Merge branch 'master' of https://github.com/ke0z/HookThatBin

README.md

@@ -7,3 +7,10 @@ More scripts are incoming (when I can dedicate some time):
 -Mobile Root Bypass
 -DynamicReversing (by stalking through function calls)
 -Exploit Development 
+
+# Compiling 
+
+Using VisualStudio, .NET4.8, Frida (frida-clr-16.1.10-windows-x86.dll.xz) or (frida-clr-16.1.10-windows-x86_64.dll.xz) as referenced DLLs tested with version 16.1.4-10 , copy the scripts folder to binary compiled location
+
+# Running
+Extract and Execute HookThatBin

scripts/file_hooks.js

@@ -0,0 +1,167 @@
+const FILE_ACCESS_MASKS = {
+	"GENERIC_ALL": 0x10000000,
+	"GENERIC_EXECUTE": 0x20000000,	
+	"GENERIC_WRITE": 0x40000000,
+	"GENERIC_READ": 0x80000000
+};
+
+const FILE_CREATION_ACTIONS = {
+	"CREATE_ALWAYS": 2,
+	"CREATE_NEW": 1,
+	"OPEN_ALWAYS": 4,
+	"OPEN_EXISTING": 3,
+	"TRUNCATE_EXISTING": 5
+};
+
+/*
+HANDLE CreateFileW(
+  LPCWSTR               lpFileName,
+  DWORD                 dwDesiredAccess,
+  DWORD                 dwShareMode,
+  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+  DWORD                 dwCreationDisposition,
+  DWORD                 dwFlagsAndAttributes,
+  HANDLE                hTemplateFile
+);
+*/
+function instrumentCreateFile(opts) {
+	var pCreateFile = opts.unicode ? Module.findExportByName(null, "CreateFileW")
+                                   : Module.findExportByName(null, "CreateFileA");
+	Interceptor.attach(pCreateFile, {
+		onEnter: function(args) {
+			this.path = opts.unicode ? args[0].readUtf16String() : args[0].readUtf8String();
+			var mask = args[1].toInt32();
+			var action = args[4].toInt32();
+
+			this.new = 0;
+			if(action == FILE_CREATION_ACTIONS["CREATE_ALWAYS"] || action == FILE_CREATION_ACTIONS["CREATE_NEW"])
+				this.new = 1;
+		},
+		onLeave: function(retval) {
+			send({
+				'hook': 'CreateFile',
+				'handle': retval.toInt32(),   // file handle
+				'path': this.path,
+				'new': this.new
+			});
+		}
+	});
+}
+instrumentCreateFile({unicode: 0});
+instrumentCreateFile({unicode: 1});
+
+/*
+BOOL WriteFile(
+  HANDLE       hFile,
+  LPCVOID      lpBuffer,
+  DWORD        nNumberOfBytesToWrite,
+  LPDWORD      lpNumberOfBytesWritten,
+  LPOVERLAPPED lpOverlapped
+);
+*/
+var pWriteFile = Module.getExportByName(null, "WriteFile");
+Interceptor.attach(pWriteFile, {
+	onEnter: function(args) {
+		send({
+			'hook': 'WriteFile',
+			'handle': args[0].toInt32()
+		});
+	}
+});
+
+/*
+BOOL MoveFileW(
+  LPCWSTR lpExistingFileName,
+  LPCWSTR lpNewFileName
+);
+BOOL MoveFileExW(
+  LPCWSTR lpExistingFileName,
+  LPCWSTR lpNewFileName,
+  DWORD   dwFlags
+);
+*/
+function instrumentMoveFile(opts) {
+	if(opts.ex) {
+		var pMoveFile = opts.unicode ? Module.findExportByName(null, "MoveFileExW")
+                                     : Module.findExportByName(null, "MoveFileExA");
+    } else {
+		var pMoveFile = opts.unicode ? Module.findExportByName(null, "MoveFileW")
+                                     : Module.findExportByName(null, "MoveFileA");
+    }
+	Interceptor.attach(pMoveFile, {
+		onEnter: function(args) {
+			var oldpath = opts.unicode ? args[0].readUtf16String() : args[0].readUtf8String();
+			var newpath = opts.unicode ? args[1].readUtf16String() : args[1].readUtf8String();
+			send({
+				'hook': 'MoveFile',
+				'oldpath': oldpath,
+				'newpath': newpath
+			});
+		}
+	});
+}
+instrumentMoveFile({unicode: 0, ex: 0});
+instrumentMoveFile({unicode: 1, ex: 0});
+instrumentMoveFile({unicode: 0, ex: 1});
+instrumentMoveFile({unicode: 1, ex: 1});
+
+/*
+BOOL CopyFileW(
+  LPCWSTR lpExistingFileName,
+  LPCWSTR lpNewFileName,
+  BOOL    bFailIfExists
+);
+BOOL CopyFileExW(
+  LPCWSTR            lpExistingFileName,
+  LPCWSTR            lpNewFileName,
+  LPPROGRESS_ROUTINE lpProgressRoutine,
+  LPVOID             lpData,
+  LPBOOL             pbCancel,
+  DWORD              dwCopyFlags
+);
+*/
+function instrumentCopyFile(opts) {
+	if(opts.ex) {
+		var pCopyFile = opts.unicode ? Module.findExportByName(null, "CopyFileExW")
+                                     : Module.findExportByName(null, "CopyFileExA");
+    } else {
+		var pCopyFile = opts.unicode ? Module.findExportByName(null, "CopyFileW")
+                                     : Module.findExportByName(null, "CopyFileA");
+    }
+	Interceptor.attach(pCopyFile, {
+		onEnter: function(args) {
+			var oldpath = opts.unicode ? args[0].readUtf16String() : args[0].readUtf8String();
+			var newpath = opts.unicode ? args[1].readUtf16String() : args[1].readUtf8String();
+			send({
+				'hook': 'CopyFile',
+				'oldpath': oldpath,
+				'newpath': newpath
+			});
+		}
+	});
+}
+instrumentCopyFile({unicode: 0, ex: 0});
+instrumentCopyFile({unicode: 1, ex: 0});
+instrumentCopyFile({unicode: 0, ex: 1});
+instrumentCopyFile({unicode: 1, ex: 1});
+
+/*
+BOOL DeleteFileW(
+  LPCWSTR lpFileName
+);
+*/
+function instrumentDeleteFile(opts) {
+	var pDeleteFile = opts.unicode ? Module.findExportByName(null, "DeleteFileW")
+                                   : Module.findExportByName(null, "DeleteFileA");
+	Interceptor.attach(pDeleteFile, {
+		onEnter: function(args) {
+			var path = opts.unicode ? args[0].readUtf16String() : args[0].readUtf8String();
+			send({
+				'hook': 'DeleteFile',
+				'path': path
+			});
+		}
+	});
+}
+instrumentDeleteFile({unicode: 0});
+instrumentDeleteFile({unicode: 1});

