#include "hook.h"
#include "hook_object.h"

Functions
static INTSTATUS	IntHookObjectRemoveRegionInternal (HOOK_REGION_DESCRIPTOR *Region, DWORD Flags)
	Remove a hooked region of memory. More...

INTSTATUS	IntHookObjectCreate (DWORD ObjectType, QWORD Cr3, void **Object)
	Create a new hook object. More...

INTSTATUS	IntHookObjectHookRegion (void Object, QWORD Cr3, QWORD Gla, SIZE_T Length, BYTE Type, void Callback, void Context, DWORD Flags, HOOK_REGION_DESCRIPTOR *Region)
	Hook a contiguous region of virtual memory inside the provided virtual address space. More...

static INTSTATUS	IntHookObjectDeleteRegion (HOOK_REGION_DESCRIPTOR *Region, DWORD Flags)
	Permanently deletes the indicated region. More...

INTSTATUS	IntHookObjectRemoveRegion (HOOK_REGION_DESCRIPTOR **Region, DWORD Flags)
	Remove a hooked region of memory. More...

INTSTATUS	IntHookObjectDestroy (HOOK_OBJECT_DESCRIPTOR **Object, DWORD Flags)
	Destroy an entire hook object. All regions belonging to this object will be removed. More...

void *	IntHookObjectFindRegion (QWORD Gva, void *HookObject, BYTE HookType)
	Searches for a region of hooked memory inside the provided hook object. More...

static INTSTATUS	IntHookObjectDestroyAll (DWORD Flags)
	Destroy all existing hook objects. More...

INTSTATUS	IntHookObjectCommit (void)
	Commit removed hook objects and regions. More...

INTSTATUS	IntHookObjectInit (void)
	Initialize the hook object system. More...

INTSTATUS	IntHookObjectUninit (void)
	Uninit the hook object system. More...

Function Documentation

◆ IntHookObjectCommit()

INTSTATUS IntHookObjectCommit ( void )

Commit removed hook objects and regions.

This function deletes all removed objects and regions. At this point they will be permanently deleted.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 525 of file hook_object.c.

Referenced by IntHookCommitAllHooks().

◆ IntHookObjectCreate()

INTSTATUS IntHookObjectCreate	(	DWORD	ObjectType,
		QWORD	Cr3,
		void **	Object
	)

Create a new hook object.

This function will create a new hook object, which can be used as a container for multiple hooked regions. For example, one might wish to create a hook object for a loaded module, or for an entire process.

Parameters

[in]	ObjectType	The type of the object. User defined.
[in]	Cr3	The address space the object resides in. Use 0 for global (kernel) objects.
[out]	Object	Will contain, upon successfully return, the newly created object. The object can then be used as a parameter for other hook related functions.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INSUFFICIENT_RESOURCES	If a memory allocation function fails.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.

Definition at line 81 of file hook_object.c.

Referenced by IntLixDrvActivateProtection(), IntLixGuestAllocateHook(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixIdtProtectOnCpu(), IntLixTaskActivateExploitProtection(), IntLixVdsoDynamicProtectNonRelocate(), IntLixVdsoFixedProtect(), IntModBlockHandleBlockModHeadersInMemory(), IntPtiDeliverDriverForLoad(), IntVeDeliverDriverForLoad(), IntWinDrvCreateFromAddress(), IntWinDrvHeadersInMemory(), IntWinDrvObjProtect(), IntWinHalProtectHalHeapExecs(), IntWinHalProtectHalIntCtrl(), IntWinIdtProtectOnCpuEpt(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookSppHookWmiSiloPtr(), and IntWinModHookModule().

◆ IntHookObjectDeleteRegion()

static INTSTATUS IntHookObjectDeleteRegion	(	HOOK_REGION_DESCRIPTOR *	Region,
		DWORD	Flags
	)

static

Permanently deletes the indicated region.

This function deletes a region of hooked memory. This should be called only from the commit function, or by a higher level hook manager.

Parameters

[in]	Region	The hook region.
[in]	Flags	Flags. Reserved for future use.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 265 of file hook_object.c.

