Skip to content

Improve log args for a few hooks: #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: capemon
Choose a base branch
from
Open

Improve log args for a few hooks: #94

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4892e52
Improve log args for a few hooks:
KillerInstinct Apr 16, 2025
64de460
Fix autocomplete typos, tks Gemini
KillerInstinct Apr 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
95 changes: 84 additions & 11 deletions hook_process.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -898,8 +898,27 @@ HOOKDEF(NTSTATUS, WINAPI, NtReadVirtualMemory,
ENSURE_SIZET(NumberOfBytesRead);

ret = Old_NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesRead);
DWORD pid = pid_from_process_handle(ProcessHandle);

LOQ_ntstatus("process", "pphB", "ProcessHandle", ProcessHandle, "BaseAddress", BaseAddress, "Size", NumberOfBytesToRead, "Buffer", NumberOfBytesRead, Buffer);
if (pid != GetCurrentProcessId()) {
LOQ_ntstatus(
"process", "piphB",
"ProcessHandle", ProcessHandle,
"ProcessId", pid,
"BaseAddress", BaseAddress,
"Size", NumberOfBytesToRead,
"Buffer", NumberOfBytesRead, Buffer
);
}
else {
LOQ_ntstatus(
"process", "piphB",
"ProcessHandle", ProcessHandle,
"BaseAddress", BaseAddress,
"Size", NumberOfBytesToRead,
"Buffer", NumberOfBytesRead, Buffer
);
}
Comment on lines +903 to +921
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The LOQ_ntstatus calls are identical in both the if and else blocks, except for the inclusion of ProcessId in the if block. This redundancy can be eliminated by moving the LOQ_ntstatus call outside the conditional and conditionally including the ProcessId argument in the format string.

Suggested change
if (pid != GetCurrentProcessId()) {
LOQ_ntstatus(
"process", "piphB",
"ProcessHandle", ProcessHandle,
"ProcessId", pid,
"BaseAddress", BaseAddress,
"Size", NumberOfBytesToRead,
"Buffer", NumberOfBytesRead, Buffer
);
}
else {
LOQ_ntstatus(
"process", "piphB",
"ProcessHandle", ProcessHandle,
"BaseAddress", BaseAddress,
"Size", NumberOfBytesToRead,
"Buffer", NumberOfBytesRead, Buffer
);
}
DWORD pid = pid_from_process_handle(ProcessHandle);
LOQ_ntstatus(
"process", pid != GetCurrentProcessId() ? "piphB" : "pphB",
"ProcessHandle", ProcessHandle,
pid != GetCurrentProcessId() ? "ProcessId" : NULL, pid != GetCurrentProcessId() ? pid : 0,
"BaseAddress", BaseAddress,
"Size", NumberOfBytesToRead,
"Buffer", NumberOfBytesRead, Buffer
);


return ret;
}
Expand All @@ -915,8 +934,28 @@ HOOKDEF(BOOL, WINAPI, ReadProcessMemory,
ENSURE_SIZET(lpNumberOfBytesRead);

ret = Old_ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead);

LOQ_bool("process", "pphB", "ProcessHandle", hProcess, "BaseAddress", lpBaseAddress, "Size", nSize, "Buffer", lpNumberOfBytesRead, lpBuffer);
DWORD pid = pid_from_process_handle(hProcess);

if (pid != GetCurrentProcessId()) {
LOQ_bool(
"process", "pphB",
"ProcessHandle", hProcess,
"BaseAddress", lpBaseAddress,
"Size", nSize,
"Buffer", lpNumberOfBytesRead, lpBuffer,
"ProcessId", pid
);
}
else {
LOQ_bool(
"process", "pphB",
"ProcessHandle", hProcess,
"BaseAddress", lpBaseAddress,
"Size", nSize,
"Buffer", lpNumberOfBytesRead, lpBuffer,
"ProcessId", pid
);
Comment on lines +939 to +957
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Similar to the previous comment, the LOQ_bool calls are redundant. Move the call outside the conditional and conditionally include the ProcessId argument.

