42 lines
1.3 KiB
C++
Raw Normal View History

2024-10-03 14:53:59 +08:00
#include "Kincaid.h"
namespace
{
bool _1()
{
// .text:0000000140230D80 mov rsi, rax
// .text:0000000140230D83 mov edx, 1
// .text:0000000140230D88 mov rcx, rdi
// .text:0000000140230D8B call sub_1402B35B0
// .text:0000000140230D90 lea ebx, [rax-1]
// .text:0000000140230D93 mov edx, 2
// .text:0000000140230D98 mov rcx, rdi
// .text:0000000140230D9B call sub_1402B35B0
BYTE b1[] = {
0x48, 0x8b, 0xf0,
0xba, 0x01, 0x00, 0x00, 0x00,
0x48, 0x8b, 0xcf,
0xe8, XX4,
0x8d, 0x58, 0xff,
0xba, 0x02, 0x00, 0x00, 0x00,
0x48, 0x8b, 0xcf,
0xe8, XX4};
auto addr = MemDbg::findBytes(b1, sizeof(b1), processStartAddress, processStopAddress);
if (addr == 0)
return false;
2024-05-12 23:43:56 +08:00
HookParam hp;
2024-10-03 14:53:59 +08:00
hp.address = addr;
hp.type = USING_STRING | CODEC_UTF8;
hp.offset = get_reg(regs::rax);
hp.text_fun = [](hook_stack *stack, HookParam *hp, uintptr_t *data, uintptr_t *split, size_t *len)
{
*data = stack->rax;
if (stack->retaddr == (DWORD)-1)
*len = strlen((char *)*data);
2024-05-12 23:43:56 +08:00
};
2024-10-03 14:53:59 +08:00
return NewHook(hp, "Kincaid");
2024-05-12 23:43:56 +08:00
}
}
2024-10-03 14:53:59 +08:00
bool Kincaid::attach_function()
{
2024-05-12 23:43:56 +08:00
return _1();
}