Referenced by IntHookObjectCommit().

◆ IntHookObjectDestroy()

INTSTATUS IntHookObjectDestroy	(	HOOK_OBJECT_DESCRIPTOR **	Object,
		DWORD	Flags
	)

Destroy an entire hook object. All regions belonging to this object will be removed.

This function will destroy an entire hook object, and all its belonging regions. This function will not delete the hooked regions on the spot - instead, it will remove them: all hooks will be disabled (no callbacks will be called from this point on), but the regions will be deleted during the commit phase.

Parameters

[in,out]	Object	The hook object to be destroyed.
[in]	Flags	The hook flags. Will usually be 0.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.

Definition at line 357 of file hook_object.c.

Referenced by IntLixDrvActivateProtection(), IntLixDrvDeactivateProtection(), IntLixGuestUnhookGuestCode(), IntLixIdtUnprotectAll(), IntLixTaskDeactivateExploitProtection(), IntLixUnhookKernelRead(), IntLixUnhookKernelWrite(), IntLixVdsoUnprotect(), IntModBlockHandleBlockModHeadersInMemory(), IntPtiUnhookPtFilter(), IntVeUnhookVeAgent(), IntWinDrvHandleDriverEntry(), IntWinDrvObjUnprotect(), IntWinDrvRemoveEntry(), IntWinDrvUnprotect(), IntWinHalUnprotectHalHeapExecs(), IntWinHalUnprotectHalIntCtrl(), IntWinIdtUnprotectOnCpuEpt(), IntWinInfHookSppViolationCallbackWmiPtrChanged(), IntWinInfHookUnprotect(), IntWinModBlockRemoveBlockObject(), and IntWinModUnHookModule().

◆ IntHookObjectDestroyAll()

static INTSTATUS IntHookObjectDestroyAll ( DWORD Flags )

static

Destroy all existing hook objects.

Parameters

[in] Flags Hook flags.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 467 of file hook_object.c.

Referenced by IntHookObjectUninit().

◆ IntHookObjectFindRegion()

void* IntHookObjectFindRegion	(	QWORD	Gva,
		void *	HookObject,
		BYTE	HookType
	)

Searches for a region of hooked memory inside the provided hook object.

Parameters

[in]	Gva	The region guest virtual address to be searched.
[in]	HookObject	The target hook object.
[in]	HookType	The searched hook type.

Returns: The identified hook region or NULL, if none is found.

Definition at line 424 of file hook_object.c.

Referenced by IntExceptVerifyCodeBlocksSig(), and IntLixVdsoDynamicProtectNonRelocate().

◆ IntHookObjectHookRegion()

INTSTATUS IntHookObjectHookRegion	(	void *	Object,
		QWORD	Cr3,
		QWORD	Gla,
		SIZE_T	Length,
		BYTE	Type,
		void *	Callback,
		void *	Context,
		DWORD	Flags,
		HOOK_REGION_DESCRIPTOR **	Region
	)

Hook a contiguous region of virtual memory inside the provided virtual address space.

This function hooks a contiguous region of memory inside the provided virtual address space. The entire region will be hooked using the same hook type. Both access hooks (read, write or execute) and swap hooks can be set. The region will later be removed by either explicitly calling IntHookObjectRemoveRegion on the handle returned bu this function (the Region parameter) or when the hook object this region belongs to is destroyed.

Parameters

[in]	Object	A previously created hook object, using IntHookObjectCreate function.
[in]	Cr3	The target virtual address space.
[in]	Gla	Guest linear address where the hook starts.
[in]	Length	The length of the hooked region. Can span multiple pages.
[in]	Type	Hook type. Can be IG_EPT_HOOK_READ, IG_EPT_HOOK_WRITE, IG_EPT_HOOK_EXECUTE or IG_EPT_HOOK_NONE, for swap in hooks.
[in]	Callback	The callback to be called whenever the region is accessed or swapped.
[in]	Context	Optional context to be passed to the provided callback on events.
[in]	Flags	Hook flags.
[out]	Region	Optional pointer to a region handle, which can later be used to unhook the memory area.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_INVALID_PARAMETER	If an invalid parameter is supplied.
INT_STATUS_INSUFFICIENT_RESOURCES	If a memory allocation fails.

