From 2eb506165d3d451d9daafdec8b499444bb34351b Mon Sep 17 00:00:00 2001
From: BDKPlayer
Date: Mon, 2 Mar 2020 21:42:04 +0100
Subject: Added: x64 minimap text hook
---
 DetourHook64.cpp | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 DetourHook64.cpp
(limited to 'DetourHook64.cpp')
diff --git a/DetourHook64.cpp b/DetourHook64.cpp
new file mode 100644
index 0000000..0cd0f47
--- /dev/null
+++ b/DetourHook64.cpp
@@ -0,0 +1,92 @@
+#include "DetourHook64.h"
+#include 
+
+
+
+//Detours x64 functions. The shellcode passed is expected to be relocated already
+BYTE* DetourHook64::Hook(BYTE* hookAddress, BYTE* shellcode, int shellcodeSize, uint64_t jmpBack, int length, int pageSize)
+{
+ //Save original to be able to unhook
+ this->shellcodeSize = shellcodeSize;
+ this->hookAddress = hookAddress;
+ this->pageSize = pageSize;
+ this->originalBytes = new BYTE[length];
+
+
+ printf("MinimapText - Hook\n");
+
+ //Make original code writeable (.text segment usually read only).
+ DWORD oldProtection;
+ if (!VirtualProtect(hookAddress, length, PAGE_EXECUTE_READWRITE, &oldProtection))
+ {
+ return NULL; //Couldn't make memory writeable
+ }
+ printf("MinimapText - VirtualProtect\n");
+
+
+ for (int i = 0; i < length; i++)
+ {
+ this->originalBytes[i] = hookAddress[i];
+ printf("Original Byte %i: %x\n", i, hookAddress[i]);
+ }
+
+
+ //Create VirtualMemoryPage somewhere (NULL) lets system decide
+ trampoline = (BYTE*)VirtualAlloc(NULL, pageSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+ printf("MinimapText - trampoline\n");
+
+ if (!trampoline)
+ {
+ return NULL; //Couldn't allocate virtual memory
+ }
+
+ //Copy shellcode into new memory page
+ for (int i = 0; i < shellcodeSize; i++)
+ {
+ trampoline[i] = shellcode[i];
+ }
+
+ //Add jump back to original code into new memory
+ trampoline[shellcodeSize] = 0xFF; //opcodes = JMP [rip+0]
+ trampoline[shellcodeSize + 1] = 0x25; //opcodes = JMP [rip+0]
+ *(uint32_t*)(&trampoline[shellcodeSize + 2]) = 0; //relative distance from RIP (+0)
+ *(uint64_t*)(&trampoline[shellcodeSize + 2 + 4]) = jmpBack; //destination to jump to
+
+ //Jump to allocated code
+ hookAddress[0] = 0xFF; //opcodes = JMP [rip+0]
+ hookAddress[1] = 0x25; //opcodes = JMP [rip+0]
+ *(uint32_t*)(&hookAddress[2]) = 0; //relative distance from RIP (+0)
+ *(uint64_t*)(&hookAddress[2 + 4]) = (uint64_t)trampoline; //destination to jump to
+
+ //Restore page protection
+ if (!VirtualProtect(hookAddress, length, oldProtection, &oldProtection))
+ {
+ VirtualFree(trampoline, pageSize, MEM_RELEASE);
+ return NULL; //Couldn't restore memory protection
+ }
+
+ return trampoline;
+}
+
+
+
+bool DetourHook64::Unhook()
+{
+ DWORD oldProtection;
+ if (!VirtualProtect(hookAddress, 14, PAGE_EXECUTE_READWRITE, &oldProtection))
+ {
+ return false; //Couldn't make memory writeable
+ }
+
+ memcpy(hookAddress, originalBytes, 14);
+ VirtualFree(trampoline, pageSize, MEM_RELEASE);
+ delete[] originalBytes;
+
+ if (!VirtualProtect(hookAddress, 14, oldProtection, &oldProtection))
+ {
+ return false; //Couldn't restore memory protection
+ }
+
+ return true;
+}
-- 
cgit v1.2.3
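Review bot: The `if (!trampoline)` failure path in Hook() returns with the code page at hookAddress still PAGE_EXECUTE_READWRITE (the first VirtualProtect has already succeeded and is never undone) and with the `new BYTE[length]` buffer leaked, so a failed hook leaves the target process weaker than an unhooked one. Nothing checks that `length` is at least the 14 bytes the JMP [rip+0] + absolute-address sequence occupies, or that `shellcodeSize + 14` fits in `pageSize`, so the 8-byte writes at `hookAddress[2 + 4]` and `trampoline[shellcodeSize + 2 + 4]` can run past the region that was made writable or past the allocated page. Both `VirtualFree(trampoline, pageSize, MEM_RELEASE)` calls pass a non-zero size, which the API rejects for MEM_RELEASE (the size must be 0), and because the return value is unchecked the trampoline page is silently never released, in Unhook() as well as in Hook(). Unhook() also hard-codes 14 where Hook() used `length` and leaves `originalBytes` and `trampoline` dangling after freeing them, so a second Unhook() is a double free; storing `length` in Hook() and nulling both pointers after release would close that. The rewrite below adds the size guard and the failure-path cleanup in Hook(); the rest of the body is unchanged.
```cpp
BYTE* DetourHook64::Hook(BYTE* hookAddress, BYTE* shellcode, int shellcodeSize, uint64_t jmpBack, int length, int pageSize)
{
	//The patch at hookAddress is a 14-byte JMP [rip+0] + absolute address; the trampoline holds the shellcode plus the same 14 bytes
	if (length < 14 || shellcodeSize < 0 || shellcodeSize + 14 > pageSize)
	{
		return NULL; //Caller-supplied sizes cannot hold the jump sequences
	}

	// … unchanged: save members, originalBytes = new BYTE[length] …

	DWORD oldProtection;
	if (!VirtualProtect(hookAddress, length, PAGE_EXECUTE_READWRITE, &oldProtection))
	{
		delete[] this->originalBytes;
		this->originalBytes = NULL;
		return NULL; //Couldn't make memory writeable
	}

	// … unchanged: copy original bytes, VirtualAlloc the trampoline …

	if (!trampoline)
	{
		VirtualProtect(hookAddress, length, oldProtection, &oldProtection); //Put the code page back before bailing out
		delete[] this->originalBytes;
		this->originalBytes = NULL;
		return NULL; //Couldn't allocate virtual memory
	}

	// … unchanged: shellcode copy, JMP [rip+0] sequences, protection restore, return trampoline …
```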