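/*
 * Install a hook at `address`.
 *
 * The code at `address` is overwritten with a 5-byte relative `jmp` into the
 * next free slot of the hook table followed by a `ret`; hookfunc() then fills
 * that slot so control reaches `function`. The hook table is mapped lazily on
 * the first call as `_maxHooks` slots of HOOK_BYTE_COUNT bytes each.
 *
 * address  - code address to patch. On non-Windows builds the fixed range
 *            0x401000..0x8a4000 is made writable around the write and set
 *            back to read+execute afterwards, so `address` must lie in it.
 * function - callback the trampoline transfers control to.
 *
 * Does nothing when the hook table is full or cannot be allocated (Windows);
 * exits the process when mmap() fails. Slot addresses are truncated to
 * 32 bits, so this only works for a 32-bit process image.
 *
 * Security note: the hook table stays writable+executable for the lifetime of
 * the process (no W^X), and the patched code range is briefly writable while
 * the jump is written.
 */
void addhook(uintptr_t address, hook_function function)
{
    if (!_hookTableAddress) {
        size_t size = _maxHooks * HOOK_BYTE_COUNT;
#ifdef _WIN32
        _hookTableAddress = VirtualAllocEx(GetCurrentProcess(), NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (!_hookTableAddress) {
            // Without a table the jump below would point at address 0 + slot;
            // leave the target code untouched instead.
            return;
        }
#else
        _hookTableAddress = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (_hookTableAddress == MAP_FAILED) {
            perror("mmap");
            exit(1);
        }
#endif // _WIN32
    }

    // Slot `_maxHooks` would start exactly at the end of the mapping, so the
    // table is full once the offset reaches `_maxHooks` (was `>`, off by one).
    if (_hookTableOffset >= _maxHooks) {
        return;
    }

    // Low 32 bits of the slot address: the rel32 jmp below can only reach
    // a 32-bit target.
    uint32_t hookaddress = (uint32_t)((uintptr_t)_hookTableAddress & 0xFFFFFFFFu) + (_hookTableOffset * HOOK_BYTE_COUNT);

    // Build "jmp rel32 ; ret". rel32 is relative to the end of the jmp
    // instruction, hence the `- i - 4` (i == 1 here).
    uint8_t data[9];
    int32_t i = 0;
    data[i++] = 0xE9; // jmp
    write_address_strictalias(&data[i], hookaddress - address - i - 4);
    i += 4;
    data[i++] = 0xC3; // retn

#ifdef _WIN32
    if (!WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0)) {
        // Target was not patched; do not hand out a slot for it.
        return;
    }
#else
    // Make the code range writable, copy the stub in, then drop write access
    // again. If the range cannot be made writable the memcpy would fault, so
    // bail out instead.
    int32_t err = mprotect((void*)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_WRITE);
    if (err != 0) {
        perror("mprotect");
        return;
    }
    memcpy((void*)address, data, i);
    err = mprotect((void*)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_EXEC);
    if (err != 0) {
        perror("mprotect");
    }
#endif // _WIN32

    hookfunc(hookaddress, (uintptr_t)function, 0);
    _hookTableOffset++;
}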
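/*
 * Install a hook at `address` (legacy int-address variant).
 *
 * Overwrites the code at `address` with a 5-byte relative `jmp` into the
 * next free 100-byte slot of the hook table followed by a `ret`, then lets
 * hookfunc() fill that slot so control reaches `newaddress` with the given
 * stack/register conventions. The table is mapped lazily on the first call.
 *
 * address              - code address to patch. On non-Windows builds the
 *                        fixed range 0x401000..0x8a4000 is made writable
 *                        around the write, so `address` must lie in it.
 * newaddress           - function the trampoline transfers control to.
 * stacksize, registerargs, registersreturned, eaxDestinationRegister
 *                      - passed straight through to hookfunc().
 *
 * Does nothing when the table is full or cannot be allocated (Windows);
 * exits the process when mmap() fails. Addresses are 32-bit throughout.
 *
 * Security note: the hook table stays writable+executable for the lifetime
 * of the process, and the code range is briefly writable during the patch.
 */
void addhook(int address, int newaddress, int stacksize, int registerargs[], int registersreturned, int eaxDestinationRegister)
{
    enum { HOOK_SLOT_BYTES = 100 }; // bytes reserved per hook in the table

    if (!g_hooktableaddress) {
        size_t size = g_maxhooks * HOOK_SLOT_BYTES;
#ifdef __WINDOWS__
        g_hooktableaddress = VirtualAllocEx(GetCurrentProcess(), NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (!g_hooktableaddress) {
            // No table: the jump would target address 0 + slot. Leave the
            // original code alone.
            return;
        }
#else
        g_hooktableaddress = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (g_hooktableaddress == MAP_FAILED) {
            perror("mmap");
            exit(1);
        }
#endif // __WINDOWS__
    }

    // Slot `g_maxhooks` starts exactly at the end of the mapping, so the
    // table is full once the offset reaches `g_maxhooks` (was `>`, off by one).
    if (g_hooktableoffset >= g_maxhooks) {
        return;
    }

    unsigned int hookaddress = (unsigned int)g_hooktableaddress + (g_hooktableoffset * HOOK_SLOT_BYTES);

    // Build "jmp rel32 ; ret". rel32 is relative to the end of the jmp
    // instruction, hence the `- i - 4` (i == 1 here). `data` holds raw
    // opcode bytes; it is only ever copied with memcpy/WriteProcessMemory.
    char data[9];
    int i = 0;
    data[i++] = 0xE9; // jmp
    write_address_strictalias(&data[i], hookaddress - address - i - 4);
    i += 4;
    data[i++] = 0xC3; // retn

#ifdef __WINDOWS__
    if (!WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0)) {
        // Target was not patched; do not consume a slot for it.
        return;
    }
#else
    // Make the code range writable, copy the stub in, then drop write access
    // again. If write access cannot be granted the memcpy would fault, so
    // bail out instead of crashing.
    int err = mprotect((void *)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_WRITE);
    if (err != 0) {
        perror("mprotect");
        return;
    }
    memcpy((void *)address, data, i);
    err = mprotect((void *)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_EXEC);
    if (err != 0) {
        perror("mprotect");
    }
#endif // __WINDOWS__

    hookfunc(hookaddress, newaddress, stacksize, registerargs, registersreturned, eaxDestinationRegister);
    g_hooktableoffset++;
}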
// 入口 extern "C" void __declspec(dllexport) DLLjump() { // debug privilege seDebugPrivilege(); // DLL HINSTANCE hDLL = LoadLibrary(L"user32.dll"); // MessageBoxA的地址 unsigned msgbox_addr = (unsigned) GetProcAddress(hDLL, "MessageBoxA"); MEMORY_BASIC_INFORMATION mbi; DWORD dwOldProtect; //查询函数所在的内存页的信息 VirtualQuery((void*) msgbox_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); // 请求修改权限 VirtualProtect((PDWORD) mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect); hookfunc((unsigned) msgbox_addr, (unsigned) &originalMoved, (unsigned) &originalBypassed, 7, GetCurrentProcessId()); }