Definition at line 132 of file hook_object.c.

Referenced by IntLixDrvActivateProtection(), IntLixGuestAllocateHook(), IntLixHookKernelRead(), IntLixHookKernelWrite(), IntLixIdtProtectOnCpu(), IntLixVdsoDynamicProtectNonRelocate(), IntLixVdsoFixedProtect(), IntLixVmaProtect(), IntModBlockHandleBlockModHeadersInMemory(), IntPtiHookPtDriver(), IntVeHookVeDriver(), IntWinDrvCreateFromAddress(), IntWinDrvHeadersInMemory(), IntWinDrvObjProtect(), IntWinHalProtectHalHeapExecs(), IntWinHalProtectHalIntCtrl(), IntWinIdtProtectOnCpuEpt(), IntWinInfHookHookSppWmiGetClock(), IntWinInfHookSppHookWmiSiloPtr(), IntWinModHookModule(), and IntWinProtectReadNtEat().

◆ IntHookObjectInit()

INTSTATUS IntHookObjectInit ( void )

Initialize the hook object system.

Return values

INT_STATUS_SUCCESS On success.

Definition at line 598 of file hook_object.c.

Referenced by IntHookInit().

◆ IntHookObjectRemoveRegion()

INTSTATUS IntHookObjectRemoveRegion	(	HOOK_REGION_DESCRIPTOR **	Region,
		DWORD	Flags
	)

Remove a hooked region of memory.

This function will remove a region of hooked memory. It will call the remove function for each child hook (with the HOOK_FLG_CHAIN_DELETE flag set, in order to allow us to delete the hooks), and it will remove the hook from the list of active hooks. The region will not actually be removed until the commit phase. However, it will be marked as removed, and no callback for any of the lower-level hooks will be called again.

Parameters

[in,out]	Region	The hook region to be removed.
[in]	Flags	Flags. Reserved for future use.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_NEEDED_HINT	If the region has already been removed.

Definition at line 309 of file hook_object.c.

Referenced by IntHookRemoveChain(), IntLixVmaRemoveProtection(), and IntWinUnprotectReadNtEat().

◆ IntHookObjectRemoveRegionInternal()

static INTSTATUS IntHookObjectRemoveRegionInternal	(	HOOK_REGION_DESCRIPTOR *	Region,
		DWORD	Flags
	)

static

Remove a hooked region of memory.

This function will remove a region of hooked memory. It will call the remove function for each child hook (with the HOOK_FLG_CHAIN_DELETE flag set, in order to allow us to delete the hooks), and it will remove the hook from the list of active hooks. The region will not actually be removed until the commit phase. However, it will be marked as removed, and no callback for any of the lower-level hooks will be called again.

Parameters

[in]	Region	The hook region to be removed.
[in]	Flags	Flags. Reserved for future use.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_NEEDED_HINT	If the region has already been removed.

Definition at line 10 of file hook_object.c.

Referenced by IntHookObjectDestroy(), IntHookObjectDestroyAll(), IntHookObjectHookRegion(), and IntHookObjectRemoveRegion().

◆ IntHookObjectUninit()

INTSTATUS IntHookObjectUninit ( void )

Uninit the hook object system.

Return values

INT_STATUS_SUCCESS	On success.
INT_STATUS_NOT_INITIALIZED_HINT	If the hook system has not been initialized yet.

Definition at line 614 of file hook_object.c.

Referenced by IntHookInit(), and IntHookUninit().

Functions

Function Documentation

◆ IntHookObjectCommit()

◆ IntHookObjectCreate()

◆ IntHookObjectDeleteRegion()

◆ IntHookObjectDestroy()

◆ IntHookObjectDestroyAll()

◆ IntHookObjectFindRegion()

◆ IntHookObjectHookRegion()

◆ IntHookObjectInit()

◆ IntHookObjectRemoveRegion()

◆ IntHookObjectRemoveRegionInternal()

◆ IntHookObjectUninit()