AppInitHook
Global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process.
Building & Usage
cmake -B build
cmake --build build --config ReleaseAlternatively you can open this folder in a CMake-supported IDE (Visual Studio, CLion, Qt Creator, etc).
The first time you use this framework you need to build and register AppInitDispatcher.dll in the AppInitDLLs registry key. You can do so by building the register_AppInitDLLs target. This will also create AppInitHook.ini in your build folder where you can customize which module gets loaded in which process:
[TestLoader.exe]
Module=ExitProcess.dllNow if you run the TestLoader target you should see it exits immediately instead of showing a Hello world! message box.
Debugging
You can use DebugView with the filter [AppInitHook]* to see the dlog and dlogp messages, or you can break on DLL load of AppInitDispatcher.dll in x64dbg.
Developing modules
The AppInitExampleModule hooks SetCurrentDirectoryW:
#include "HookDll.hpp"
/* MSDN Signature:
BOOL SetCurrentDirectory(
LPCTSTR lpPathName
);
*/
HOOK(kernelbase.dll, BOOL WINAPI, SetCurrentDirectoryW)(
LPCWSTR lpPathName
)
{
dlogp("'%S'", lpPathName);
return original_SetCurrentDirectoryW(lpPathName);
}
BOOL WINAPI DllMain(
_In_ HINSTANCE hinstDLL,
_In_ DWORD fdwReason,
_In_ LPVOID lpvReserved
)
{
return HookDllMain(hinstDLL, fdwReason, lpvReserved);
}For more examples you can check the Modules folder.
Private Modules
If you enable -DAPPINITHOOK_PRIVATE_MODULES=ON it will look for Private/cmake.toml where you can add your own modules:
[target.MyPrivateModule]
type = "shared"
sources = ["MyPrivateModule/*.cpp", "MyPrivateModule/*.hpp"]
link-libraries = ["HookDll"]You can set up your own private git repository in this folder if you desire, since the folder is fully ignored by the .gitignore of this project.
Credits
- MinHook by Tsuda Kageyu
ntdll.hby Matthijs Lavrijsen- Can BΓΆlΓΌk for helping with the
HOOKmacro