
Commit 4090e9e

authored
Add files via upload
1 parent f78f223 commit 4090e9e

1 file changed

Lines changed: 45 additions & 15 deletions


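--- a/NoMoreCookies/NoMoreCookies/dllmain.cpp
+++ b/NoMoreCookies/NoMoreCookies/dllmain.cpp
@@ -17,6 +17,7 @@
 #define STATUS_ACCESS_DENIED 0xC0000022
 
 typedef NTSTATUS(NTAPI* RealNtCreateFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
+typedef NTSTATUS(NTAPI *RealNtOpenFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG);
 typedef NTSTATUS(NTAPI* RealNtResumeThread)(HANDLE, PULONG);
 typedef NTSTATUS(NTAPI* RealNtSetValueKey)(HANDLE, PUNICODE_STRING, ULONG, ULONG, PVOID, ULONG);
 typedef NTSTATUS(NTAPI* RealNtProtectVirtualMemory)(HANDLE, PVOID*, PULONG, ULONG, PULONG);
@@ -27,11 +28,13 @@ HANDLE Mutex2 = CreateMutex(NULL, FALSE, NULL);
 HANDLE Mutex3 = CreateMutex(NULL, FALSE, NULL);
 HANDLE Mutex4 = CreateMutex(NULL, FALSE, NULL);
 HANDLE Mutex5 = CreateMutex(NULL, FALSE, NULL);
-BOOL XMode = FALSE; //you set the mode you want
-BOOL Mini = TRUE; //Mini Mode FALSE/TRUE
+HANDLE Mutex6 = CreateMutex(NULL, FALSE, NULL);
+BOOL XMode = TRUE; //you set the mode you want
+BOOL Mini = FALSE; //Mini Mode FALSE/TRUE
 HMODULE Module = NULL;
 
 RealNtCreateFile OriginalNtCreateFile = nullptr;
+RealNtOpenFile OriginalNtOpenFile = nullptr;
 RealNtResumeThread OriginalNtResumeThread = nullptr;
 RealNtSetValueKey OriginalNtSetValueKey = nullptr;
 RealNtProtectVirtualMemory OriginalNtProtectVirtualMemory = nullptr;
@@ -338,9 +341,32 @@ NTSTATUS NTAPI HookedNtCreateFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess,
 return OriginalNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
 }
 
-NTSTATUS NTAPI HookedNtResumeThread(HANDLE Thread, PULONG SuspendCount)
+BOOL AlreadyShown2 = FALSE;
+NTSTATUS NTAPI HookedNtOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions)
 {
 WaitForSingleObject(Mutex2, INFINITE);
+if (ObjectAttributes != nullptr && ObjectAttributes->ObjectName != nullptr)
+{
+std::wstring fileName(ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->Length / sizeof(wchar_t));
+if (IsBlacklistedPath(fileName.c_str()))
+{
+if (!AlreadyShown2)
+{
+std::wstring NotificationString(L"NoMoreCookies: A process tried to access a restricted browser path, which was denied successfully.");
+ShowNotification(NotificationString);
+AlreadyShown = TRUE;
+}
+ReleaseMutex(Mutex2);
+return STATUS_ACCESS_DENIED;
+}
+}
+ReleaseMutex(Mutex2);
+return OriginalNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
+}
+
+NTSTATUS NTAPI HookedNtResumeThread(HANDLE Thread, PULONG SuspendCount)
+{
+WaitForSingleObject(Mutex3, INFINITE);
 DWORD PID = GetProcessIdOfThread(Thread);
 if (PID != GetCurrentProcessId())
 {
@@ -356,66 +382,68 @@ NTSTATUS NTAPI HookedNtResumeThread(HANDLE Thread, PULONG SuspendCount)
 CloseHandle(InjectionThread);
 CloseHandle(hProcess);
 }
-ReleaseMutex(Mutex2);
+ReleaseMutex(Mutex3);
 return OriginalNtResumeThread(Thread, SuspendCount);
 }
 
 NTSTATUS NTAPI HookedNtSetValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, ULONG TitleIndex, ULONG Type, PVOID Data, ULONG DataSize)
 {
-WaitForSingleObject(Mutex3, INFINITE);
+WaitForSingleObject(Mutex4, INFINITE);
 if (ValueName != NULL && ValueName->Buffer != NULL && Type == REG_SZ && wcsstr(ValueName->Buffer, L"AppInit_DLLs") || ValueName != NULL && ValueName->Buffer != NULL && Type == REG_DWORD && wcsstr(ValueName->Buffer, L"LoadAppInit_DLLs"))
 {
-ReleaseMutex(Mutex3);
+ReleaseMutex(Mutex4);
 return STATUS_ACCESS_DENIED;
 }
-ReleaseMutex(Mutex3);
+ReleaseMutex(Mutex4);
 return OriginalNtSetValueKey(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
 }
 
 FARPROC NtCreateFileAddress = NULL;
+FARPROC NtOpenFileAddress = NULL;
 FARPROC NtResumeThreadAddress = NULL;
 FARPROC NtSetValueKeyAddress = NULL;
 FARPROC NtWriteVirtualMemory = NULL;
 FARPROC NtProtectVirtualMemory = NULL;
 
 NTSTATUS NTAPI HookedNtProtectVirtualMemory(HANDLE ProcessHandle, PVOID* BaseAddress, PULONG NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection)
 {
-WaitForSingleObject(Mutex4, INFINITE);
+WaitForSingleObject(Mutex5, INFINITE);
 if (GetProcessId(ProcessHandle) == GetCurrentProcessId())
 {
-if ((int)(*BaseAddress) == (int)(NtCreateFileAddress) || (int)(*BaseAddress) == (int)(NtResumeThreadAddress) || (int)(*BaseAddress) == (int)(NtSetValueKeyAddress) || (int)(*BaseAddress) == (int)(NtWriteVirtualMemory) || (int)(*BaseAddress) == (int)(NtProtectVirtualMemory))
+if ((int)(*BaseAddress) == (int)(NtCreateFileAddress) || (int)(*BaseAddress) == (int)(NtOpenFileAddress) || (int)(*BaseAddress) == (int)(NtResumeThreadAddress) || (int)(*BaseAddress) == (int)(NtSetValueKeyAddress) || (int)(*BaseAddress) == (int)(NtWriteVirtualMemory) || (int)(*BaseAddress) == (int)(NtProtectVirtualMemory))
 {
-ReleaseMutex(Mutex4);
+ReleaseMutex(Mutex5);
 return STATUS_ACCESS_DENIED;
 }
 }
-ReleaseMutex(Mutex4);
+ReleaseMutex(Mutex5);
 return OriginalNtProtectVirtualMemory(ProcessHandle, BaseAddress, NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection);
 }
 
 NTSTATUS NTAPI HookedNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, LPCVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesWritten)
 {
-WaitForSingleObject(Mutex5, INFINITE);
+WaitForSingleObject(Mutex6, INFINITE);
 if (GetProcessId(ProcessHandle) == GetCurrentProcessId())
 {
 if ((int)(BaseAddress) == (int)(NtCreateFileAddress) || (int)(BaseAddress) == (int)(NtResumeThreadAddress) || (int)(BaseAddress) == (int)(NtSetValueKeyAddress) || (int)(BaseAddress) == (int)(NtWriteVirtualMemory) || (int)(BaseAddress) == (int)(NtProtectVirtualMemory))
 {
-ReleaseMutex(Mutex5);
+ReleaseMutex(Mutex6);
 return STATUS_ACCESS_DENIED;
 }
 }
-ReleaseMutex(Mutex5);
+ReleaseMutex(Mutex6);
 return OriginalNtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, BufferSize, NumberOfBytesWritten);
 }
 
 void CheckHook()
 {
 NtCreateFileAddress = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtCreateFile");
+NtOpenFileAddress = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtOpenFile");
 NtResumeThreadAddress = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtResumeThread");
 NtSetValueKeyAddress = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtSetValueKey");
 NtWriteVirtualMemory = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWriteVirtualMemory");
 NtProtectVirtualMemory = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
-const char* Functions[] = { "NtCreateFile", "NtResumeThread", "NtSetValueKey", "NtProtectVirtualMemory", "NtWriteVirtualMemory" };
+const char* Functions[] = { "NtCreateFile", "NtOpenFile", "NtResumeThread", "NtSetValueKey", "NtProtectVirtualMemory", "NtWriteVirtualMemory" };
 const int Size = sizeof(Functions) / sizeof(Functions[0]);
 while (true)
 {
@@ -440,6 +468,8 @@ void HookingThread()
 DetourUpdateThread(GetCurrentThread());
 OriginalNtCreateFile = reinterpret_cast<RealNtCreateFile>(DetourFindFunction("ntdll.dll", "NtCreateFile"));
 DetourAttach(&(LPVOID&)OriginalNtCreateFile, HookedNtCreateFile);
+OriginalNtOpenFile = reinterpret_cast<RealNtOpenFile>(DetourFindFunction("ntdll.dll", "NtOpenFile"));
+DetourAttach(&(LPVOID&)OriginalNtOpenFile, HookedNtOpenFile);
 if (!Mini)
 {
 OriginalNtResumeThread = reinterpret_cast<RealNtResumeThread>(DetourFindFunction("ntdll.dll", "NtResumeThread"));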
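Review bot: The notification guard in HookedNtOpenFile tests `AlreadyShown2` but the assignment at new line 357 sets `AlreadyShown`, so the restricted-path notification is shown on every denied NtOpenFile and the other flag — which looks like the NtCreateFile hook's counterpart, declared outside this hunk — is set as a side effect; the line should read `AlreadyShown2 = TRUE;`. The self-protection guard in HookedNtProtectVirtualMemory (new line 413) was extended with NtOpenFileAddress, but the parallel guard in HookedNtWriteVirtualMemory (line 428, context) was not, so the new hook's entry point is not covered by the in-process write check; add `(int)(BaseAddress) == (int)(NtOpenFileAddress)` there to keep the two guards consistent. Both guards compare addresses through `(int)`, which on a 64-bit build keeps only the low 32 bits of each pointer and can yield false matches or misses; comparing as `uintptr_t` (or the `PVOID`/`FARPROC` values directly) would be exact. The same commit also flips the shipped defaults to `XMode = TRUE` / `Mini = FALSE`, which changes which hooks HookingThread installs under `if (!Mini)`, and that behavioural change is not mentioned in the commit message. HookedNtCreateFile's body starts before the hunk and HookedNtResumeThread's continues past it.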