scripts/general_hooks.js

@@ -0,0 +1,56 @@
+/*
+FARPROC GetProcAddress(
+  HMODULE hModule,
+  LPCSTR  lpProcName
+);
+*/
+var pGetProcAddress = Module.findExportByName(null, "GetProcAddress");
+Interceptor.attach(pGetProcAddress, {
+	onEnter: function(args) {
+		send({
+			'hook': 'GetProcAddress',
+			'func': args[1].readUtf8String()
+		});
+	}
+});
+
+
+/*
+HANDLE CreateMutexW(
+  LPSECURITY_ATTRIBUTES lpMutexAttributes,
+  BOOL                  bInitialOwner,
+  LPCWSTR               lpName
+);
+HANDLE CreateMutexExW(
+  LPSECURITY_ATTRIBUTES lpMutexAttributes,
+  LPCWSTR               lpName,
+  DWORD                 dwFlags,
+  DWORD                 dwDesiredAccess
+);
+*/
+function instrumentCreateMutex(opts) {
+	if(opts.ex) {
+		var pCreateMutex = opts.unicode ? Module.findExportByName(null, "CreateMutexExW")
+                                    	: Module.findExportByName(null, "CreateMutexExA");
+    } else {
+		var pCreateMutex = opts.unicode ? Module.findExportByName(null, "CreateMutexW")
+                                    	: Module.findExportByName(null, "CreateMutexA");
+    }
+	Interceptor.attach(pCreateMutex, {
+		onEnter: function(args) {
+			if(opts.ex) {
+				var mutex = opts.unicode ? args[1].readUtf16String() : args[1].readUtf8String();
+			} else {
+				var mutex = opts.unicode ? args[2].readUtf16String() : args[2].readUtf8String();
+			}
+			send({
+				'hook': 'CreateMutex',
+				'mutex': mutex
+			});
+		}
+	});
+}
+instrumentCreateMutex({unicode: 0, ex: 0});
+instrumentCreateMutex({unicode: 1, ex: 0});
+instrumentCreateMutex({unicode: 0, ex: 1});
+instrumentCreateMutex({unicode: 1, ex: 1});

