void addhook(uintptr_t address, hook_function function)
{
if (!_hookTableAddress)
{
size_t size = _maxHooks * HOOK_BYTE_COUNT;
# ifdef _WIN32
_hookTableAddress = VirtualAllocEx(GetCurrentProcess(), NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
# else
_hookTableAddress = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (_hookTableAddress == MAP_FAILED)
{
perror("mmap");
exit(1);
}
# endif // _WIN32
}
if (_hookTableOffset > _maxHooks)
{
return;
}
uint32_t hookaddress = (uint32_t)((uint64_t)(_hookTableAddress)&0xFFFFFFFF) + (_hookTableOffset * HOOK_BYTE_COUNT);
uint8_t data[9];
int32_t i = 0;
data[i++] = 0xE9; // jmp
write_address_strictalias(&data[i], hookaddress - address - i - 4);
i += 4;
data[i++] = 0xC3; // retn
# ifdef _WIN32
WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0);
# else
// We own the pages with PROT_WRITE | PROT_EXEC, we can simply just memcpy the data
int32_t err = mprotect((void*)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_WRITE);
if (err != 0)
{
perror("mprotect");
}
memcpy((void*)address, data, i);
err = mprotect((void*)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_EXEC);
if (err != 0)
{
perror("mprotect");
}
# endif // _WIN32
hookfunc(hookaddress, (uintptr_t)function, 0);
_hookTableOffset++;
}
void addhook(int address, int newaddress, int stacksize, int registerargs[], int registersreturned, int eaxDestinationRegister)
{
if (!g_hooktableaddress) {
size_t size = g_maxhooks * 100;
#ifdef __WINDOWS__
g_hooktableaddress = VirtualAllocEx(GetCurrentProcess(), NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
#else
g_hooktableaddress = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (g_hooktableaddress == MAP_FAILED)
{
perror("mmap");
exit(1);
}
#endif // __WINDOWS__
}
if (g_hooktableoffset > g_maxhooks) {
return;
}
unsigned int hookaddress = (unsigned int)g_hooktableaddress + (g_hooktableoffset * 100);
char data[9];
int i = 0;
data[i++] = 0xE9; // jmp
write_address_strictalias(&data[i], hookaddress - address - i - 4);
i += 4;
data[i++] = 0xC3; // retn
#ifdef __WINDOWS__
WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0);
#else
// We own the pages with PROT_WRITE | PROT_EXEC, we can simply just memcpy the data
int err = mprotect((void *)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_WRITE);
if (err != 0)
{
perror("mprotect");
}
memcpy((void *)address, data, i);
err = mprotect((void *)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_EXEC);
if (err != 0)
{
perror("mprotect");
}
#endif // __WINDOWS__
hookfunc(hookaddress, newaddress, stacksize, registerargs, registersreturned, eaxDestinationRegister);
g_hooktableoffset++;
}
void hookfunc(int address, int newaddress, int stacksize, int registerargs[], int registersreturned, int eaxDestinationRegister)
{
int i = 0;
char data[100];
registersreturned |= eaxDestinationRegister;
int registerssaved = 7;
int n = registersreturned;
for (; n; registerssaved--) {
n &= n - 1;
}
int numrargs = 0;
for (int j = 0; ; j++) {
if (registerargs[j] != END) {
numrargs++;
} else {
break;
}
}
int rargssize = numrargs * 4;
if (!(registersreturned & EAX)) {
data[i++] = 0x50; // push eax
}
if (!(registersreturned & EBX)) {
data[i++] = 0x53; // push ebx
}
if (!(registersreturned & ECX)) {
data[i++] = 0x51; // push ecx
}
if (!(registersreturned & EDX)) {
data[i++] = 0x52; // push edx
}
if (!(registersreturned & EBP)) {
data[i++] = 0x55; // push ebp
}
if (!(registersreturned & ESI)) {
data[i++] = 0x56; // push esi
}
if (!(registersreturned & EDI)) {
data[i++] = 0x57; // push edi
}
data[i++] = 0x50; //push eax
data[i++] = 0x89; //mov eax, esp
data[i++] = 0xE0;
data[i++] = 0x83; //sub eax, (0xC + numargs*4) & 0xF
data[i++] = 0xE8;
data[i++] = (0xC + numrargs * 4) & 0xF;
data[i++] = 0x83; //and eax, 0xC
data[i++] = 0xE0;
data[i++] = 0x0C;
data[i++] = 0xA3; //mov [0x9ABDA8], eax
data[i++] = 0xA8;
data[i++] = 0xBD;
data[i++] = 0x9A;
data[i++] = 0x00;
data[i++] = 0x58; //pop eax
data[i++] = 0x2B; //sub esp, [0x9ABDA8]
data[i++] = 0x25;
data[i++] = 0xA8;
data[i++] = 0xBD;
data[i++] = 0x9A;
data[i++] = 0x00;
// work out distance to nearest 0xC
// (esp - numargs * 4) & 0xC
// move to align - 4
// save that amount
if (numrargs > 0) {
// push the registers to be on the stack to access as arguments
for (signed int j = numrargs - 1; j >= 0; j--) {
switch (registerargs[j]) {
case EAX: data[i++] = 0x50; break;
case EBX: data[i++] = 0x53; break;
case ECX: data[i++] = 0x51; break;
case EDX: data[i++] = 0x52; break;
case ESI: data[i++] = 0x56; break;
case EDI: data[i++] = 0x57; break;
case EBP: data[i++] = 0x55; break;
