2018-07-25 21:48:18 -07:00
|
|
|
#include "misc.h"
|
2018-08-23 11:53:23 -04:00
|
|
|
#include "const.h"
|
2018-12-01 15:55:32 -05:00
|
|
|
#include "host/util.h"
|
2018-07-25 21:48:18 -07:00
|
|
|
#include <Psapi.h>
|
2018-10-11 12:58:30 -04:00
|
|
|
#include <QTextStream>
|
2018-07-25 21:48:18 -07:00
|
|
|
|
2018-08-25 16:02:16 -04:00
|
|
|
namespace
|
2018-07-25 21:48:18 -07:00
|
|
|
{
|
2018-08-25 16:02:16 -04:00
|
|
|
std::optional<HookParam> ParseRCode(QString RCode)
|
2018-07-25 21:48:18 -07:00
|
|
|
{
|
2018-08-25 16:02:16 -04:00
|
|
|
HookParam hp = {};
|
|
|
|
hp.type |= DIRECT_READ;
|
2018-10-11 12:58:30 -04:00
|
|
|
|
|
|
|
// {S|Q|V}
|
2018-08-25 16:02:16 -04:00
|
|
|
switch (RCode.at(0).unicode())
|
|
|
|
{
|
|
|
|
case L'S':
|
|
|
|
break;
|
|
|
|
case L'Q':
|
|
|
|
hp.type |= USING_STRING | USING_UNICODE;
|
|
|
|
break;
|
|
|
|
case L'V':
|
|
|
|
hp.type |= USING_STRING | USING_UTF8;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return {};
|
|
|
|
}
|
|
|
|
RCode.remove(0, 1);
|
2018-10-11 12:58:30 -04:00
|
|
|
|
2018-10-30 20:50:50 -04:00
|
|
|
// [codepage#]
|
|
|
|
QRegularExpressionMatch codepage = QRegularExpression("^([0-9]+)#").match(RCode);
|
|
|
|
if (codepage.hasMatch())
|
|
|
|
{
|
|
|
|
hp.codepage = codepage.captured(1).toInt();
|
|
|
|
RCode.remove(0, codepage.captured(0).length());
|
|
|
|
}
|
|
|
|
|
2018-10-11 12:58:30 -04:00
|
|
|
// [*deref_offset|0]
|
|
|
|
if (RCode.at(0).unicode() == L'0') RCode.remove(0, 1); // Legacy
|
|
|
|
QRegularExpressionMatch deref = QRegularExpression("^\\*(\\-?[[:xdigit:]]+)").match(RCode);
|
|
|
|
if (deref.hasMatch())
|
2018-08-26 22:21:15 -04:00
|
|
|
{
|
|
|
|
hp.type |= DATA_INDIRECT;
|
2018-10-11 12:58:30 -04:00
|
|
|
hp.index = deref.captured(1).toInt(nullptr, 16);
|
|
|
|
RCode.remove(0, deref.captured(0).length());
|
2018-08-26 22:21:15 -04:00
|
|
|
}
|
2018-10-11 12:58:30 -04:00
|
|
|
|
|
|
|
// @addr
|
|
|
|
QRegularExpressionMatch address = QRegularExpression("^@([[:xdigit:]]+)$").match(RCode);
|
|
|
|
if (!address.hasMatch()) return {};
|
|
|
|
hp.address = address.captured(1).toULongLong(nullptr, 16);
|
2018-08-25 16:02:16 -04:00
|
|
|
return hp;
|
2018-07-25 21:48:18 -07:00
|
|
|
}
|
2018-08-25 16:02:16 -04:00
|
|
|
|
|
|
|
std::optional<HookParam> ParseHCode(QString HCode)
|
2018-07-25 21:48:18 -07:00
|
|
|
{
|
2018-08-25 16:02:16 -04:00
|
|
|
HookParam hp = {};
|
2018-10-11 12:58:30 -04:00
|
|
|
|
|
|
|
// {A|B|W|S|Q|V}
|
2018-08-25 16:02:16 -04:00
|
|
|