Suggested change
if (pid != GetCurrentProcessId()) {
LOQ_bool(
"process", "pphB",
"ProcessHandle", hProcess,
"BaseAddress", lpBaseAddress,
"Size", nSize,
"Buffer", lpNumberOfBytesRead, lpBuffer,
"ProcessId", pid
);
}
else {
LOQ_bool(
"process", "pphB",
"ProcessHandle", hProcess,
"BaseAddress", lpBaseAddress,
"Size", nSize,
"Buffer", lpNumberOfBytesRead, lpBuffer,
"ProcessId", pid
);
DWORD pid = pid_from_process_handle(hProcess);
LOQ_bool(
"process", pid != GetCurrentProcessId() ? "pphB" : "pphB",
"ProcessHandle", hProcess,
"BaseAddress", lpBaseAddress,
"Size", nSize,
"Buffer", lpNumberOfBytesRead, lpBuffer,
pid != GetCurrentProcessId() ? "ProcessId" : NULL, pid
);

}

return ret;
}
Expand All @@ -937,12 +976,27 @@ HOOKDEF(NTSTATUS, WINAPI, NtWriteVirtualMemory,

pid = pid_from_process_handle(ProcessHandle);

LOQ_ntstatus("process", "ppBhs",
"ProcessHandle", ProcessHandle,
"BaseAddress", BaseAddress,
"Buffer", NumberOfBytesWritten, Buffer,
"BufferLength", is_valid_address_range((ULONG_PTR)NumberOfBytesWritten, 4) ? *NumberOfBytesWritten : 0,
"StackPivoted", is_stack_pivoted() ? "yes" : "no");
if (pid != GetCurrentProcess()) {
LOQ_ntstatus(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The code uses GetCurrentProcess() instead of GetCurrentProcessId(). GetCurrentProcess() returns a pseudo-handle, not the process ID. This is incorrect.

Suggested change
if (pid != GetCurrentProcess()) {
LOQ_ntstatus(
if (pid != GetCurrentProcessId()) {

"process", "pipBhs",
"ProcessHandle", ProcessHandle,
"ProcessId", pid,
"BaseAddress", BaseAddress,
"Buffer", NumberOfBytesWritten, Buffer,
"BufferLength", is_valid_address_range((ULONG_PTR)NumberOfBytesWritten, 4) ? *NumberOfBytesWritten : 0,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);
}
else {
LOQ_ntstatus(
"process", "pipBhs",
"ProcessHandle", ProcessHandle,
"BaseAddress", BaseAddress,
"Buffer", NumberOfBytesWritten, Buffer,
"BufferLength", is_valid_address_range((ULONG_PTR)NumberOfBytesWritten, 4) ? *NumberOfBytesWritten : 0,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);
Comment on lines +980 to +998
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Similar to the previous comments, the LOQ_ntstatus calls are redundant. Move the call outside the conditional and conditionally include the ProcessId argument in the format string.

Suggested change
LOQ_ntstatus(
"process", "pipBhs",
"ProcessHandle", ProcessHandle,
"ProcessId", pid,
"BaseAddress", BaseAddress,
"Buffer", NumberOfBytesWritten, Buffer,
"BufferLength", is_valid_address_range((ULONG_PTR)NumberOfBytesWritten, 4) ? *NumberOfBytesWritten : 0,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);
}
else {
LOQ_ntstatus(
"process", "pipBhs",
"ProcessHandle", ProcessHandle,
"BaseAddress", BaseAddress,
"Buffer", NumberOfBytesWritten, Buffer,
"BufferLength", is_valid_address_range((ULONG_PTR)NumberOfBytesWritten, 4) ? *NumberOfBytesWritten : 0,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);
pid = pid_from_process_handle(ProcessHandle);
LOQ_ntstatus(
"process", pid != GetCurrentProcessId() ? "pipBhs" : "ppBhs",
"ProcessHandle", ProcessHandle,
pid != GetCurrentProcessId() ? "ProcessId" : NULL, pid != GetCurrentProcessId() ? pid : 0,
"BaseAddress", BaseAddress,
"Buffer", NumberOfBytesWritten, Buffer,
"BufferLength", is_valid_address_range((ULONG_PTR)NumberOfBytesWritten, 4) ? *NumberOfBytesWritten : 0,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);

}

if (pid != GetCurrentProcessId() && NT_SUCCESS(ret)) {
if (g_config.injection)
Expand Down Expand Up @@ -970,8 +1024,27 @@ HOOKDEF(BOOL, WINAPI, WriteProcessMemory,

pid = pid_from_process_handle(hProcess);

LOQ_bool("process", "ppBhs", "ProcessHandle", hProcess, "BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesWritten, lpBuffer, "BufferLength", *lpNumberOfBytesWritten, "StackPivoted", is_stack_pivoted() ? "yes" : "no");
if (pid != GetCurrentProcess()) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The code uses GetCurrentProcess() instead of GetCurrentProcessId(). GetCurrentProcess() returns a pseudo-handle, not the process ID. This is incorrect.

