
#include "DynamicWinapi.h"
#include "XOR.h"
#include "ApiHooks.h"
#include "Scan.h"
#include "DirFuncs.h"
#include "CLog.h"
#include "VersionHelpers.h"
#include "Functions.h"
#pragma optimize("", off )
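/// Loader DLL-notification callback registered by
/// CSelfApiHooks::InitDllNotificationCallback().
///
/// For a load event (NotificationReason == 1) the newly mapped module is
/// checked with CScan::IsSignedFile(). An unsigned module whose extension is
/// not on the plugin allowlist (.pyd/.m3d/.mix/.flt/.asi) and which lives in
/// neither the current directory nor the Windows directory is logged and
/// unmapped with NtUnmapViewOfSection. Unload events are ignored.
///
/// @param NotificationReason  1 = loaded, 2 = unloaded; only 1 is handled.
/// @param NotificationData    Loader-supplied data; Loaded.FullDllName and
///                            Loaded.DllBase are read for load events.
/// @param Context             Unused (registered with a null context).
VOID NTAPI LdrDllNotification_TRAMPOLINE(ULONG NotificationReason, PCLDR_DLL_NOTIFICATION_DATA NotificationData, PVOID Context)
{
    (void)Context;
#ifdef _DEBUG
    LPLog->DetourLog(0, "LdrDllNotification called!");
#endif
    // LDR_DLL_NOTIFICATION_REASON_LOADED; nothing is scanned on unload.
    constexpr ULONG kReasonLoaded = 1;
    if (NotificationReason != kReasonLoaded)
        return;
#ifdef _DEBUG
    LPLog->DetourLog(0, "LdrDllNotification call reason: LOAD!");
#endif
    // Never dereference loader data we were not handed.
    if (NotificationData == nullptr || NotificationData->Loaded.FullDllName == nullptr ||
        NotificationData->Loaded.FullDllName->Buffer == nullptr)
        return;

    // UNICODE_STRING buffers are not guaranteed to be NUL-terminated, so the
    // name is taken by Length (bytes) rather than by scanning for L'\0'.
    const auto* pFullName = NotificationData->Loaded.FullDllName;
    std::wstring wszModule(pFullName->Buffer, pFullName->Length / sizeof(WCHAR));
    std::transform(wszModule.begin(), wszModule.end(), wszModule.begin(), towlower);
    const std::string szModule = LPFunctions->WstringToUTF8(wszModule);
#ifdef _DEBUG
    LPLog->DetourLog(0, "LdrDllNotification loaded dll: %s", szModule.c_str());
#endif

    // Per-call verdict. The original kept this flag static, so a call in
    // which IsSignedFile() did not write it would inherit the previous
    // module's result.
    CScan lpScan;
    BOOL bSignRet = FALSE;
    lpScan.IsSignedFile(wszModule.c_str(), &bSignRet);
    if (bSignRet != FALSE)
        return;

    // Plugin extensions that may legitimately be unsigned. Built as char
    // arrays (as in the original) so no wide literal lands in the string table.
    const WCHAR wc_szPYD[] = { L'.', L'p', L'y', L'd', L'\0' };
    const WCHAR wc_szM3D[] = { L'.', L'm', L'3', L'd', L'\0' };
    const WCHAR wc_szMIX[] = { L'.', L'm', L'i', L'x', L'\0' };
    const WCHAR wc_szFLT[] = { L'.', L'f', L'l', L't', L'\0' };
    const WCHAR wc_szASI[] = { L'.', L'a', L's', L'i', L'\0' };
    const WCHAR* const allowedExts[] = { wc_szPYD, wc_szM3D, wc_szMIX, wc_szFLT, wc_szASI };

    // Match the extension as a suffix of the lower-cased path, so only the
    // module's actual extension is consulted, not a substring anywhere in the
    // path (the original used wcsstr).
    const bool hasAllowedExt = std::any_of(std::begin(allowedExts), std::end(allowedExts),
        [&wszModule](const WCHAR* ext) {
            const size_t extLen = wcslen(ext);
            return wszModule.size() >= extLen &&
                wszModule.compare(wszModule.size() - extLen, extLen, ext) == 0;
        });
    if (hasAllowedExt)
        return;
    if (LPDirFunctions->IsFromCurrentPath(wszModule) || LPDirFunctions->IsFromWindowsPath(wszModule))
        return;

    // Stack-built format string ("Unknown dll detected in process: %s"), kept
    // byte-for-byte from the original so it is not a scannable literal.
    CHAR warnUnknown[] = { 'U', 'n', 'k', 'n', 'o', 'w', 'n', ' ', 'd', 'l', 'l', ' ', 'd', 'e', 't', 'e', 'c', 't', 'e', 'd', ' ', 'i', 'n', ' ', 'p', 'r', 'o', 'c', 'e', 's', 's', ':', ' ', '%', 's', 0x0 }; // Unknown dll detected in process: %s
    LPLog->AddLog(0, warnUnknown, szModule.c_str());
    // Evict the module. The result of the unmap is not checked here; there is
    // no recovery path if it fails. NOTE(review): this runs inside the
    // loader's own callback, so the loader still holds its references to the
    // module after the mapping is gone — confirm that is the intended effect.
    BetaFunctionTable->NtUnmapViewOfSection(NtCurrentProcess, NotificationData->Loaded.DllBase);
}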
#pragma optimize("", on )
/// Signature of a loader DLL-notification callback, as accepted by
/// LdrRegisterDllNotification (LdrDllNotification_TRAMPOLINE above matches it).
using PLDR_DLL_NOTIFICATION_FUNCTION = VOID(NTAPI *)(ULONG NotificationReason, PCLDR_DLL_NOTIFICATION_DATA NotificationData, PVOID Context);
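/// Registers LdrDllNotification_TRAMPOLINE with the loader so every DLL load
/// in this process is inspected.
///
/// LdrRegisterDllNotification is resolved at runtime from ntdll through the
/// project's dynamic API table; the export name is XOR-obfuscated. The
/// registration cookie needed by LdrUnregisterDllNotification is discarded,
/// so the callback stays registered for the lifetime of the process.
/// Returns early on pre-Vista systems, when the export cannot be resolved,
/// or when the registration call reports failure.
void CSelfApiHooks::InitDllNotificationCallback()
{
#ifdef _DEBUG
    LPLog->DetourLog(0, "LdrRegisterDllNotification has been initializing");
#endif
    // The API exists from Vista onwards; older systems simply skip the hook.
    if (!IsWindowsVistaOrGreater()) {
#ifdef _DEBUG
        LPLog->DetourLog(0, "LdrRegisterDllNotification passed in this OS");
#endif
        return;
    }

    using lpLdrRegisterDllNotification = NTSTATUS(NTAPI *)(ULONG Flags, PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, void* Context, void** Cookie);
    const auto LdrRegisterDllNotification = reinterpret_cast<lpLdrRegisterDllNotification>(
        BetaFunctionTable->GetProcAddress(BetaModuleTable->hNtdll, XOR("LdrRegisterDllNotification")));
    // A null result means the export was not found; calling it would crash
    // the process inside hook initialization.
    if (LdrRegisterDllNotification == nullptr) {
#ifdef _DEBUG
        LPLog->DetourLog(0, "LdrRegisterDllNotification could not be resolved");
#endif
        return;
    }

    void* pvCookie = nullptr;
    const NTSTATUS ntStatus = LdrRegisterDllNotification(0, LdrDllNotification_TRAMPOLINE, nullptr, &pvCookie);
    // NTSTATUS success and informational codes are non-negative (NT_SUCCESS).
    if (ntStatus < 0) {
#ifdef _DEBUG
        LPLog->DetourLog(0, "LdrRegisterDllNotification failed: 0x%08X", ntStatus);
#endif
        return;
    }
#ifdef _DEBUG
    LPLog->DetourLog(0, "LdrRegisterDllNotification succesfuly initialized");
#endif
}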