This commit is contained in:
DavidXanatos 2021-12-12 18:09:26 +01:00
parent 36cc77873c
commit 48168984b0
2 changed files with 18 additions and 20 deletions


@ -282,10 +282,10 @@ _FX BOOLEAN Syscall_Init_List(void)
// preapre the enabled/disabled lists
//
//LIST enabled_hooks;
//LIST disabled_hooks;
//Syscall_LoadHookMap(L"EnableNtDllHook", &enabled_hooks);
//Syscall_LoadHookMap(L"DisableNtDllHook", &disabled_hooks);
LIST enabled_hooks;
LIST disabled_hooks;
Syscall_LoadHookMap(L"EnableNtDllHook", &enabled_hooks);
Syscall_LoadHookMap(L"DisableNtDllHook", &disabled_hooks);
//
// scan each ZwXxx export in NTDLL
@ -337,12 +337,11 @@ _FX BOOLEAN Syscall_Init_List(void)
goto next_zwxxx;
}
//BOOLEAN default_action = TRUE;
BOOLEAN install_hook = TRUE;
// ICD-10607 - McAfee uses it to pass its own data in the stack. The call is not important to us.
if ( IS_PROC_NAME(14, "YieldExecution"))
goto next_zwxxx;
// default_action = FALSE;
install_hook = FALSE;
//
// the Google Chrome "wow_helper" process expects NtMapViewOfSection
@ -352,17 +351,16 @@ _FX BOOLEAN Syscall_Init_List(void)
//
if ( IS_PROC_NAME(16, "MapViewOfSection"))
goto next_zwxxx;
// default_action = FALSE;
install_hook = FALSE;
//
// check our custom map
//
//if (!Syscall_TestHookMap(name, name_len, &enabled_hooks, &disabled_hooks, default_action)) {
// //DbgPrint(" NtDll Hook disabled for %s\n", name);
// goto next_zwxxx;
//}
if (!Syscall_TestHookMap(name, name_len, &enabled_hooks, &disabled_hooks, install_hook)) {
//DbgPrint(" NtDll Hook disabled for %s\n", name);
goto next_zwxxx;
}
//DbgPrint(" NtDll Hook enabled for %s\n", name);
//
@ -451,8 +449,8 @@ next_zwxxx:
finish:
//Syscall_FreeHookMap(&enabled_hooks);
//Syscall_FreeHookMap(&disabled_hooks);
Syscall_FreeHookMap(&enabled_hooks);
Syscall_FreeHookMap(&disabled_hooks);
return success;
}
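Review bot: The `finish:` label now frees `enabled_hooks` and `disabled_hooks`, but those lists are declared and populated only at the "prepare the enabled/disabled lists" point well into Syscall_Init_List (its body starts and ends outside these hunks); if any earlier exit jumps to `finish` before the two `Syscall_LoadHookMap` calls, `Syscall_FreeHookMap` runs on uninitialized LIST objects. Moving the two declarations to the top of the function with an explicit empty-list initialization, or guarding the frees with a flag set after the loads succeed, would make the cleanup path safe regardless of where the function bails out. Separately, the second and third hunks appear to replace the unconditional `goto next_zwxxx` for YieldExecution and MapViewOfSection with `install_hook = FALSE`, so an EnableNtDllHook entry can now hook two calls whose surrounding comments say must be left alone for McAfee and Chrome's wow_helper; those comments should state that the exclusion is now only a default, e.g. `// not hooked by default; an EnableNtDllHook entry can override this`.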


@ -148,7 +148,7 @@ _FX BOOLEAN Syscall_Init_List32(void)
Syscall_LoadHookMap(L"EnableWin32Hook", &enabled_hooks);
Syscall_LoadHookMap(L"DisableWin32Hook", &disabled_hooks);
//BOOLEAN ignore_hook_blacklist = Conf_Get_Boolean(NULL, L"IgnoreHookBlacklist", 0, FALSE);
BOOLEAN ignore_hook_blacklist = Conf_Get_Boolean(NULL, L"IgnoreWin32HookBlacklist", 0, FALSE);
//
// get the syscall table
@ -237,7 +237,7 @@ _FX BOOLEAN Syscall_Init_List32(void)
#define IS_PROC_NAME(ln,nm) (name_len == ln && memcmp(name, nm, ln) == 0)
//if(!ignore_hook_blacklist)
if (!ignore_hook_blacklist)
if ( IS_PROC_NAME(18, "UserCreateWindowEx")
|| IS_PROC_NAME( 7, "GdiInit") // bsod
@ -256,12 +256,12 @@ _FX BOOLEAN Syscall_Init_List32(void)
//
// Chrome and msedge need GdiDdDDI to be hooked in order for
// the HW acceleration to work
// the HW acceleration to work.
//
BOOLEAN default_action = IS_PROC_PREFIX(8, "GdiDdDDI");
BOOLEAN install_hook = IS_PROC_PREFIX(8, "GdiDdDDI");
if (!Syscall_TestHookMap(name, name_len, &enabled_hooks, &disabled_hooks, default_action)) {
if (!Syscall_TestHookMap(name, name_len, &enabled_hooks, &disabled_hooks, install_hook)) {
//DbgPrint(" Win32k Hook disabled for %s\n", name);
goto next_ntxxx;
}