Suggested change
if (pid != GetCurrentProcess()) {
if (pid != GetCurrentProcessId()) {

LOQ_bool(
"process", "pipBhs",
"ProcessHandle", hProcess,
"ProcessId", pid,
"BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesWritten, lpBuffer,
"BufferLength", *lpNumberOfBytesWritten,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);
}
else {
LOQ_bool(
"process", "ppBhs",
"ProcessHandle", hProcess,
"BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesWritten, lpBuffer,
"BufferLength", *lpNumberOfBytesWritten,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);
Comment on lines +1028 to +1046
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Similar to the previous comments, the LOQ_bool calls are redundant. Move the call outside the conditional and conditionally include the ProcessId argument.

Suggested change
LOQ_bool(
"process", "pipBhs",
"ProcessHandle", hProcess,
"ProcessId", pid,
"BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesWritten, lpBuffer,
"BufferLength", *lpNumberOfBytesWritten,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);
}
else {
LOQ_bool(
"process", "ppBhs",
"ProcessHandle", hProcess,
"BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesWritten, lpBuffer,
"BufferLength", *lpNumberOfBytesWritten,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);
pid = pid_from_process_handle(hProcess);
LOQ_bool(
"process", pid != GetCurrentProcessId() ? "pipBhs" : "ppBhs",
"ProcessHandle", hProcess,
pid != GetCurrentProcessId() ? "ProcessId" : NULL, pid != GetCurrentProcessId() ? pid : 0,
"BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesWritten, lpBuffer,
"BufferLength", *lpNumberOfBytesWritten,
"StackPivoted", is_stack_pivoted() ? "yes" : "no"
);

}

if (pid != GetCurrentProcessId() && ret) {
if (g_config.injection)
Expand Down
164 changes: 150 additions & 14 deletions hook_thread.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -286,8 +286,8 @@ HOOKDEF(NTSTATUS, WINAPI, NtOpenThread,
}

if (ClientId) {
LOQ_ntstatus("threading", "Phiii", "ThreadHandle", ThreadHandle, "DesiredAccess", DesiredAccess,
"ProcessId", pid, "ThreadId", tid, "ProcessId", pid);
LOQ_ntstatus("threading", "Phii", "ThreadHandle", ThreadHandle, "DesiredAccess", DesiredAccess,
"ProcessId", pid, "ThreadId", tid);
} else {
LOQ_ntstatus("threading", "PhOi", "ThreadHandle", ThreadHandle, "DesiredAccess", DesiredAccess,
"ObjectAttributes", ObjectAttributes, "ProcessId", pid);
Expand All @@ -306,16 +306,83 @@ HOOKDEF(NTSTATUS, WINAPI, NtGetContextThread,

NTSTATUS ret = Old_NtGetContextThread(ThreadHandle, Context);
DWORD pid = pid_from_thread_handle(ThreadHandle);
if (Context && Context->ContextFlags & CONTEXT_CONTROL)
if (Context && (Context->ContextFlags & (CONTEXT_CONTROL | CONTEXT_INTEGER)) == (CONTEXT_CONTROL | CONTEXT_INTEGER))
#ifdef _WIN64
LOQ_ntstatus("threading", "pppi", "ThreadHandle", ThreadHandle, "HollowedInstructionPointer",
Context->Rcx, "CurrentInstructionPointer", Context->Rip, "ProcessId", pid);
LOQ_ntstatus(
"threading", "pppppppii",
"ThreadHandle", ThreadHandle,
"InstructionPointer", Context->Rip,
"Rax", Context->Rax,
"Rbx", Context->Rbx,
"Rcx", Context->Rcx,
"Rdx", Context->Rdx,
"Rsp", Context->Rsp,
"ProcessId", pid,
"ThreadId", tid
);
#else
LOQ_ntstatus("threading", "pppi", "ThreadHandle", ThreadHandle, "HollowedInstructionPointer",
Context->Eax, "CurrentInstructionPointer", Context->Eip, "ProcessId", pid);
LOQ_ntstatus(
"threading", "pppppppii",
"ThreadHandle", ThreadHandle,
"InstructionPointer", Context->Eip,
"Eax", Context->Eax,
"Ebx", Context->Ebx,
"Ecx", Context->Ecx,
"Edx", Context->Edx,
"Esp", Context->Esp,
"ProcessId", pid,
"ThreadId", tid
);
#endif
else
LOQ_ntstatus("threading", "pi", "ThreadHandle", ThreadHandle, "ProcessId", pid);
else if (Context && (Context->ContextFlags & CONTEXT_INTEGER)) {
#ifdef _WIN64
LOQ_ntstatus(
"threading", "pppppii",
"ThreadHandle", ThreadHandle,
"Rax", Context->Rax,
"Rbx", Context->Rbx,
"Rcx", Context->Rcx,
"Rdx", Context->Rdx,
"ProcessId", pid,
"ThreadId", tid
);
#else
LOQ_ntstatus(
"threading", "pppppii",
"ThreadHandle", ThreadHandle,
"Eax", Context->Eax,
"Ebx", Context->Ebx,
"Ecx", Context->Ecx,
"Edx", Context->Edx,
"ProcessId", pid,
"ThreadId", tid
);
#endif
}
else if (Context && (Context->ContextFlags & CONTEXT_CONTROL)) {
#ifdef _WIN64
LOQ_ntstatus(
"threading", "pppii",
"ThreadHandle", ThreadHandle,
"InstructionPointer", Context->Rip,
"Rsp", Context->Rsp,
"ProcessId", pid,
"ThreadId", tid
);
#else
LOQ_ntstatus(
"threading", "pppii",
"ThreadHandle", ThreadHandle,
"InstructionPointer", Context->Eip,
"Esp", Context->Esp,
"ProcessId", pid,
"ThreadId", tid
);
#endif
}
else {
LOQ_ntstatus("threading", "pii", "ThreadHandle", ThreadHandle, "ProcessId", pid, "ThreadId", tid);
}

