void addhook(uintptr_t address, hook_function function) { if (!_hookTableAddress) { size_t size = _maxHooks * HOOK_BYTE_COUNT; # ifdef _WIN32 _hookTableAddress = VirtualAllocEx(GetCurrentProcess(), NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); # else _hookTableAddress = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (_hookTableAddress == MAP_FAILED) { perror("mmap"); exit(1); } # endif // _WIN32 } if (_hookTableOffset > _maxHooks) { return; } uint32_t hookaddress = (uint32_t)((uint64_t)(_hookTableAddress)&0xFFFFFFFF) + (_hookTableOffset * HOOK_BYTE_COUNT); uint8_t data[9]; int32_t i = 0; data[i++] = 0xE9; // jmp write_address_strictalias(&data[i], hookaddress - address - i - 4); i += 4; data[i++] = 0xC3; // retn # ifdef _WIN32 WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0); # else // We own the pages with PROT_WRITE | PROT_EXEC, we can simply just memcpy the data int32_t err = mprotect((void*)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_WRITE); if (err != 0) { perror("mprotect"); } memcpy((void*)address, data, i); err = mprotect((void*)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_EXEC); if (err != 0) { perror("mprotect"); } # endif // _WIN32 hookfunc(hookaddress, (uintptr_t)function, 0); _hookTableOffset++; }
void addhook(int address, int newaddress, int stacksize, int registerargs[], int registersreturned, int eaxDestinationRegister) { if (!g_hooktableaddress) { size_t size = g_maxhooks * 100; #ifdef __WINDOWS__ g_hooktableaddress = VirtualAllocEx(GetCurrentProcess(), NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); #else g_hooktableaddress = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (g_hooktableaddress == MAP_FAILED) { perror("mmap"); exit(1); } #endif // __WINDOWS__ } if (g_hooktableoffset > g_maxhooks) { return; } unsigned int hookaddress = (unsigned int)g_hooktableaddress + (g_hooktableoffset * 100); char data[9]; int i = 0; data[i++] = 0xE9; // jmp write_address_strictalias(&data[i], hookaddress - address - i - 4); i += 4; data[i++] = 0xC3; // retn #ifdef __WINDOWS__ WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0); #else // We own the pages with PROT_WRITE | PROT_EXEC, we can simply just memcpy the data int err = mprotect((void *)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_WRITE); if (err != 0) { perror("mprotect"); } memcpy((void *)address, data, i); err = mprotect((void *)0x401000, 0x8a4000 - 0x401000, PROT_READ | PROT_EXEC); if (err != 0) { perror("mprotect"); } #endif // __WINDOWS__ hookfunc(hookaddress, newaddress, stacksize, registerargs, registersreturned, eaxDestinationRegister); g_hooktableoffset++; }
void hookfunc(int address, int newaddress, int stacksize, int registerargs[], int registersreturned, int eaxDestinationRegister) { int i = 0; char data[100]; registersreturned |= eaxDestinationRegister; int registerssaved = 7; int n = registersreturned; for (; n; registerssaved--) { n &= n - 1; } int numrargs = 0; for (int j = 0; ; j++) { if (registerargs[j] != END) { numrargs++; } else { break; } } int rargssize = numrargs * 4; if (!(registersreturned & EAX)) { data[i++] = 0x50; // push eax } if (!(registersreturned & EBX)) { data[i++] = 0x53; // push ebx } if (!(registersreturned & ECX)) { data[i++] = 0x51; // push ecx } if (!(registersreturned & EDX)) { data[i++] = 0x52; // push edx } if (!(registersreturned & EBP)) { data[i++] = 0x55; // push ebp } if (!(registersreturned & ESI)) { data[i++] = 0x56; // push esi } if (!(registersreturned & EDI)) { data[i++] = 0x57; // push edi } data[i++] = 0x50; //push eax data[i++] = 0x89; //mov eax, esp data[i++] = 0xE0; data[i++] = 0x83; //sub eax, (0xC + numargs*4) & 0xF data[i++] = 0xE8; data[i++] = (0xC + numrargs * 4) & 0xF; data[i++] = 0x83; //and eax, 0xC data[i++] = 0xE0; data[i++] = 0x0C; data[i++] = 0xA3; //mov [0x9ABDA8], eax data[i++] = 0xA8; data[i++] = 0xBD; data[i++] = 0x9A; data[i++] = 0x00; data[i++] = 0x58; //pop eax data[i++] = 0x2B; //sub esp, [0x9ABDA8] data[i++] = 0x25; data[i++] = 0xA8; data[i++] = 0xBD; data[i++] = 0x9A; data[i++] = 0x00; // work out distance to nearest 0xC // (esp - numargs * 4) & 0xC // move to align - 4 // save that amount if (numrargs > 0) { // push the registers to be on the stack to access as arguments for (signed int j = numrargs - 1; j >= 0; j--) { switch (registerargs[j]) { case EAX: data[i++] = 0x50; break; case EBX: data[i++] = 0x53; break; case ECX: data[i++] = 0x51; break; case EDX: data[i++] = 0x52; break; case ESI: data[i++] = 0x56; break; case EDI: data[i++] = 0x57; break; case EBP: data[i++] = 0x55; break; } } } data[i++] = 