Returns the address of an SDT function inside the System Service Descriptor Table (SSDT). dwFuncId must be one of the SDT_* enumeration values. This is the current address of the function, which may be different from the value returned by GetSdtFuncAddress if the System Service Descriptor Table (SSDT) is hooked. If the specified function ID is not available on the current operating system this returns MHS_NULL.
MHS_ADDRESS GetCurrentSdtTableAddress()
Returns the current address of the System Service Descriptor Table (SSDT), which may be different from the value returned by GetSdtTableAddress if there are hooks in place.
Gets a pointer to a hook held in the FUNC_HOOK_INFO structure to which lpfhiInfo points. Returns NULL if the index is out of bounds.
INT GetFuncHookInfo(
MHS_ADDRESS aAddress,
LPFUNC_HOOK_INFO lpfhiReturn)
Scans the entire function starting at the specified address for hooks. Returns DS_HOOKFOUND if any hooks are found. If no hook is found, it returns DS_HOOKNOTFOUND. If there is an internal error, DS_FAILURE is returned. lpfhiReturn is filled with any hooks that are found and all calls the function makes, allowing you to scan all of the functions it calls.
You can use this to scan recursively, any number of calls deep, to find hooks on functions called by the specified function. If the same FUNC_HOOK_INFO is passed to multiple calls to GetFuncHookInfo, the new data from GetFuncHookInfo is appended to the data already in the structure. This may be desirable in some cases, but it is usually recommended to use a FUNC_HOOK_INFO structure in only one call to GetFuncHookInfo. lpfhiReturn must have been previously created by a call to CreateFuncHookInfo.
Gets the total number of hooks held in the FUNC_HOOK_INFO structure to which lpfhiInfo points.
INT GetHookInfo(
MHS_ADDRESS aAddress,
LPHOOK_INFO lphiReturn)
If a hook at the specified address is found, this function fills the HOOK_INFO structure to which lphiReturn points with information regarding the hook and returns DS_HOOKFOUND. If no hook is found, it returns DS_HOOKNOTFOUND. If there is an internal error, DS_FAILURE is returned. lphiReturn must point to a HOOK_INFO structure created by CreateHookInfo. The same structure can be used in multiple calls to this function.
This can be used to get hook information from kernel RAM.
Gets the address of the specified function from the loaded kernel module or Hal.dll.
CHAR * GetNtOsKrnlName(
CHAR * pcRet)
Fills pcRet with the name of the loaded kernel module and returns pcRet, allowing it to be used as a parameter to another function. pcRet will be an empty string if the name of the kernel module cannot be obtained.
CHAR * GetNtOsKrnlPath(
CHAR * pcRet)
Fills pcRet with the path of the loaded kernel module and returns pcRet, allowing it to be used as a parameter to another function. pcRet will be an empty string if the path to the kernel module cannot be obtained.
Fills the MHS_ADDRESS to which paStart and paEnd point with the starting and ending addresses of the loaded kernel executable inclusively and returns the size of the loaded module. paStart and paEnd can be NULL.
Gets the actual address of a function in a loaded module. pcModule can be either a module name or a path to a module. If the function cannot be found, MHS_NULL is returned.
Because exports can be forwarded to other modules, the return address is not guaranteed to be within the range of the module specified. This function works only on user-mode addresses. Use GetKernelProcAddress to get the addresses of kernel functions.
MHS_ADDRESS GetSdtFuncAddress(
DWORD dwFuncId)
Returns the address of an SDT function inside the System Service Descriptor Table (SSDT). dwFuncId must be one of the SDT_* enumeration values. This is the real address of the function. If the specified function ID is not available on the current operating system this returns MHS_NULL.
DWORD GetSdtFuncIndex(
DWORD dwFuncId)
Returns the index of an SDT function inside the System Service Descriptor Table (SSDT). dwFuncId must be one of the SDT_* enumeration values.
Returns the name of an SDT function inside the System Service Descriptor Table (SSDT). dwFuncId must be one of the SDT_* enumeration values. pcRet will be filled with the name of the function and must be at least 128 characters long.
MHS_ADDRESS GetSdtTableAddress()
Returns the address of the System Service Descriptor Table (SSDT).
DWORD GetSdtTotalFuncs()
Returns the number of SDT functions on the system. This varies per operating system. It should not be confused with the total number of function IDs, which includes all functions across all operating systems.
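The SSDT hook check that the "current" versus "real" address functions above enable (GetSdtFuncAddress against the table at GetCurrentSdtTableAddress, with the kernel range from the kernel-info call as a second signal), written out as an added example. This is not code from the library; the MHS_ADDRESS, DWORD and MHS_NULL typedefs are assumed, and the two tables and kernel range are constructed sample values rather than data read from a live system.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed typedefs modelled on the API's MHS_ADDRESS, DWORD and MHS_NULL. */
typedef uintptr_t MHS_ADDRESS;
typedef unsigned long DWORD;
#define MHS_NULL ((MHS_ADDRESS)0)
typedef enum { SDT_CLEAN = 0, SDT_HOOKED = 1, SDT_OUTSIDE_KERNEL = 2 } SDT_STATUS;
/* Constructed sample data: g_realTable stands in for GetSdtFuncAddress results,
 * g_currentTable for the table at GetCurrentSdtTableAddress, the kernel range for
 * paStart/paEnd. Slot 1 points into another driver, slot 4 to an in-kernel detour. */
#define SAMPLE_FUNCS 5
static const MHS_ADDRESS g_kernelStart = 0x80400000u, g_kernelEnd = 0x806FFFFFu;
static const MHS_ADDRESS g_realTable[SAMPLE_FUNCS] =
    { 0x80501000u, 0x80502000u, 0x80503000u, 0x80504000u, 0x80505000u };
static const MHS_ADDRESS g_currentTable[SAMPLE_FUNCS] =
    { 0x80501000u, 0xF8A01000u, 0x80503000u, 0x80504000u, 0x80510000u };
/* Classify one SSDT slot by comparing its real and current addresses. */
SDT_STATUS CheckSdtSlot(MHS_ADDRESS real, MHS_ADDRESS current,
                        MHS_ADDRESS kStart, MHS_ADDRESS kEnd)
{
    if (real == MHS_NULL || real == current)
        return SDT_CLEAN;            /* not available on this OS, or untouched */
    if (current < kStart || current > kEnd)
        return SDT_OUTSIDE_KERNEL;   /* handler now lives in another module */
    return SDT_HOOKED;               /* changed, but still inside the kernel */
}

/* Scan every slot; returns the hook count and records up to maxIdx indices. */
DWORD ScanSdtTable(const MHS_ADDRESS *real, const MHS_ADDRESS *current, DWORD total,
                   MHS_ADDRESS kStart, MHS_ADDRESS kEnd, DWORD *hookedIdx, DWORD maxIdx)
{
    DWORD i, found = 0;
    for (i = 0; i < total; i++)
        if (CheckSdtSlot(real[i], current[i], kStart, kEnd) != SDT_CLEAN) {
            if (found < maxIdx) hookedIdx[found] = i;
            found++;
        }
    return found;
}
int main(void)
{
    DWORD idx[SAMPLE_FUNCS], i, n = ScanSdtTable(g_realTable, g_currentTable,
        SAMPLE_FUNCS, g_kernelStart, g_kernelEnd, idx, SAMPLE_FUNCS);
    for (i = 0; i < n; i++)
        printf("SSDT index %lu: %#lx now %#lx\n", idx[i],
               (unsigned long)g_realTable[idx[i]], (unsigned long)g_currentTable[idx[i]]);
    return n ? 1 : 0;
}
```

On a live system the arrays would be filled from GetSdtTotalFuncs calls to GetSdtFuncAddress and reads of the current table, and a slot reported as SDT_HOOKED still deserves a GetHookInfo call on its target, since a detour inside the kernel image is not visible from the table alone.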