GetThreadContextHandler(pid, Context);

Expand Down Expand Up @@ -370,14 +437,83 @@ HOOKDEF(NTSTATUS, WINAPI, NtSetContextThread,

ret = Old_NtSetContextThread(ThreadHandle, Context);

if (Context && Context->ContextFlags & CONTEXT_CONTROL)
if (Context && (Context->ContextFlags & (CONTEXT_CONTROL | CONTEXT_INTEGER)) == (CONTEXT_CONTROL | CONTEXT_INTEGER))
#ifdef _WIN64
LOQ_ntstatus("threading", "pppp", "ThreadHandle", ThreadHandle, "HollowedInstructionPointer", Context->Rcx, "CurrentInstructionPointer", Context->Rip, "Flags", Context->ContextFlags);
LOQ_ntstatus(
"threading", "pppppppii",
"ThreadHandle", ThreadHandle,
"InstructionPointer", Context->Rip,
"Rax", Context->Rax,
"Rbx", Context->Rbx,
"Rcx", Context->Rcx,
"Rdx", Context->Rdx,
"Rsp", Context->Rsp,
"ProcessId", pid,
"ThreadId", tid
);
#else
LOQ_ntstatus("threading", "pppp", "ThreadHandle", ThreadHandle, "HollowedInstructionPointer", Context->Eax, "CurrentInstructionPointer", Context->Eip, "Flags", Context->ContextFlags);
LOQ_ntstatus(
"threading", "pppppppii",
"ThreadHandle", ThreadHandle,
"InstructionPointer", Context->Eip,
"Eax", Context->Eax,
"Ebx", Context->Ebx,
"Ecx", Context->Ecx,
"Edx", Context->Edx,
"Esp", Context->Esp,
"ProcessId", pid,
"ThreadId", tid
);
#endif
else
LOQ_ntstatus("threading", "p", "ThreadHandle", ThreadHandle);
else if (Context && (Context->ContextFlags & CONTEXT_INTEGER)) {
#ifdef _WIN64
LOQ_ntstatus(
"threading", "pppppii",
"ThreadHandle", ThreadHandle,
"Rax", Context->Rax,
"Rbx", Context->Rbx,
"Rcx", Context->Rcx,
"Rdx", Context->Rdx,
"ProcessId", pid,
"ThreadId", tid
);
#else
LOQ_ntstatus(
"threading", "pppppii",
"ThreadHandle", ThreadHandle,
"Eax", Context->Eax,
"Ebx", Context->Ebx,
"Ecx", Context->Ecx,
"Edx", Context->Edx,
"ProcessId", pid,
"ThreadId", tid
);
#endif
}
else if (Context && (Context->ContextFlags & CONTEXT_CONTROL)) {
#ifdef _WIN64
LOQ_ntstatus(
"threading", "pppii",
"ThreadHandle", ThreadHandle,
"InstructionPointer", Context->Rip,
"Rsp", Context->Rsp,
"ProcessId", pid,
"ThreadId", tid
);
#else
LOQ_ntstatus(
"threading", "pppii",
"ThreadHandle", ThreadHandle,
"InstructionPointer", Context->Eip,
"Esp", Context->Esp,
"ProcessId", pid,
"ThreadId", tid
);
#endif
}
else {
LOQ_ntstatus("threading", "pii", "ThreadHandle", ThreadHandle, "ProcessId", pid, "ThreadId", tid);
}

SetThreadContextHandler(pid, Context);
if (pid != GetCurrentProcessId())
Expand Down