0xE8; // call write_address_strictalias(&data[i], newaddress - address - i - 4); i += 4; // returnlocation: switch (eaxDestinationRegister) { case EBX: // mov ebx, eax data[i++] = 0x8B; data[i++] = 0xD8; break; case ECX: // mov ecx, eax data[i++] = 0x8B; data[i++] = 0xC8; break; case EDX: // mov ecx, eax data[i++] = 0x8B; data[i++] = 0xD0; break; case ESI: // mov ecx, eax data[i++] = 0x8B; data[i++] = 0xF0; break; case EDI: // mov ecx, eax data[i++] = 0x8B; data[i++] = 0xF8; break; case EBP: // mov ecx, eax data[i++] = 0x8B; data[i++] = 0xE8; break; } data[i++] = 0x83; // sub esp, x data[i++] = 0xEC; data[i++] = (signed char)(stacksize * -4) - rargssize; data[i++] = 0x03; //add esp, [0x9ABDA8] data[i++] = 0x25; data[i++] = 0xA8; data[i++] = 0xBD; data[i++] = 0x9A; data[i++] = 0x00; if (!(registersreturned & EDI)) { data[i++] = 0x5F; // pop edi } if (!(registersreturned & ESI)) { data[i++] = 0x5E; // pop esi } if (!(registersreturned & EBP)) { data[i++] = 0x5D; // pop ebp } if (!(registersreturned & EDX)) { data[i++] = 0x5A; // pop edx } if (!(registersreturned & ECX)) { data[i++] = 0x59; // pop ecx } if (!(registersreturned & EBX)) { data[i++] = 0x5B; // pop ebx } if (!(registersreturned & EAX)) { data[i++] = 0x58; // pop eax } data[i++] = 0xC3; // retn #ifdef __WINDOWS__ WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0); #else // We own the pages with PROT_WRITE | PROT_EXEC, we can simply just memcpy the data memcpy((void *)address, data, i); #endif // __WINDOWS__ }
static void hookfunc(uintptr_t address, uintptr_t hookAddress, int32_t stacksize) { int32_t i = 0; uint8_t data[HOOK_BYTE_COUNT] = {}; uintptr_t registerAddress = (uintptr_t)&gHookRegisters; data[i++] = 0x89; // mov [gHookRegisters], eax data[i++] = (0b000 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress); i += 4; data[i++] = 0x89; // mov [gHookRegisters + 4], ebx data[i++] = (0b011 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 4); i += 4; data[i++] = 0x89; // mov [gHookRegisters + 8], ecx data[i++] = (0b001 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 8); i += 4; data[i++] = 0x89; // mov [gHookRegisters + 12], edx data[i++] = (0b010 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 12); i += 4; data[i++] = 0x89; // mov [gHookRegisters + 16], esi data[i++] = (0b110 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 16); i += 4; data[i++] = 0x89; // mov [gHookRegisters + 20], edi data[i++] = (0b111 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 20); i += 4; data[i++] = 0x89; // mov [gHookRegisters + 24], ebp data[i++] = (0b101 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 24); i += 4; // work out distance to nearest 0xC // (esp - numargs * 4) & 0xC // move to align - 4 // save that amount // push the registers to be on the stack to access as arguments data[i++] = 0x68; // push gHookRegisters write_address_strictalias(&data[i], registerAddress); i += 4; data[i++] = 0xE8; // call write_address_strictalias(&data[i], hookAddress - address - i - 4); i += 4; data[i++] = 0x83; // add esp, 4 data[i++] = 0xC4; data[i++] = 0x04; data[i++] = 0x25; // and eax,0xff data[i++] = 0xff; data[i++] = 0x00; data[i++] = 0x00; data[i++] = 0x00; data[i++] = 0xc1; // shl eax, 8 data[i++] = 0xe0; data[i++] = 0x08; data[i++] = 0x9e; // sahf data[i++] = 0x9c; // pushf data[i++] = 0x8B; // mov eax, [gHookRegisters] data[i++] = (0b000 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress); i += 4; data[i++] = 0x8B; // mov ebx, [gHookRegisters + 4] data[i++] = (0b011 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 4); i += 4; data[i++] = 0x8B; // mov ecx, [gHookRegisters + 8] data[i++] = (0b001 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 8); i += 4; data[i++] = 0x8B; // mov edx, [gHookRegisters + 12] data[i++] = (0b010 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 12); i += 4; data[i++] = 0x8B; // mov esi, [gHookRegisters + 16] data[i++] = (0b110 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 16); i += 4; data[i++] = 0x8B; // mov edi, [gHookRegisters + 20] data[i++] = (0b111 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 20); i += 4; data[i++] = 0x8B; // mov ebp, [gHookRegisters + 24] data[i++] = (0b101 << 3) | 0b101; write_address_strictalias(&data[i], registerAddress + 24); i += 4; data[i++] = 0x9d; // popf data[i++] = 0xC3; // retn # ifdef _WIN32 WriteProcessMemory(GetCurrentProcess(), (LPVOID)address, data, i, 0); # else // We own the pages with PROT_WRITE | PROT_EXEC, we can simply just memcpy the data memcpy((void*)address, data, i); # endif // _WIN32 }