Untitled

SUBMITTED BY: Guest

DATE: Feb. 4, 2014, 8:58 p.m.

FORMAT: C#

SIZE: 2.7 kB

Raw Download

HITS: 757

Report
  1. /* Terminology:
  2. *
  3. * fish = function to patch
  4. * hook = patch to apply
  5. * coolbox = overwritten bytes and stack fixer
  6. * scales = memory security flags
  7. */
  9. #include <stdlib.h>
  10. #include <stdio.h>
  11. #include <assert.h>
  12. #include <stdint.h>
  13. #include <string.h>
  14. #include <windows.h>
  15. #include "hooks.h"
  16. #include "ollydisasm/disasm.h"
  17. /*register int *stackp asm ("esp");
  18. register int *basep asm ("ebp");*/
  20. unsigned long CleanBiteOff(const uint8_t *ptr, size_t amount); // how many bytes should i overwrite to fit a jump and not leave garbage behind
  22. int attachRawHook(uintptr_t fish, uintptr_t hook)
  23. {
  25. #define JMP_SIZE 5
  26. unsigned long safeSize = CleanBiteOff((uint8_t*)fish, JMP_SIZE);
  28. uint8_t *overwrite = malloc(safeSize);
  30. overwrite[0] = 0xE9;//call e8 -- jmp e9
  31. for (int i = JMP_SIZE; i < safeSize; i++)
  32. overwrite[i] = 0x90;
  34. DWORD oldScales, newScales;
  35. //__asm("int $3");
  36. uint8_t* coolbox;
  37. #define XCHG_SIZE 13
  38. #define FOOTER_SIZE 2*JMP_SIZE+XCHG_SIZE
  39. if ((coolbox = VirtualAlloc(NULL, safeSize + FOOTER_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL)
  40. return __HOOK_VIRTUALALLOC_COOLBOX;
  41. uintptr_t relative = (uintptr_t)coolbox + safeSize - fish;
  43. memcpy(&overwrite[1], &relative, JMP_SIZE-1);
  44. memcpy(coolbox, (void*)(fish), safeSize);
  45. relative = -relative;
  46. /*
  47. push ecx
  48. mov ecx, %coolbox
  49. xchg dword [esp+4], ecx
  50. xchg dword[esp], ecx
  52. {0x51,0xB9,0,0,0,0,0x87,0x4C,0xE4,0x04,0x87,0x0C,0xE4}
  53. */
  54. #define FOUR_BYTES 0,0,0,0
  55. uint8_t coolboxfooter[FOOTER_SIZE] = {0xE9,FOUR_BYTES,0x51,0xB9,FOUR_BYTES,0x87,0x4C,0xE4,0x04,0x87,0x0C,0xE4, 0xE9/*,FOUR_BYTES*/};
  56. memcpy(&coolboxfooter[1], &relative, JMP_SIZE-1);
  57. memcpy(&coolboxfooter[JMP_SIZE+2], &coolbox, JMP_SIZE-1);
  58. relative = hook - ((uintptr_t)coolbox + safeSize + FOOTER_SIZE);
  59. memcpy(&coolboxfooter[JMP_SIZE+XCHG_SIZE+1], &relative, JMP_SIZE-1);
  60. memcpy(coolbox+safeSize, coolboxfooter, FOOTER_SIZE);
  62. if (VirtualProtect((LPVOID) fish, safeSize, PAGE_READWRITE, &oldScales) == 0)
  63. return __HOOK_PROTECTION_DISABLE;
  65. memcpy((void*)fish, overwrite, safeSize);
  67. if (VirtualProtect((LPVOID)fish, safeSize, oldScales, &newScales) == 0)
  68. return __HOOK_PROTECTION_ENABLE;
  70. return __HOOK_ALL_OK;
  72. }
  73. unsigned long CleanBiteOff(const uint8_t *ptr, size_t amount)
  74. {
  75. static t_disasm disasm;
  76. unsigned long size = 0;
  77. do {size += Disasm(ptr+size, 16, 0x00401AAC, &disasm, DISASM_SIZE);} while(size < amount);
  78. return size;
  79. }
comments powered by Disqus