scripts/internet_hooks.js

@@ -0,0 +1,121 @@
+/*
+void InternetOpenUrlW(
+  HINTERNET hInternet,
+  LPCWSTR   lpszUrl,
+  LPCWSTR   lpszHeaders,
+  DWORD     dwHeadersLength,
+  DWORD     dwFlags,
+  DWORD_PTR dwContext
+);
+*/
+function instrumentInternetOpenUrl(opts) {
+	var pInternetOpenUrl = opts.unicode ? Module.findExportByName("wininet.dll", "InternetOpenUrlW")
+                                        : Module.findExportByName("wininet.dll", "InternetOpenUrlA");
+	if(null == pInternetOpenUrl)
+		return 0;
+
+	Interceptor.attach(pInternetOpenUrl, {
+		onEnter: function(args) {
+			var url = opts.unicode ? args[1].readUtf16String() : args[1].readUtf8String();
+			send({
+				'hook': 'InternetOpenUrl',
+				'url': url
+			});
+		}
+	});
+	return 1;
+}
+
+/*
+INT WSAAPI GetAddrInfoW(
+  PCWSTR          pNodeName,
+  PCWSTR          pServiceName,
+  const ADDRINFOW *pHints,
+  PADDRINFOW      *ppResult
+);
+INT WSAAPI GetAddrInfoExW(
+  PCWSTR                             pName,
+  PCWSTR                             pServiceName,
+  DWORD                              dwNameSpace,
+  LPGUID                             lpNspId,
+  const ADDRINFOEXW                  *hints,
+  PADDRINFOEXW                       *ppResult,
+  timeval                            *timeout,
+  LPOVERLAPPED                       lpOverlapped,
+  LPLOOKUPSERVICE_COMPLETION_ROUTINE lpCompletionRoutine,
+  LPHANDLE                           lpHandle
+);
+*/
+function instrumentGetAddrInfo(opts) {
+	if(opts.ex) {
+		var pGetAddrInfo = opts.unicode ? Module.findExportByName("ws2_32.dll", "GetAddrInfoExW")
+                                        : Module.findExportByName("ws2_32.dll", "GetAddrInfoExA");
+    } else {
+		var pGetAddrInfo = opts.unicode ? Module.findExportByName("ws2_32.dll", "GetAddrInfoW")
+                                        : Module.findExportByName("ws2_32.dll", "getaddrinfo");
+    }
+
+	if(null == pGetAddrInfo)
+		return 0;
+
+	Interceptor.attach(pGetAddrInfo, {
+		onEnter: function(args) {
+			var domain = opts.unicode ? args[0].readUtf16String() : args[0].readUtf8String();
+			send({
+				'hook': 'GetAddrInfo',
+				'domain': domain
+			});
+		}
+	});
+	return 1;
+}
+
+
+var InternetOpenUrl_Instrumented = 0;
+var GetAddrInfo_Instrumented = 0;
+
+/*
+HMODULE LoadLibraryW(
+  LPCWSTR lpLibFileName
+);
+*/
+function instrumentLoadLibrary(opts) {
+	var pLoadLibrary = opts.unicode ? Module.findExportByName(null, "LoadLibraryW")
+	                                : Module.findExportByName(null, "LoadLibraryA")
+	Interceptor.attach(pLoadLibrary, {
+		onEnter: function(args) {
+			this.wininet = 0;
+			this.ws2_32  = 0;
+			var libName = (opts.unicode ? args[0].readUtf16String() : args[0].readUtf8String()).toLowerCase();
+			if(libName.startsWith("wininet"))
+				this.wininet = 1;
+			else if(libName.startsWith("ws2_32"))
+				this.ws2_32 = 1;
+		},
+		onLeave: function(retval) {
+			if(this.wininet == 1 && !InternetOpenUrl_Instrumented) {
+				instrumentInternetOpenUrl({unicode: 0});
+				instrumentInternetOpenUrl({unicode: 1});
+			} else if(this.ws2_32 == 1 && !GetAddrInfo_Instrumented) {
+				instrumentGetAddrInfo({unicode: 0, ex: 0});
+				instrumentGetAddrInfo({unicode: 1, ex: 0});
+				instrumentGetAddrInfo({unicode: 0, ex: 1});
+				instrumentGetAddrInfo({unicode: 1, ex: 1});
+			}
+		}
+	});
+}
+
+InternetOpenUrl_Instrumented = (instrumentInternetOpenUrl({unicode: 0}) && 
+	                            instrumentInternetOpenUrl({unicode: 1}));
+
+GetAddrInfo_Instrumented = (instrumentGetAddrInfo({unicode: 0, ex: 0}) && 
+	                        instrumentGetAddrInfo({unicode: 1, ex: 0}) && 
+	                        instrumentGetAddrInfo({unicode: 0, ex: 1}) && 
+	                        instrumentGetAddrInfo({unicode: 1, ex: 1}));
+
+if(!InternetOpenUrl_Instrumented || !GetAddrInfo_Instrumented) {        // (wininet.dll | ws2_32.dll) not imported yet
+	instrumentLoadLibrary({unicode: 0});
+	instrumentLoadLibrary({unicode: 1});
+}
+