}
}
}
data[i++] = 0xE8; // call
write_address_strictalias(&data[i], newaddress - address - i - 4);
i += 4;
// returnlocation:
switch (eaxDestinationRegister) {
case EBX:
// mov ebx, eax
data[i++] = 0x8B;
data[i++] = 0xD8;
break;
case ECX:
// mov ecx, eax
data[i++] = 0x8B;
data[i++] = 0xC8;
break;
case EDX:
// mov ecx, eax
data[i++] = 0x8B;
data[i++] = 0xD0;
break;
case ESI:
// mov ecx, eax
data[i++] = 0x8B;
data[i++] = 0xF0;
break;
case EDI:
// mov ecx, eax
data[i++] = 0x8B;
data[i++] = 0xF8;
break;
case EBP:
// mov ecx, eax
data[i++] = 0x8B;
data[i++] = 0xE8;
break;
}
data[i++] = 0x83; // sub esp, x
data[i++] = 0xEC;
data[i++] = (signed char)(stacksize * -4) - rargssize;
data[i++] = 0x03; //add esp, [0x9ABDA8]
data[i++] = 0x25;
data[i++] = 0xA8;
data[i++] = 0xBD;
data[i++] = 0x9A;
data[i++] = 0x00;
if (!(registersreturned & EDI)) {
data[i++] = 0x5F; // pop edi
}
if (!(registersreturned & ESI)) {
data[i++] = 0x5E; // pop esi
}
if (!(registersreturned & EBP)) {
data[i++] = 0x5D; // pop ebp
}
if (!(registersreturned & EDX)) {
data[i++] = 0x5A; // pop edx
}
if (!(registersreturned & ECX)) {
data[i++] = 0x59; // pop ecx
}
if (!(registersreturned & EBX)) {
data[i++] = 0x5B; // pop ebx
}
if (!(registersreturned & EAX)) {
data[i++] = 0x58; // pop eax
}
data[i++] = 0xC3; // retn
#ifdef __WINDOWS__
WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0);
#else
// We own the pages with PROT_WRITE | PROT_EXEC, we can simply just memcpy the data
memcpy((void *)address, data, i);
#endif // __WINDOWS__
}
static void hookfunc(uintptr_t address, uintptr_t hookAddress, int32_t stacksize)
{
int32_t i = 0;
uint8_t data[HOOK_BYTE_COUNT] = {};
uintptr_t registerAddress = (uintptr_t)&gHookRegisters;
data[i++] = 0x89; // mov [gHookRegisters], eax
data[i++] = (0b000 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress);
i += 4;
data[i++] = 0x89; // mov [gHookRegisters + 4], ebx
data[i++] = (0b011 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 4);
i += 4;
data[i++] = 0x89; // mov [gHookRegisters + 8], ecx
data[i++] = (0b001 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 8);
i += 4;
data[i++] = 0x89; // mov [gHookRegisters + 12], edx
data[i++] = (0b010 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 12);
i += 4;
data[i++] = 0x89; // mov [gHookRegisters + 16], esi
data[i++] = (0b110 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 16);
i += 4;
data[i++] = 0x89; // mov [gHookRegisters + 20], edi
data[i++] = (0b111 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 20);
i += 4;
data[i++] = 0x89; // mov [gHookRegisters + 24], ebp
data[i++] = (0b101 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 24);
i += 4;
// work out distance to nearest 0xC
// (esp - numargs * 4) & 0xC
// move to align - 4
// save that amount
// push the registers to be on the stack to access as arguments
data[i++] = 0x68; // push gHookRegisters
write_address_strictalias(&data[i], registerAddress);
i += 4;
data[i++] = 0xE8; // call
write_address_strictalias(&data[i], hookAddress - address - i - 4);
i += 4;
data[i++] = 0x83; // add esp, 4
data[i++] = 0xC4;
data[i++] = 0x04;
data[i++] = 0x25; // and eax,0xff
data[i++] = 0xff;
data[i++] = 0x00;
data[i++] = 0x00;
data[i++] = 0x00;
data[i++] = 0xc1; // shl eax, 8
data[i++] = 0xe0;
data[i++] = 0x08;
data[i++] = 0x9e; // sahf
data[i++] = 0x9c; // pushf
data[i++] = 0x8B; // mov eax, [gHookRegisters]
data[i++] = (0b000 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress);
i += 4;
data[i++] = 0x8B; // mov ebx, [gHookRegisters + 4]
data[i++] = (0b011 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 4);
i += 4;
data[i++] = 0x8B; // mov ecx, [gHookRegisters + 8]
data[i++] = (0b001 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 8);
i += 4;
data[i++] = 0x8B; // mov edx, [gHookRegisters + 12]
data[i++] = (0b010 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 12);
i += 4;
data[i++] = 0x8B; // mov esi, [gHookRegisters + 16]
data[i++] = (0b110 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 16);
i += 4;
data[i++] = 0x8B; // mov edi, [gHookRegisters + 20]
data[i++] = (0b111 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 20);
i += 4;
data[i++] = 0x8B; // mov ebp, [gHookRegisters + 24]
data[i++] = (0b101 << 3) | 0b101;
write_address_strictalias(&data[i], registerAddress + 24);
i += 4;
data[i++] = 0x9d; // popf
data[i++] = 0xC3; // retn
# ifdef _WIN32
WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0);
# else
// We own the pages with PROT_WRITE | PROT_EXEC, we can simply just memcpy the data
memcpy((void*)address, data, i);
# endif // _WIN32
}
