### Manage DLL Hook Lifecycle in DllMain Source: https://context7.com/helixo32/simpleedr/llms.txt Handles the installation and removal of API hooks when the DLL is loaded or unloaded from a process. It uses the Nim stdcall convention to interface with Windows DLL entry points. ```nim proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID): BOOL {.stdcall, exportc, dynlib.} = NimMain() if fdwReason == DLL_PROCESS_ATTACH: var functionToHook = "VirtualProtectEx" var addressToHook = cast[LPVOID](GetProcAddress(GetModuleHandleA("kernel32.dll"), functionToHook)) var addressToRun = cast[LPVOID](myMessageBox) if InitializeHookStruct(functionToHook, addressToHook, addressToRun, addr st): discard InstallHook(addr st) if fdwReason == DLL_PROCESS_DETACH: discard RemoveHook(addr st) return true ``` -------------------------------- ### Nim InstallHook - Activate API Hook with Trampoline Source: https://context7.com/helixo32/simpleedr/llms.txt Installs the API hook by writing trampoline shellcode to the target function's memory. This redirects calls to the specified hook handler. Supports both x86 and x64 architectures. ```nim # x64 Trampoline shellcode (13 bytes): # mov r10, pFunctionToRun # jmp r10 var uTrampoline = @[ byte(0x49), byte(0xBA), byte(0x00), byte(0x00), byte(0x00), byte(0x00), byte(0x00), byte(0x00), byte(0x00), byte(0x00), # mov r10,
byte(0x41), byte(0xFF), byte(0xE2) # jmp r10 ] # Install the hook after initialization if InstallHook(addr st): echo "[+] VirtualProtectEx is now hooked !" # Any call to VirtualProtectEx will now execute myHookHandler instead ``` -------------------------------- ### Nim InitializeHookStruct - Setup API Hook Configuration Source: https://context7.com/helixo32/simpleedr/llms.txt Initializes the HookStructure by resolving function addresses, saving original bytes, and adjusting memory protection for modification. It returns a boolean indicating success and provides diagnostic output. ```nim import winim/com var st: HookStructure # Get the address of VirtualProtectEx from kernel32.dll let functionToHook: string = "VirtualProtectEx" let addressToHook: LPVOID = cast[LPVOID](GetProcAddress(GetModuleHandleA("kernel32.dll"), functionToHook)) let addressToRun: LPVOID = cast[LPVOID](myHookHandler) # Initialize the hook structure if InitializeHookStruct(functionToHook, addressToHook, addressToRun, addr st): echo "[+] Hook structure initialized successfully" # Output shows: # [+] Function to hook: VirtualProtectEx # [+] Address to hook: 0x7FF8ABCD1234 # [+] Address to run: 0x7FF712340000 # [+] Original protection: 32 # [+] Original bytes: \x4C\x8B\xDC\x48\x83\xEC\x58... # [+] Modified bytes: \x49\xBA\x00\x00\x00\x00... else: echo "[-] Failed to initialize structure" ``` -------------------------------- ### Nim RemoveHook - Deactivate API Hook and Restore Original Source: https://context7.com/helixo32/simpleedr/llms.txt Removes an installed API hook by restoring the original function bytes and memory protection. This function is typically used during DLL unload to revert the target function to its normal state. ```nim # Remove the hook and restore original function if RemoveHook(addr st): echo "[+] Original bytes reverted" echo "[+] Original memory protection back" echo "[+] Hook removed !" # VirtualProtectEx now works normally again ``` -------------------------------- ### Injector CLI Usage Source: https://context7.com/helixo32/simpleedr/llms.txt Command-line interface instructions for the SimpleEDR injector, including self-injection testing and continuous process monitoring. ```bash nim c Injector.nim Injector.exe --help Injector.exe -d:"C:\\tools\\SimpleEDR\\SimpleEDR.dll" Injector.exe -d:"C:\\tools\\SimpleEDR\\SimpleEDR.dll" -p:"ChangeMemoryProtection.exe" ``` -------------------------------- ### Verify DLL Injection Status Source: https://context7.com/helixo32/simpleedr/llms.txt Checks if a specific DLL is already loaded in a target process by enumerating its modules using Toolhelp32 snapshots. This prevents redundant injection attempts. ```nim proc CheckEDRLoaded(dwPID: DWORD, dllName: string): bool = var me32: MODULEENTRY32 var all_modules: seq[string] me32.dwSize = cast[DWORD](sizeof(MODULEENTRY32)) let hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID) if Module32First(hModuleSnap, addr me32): while Module32Next(hModuleSnap, addr me32): all_modules.add($me32.szExePath) CloseHandle(hModuleSnap) for module in all_modules: if module == dllName: return true return false ``` -------------------------------- ### Perform Remote DLL Injection Source: https://context7.com/helixo32/simpleedr/llms.txt Injects a DLL into a target process using CreateRemoteThread and LoadLibraryW. It allocates memory in the remote process to store the DLL path before executing the load command. ```nim proc InjectDLL(pid: DWORD, dllName: LPWSTR): bool = let hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid) let pLoadLibraryW = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryW") let pAddress = VirtualAllocEx(hProcess, NULL, 512, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE) WriteProcessMemory(hProcess, pAddress, dllName, 512, addr lpNumberOfBytesWritten) let hThread = CreateRemoteThread(hProcess, NULL, 0, cast[LPTHREAD_START_ROUTINE](pLoadLibraryW), pAddress, 0, addr threadId) CloseHandle(hProcess) CloseHandle(hThread) return true ``` -------------------------------- ### Test Hook with Memory Protection Change Source: https://context7.com/helixo32/simpleedr/llms.txt A test application that triggers the hooked VirtualProtectEx function to verify if the EDR correctly intercepts the call. ```nim import winim/lean proc HookTest(): void = Sleep(1000) let rPtr = VirtualAlloc(nil, 1024, MEM_COMMIT, PAGE_READWRITE) var oldProtection: DWORD VirtualProtectEx(GetCurrentProcess(), rPtr, 1024, PAGE_EXECUTE_READ, &oldProtection) MessageBoxA(0, "VirtualProtectEx hook bypassed !", "Congrats !", 0) quit(0) when isMainModule: HookTest() ``` -------------------------------- ### Nim HookStructure - Define API Hook Configuration Source: https://context7.com/helixo32/simpleedr/llms.txt Defines the HookStructure type in Nim to hold all necessary data for managing an API hook, including function names, addresses, original bytes, trampoline shellcode, and memory protection flags. ```nim type HookStructure = object sFunctionToHook : string # Name of the function being hooked pFunctionToHook : LPVOID # Address of the original function pFunctionToRun : LPVOID # Address of the hook handler pOriginalBytes : array[16, byte] # Original function bytes (for unhooking) pModifiedBytes : seq[byte] # Trampoline shellcode dwOldProtection : DWORD # Original memory protection ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.