diff --git a/3rdparty/ntdll/ntdll.h b/3rdparty/ntdll/ntdll.h
index 575a09a5..a89b1106 100644
--- a/3rdparty/ntdll/ntdll.h
+++ b/3rdparty/ntdll/ntdll.h
@@ -4607,6 +4607,26 @@ HANDLE
 _In_ WINDOWINFOCLASS WindowInfo
 );
+typedef enum _THREAD_STATE_ROUTINE
+{
+ THREADSTATE_GETTHREADINFO,
+ THREADSTATE_ACTIVEWINDOW
+} THREAD_STATE_ROUTINE;
+
+// GetActiveWindow
+typedef
+ULONG_PTR
+(NTAPI
+*t_NtUserGetThreadState)(
+ THREAD_STATE_ROUTINE Routine
+ );
+
+typedef
+HWND
+(NTAPI
+*t_NtUserGetForegroundWindow)(
+ );
+
 typedef
 int
 (NTAPI
diff --git a/ConfigCollection/scylla_hide.ini b/ConfigCollection/scylla_hide.ini
index 2ae2cffa..2e623178 100644
--- a/ConfigCollection/scylla_hide.ini
+++ b/ConfigCollection/scylla_hide.ini
@@ -24,6 +24,7 @@ NtSetInformationThreadHook=1
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -60,7 +61,7 @@ skipCompressedDoNothing=0
 skipLoadDllDoLoad=0
 skipLoadDllDoNothing=0
 advancedInfobar=0
-[Obsidium x86]
+[Obsidium x86/x64]
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -84,6 +85,7 @@ NtSetInformationThreadHook=0
 NtUserBuildHwndListHook=1
 NtUserFindWindowExHook=1
 NtUserQueryWindowHook=1
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -101,7 +103,7 @@ RemoveEPBreak=0
 SkipEPOutsideCode=1
 X64Fix=1
 WindowTitle=Obsidium
-[Themida x86]
+[Themida x86/x64]
 DLLNormal=1
 DLLStealth=0
 DLLUnload=0
@@ -127,6 +129,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=1
 NtUserFindWindowExHook=1
 NtUserQueryWindowHook=1
+NtUserGetForegroundWindowHook=1
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -170,6 +173,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=1
 PebBeingDebugged=1
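Review bot: `*t_NtUserGetForegroundWindow)( );` leaves the parameter list empty, which in a C translation unit declares a function with unspecified arguments rather than a zero-argument one; for a header in this C-style `NTAPI` prototype set I would write `*t_NtUserGetForegroundWindow)(VOID);`. The `// GetActiveWindow` comment is attached to the `t_NtUserGetThreadState` typedef, but what it describes is the `THREADSTATE_ACTIVEWINDOW` selector that the new hook passes; the hook only depends on that member being ordinal 1, so pin it explicitly and move the comment onto it, e.g. `THREADSTATE_ACTIVEWINDOW = 1, // selector behind GetActiveWindow`. The name given to ordinal 0, `THREADSTATE_GETTHREADINFO`, is not something I can verify from this diff, so it should either cite where it came from or be marked as a placeholder.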
@@ -212,6 +216,7 @@ NtSetInformationProcessHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=1
@@ -272,6 +277,7 @@ NtUserBlockInputHook=0
 NtUserBuildHwndListHook=0
 NtUserFindWindowExHook=0
 NtUserQueryWindowHook=0
+NtUserGetForegroundWindowHook=0
 NtYieldExecutionHook=0
 OutputDebugStringHook=0
 PebBeingDebugged=0
diff --git a/HookLibrary/Export.def b/HookLibrary/Export.def
index d16be8b6..c9b1879e 100644
--- a/HookLibrary/Export.def
+++ b/HookLibrary/Export.def
@@ -26,6 +26,7 @@ HookedNtUserBlockInput
 HookedNtUserBuildHwndList
 HookedNtUserBuildHwndList_Eight
 HookedNtUserFindWindowEx
+HookedNtUserGetForegroundWindow
 HookedNtUserQueryWindow
 HookedNtYieldExecution
 HookedOutputDebugStringA
diff --git a/HookLibrary/HookMain.h b/HookLibrary/HookMain.h
index 015a75eb..fee4031e 100644
--- a/HookLibrary/HookMain.h
+++ b/HookLibrary/HookMain.h
@@ -56,13 +56,16 @@ typedef struct _HOOK_DLL_DATA {
 //Native user32.dll/win32u.dll functions
 ULONG_PTR NtUserBlockInputVA;
 ULONG_PTR NtUserQueryWindowVA;
+ ULONG_PTR NtUserGetForegroundWindowVA;
 ULONG_PTR NtUserBuildHwndListVA;
 ULONG_PTR NtUserFindWindowExVA;
 ULONG_PTR NtUserGetClassNameVA;
 ULONG_PTR NtUserInternalGetWindowTextVA;
+ ULONG_PTR NtUserGetThreadStateVA;
 BOOLEAN EnableNtUserBlockInputHook;
 BOOLEAN EnableNtUserQueryWindowHook;
+ BOOLEAN EnableNtUserGetForegroundWindowHook;
 BOOLEAN EnableNtUserBuildHwndListHook;
 BOOLEAN EnableNtUserFindWindowExHook;
 BOOLEAN EnableNtSetDebugFilterStateHook;
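Review bot: The new `NtUserGetThreadStateVA` is the only entry added to this block without a matching `Enable…Hook` flag, because the hook library calls that syscall stub instead of hooking it; a one-line comment would stop the next reader from hunting for the missing flag and backup-size field, e.g. `ULONG_PTR NtUserGetThreadStateVA; // called from HookedNtUserGetForegroundWindow, never hooked itself`. Inserting the three fields mid-struct also changes the layout of `HOOK_DLL_DATA`, which the injector presumably copies into the target process, so the hook DLL and injector have to be rebuilt together for this commit. `_HOOK_DLL_DATA` continues past this hunk.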
@@ -142,11 +145,14 @@ typedef struct _HOOK_DLL_DATA {
 DWORD NtUserBuildHwndListBackupSize;
 t_NtUserQueryWindow dNtUserQueryWindow;
 DWORD NtUserQueryWindowBackupSize;
+ t_NtUserGetForegroundWindow dNtUserGetForegroundWindow;
+ DWORD NtUserGetForegroundWindowBackupSize;
 t_NtUserQueryWindow NtUserQueryWindow;
 t_NtUserGetClassName NtUserGetClassName;
 t_NtUserInternalGetWindowText NtUserInternalGetWindowText;
+ t_NtUserGetThreadState NtUserGetThreadState;
 DWORD dwProtectedProcessId;
 BOOLEAN EnableProtectProcessId;
diff --git a/HookLibrary/HookedFunctions.cpp b/HookLibrary/HookedFunctions.cpp
index f1d7ab34..2c1827b3 100644
--- a/HookLibrary/HookedFunctions.cpp
+++ b/HookLibrary/HookedFunctions.cpp
@@ -947,6 +947,16 @@ HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo)
 return HookDllData.dNtUserQueryWindow(hwnd, WindowInfo);
 }
+HWND NTAPI HookedNtUserGetForegroundWindow()
+{
+ HWND Hwnd = HookDllData.dNtUserGetForegroundWindow();
+ if (Hwnd != nullptr && IsWindowBad(Hwnd))
+ {
+ Hwnd = (HWND)HookDllData.NtUserGetThreadState(THREADSTATE_ACTIVEWINDOW);
+ }
+ return Hwnd;
+}
+
 //WIN XP: CreateThread -> CreateRemoteThread -> NtCreateThread
 NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended)
 {
@@ -1124,7 +1134,7 @@ NTSTATUS NTAPI HookedNtResumeThread(HANDLE ThreadHandle, PULONG PreviousSuspendC
 {
 DumpMalware(dwProcessId);
 TerminateProcessByProcessId(dwProcessId); //terminate it
- DbgPrint("Malware called ResumeThread");
+ DbgPrint((PCH)"Malware called ResumeThread");
 DbgBreakPoint();
 return STATUS_SUCCESS;
 }
diff --git a/HookLibrary/HookedFunctions.h b/HookLibrary/HookedFunctions.h
index b82eb8fa..a62c0e67 100644
--- a/HookLibrary/HookedFunctions.h
+++ b/HookLibrary/HookedFunctions.h
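Review bot: `HookedNtUserGetForegroundWindow` calls `HookDllData.NtUserGetThreadState` without checking that the pointer was ever resolved; the VA behind it is filled by `ReadNtApiInformation`, whose lookup can fail and leave the field at zero, and there is no separate enable flag for it, so the first `GetForegroundWindow` that lands on a debugger window becomes a call through a null pointer inside the debuggee. A null result is a legitimate `GetForegroundWindow` return, so fall back to that rather than crash: `Hwnd = HookDllData.NtUserGetThreadState ? (HWND)HookDllData.NtUserGetThreadState(THREADSTATE_ACTIVEWINDOW) : nullptr;`. The substitution also deserves a header comment, since the debuggee is handed its own thread's active window in place of the debugger's, and that value can itself be NULL when the caller owns no active window; something like `// Hide the debugger: when the real foreground window is one of ours, report the calling thread's active window instead (may be NULL).`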
@@ -47,6 +47,7 @@ NTSTATUS NTAPI HookedNtUserBuildHwndList_Eight(HDESK hDesktop, HWND hwndParent,
 NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended);
 NTSTATUS NTAPI HookedNtCreateThreadEx(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PUSER_THREAD_START_ROUTINE StartRoutine,PVOID Argument,ULONG CreateFlags,ULONG_PTR ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,PPS_ATTRIBUTE_LIST AttributeList);
 HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo);
+HWND NTAPI HookedNtUserGetForegroundWindow();
 BOOL NTAPI HookedNtUserBlockInput(BOOL fBlockIt);
diff --git a/InjectorCLI/ApplyHooking.cpp b/InjectorCLI/ApplyHooking.cpp
index cbe2261b..285d7268 100644
--- a/InjectorCLI/ApplyHooking.cpp
+++ b/InjectorCLI/ApplyHooking.cpp
@@ -50,6 +50,7 @@ t_NtUserBlockInput _NtUserBlockInput = 0;
 t_NtUserBuildHwndList _NtUserBuildHwndList = 0;
 t_NtUserFindWindowEx _NtUserFindWindowEx = 0;
 t_NtUserQueryWindow _NtUserQueryWindow = 0;
+t_NtUserGetForegroundWindow _NtUserGetForegroundWindow = 0;
 t_NtSetInformationThread _NtSetInformationThread = 0;
 t_NtQuerySystemInformation _NtQuerySystemInformation = 0;
@@ -406,28 +407,33 @@ bool ApplyUserHook(HOOK_DLL_DATA * hdd, HANDLE hProcess, BYTE * dllMemory, DWORD
 void * HookedNtUserBuildHwndList = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserBuildHwndList") + imageBase);
 void * HookedNtUserBuildHwndList_Eight = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserBuildHwndList_Eight") + imageBase);
 void * HookedNtUserQueryWindow = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserQueryWindow") + imageBase);
+ void * HookedNtUserGetForegroundWindow = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtUserGetForegroundWindow") + imageBase);
- g_log.LogDebug(L"ApplyUserHook -> HookedNtUserBlockInput %p HookedNtUserFindWindowEx %p HookedNtUserBuildHwndList %p HookedNtUserBuildHwndList_Eight %p HookedNtUserQueryWindow %p",
+ g_log.LogDebug(L"ApplyUserHook -> HookedNtUserBlockInput %p HookedNtUserFindWindowEx %p HookedNtUserBuildHwndList %p HookedNtUserBuildHwndList_Eight %p HookedNtUserQueryWindow %p HookedNtUserGetForegroundWindow %p",
 HookedNtUserBlockInput,
 HookedNtUserFindWindowEx,
 HookedNtUserBuildHwndList,
 HookedNtUserBuildHwndList_Eight,
- HookedNtUserQueryWindow);
+ HookedNtUserQueryWindow,
+ HookedNtUserGetForegroundWindow);
 _NtUserBlockInput = (t_NtUserBlockInput)hdd->NtUserBlockInputVA;
 _NtUserFindWindowEx = (t_NtUserFindWindowEx)hdd->NtUserFindWindowExVA;
 _NtUserBuildHwndList = (t_NtUserBuildHwndList)hdd->NtUserBuildHwndListVA;
 _NtUserQueryWindow = (t_NtUserQueryWindow)hdd->NtUserQueryWindowVA;
+ _NtUserGetForegroundWindow = (t_NtUserGetForegroundWindow)hdd->NtUserGetForegroundWindowVA;
 hdd->NtUserQueryWindow = _NtUserQueryWindow;
 hdd->NtUserGetClassName = (t_NtUserGetClassName)hdd->NtUserGetClassNameVA;
 hdd->NtUserInternalGetWindowText = (t_NtUserInternalGetWindowText)hdd->NtUserInternalGetWindowTextVA;
+ hdd->NtUserGetThreadState = (t_NtUserGetThreadState)hdd->NtUserGetThreadStateVA;
- g_log.LogDebug(L"ApplyUserHook -> _NtUserBlockInput %p _NtUserFindWindowEx %p _NtUserBuildHwndList %p _NtUserQueryWindow %p",
+ g_log.LogDebug(L"ApplyUserHook -> _NtUserBlockInput %p _NtUserFindWindowEx %p _NtUserBuildHwndList %p _NtUserQueryWindow %p _NtUserGetForegroundWindow %p",
 _NtUserBlockInput,
 _NtUserFindWindowEx,
 _NtUserBuildHwndList,
- _NtUserQueryWindow);
+ _NtUserQueryWindow,
+ _NtUserGetForegroundWindow);
 if (hdd->EnableNtUserBlockInputHook)
 {
@@ -454,6 +460,11 @@ bool ApplyUserHook(HOOK_DLL_DATA * hdd, HANDLE hProcess, BYTE * dllMemory, DWORD
 g_log.LogDebug(L"ApplyUserHook -> Hooking NtUserQueryWindow");
 HOOK_NATIVE(NtUserQueryWindow);
 }
+ if (hdd->EnableNtUserGetForegroundWindowHook)
+ {
+ g_log.LogDebug(L"ApplyUserHook -> Hooking NtUserGetForegroundWindow");
+ HOOK_NATIVE(NtUserGetForegroundWindow);
+ }
 hdd->isUserDllHooked = TRUE;
@@ -736,18 +747,21 @@ void RestoreUserHooks(HOOK_DLL_DATA * hdd, HANDLE hProcess)
 RESTORE_JMP(NtUserFindWindowEx);
 RESTORE_JMP(NtUserBuildHwndList);
 RESTORE_JMP(NtUserQueryWindow);
+ RESTORE_JMP(NtUserGetForegroundWindow);
 }
 #else
 RESTORE_JMP(NtUserBlockInput);
 RESTORE_JMP(NtUserFindWindowEx);
 RESTORE_JMP(NtUserBuildHwndList);
 RESTORE_JMP(NtUserQueryWindow);
+ RESTORE_JMP(NtUserGetForegroundWindow);
 #endif
 FREE_HOOK(NtUserBlockInput);
 FREE_HOOK(NtUserFindWindowEx);
 FREE_HOOK(NtUserBuildHwndList);
 FREE_HOOK(NtUserQueryWindow);
+ FREE_HOOK(NtUserGetForegroundWindow);
 hdd->isUserDllHooked = FALSE;
 }
diff --git a/InjectorCLI/CliMain.cpp b/InjectorCLI/CliMain.cpp
index 8e958c13..4dbaf259 100644
--- a/InjectorCLI/CliMain.cpp
+++ b/InjectorCLI/CliMain.cpp
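Review bot: The new `HOOK_NATIVE(NtUserGetForegroundWindow)` is gated on the option flag alone, but the replacement path inside that hook also needs `hdd->NtUserGetThreadStateVA`, which is copied into `hdd->NtUserGetThreadState` a few lines earlier with no zero check; installing the hook while that pointer is zero arms a crash in the debuggee that only fires when the debugger is in the foreground. Gate the install on both values, `if (hdd->EnableNtUserGetForegroundWindowHook && hdd->NtUserGetThreadStateVA != 0)`, and log an error in an else branch so a skipped hook shows up in the debug output next to the existing "Hooking …" lines. `ApplyUserHook` begins before this hunk and continues after it.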
@@ -306,6 +306,7 @@ void ReadSettings()
 g_hdd.EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList;
 g_hdd.EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx;
 g_hdd.EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow;
+ g_hdd.EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow;
 g_hdd.EnableNtYieldExecutionHook = g_settings.opts().hookNtYieldExecution;
 g_hdd.EnableOutputDebugStringHook = g_settings.opts().hookOutputDebugStringA;
 g_hdd.EnablePebBeingDebugged = g_settings.opts().fixPebBeingDebugged;
diff --git a/PluginGeneric/Injector.cpp b/PluginGeneric/Injector.cpp
index d350c0e1..9ac306c2 100644
--- a/PluginGeneric/Injector.cpp
+++ b/PluginGeneric/Injector.cpp
@@ -34,8 +34,10 @@ void ReadNtApiInformation(HOOK_DLL_DATA *hdd)
 "NtUserBuildHwndList",
 "NtUserFindWindowEx",
 "NtUserQueryWindow",
+ "NtUserGetForegroundWindow",
 "NtUserGetClassName",
- "NtUserInternalGetWindowText" }))
+ "NtUserInternalGetWindowText",
+ "NtUserGetThreadState" }))
 {
 g_log.LogError(L"Failed to find user32.dll/win32u.dll syscalls!");
 return;
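Review bot: Adding `NtUserGetForegroundWindow` and `NtUserGetThreadState` to the mandatory lookup list means that if either name cannot be resolved, the existing `LogError` + `return` path now abandons every user32/win32u VA, including the `NtUserQueryWindow`, `NtUserFindWindowEx` and `NtUserBuildHwndList` hooks that did not depend on these names before this commit, and it does so even when the new foreground-window option is switched off. Resolve the two new names as optional instead: look them up after the mandatory set succeeds, log a warning and leave their VA at zero on failure, so that only the new hook is lost on a system where they are missing. `ReadNtApiInformation` starts before this hunk.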
@@ -43,17 +45,21 @@ void ReadNtApiInformation(HOOK_DLL_DATA *hdd)
 hdd->NtUserBlockInputVA = user32Loader.GetUserSyscallVa("NtUserBlockInput");
 hdd->NtUserQueryWindowVA = user32Loader.GetUserSyscallVa("NtUserQueryWindow");
+ hdd->NtUserGetForegroundWindowVA = user32Loader.GetUserSyscallVa("NtUserGetForegroundWindow");
 hdd->NtUserBuildHwndListVA = user32Loader.GetUserSyscallVa("NtUserBuildHwndList");
 hdd->NtUserFindWindowExVA = user32Loader.GetUserSyscallVa("NtUserFindWindowEx");
 hdd->NtUserGetClassNameVA = user32Loader.GetUserSyscallVa("NtUserGetClassName");
 hdd->NtUserInternalGetWindowTextVA = user32Loader.GetUserSyscallVa("NtUserInternalGetWindowText");
+ hdd->NtUserGetThreadStateVA = user32Loader.GetUserSyscallVa("NtUserGetThreadState");
 g_log.LogInfo(L"Loaded VA for NtUserBlockInput = 0x%p", hdd->NtUserBlockInputVA);
 g_log.LogInfo(L"Loaded VA for NtUserQueryWindow = 0x%p", hdd->NtUserQueryWindowVA);
+ g_log.LogInfo(L"Loaded VA for NtUserGetForegroundWindow = 0x%p", hdd->NtUserGetForegroundWindowVA);
 g_log.LogInfo(L"Loaded VA for NtUserBuildHwndList = 0x%p", hdd->NtUserBuildHwndListVA);
 g_log.LogInfo(L"Loaded VA for NtUserFindWindowEx = 0x%p", hdd->NtUserFindWindowExVA);
 g_log.LogInfo(L"Loaded VA for NtUserGetClassName = 0x%p", hdd->NtUserGetClassNameVA);
 g_log.LogInfo(L"Loaded VA for NtUserInternalGetWindowText = 0x%p", hdd->NtUserInternalGetWindowTextVA);
+ g_log.LogInfo(L"Loaded VA for NtUserGetThreadState = 0x%p", hdd->NtUserGetThreadStateVA);
 }
 #ifndef _WIN64
@@ -641,6 +647,7 @@ void FillHookDllData(HANDLE hProcess, HOOK_DLL_DATA *hdd)
 hdd->EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx;
 hdd->EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList;
 hdd->EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow;
+ hdd->EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow;
 hdd->EnableNtSetDebugFilterStateHook = g_settings.opts().hookNtSetDebugFilterState;
 hdd->EnableGetTickCountHook = g_settings.opts().hookGetTickCount;
 hdd->EnableGetTickCount64Hook = g_settings.opts().hookGetTickCount64;
diff --git a/PluginGeneric/OptionsDialog.cpp b/PluginGeneric/OptionsDialog.cpp
index 4be177b0..98a33590 100644
--- a/PluginGeneric/OptionsDialog.cpp
+++ b/PluginGeneric/OptionsDialog.cpp
@@ -119,6 +119,7 @@ static void UpdateOptions(HWND hWnd, const scl::Settings *settings)
 CheckDlgButton(hWnd, IDC_NTUSERFINDWINDOWEX, opts->hookNtUserFindWindowEx);
 CheckDlgButton(hWnd, IDC_NTUSERBUILDHWNDLIST, opts->hookNtUserBuildHwndList);
 CheckDlgButton(hWnd, IDC_NTUSERQUERYWINDOW, opts->hookNtUserQueryWindow);
+ CheckDlgButton(hWnd, IDC_NTUSERGETFOREGROUNDWINDOW, opts->hookNtUserGetForegroundWindow);
 CheckDlgButton(hWnd, IDC_NTSETDEBUGFILTERSTATE, opts->hookNtSetDebugFilterState);
 CheckDlgButton(hWnd, IDC_NTCLOSE, opts->hookNtClose);
 CheckDlgButton(hWnd, IDC_NTCREATETHREADEX, opts->hookNtCreateThreadEx);
@@ -208,6 +209,7 @@ void SaveOptions(HWND hWnd, scl::Settings *settings)
 opts->hookNtUserBlockInput = (IsDlgButtonChecked(hWnd, IDC_NTUSERBLOCKINPUT) == BST_CHECKED);
 opts->hookNtUserBuildHwndList = (IsDlgButtonChecked(hWnd, IDC_NTUSERBUILDHWNDLIST) == BST_CHECKED);
 opts->hookNtUserQueryWindow = (IsDlgButtonChecked(hWnd, IDC_NTUSERQUERYWINDOW) == BST_CHECKED);
+ opts->hookNtUserGetForegroundWindow = (IsDlgButtonChecked(hWnd, IDC_NTUSERGETFOREGROUNDWINDOW) == BST_CHECKED);
 opts->hookNtSetDebugFilterState = (IsDlgButtonChecked(hWnd, IDC_NTSETDEBUGFILTERSTATE) == BST_CHECKED);
 opts->hookNtClose = (IsDlgButtonChecked(hWnd, IDC_NTCLOSE) == BST_CHECKED);
 opts->hookNtCreateThreadEx = (IsDlgButtonChecked(hWnd, IDC_NTCREATETHREADEX) == BST_CHECKED);
@@ -362,6 +364,12 @@ HWND CreateTooltips(HWND hDlg)
 L"The windows API GetWindowThreadProcessId calls this internally.\r\n"
 L"This is used to hide the debugger process."
 },
+ {
+ IDC_NTUSERGETFOREGROUNDWINDOW,
+ L"This is a system call function in user32.dll.\r\n"
+ L"The windows API GetForegroundWindow calls this internally.\r\n"
+ L"The debugger window will be hidden."
+ },
 {
 IDC_NTSETDEBUGFILTERSTATE,
 L"ScyllaHide returns always STATUS_ACCESS_DENIED.\r\n"
diff --git a/Scylla/Settings.cpp b/Scylla/Settings.cpp
index 3e1cd3cd..d0b414da 100644
--- a/Scylla/Settings.cpp
+++ b/Scylla/Settings.cpp
@@ -85,6 +85,7 @@ void scl::Settings::LoadProfile(const wchar_t *file, const wchar_t *name, Profil
 profile->hookNtUserBuildHwndList = IniLoadNum(file, name, L"NtUserBuildHwndListHook", 1);
 profile->hookNtUserFindWindowEx = IniLoadNum(file, name, L"NtUserFindWindowExHook", 1);
 profile->hookNtUserQueryWindow = IniLoadNum(file, name, L"NtUserQueryWindowHook", 1);
+ profile->hookNtUserGetForegroundWindow = IniLoadNum(file, name, L"NtUserGetForegroundWindowHook", 1);
 profile->hookNtYieldExecution = IniLoadNum(file, name, L"NtYieldExecutionHook", 1);
 profile->hookOutputDebugStringA = IniLoadNum(file, name, L"OutputDebugStringHook", 1);
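Review bot: The tooltip line `L"The debugger window will be hidden."` overstates what the new hook does: `HookedNtUserGetForegroundWindow` does not suppress the call, it hands the debuggee its own thread's active window whenever the real foreground window belongs to the debugger, and that substitute can be NULL. I would phrase it as `L"If the foreground window belongs to the debugger, the debuggee's own active window is returned instead."` so users know the result differs from a plain hide. `CreateTooltips` begins before this hunk.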
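Review bot: `IniLoadNum(file, name, L"NtUserGetForegroundWindowHook", 1)` switches the new hook on for every existing user profile that predates this key, while the bundled `scylla_hide.ini` in this same commit sets it to 0 in every profile except Themida. Since the hook rewrites the result of every `GetForegroundWindow` call in the debuggee, an opt-in default of `0` would be the safer migration; if the default of 1 is meant to follow the neighbouring keys, a short comment saying so would make that deliberate. `LoadProfile` starts before this hunk.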
@@ -161,6 +162,7 @@ bool scl::Settings::SaveProfile(const wchar_t *file, const wchar_t *name, const
 success &= IniSaveNum(file, name, L"NtUserBuildHwndListHook", profile->hookNtUserBuildHwndList);
 success &= IniSaveNum(file, name, L"NtUserFindWindowExHook", profile->hookNtUserFindWindowEx);
 success &= IniSaveNum(file, name, L"NtUserQueryWindowHook", profile->hookNtUserQueryWindow);
+ success &= IniSaveNum(file, name, L"NtUserGetForegroundWindowHook", profile->hookNtUserGetForegroundWindow);
 success &= IniSaveNum(file, name, L"NtYieldExecutionHook", profile->hookNtYieldExecution);
 success &= IniSaveNum(file, name, L"OutputDebugStringHook", profile->hookOutputDebugStringA);
diff --git a/Scylla/Settings.h b/Scylla/Settings.h
index fa64c87e..20cc0536 100644
--- a/Scylla/Settings.h
+++ b/Scylla/Settings.h
@@ -36,6 +36,7 @@ namespace scl
 BOOL hookNtUserBuildHwndList;
 BOOL hookNtUserFindWindowEx;
 BOOL hookNtUserQueryWindow;
+ BOOL hookNtUserGetForegroundWindow;
 BOOL hookNtYieldExecution;
 BOOL hookOutputDebugStringA;
 BOOL fixPebBeingDebugged;
@@ -128,6 +129,7 @@ namespace scl
 profile_.hookNtUserBuildHwndList ||
 profile_.hookNtUserFindWindowEx ||
 profile_.hookNtUserQueryWindow ||
+ profile_.hookNtUserGetForegroundWindow ||
 profile_.hookNtYieldExecution ||
 profile_.hookOutputDebugStringA ||
 profile_.preventThreadCreation ||
diff --git a/ScyllaHideIDAProPlugin/IdaServerClient.cpp b/ScyllaHideIDAProPlugin/IdaServerClient.cpp
index 7d77af56..fc73aa47 100644
--- a/ScyllaHideIDAProPlugin/IdaServerClient.cpp
+++ b/ScyllaHideIDAProPlugin/IdaServerClient.cpp
@@ -73,6 +73,7 @@ bool SendEventToServer(unsigned long notif_code, unsigned long ProcessId)
 idaExchange.EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx;
 idaExchange.EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList;
 idaExchange.EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow;
+ idaExchange.EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow;
 idaExchange.EnableNtSetDebugFilterStateHook = g_settings.opts().hookNtSetDebugFilterState;
 idaExchange.DllInjectNormal = g_settings.opts().dllNormal;
 idaExchange.DllInjectStealth = g_settings.opts().dllStealth;
diff --git a/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc b/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc
index 3836a385..1d6a0f4b 100644
Binary files a/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc and b/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc differ
diff --git a/ScyllaHideIDAProPlugin/resource.h b/ScyllaHideIDAProPlugin/resource.h
index c3a4bfcb..a0688b98 100644
Binary files a/ScyllaHideIDAProPlugin/resource.h and b/ScyllaHideIDAProPlugin/resource.h differ
diff --git a/ScyllaHideIDAServer/IdaServerExchange.h b/ScyllaHideIDAServer/IdaServerExchange.h
index 73b9dfab..fb106439 100644
--- a/ScyllaHideIDAServer/IdaServerExchange.h
+++ b/ScyllaHideIDAServer/IdaServerExchange.h
@@ -120,6 +120,7 @@ typedef struct _IDA_SERVER_EXCHANGE
 unsigned char EnableNtUserBlockInputHook;
 unsigned char EnableNtUserQueryWindowHook;
+ unsigned char EnableNtUserGetForegroundWindowHook;
 unsigned char EnableNtUserBuildHwndListHook;
 unsigned char EnableNtUserFindWindowExHook;
 unsigned char EnableNtSetDebugFilterStateHook;
diff --git a/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc b/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc
index da7b47bd..6dcd2fc1 100644
Binary files a/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc and b/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc differ
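Review bot: The new `EnableNtUserGetForegroundWindowHook` byte is inserted in the middle of `_IDA_SERVER_EXCHANGE`, which shifts every member after it; if, as the struct name and `SendEventToServer` above suggest, this record is shipped verbatim from the IDA plugin to the IDA server process, a plugin and server built from different revisions will silently read each other's option bytes one slot off with no error. Appending the member at the end of the struct keeps existing offsets stable, and if the struct carries no version or size field the first member should become one so the server can reject a mismatched layout instead of guessing. `_IDA_SERVER_EXCHANGE` starts before this hunk.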
diff --git a/ScyllaHideOlly1Plugin/resource.h b/ScyllaHideOlly1Plugin/resource.h
index e26e7e46..b29b3c6d 100644
Binary files a/ScyllaHideOlly1Plugin/resource.h and b/ScyllaHideOlly1Plugin/resource.h differ
diff --git a/ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.rc b/ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.rc
index e836b53a..7b49303a 100644
Binary files a/ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.rc and b/ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.rc differ
diff --git a/ScyllaHideOlly2Plugin/resource.h b/ScyllaHideOlly2Plugin/resource.h
index 2aae4651..e2c3f268 100644
Binary files a/ScyllaHideOlly2Plugin/resource.h and b/ScyllaHideOlly2Plugin/resource.h differ
diff --git a/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc b/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc
index 6342740c..c302fbf7 100644
Binary files a/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc and b/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc differ
diff --git a/ScyllaHideX64DBGPlugin/resource.h b/ScyllaHideX64DBGPlugin/resource.h
index 094dddd8..f2c53a7d 100644
Binary files a/ScyllaHideX64DBGPlugin/resource.h and b/ScyllaHideX64DBGPlugin/resource.h differ