finish removeing ntdll dependence in core hijacking code
This commit is contained in:
parent
c3707de5b5
commit
4b70c62d64
@ -436,10 +436,9 @@ int TextHook::UnsafeInsertHookCode()
}
}
// Verify hp.address.
// Verify hp.address.
MEMORY_BASIC_INFORMATION info = {};
if (!IthGetMemoryRange((LPCVOID)hp.address, nullptr, nullptr))
NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr);
{
if (info.Type & PAGE_NOACCESS) {
ConsoleOutput("NextHooker: FAILED: cannot access requested memory");
ConsoleOutput("vnrcli:UnsafeInsertHookCode: FAILED: page no access");
return no;
return no;
}
}
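Review bot: The new `if (!IthGetMemoryRange((LPCVOID)hp.address, nullptr, nullptr))` queries only the region holding the first byte of the hook site, while the later hunk writes `hp.recover_len` bytes starting there, so a patch that straddles a region boundary passes this check and faults inside the memcpy. If `hp.recover_len` is already known at this point (it may only be computed by the disassembly that follows), check the last byte as well: `if (!IthGetMemoryRange((LPCVOID)hp.address, nullptr, nullptr) || !IthGetMemoryRange((LPCVOID)(hp.address + hp.recover_len - 1), nullptr, nullptr))`; otherwise repeat the check immediately before the VirtualProtect. The check is also only as strong as the value IthGetMemoryRange now returns, which is raised separately at the last hunk. UnsafeInsertHookCode begins before this hunk.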
@ -453,7 +452,7 @@ int TextHook::UnsafeInsertHookCode()
BYTE inst[] = // jichi 9/27/2013: Why 8? Only 5 bytes will be written using NtWriteVirtualMemory
BYTE inst[] = // jichi 9/27/2013: Why 8? Only 5 bytes will be written using NtWriteVirtualMemory
{
{
0xe9, 0, 0, 0, 0, // jmp recover
0xe9, 0, 0, 0, 0, // jmp recover
0, 0, 0 // ???
0xcc, 0xcc, 0xcc // int3
};
};
void* relRecover = (void*)(recover - (BYTE*)hp.address - 5);
void* relRecover = (void*)(recover - (BYTE*)hp.address - 5);
memcpy(inst + 1, &relRecover, sizeof(void*));
memcpy(inst + 1, &relRecover, sizeof(void*));
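Review bot: The trailing comment on `BYTE inst[] = // jichi 9/27/2013: Why 8? Only 5 bytes will be written using NtWriteVirtualMemory` is stale after this commit: NtWriteVirtualMemory is gone, and the memcpy in the later hunk copies `hp.recover_len` bytes of this buffer, which is exactly why the three padding bytes are now `0xcc`. Suggest `BYTE inst[] = // 5-byte jmp to recover, padded with int3; the memcpy below copies hp.recover_len bytes of this buffer` so the next reader knows the filler is deliberate and that the array size bounds the patch length. The enclosing function continues on both sides of the hunk.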
@ -495,24 +494,13 @@ int TextHook::UnsafeInsertHookCode()
}
}
}
}
}
}
// Insert hook and flush instruction cache.
enum {c8 = 0xcccccccc};
DWORD old;
DWORD int3[] = {c8, c8};
LPVOID addr = (void*)hp.address;
DWORD t = 0x100,
VirtualProtect(addr, sizeof(inst), PAGE_EXECUTE_READWRITE, &old);
old,
memcpy(addr, inst, hp.recover_len);
len;
FlushInstructionCache(GetCurrentProcess(), addr, hp.recover_len);
// jichi 9/27/2013: Overwrite the memory with inst
// See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html
// See: http://doxygen.reactos.org/d8/d6b/ndk_2mmfuncs_8h_af942709e0c57981d84586e74621912cd.html
DWORD addr = hp.address;
NtProtectVirtualMemory(GetCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
len = hp.recover_len - 5;
if (len)
NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)::hookman, 0x1000);
//ConsoleOutput("vnrcli:UnsafeInsertHookCode: leave: succeed");
return 0;
return 0;
}
}
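Review bot: `VirtualProtect(addr, sizeof(inst), PAGE_EXECUTE_READWRITE, &old);` is unchecked and the three calls disagree on length: the protection change covers `sizeof(inst)` (8 bytes) while `memcpy(addr, inst, hp.recover_len);` and the FlushInstructionCache use `hp.recover_len`, so if `hp.recover_len` can exceed 8 the memcpy also reads past the end of `inst` (the removed code wrote the tail from a separate `int3` buffer instead). One bounded length should drive protect, copy and flush, and a failed VirtualProtect should take the existing `return no;` path rather than fall through to the write. The page is left PAGE_EXECUTE_READWRITE afterwards, as before; the new RemoveHookCode memcpy in the next hunk has no VirtualProtect of its own and depends on that, so restoring `old` here would need the matching change there. The removed `NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)::hookman, 0x1000);` has no replacement; if `recover` still points into the hookman section, the trampoline written there is no longer flushed. UnsafeInsertHookCode begins before this hunk.
```cpp
DWORD old = 0;
LPVOID addr = (void*)hp.address;
// inst holds only sizeof(inst) bytes; refuse a longer patch rather than read past the array.
if (hp.recover_len > sizeof(inst)) {
    ConsoleOutput("NextHooker: FAILED: recover_len exceeds patch buffer");
    return no;
}
// One length for protect, copy and flush. The page stays PAGE_EXECUTE_READWRITE on purpose:
// RemoveHookCode writes the original bytes back without changing protection itself.
if (!VirtualProtect(addr, hp.recover_len, PAGE_EXECUTE_READWRITE, &old)) {
    ConsoleOutput("NextHooker: FAILED: cannot change page protection");
    return no;
}
memcpy(addr, inst, hp.recover_len);
FlushInstructionCache(GetCurrentProcess(), addr, hp.recover_len);
// … unchanged: return 0 …
```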
@ -538,14 +526,9 @@ int TextHook::RemoveHookCode()
return no;
return no;
DWORD l = hp.hook_len;
DWORD l = hp.hook_len;
//with_seh({ // jichi 9/17/2013: might crash ><
// jichi 12/25/2013: Actually, __try cannot catch such kind of exception
memcpy((void*)hp.address, original, hp.recover_len);
ITH_TRY {
FlushInstructionCache(GetCurrentProcess(), (void*)hp.address, hp.recover_len);
NtWriteVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
}
ITH_EXCEPT {}
//});
return yes;
return yes;
}
}
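Review bot: `memcpy((void*)hp.address, original, hp.recover_len);` writes to the hook site with no VirtualProtect, so it only succeeds because UnsafeInsertHookCode leaves the page PAGE_EXECUTE_READWRITE; with the ITH_TRY/ITH_EXCEPT guard removed as well (the old comment admits it could not catch this fault anyway), a page whose protection was changed in the meantime now faults in the caller. Suggest adding `DWORD old;` and `if (!VirtualProtect((void*)hp.address, hp.recover_len, PAGE_EXECUTE_READWRITE, &old)) return no;` ahead of the memcpy, keeping the flush as written. `DWORD l = hp.hook_len;` is now unused since the NtWriteVirtualMemory call that took `&l` was dropped. RemoveHookCode begins before this hunk.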
@ -76,19 +76,16 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
// jichi 9/25/2013: Interprocedural communication with vnrsrv.
// jichi 9/25/2013: Interprocedural communication with vnrsrv.
hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section);
hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section);
::hookman = nullptr;
::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0, 0, HOOK_BUFFER_SIZE);
NtMapViewOfSection(hSection, NtCurrentProcess(),
(LPVOID *)&::hookman, 0, hook_buff_len, 0, &hook_buff_len, ViewUnmap, 0,
PAGE_EXECUTE_READWRITE);
// Artikash 6/20/2018: This crashes certain games (https://vndb.org/v7738). No idea why.
//::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, HOOK_SECTION_SIZE / 2);
::processStartAddress = (DWORD)GetModuleHandleW(nullptr);
::processStartAddress = ::processStopAddress = (DWORD)GetModuleHandleW(nullptr);
// Artikash 7/1/2018: No idea how the everliving fuck this works, but it finds the process stop address.
MEMORY_BASIC_INFORMATION info;
PROCESS_BASIC_INFORMATION info;
do
NtQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, &info, sizeof(PROCESS_BASIC_INFORMATION), 0);
{
::processStopAddress = ::processStartAddress + ((LDR_DATA_TABLE_ENTRY*)&info.PebBaseAddress->Ldr->InLoadOrderModuleList.Flink->Flink)->SizeOfImage;
VirtualQuery((void*)::processStopAddress, &info, sizeof(info));
::processStopAddress = (DWORD)info.BaseAddress + info.RegionSize;
} while (info.Protect);
{
{
wchar_t hm_mutex[0x100];
wchar_t hm_mutex[0x100];
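Review bot: The new `do { VirtualQuery((void*)::processStopAddress, &info, sizeof(info)); ::processStopAddress = (DWORD)info.BaseAddress + info.RegionSize; } while (info.Protect);` loop replaces the exact `SizeOfImage` the removed LDR walk read with a heuristic: it keeps absorbing regions until one reports `Protect == 0`, so any committed allocation that directly follows the executable pushes the stop address past the image, `Protect` is documented as undefined for free and reserved regions, VirtualQuery's return value is never checked, and `info` is uninitialized on the first iteration. The same value is available without ntdll from the module's own PE header, which keeps the old semantics. `MapViewOfFile` can also return NULL and is not checked before `::hookman` is used, and the removed Artikash note about MapViewOfFile crashing certain games deserves a one-line comment stating why the FILE_MAP_EXECUTE mapping is believed to be safe. DllMain continues on both sides of the hunk.
```cpp
::processStartAddress = (DWORD)GetModuleHandleW(nullptr);
// Image size from the module's own PE header: the same value the removed LDR walk read, no ntdll needed.
auto dosHeader = (IMAGE_DOS_HEADER*)::processStartAddress;
auto ntHeaders = (IMAGE_NT_HEADERS*)((BYTE*)dosHeader + dosHeader->e_lfanew);
::processStopAddress = ::processStartAddress + ntHeaders->OptionalHeader.SizeOfImage;
// … unchanged: hm_mutex block …
```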
@ -60,14 +60,13 @@ DWORD SearchPattern(DWORD base, DWORD base_length, LPCVOID search, DWORD search_
DWORD IthGetMemoryRange(LPCVOID mem, DWORD *base, DWORD *size)
DWORD IthGetMemoryRange(LPCVOID mem, DWORD *base, DWORD *size)
{
{
DWORD r;
MEMORY_BASIC_INFORMATION info;
MEMORY_BASIC_INFORMATION info;
NtQueryVirtualMemory(NtCurrentProcess(), const_cast<LPVOID>(mem), MemoryBasicInformation, &info, sizeof(info), &r);
VirtualQuery(mem, &info, sizeof(info));
if (base)
if (base)
*base = (DWORD)info.BaseAddress;
*base = (DWORD)info.BaseAddress;
if (size)
if (size)
*size = info.RegionSize;
*size = info.RegionSize;
return (info.Type&PAGE_NOACCESS) == 0;
return info.Protect;
}
}
inline DWORD GetHash(LPSTR str)
inline DWORD GetHash(LPSTR str)
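Review bot: `return info.Protect;` reports a PAGE_NOACCESS or PAGE_GUARD page as accessible, because those protection values are non-zero, and `Protect` is documented as undefined for free and reserved regions; since VirtualQuery's result is ignored and `MEMORY_BASIC_INFORMATION info;` is never initialized, the value is also indeterminate when the query fails. The caller in the first hunk, `if (!IthGetMemoryRange((LPCVOID)hp.address, nullptr, nullptr))`, relies on this as the only access check before writing to the hook site. Suggest `MEMORY_BASIC_INFORMATION info = {};`, then `if (!VirtualQuery(mem, &info, sizeof(info))) return 0;`, and `return info.State == MEM_COMMIT && !(info.Protect & (PAGE_NOACCESS | PAGE_GUARD));` in place of the new return, so the base/size out-params keep their meaning while the result means "committed and readable".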