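/*
 * Install a trampoline hook at `address`.
 *
 * The instruction at `address` is overwritten with a 5-byte `jmp rel32` into
 * the next free slot of the lazily allocated hook table (followed by a `ret`
 * byte); hookfunc(), defined elsewhere, is then expected to fill that slot so
 * that control reaches `function`.
 *
 * address  - code address to patch; must be mapped and lie inside the text
 *            range that the mprotect() calls below make writable.
 * function - hook implementation forwarded to hookfunc().
 *
 * Returns nothing. The hook is silently not installed when the table is full,
 * when the table could not be allocated (Windows), or when the text range
 * could not be made writable (POSIX). A failed mmap() exits the process, as
 * it did before.
 */
void addhook(uintptr_t address, hook_function function)
{
    if (!_hookTableAddress)
    {
        size_t size = _maxHooks * HOOK_BYTE_COUNT;
#    ifdef _WIN32
        _hookTableAddress = VirtualAllocEx(GetCurrentProcess(), NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (!_hookTableAddress)
        {
            // No table to place the trampoline in; computing a slot address
            // from a null table would patch the target with a jump to nowhere.
            return;
        }
#    else
        _hookTableAddress = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (_hookTableAddress == MAP_FAILED)
        {
            perror("mmap");
            exit(1);
        }
#    endif // _WIN32
    }
    // Valid slots are 0 .. _maxHooks-1. The previous `>` test let
    // _hookTableOffset == _maxHooks through, which addresses the slot just
    // past the end of the table allocation.
    if (_hookTableOffset >= _maxHooks)
    {
        return;
    }
    // Only the low 32 bits of the table address are kept: the rel32 jump
    // below reaches +/-2 GiB at most, so this assumes a 32-bit process where
    // the table and the target share one 4 GiB space — TODO confirm for any
    // 64-bit build.
    uint32_t hookaddress = (uint32_t)((uint64_t)(_hookTableAddress)&0xFFFFFFFF) + (_hookTableOffset * HOOK_BYTE_COUNT);
    uint8_t data[9];
    int32_t i = 0;
    data[i++] = 0xE9; // jmp rel32

    // rel32 is measured from the end of the 5-byte jmp: target - (address + i + 4).
    write_address_strictalias(&data[i], hookaddress - address - i - 4);
    i += 4;

    data[i++] = 0xC3; // retn (sits after the unconditional jmp)
#    ifdef _WIN32
    // Return value is not checked, matching the previous behaviour.
    WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0);
#    else
    // The target text range is read/execute (see the restore below), so it is
    // made writable for the duration of the patch. NOTE(review):
    // 0x401000..0x8a4000 is a fixed range for one particular binary image;
    // confirm it still contains `address` for the build being hooked.
    int32_t err = mprotect((void*)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_WRITE);
    if (err != 0)
    {
        perror("mprotect");
        // The memcpy below would fault on a page that is still read-only;
        // leave the target untouched instead of crashing.
        return;
    }

    memcpy((void*)address, data, i);

    err = mprotect((void*)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_EXEC);
    if (err != 0)
    {
        // The patch is already in place; only the protection restore failed.
        perror("mprotect");
    }
#    endif // _WIN32
    hookfunc(hookaddress, (uintptr_t)function, 0);
    _hookTableOffset++;
}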
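/*
 * Install a trampoline hook at `address` that redirects into `newaddress`.
 *
 * The target is patched with a 5-byte `jmp rel32` into the next free
 * 100-byte slot of the lazily allocated hook table (plus a trailing `ret`
 * byte). hookfunc(), defined elsewhere, is then expected to fill that slot;
 * stacksize, registerargs, registersreturned and eaxDestinationRegister are
 * passed straight through to it and their meaning is defined there.
 *
 * Returns nothing. The hook is silently skipped when the table is full, when
 * the table allocation fails (Windows), or when the text range cannot be
 * made writable (POSIX). A failed mmap() still exits the process.
 */
void addhook(int address, int newaddress, int stacksize, int registerargs[], int registersreturned, int eaxDestinationRegister)
{
	// Bytes reserved per hook slot in the table (previously a bare 100 in two places).
	enum { HOOK_SLOT_BYTES = 100 };

	if (!g_hooktableaddress) {
		size_t size = g_maxhooks * HOOK_SLOT_BYTES;
#ifdef __WINDOWS__
		g_hooktableaddress = VirtualAllocEx(GetCurrentProcess(), NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
		if (!g_hooktableaddress) {
			// No table to put the trampoline in; do not patch the target.
			return;
		}
#else
		g_hooktableaddress = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
		if (g_hooktableaddress == MAP_FAILED)
		{
			perror("mmap");
			exit(1);
		}
#endif // __WINDOWS__
	}
	// Slots run 0 .. g_maxhooks-1; the previous `>` test allowed
	// offset == g_maxhooks, which is one slot past the end of the allocation.
	if (g_hooktableoffset >= g_maxhooks) {
		return;
	}
	// Pointer truncated to 32 bits: the rel32 jmp only reaches +/-2 GiB, so a
	// 32-bit process is assumed — TODO confirm before building for 64-bit.
	unsigned int hookaddress = (unsigned int)g_hooktableaddress + (g_hooktableoffset * HOOK_SLOT_BYTES);
	char data[9];
	int i = 0;
	data[i++] = 0xE9; // jmp rel32

	// rel32 is measured from the end of the 5-byte jmp: target - (address + i + 4).
	write_address_strictalias(&data[i], hookaddress - address - i - 4);
	i += 4;

	data[i++] = 0xC3; // retn (sits after the unconditional jmp)
#ifdef __WINDOWS__
	// Return value is not checked, matching the previous behaviour.
	WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0);
#else
	// The target text range is read/execute (see the restore below), so it is
	// made writable for the duration of the patch. NOTE(review):
	// 0x401000..0x8a4000 is a fixed range for one particular binary image;
	// confirm it still contains `address` for the build being hooked.
	int err = mprotect((void *)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_WRITE);
	if (err != 0)
	{
		perror("mprotect");
		// memcpy into a page that is still read-only would fault; skip the hook.
		return;
	}

	memcpy((void *)address, data, i);

	err = mprotect((void *)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_EXEC);
	if (err != 0)
	{
		// The patch is already applied; only restoring the protection failed.
		perror("mprotect");
	}
#endif // __WINDOWS__
	hookfunc(hookaddress, newaddress, stacksize, registerargs, registersreturned, eaxDestinationRegister);
	g_hooktableoffset++;
}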
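// Entry point exported from the DLL.
//
// Resolves MessageBoxA in user32.dll, makes the region it lives in
// read/write/execute, and hands its address (together with the addresses of
// originalMoved and originalBypassed, both defined elsewhere) to hookfunc(),
// which is expected to install the detour. Every lookup and the protection
// change are now checked: on failure the function returns without patching
// anything instead of dereferencing a NULL module/function pointer or using
// an unfilled MEMORY_BASIC_INFORMATION.
extern "C" void __declspec(dllexport) DLLjump()
{
    // Acquire the debug privilege first (helper defined elsewhere; its
    // result is not reported back, as before).
    seDebugPrivilege();

    // LoadLibrary returns NULL on failure; GetProcAddress must not be called
    // with a null module handle.
    HINSTANCE hDLL = LoadLibrary(L"user32.dll");
    if (!hDLL)
    {
        return;
    }

    // Address of MessageBoxA. The cast to unsigned assumes a 32-bit process
    // (hookfunc takes 32-bit addresses) — TODO confirm this is an x86-only build.
    unsigned msgbox_addr = (unsigned) GetProcAddress(hDLL, "MessageBoxA");
    if (!msgbox_addr)
    {
        return;
    }

    MEMORY_BASIC_INFORMATION mbi;
    DWORD dwOldProtect;
    // Query the region containing the function so the whole region can be
    // reprotected. VirtualQuery returns 0 on failure and leaves mbi unset.
    if (VirtualQuery((void*) msgbox_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)) == 0)
    {
        return;
    }
    // Make the region RWX so hookfunc() can write into it. BaseAddress is
    // already a PVOID, so no cast is needed. The previous protection is
    // captured in dwOldProtect but never restored here — presumably hookfunc
    // needs the region to stay writable; confirm against its implementation.
    if (!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect))
    {
        return;
    }

    // The literal 7 is passed straight to hookfunc(); its meaning (presumably
    // a byte count for the patched prologue) is defined there — TODO confirm.
    hookfunc((unsigned) msgbox_addr, (unsigned) &originalMoved, (unsigned) &originalBypassed, 7, GetCurrentProcessId());
}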