switch (HCode.at(0).unicode())
|
|
|
|
{
|
|
|
|
case L'S':
|
|
|
|
hp.type |= USING_STRING;
|
|
|
|
break;
|
|
|
|
case L'A':
|
|
|
|
hp.type |= BIG_ENDIAN;
|
|
|
|
hp.length_offset = 1;
|
|
|
|
break;
|
|
|
|
case L'B':
|
|
|
|
hp.length_offset = 1;
|
|
|
|
break;
|
|
|
|
case L'Q':
|
|
|
|
hp.type |= USING_STRING | USING_UNICODE;
|
|
|
|
break;
|
|
|
|
case L'W':
|
|
|
|
hp.type |= USING_UNICODE;
|
|
|
|
hp.length_offset = 1;
|
|
|
|
break;
|
|
|
|
case L'V':
|
|
|
|
hp.type |= USING_STRING | USING_UTF8;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return {};
|
|
|
|
}
|
2018-07-25 21:48:18 -07:00
|
|
|
HCode.remove(0, 1);
|
2018-10-11 12:58:30 -04:00
|
|
|
|
|
|
|
// [N]
|
2018-08-25 16:02:16 -04:00
|
|
|
if (HCode.at(0).unicode() == L'N')
|
2018-07-25 21:48:18 -07:00
|
|
|
{
|
2018-08-25 16:02:16 -04:00
|
|
|
hp.type |= NO_CONTEXT;
|
|
|
|
HCode.remove(0, 1);
|
2018-07-25 21:48:18 -07:00
|
|
|
}
|
2018-10-11 12:58:30 -04:00
|
|
|
|
2018-10-30 20:50:50 -04:00
|
|
|
// [codepage#]
|
|
|
|
QRegularExpressionMatch codepage = QRegularExpression("^([0-9]+)#").match(HCode);
|
|
|
|
if (codepage.hasMatch())
|
|
|
|
{
|
|
|
|
hp.codepage = codepage.captured(1).toInt();
|
|
|
|
HCode.remove(0, codepage.captured(0).length());
|
|
|
|
}
|
|
|
|
|
2018-10-11 12:58:30 -04:00
|
|
|
// data_offset
|
|
|
|
QRegularExpressionMatch dataOffset = QRegularExpression("^\\-?[[:xdigit:]]+").match(HCode);
|
|
|
|
if (!dataOffset.hasMatch()) return {};
|
|
|
|
hp.offset = dataOffset.captured(0).toInt(nullptr, 16);
|
|
|
|
HCode.remove(0, dataOffset.captured(0).length());
|
|
|
|
|
|
|
|
// [*deref_offset1]
|
|
|
|
QRegularExpressionMatch deref1 = QRegularExpression("^\\*(\\-?[[:xdigit:]]+)").match(HCode);
|
|
|
|
if (deref1.hasMatch())
|
2018-08-25 16:02:16 -04:00
|
|
|
{
|
|
|
|
hp.type |= DATA_INDIRECT;
|
2018-10-11 12:58:30 -04:00
|
|
|
hp.index = deref1.captured(1).toInt(nullptr, 16);
|
|
|
|
HCode.remove(0, deref1.captured(0).length());
|
2018-08-25 16:02:16 -04:00
|
|
|
}
|
2018-10-11 12:58:30 -04:00
|
|
|
|
|
|
|
// [:split_offset[*deref_offset2]]
|
|
|
|
QRegularExpressionMatch splitOffset = QRegularExpression("^\\:(\\-?[[:xdigit:]]+)").match(HCode);
|
|
|
|
if (splitOffset.hasMatch())
|
2018-08-25 16:02:16 -04:00
|
|
|
{
|
|
|
|
hp.type |= USING_SPLIT;
|
2018-10-11 12:58:30 -04:00
|
|
|
hp.split = splitOffset.captured(1).toInt(nullptr, 16);
|
|
|
|
HCode.remove(0, splitOffset.captured(0).length());
|
|
|
|
|
|
|
|
QRegularExpressionMatch deref2 = QRegularExpression("^\\*(\\-?[[:xdigit:]]+)").match(HCode);
