MHSAntiAntiCheat

LPFUNC_HOOK_INFO CreateFuncHookInfo()


Creates a structure that can be used to store hook information from calls to GetFuncHookInfo. This must be destroyed with DestroyFuncHookInfo


LPHOOK_INFO CreateHookInfo()


Creates a structure that can be used to store hook information from calls to GetHookInfo. This must be destroyed with DestroyHookInfo


VOID DestroyFuncHookInfo(
    LPFUNC_HOOK_INFO lpfhiInfo)


Destroys a FUNC_HOOK_INFO structure previously created by CreateFuncHookInfo.


VOID DestroyHookInfo(
    LPHOOK_INFO lphiInfo)


Destroys a HOOK_INFO structure previously created by CreateHookInfo.


MHS_ADDRESS GetCurrentSdtFuncAddress(
    DWORD dwFuncId)


Returns the address of an SDT function inside the System Service Descriptor Table (SSDT). dwFuncId must be one of the SDT_* enumeration values. This is the current address of the function, which may be different from the value returned by GetSdtFuncAddress if the System Service Decriptor Table (SSDT) is hooked. If the specified function ID is not available on the current operating system this returns MHS_NULL.


MHS_ADDRESS GetCurrentSdtTableAddress()


Returns the current address of the System Service Descriptor Table (SSDT), which may be different from the value returned by GetSdtTableAddress if there are hooks in place.


MHS_ADDRESS GetFuncHookCall(
    LPFUNC_HOOK_INFO lpfhiInfo,
    DWORD dwIndex)


Gets a function call held in the FUNC_HOOK_INFO structure to which lpfhiInfo points. Returns MHS_NULL if the index is out of bounds.


LPHOOK_INFO GetFuncHookHook(
    LPFUNC_HOOK_INFO lpfhiInfo,
    DWORD dwIndex)


Gets a pointer to a hook held in the FUNC_HOOK_INFO structure to which lpfhiInfo points. Returns NULL if the index is out of bounds.


INT GetFuncHookInfo(
    MHS_ADDRESS aAddress,
    LPFUNC_HOOK_INFO lpfhiReturn)


Scans the entire function starting at the specified address for hooks. Returns DS_HOOKFOUND if any hooks are found. If no hook is found, it returns DS_HOOKNOTFOUND. If there is an internal error, DS_FAILURE is returned.
lpfhiReturn is filled with any hooks that are found and all calls the function makes, allowing you to scan all of the functions it calls.
You can use this to scan recursively any number of calls deep to find hooks on functions called by the specified function. If the same FUNC_HOOK_INFO is passed to multiple calls to GetFuncHookInfo, the new data from GetFuncHookInfo will be appended to the existing data already in the structure. This may be desireable in some cases but it is usually recommended to use a FUNC_HOOK_INFO structure in only one call to GetFuncHookInfo.
lpfhiReturn must have been previously created by a call to CreateFuncHookInfo.


DWORD GetFuncHookTotalCalls(
    LPFUNC_HOOK_INFO lpfhiInfo)


Gets the total function calls held in the FUNC_HOOK_INFO structure to which lpfhiInfo points.


DWORD GetFuncHookTotalHooks(
    LPFUNC_HOOK_INFO lpfhiInfo)


Gets the total number of hooks held in the FUNC_HOOK_INFO structure to which lpfhiInfo points.


INT GetHookInfo(
    MHS_ADDRESS aAddress,
    LPHOOK_INFO lphiReturn)


If a hook at the specified address if found, this function fills the HOOK_INFO structure to which lphiReturn points with information regarding the hook and returns DS_HOOKFOUND. If no hook is found, it returns DS_HOOKNOTFOUND. If there is an internal error, DS_FAILURE is returned.
lphiReturn must point to a HOOK_INFO structure created by CreateHookInfo. The same structure can be used in multiple calls to this function.
This can be used to get hook information from kernel RAM.


MHS_ADDRESS GetKernelProcAddress(
    const CHAR * pcFunc)


Gets the address of the specified function from the loaded kernel module or Hal.dll.


CHAR * GetNtOsKrnlName(
    CHAR * pcRet)


Fills pcRet with the name of the loaded kernel module and returns pcRet, allowing it to be used as a parameter to another function. pcRet will be an empty string if the name of the kernel module can not be obtained.


CHAR * GetNtOsKrnlPath(
    CHAR * pcRet)


Fills pcRet with the path of the loaded kernel module and returns pcRet, allowing it to be used as a parameter to another function. pcRet will be an empty string if the path to the kernel module can not be obtained.


DWORD GetNtOsKrnlRange(
    MHS_ADDRESS * paStart,
    MHS_ADDRESS * paEnd)


Fills the MHS_ADDRESS to which paStart and paEnd point with the starting and ending addresses of the loaded kernel executable inclusively and returns the size of the loaded module. paStart and paEnd can be NULL.


MHS_ADDRESS GetProcAddress(
    const CHAR * pcModule,
    const CHAR * pcFunc)


Gets the actual address of a function in a loaded module. pcModule can be either a module name or a path to a module. If the function can not be found, MHS_NULL is returned.

Because exports can be forwarded to other modules, the return address is not guaranteed to be within the range of the module specified. This function works only on user-mode addresses. Use GetKernelProcAddress to get the addresses of kernel functions.


MHS_ADDRESS GetSdtFuncAddress(
    DWORD dwFuncId)


Returns the address of an SDT function inside the System Service Descriptor Table (SSDT). dwFuncId must be one of the SDT_* enumeration values. This is the real address of the function. If the specified function ID is not available on the current operating system this returns MHS_NULL.


DWORD GetSdtFuncIndex(
    DWORD dwFuncId)


Returns the index of an SDT function inside the System Service Descriptor Table (SSDT). dwFuncId must be one of the SDT_* enumeration values.


CHAR * GetSdtFuncName(
    DWORD dwFuncId,
    CHAR * pcRet)


Returns the name of an SDT function inside the System Service Descriptor Table (SSDT). dwFuncId must be one of the SDT_* enumeration values. pcRet will be filled with the name of the function and must be at least 128 characters long.


MHS_ADDRESS GetSdtTableAddress()


Returns the address of the System Service Descriptor Table (SSDT).


DWORD GetSdtTotalFuncs()


Returns the number of SDT functions on the system. This varies per operating system. This should not be confused total number of function IDís, which includes all functions across all operating systems.


Copyright © 2006 Shawn (L. Spiro) Wilcoxen