|
|
|
|
if (deref2.hasMatch())
|
2018-08-25 16:02:16 -04:00
|
|
|
{
|
|
|
|
hp.type |= SPLIT_INDIRECT;
|
2018-10-11 12:58:30 -04:00
|
|
|
hp.split_index = deref2.captured(1).toInt(nullptr, 16);
|
|
|
|
HCode.remove(0, deref2.captured(0).length());
|
2018-08-25 16:02:16 -04:00
|
|
|
}
|
|
|
|
}
|
2018-10-11 12:58:30 -04:00
|
|
|
|
|
|
|
// @addr[:module[:func]]
|
|
|
|
QStringList addressPieces = HCode.split(":");
|
|
|
|
QRegularExpressionMatch address = QRegularExpression("^@([[:xdigit:]]+)$").match(addressPieces.at(0));
|
|
|
|
if (!address.hasMatch()) return {};
|
|
|
|
hp.address = address.captured(1).toULongLong(nullptr, 16);
|
|
|
|
if (addressPieces.size() > 1)
|
2018-08-25 16:02:16 -04:00
|
|
|
{
|
|
|
|
hp.type |= MODULE_OFFSET;
|
2018-12-13 08:37:37 -05:00
|
|
|
wcscpy_s<MAX_MODULE_SIZE>(hp.module, S(addressPieces.at(1)).c_str());
|
2018-08-25 16:02:16 -04:00
|
|
|
}
|
2018-10-11 12:58:30 -04:00
|
|
|
if (addressPieces.size() > 2)
|
|
|
|
{
|
|
|
|
hp.type |= FUNCTION_OFFSET;
|
|
|
|
strcpy_s<MAX_MODULE_SIZE>(hp.function, addressPieces.at(2).toStdString().c_str());
|
|
|
|
}
|
|
|
|
|
|
|
|
// ITH has registers offset by 4 vs AGTH: need this to correct
|
|
|
|
if (hp.offset < 0) hp.offset -= 4;
|
|
|
|
if (hp.split < 0) hp.split -= 4;
|
|
|
|
|
2018-08-25 16:02:16 -04:00
|
|
|
return hp;
|
2018-07-25 21:48:18 -07:00
|
|
|
}
|
2018-08-04 18:01:59 -04:00
|
|
|
|
2018-10-30 20:50:50 -04:00
|
|
|
QString GenerateRCode(HookParam hp)
|
|
|
|
{
|
|
|
|
QString RCode = "/R";
|
|
|
|
QTextStream codeBuilder(&RCode);
|
|
|
|
|
|
|
|
if (hp.type & USING_UNICODE) codeBuilder << "Q";
|
|
|
|
else if (hp.type & USING_UTF8) codeBuilder << "V";
|
|
|
|
else codeBuilder << "S";
|
|
|
|
|
2018-11-01 21:59:13 -04:00
|
|
|
if (hp.codepage != 0 && hp.codepage != CP_UTF8) codeBuilder << hp.codepage << "#";
|
2018-10-30 20:50:50 -04:00
|
|
|
|
|
|
|
codeBuilder.setIntegerBase(16);
|
|
|
|
codeBuilder.setNumberFlags(QTextStream::UppercaseDigits);
|
|
|
|
|
|
|
|
if (hp.type & DATA_INDIRECT) codeBuilder << "*" << hp.index;
|
|
|
|
|
|
|
|
codeBuilder << "@" << hp.address;
|
|
|
|
|
|
|
|
return RCode;
|
|
|
|
}
|
|
|
|
|
2018-08-25 16:02:16 -04:00
|
|
|
QString GenerateHCode(HookParam hp, DWORD processId)
|
2018-07-25 21:48:18 -07:00
|
|
|
{
|
2018-10-11 12:58:30 -04:00
|
|
|
QString HCode = "/H";
|
|
|
|
QTextStream codeBuilder(&HCode);
|
|
|
|
|
2018-08-25 16:02:16 -04:00
|
|
|
if (hp.type & USING_UNICODE)
|
|
|
|
{
|
2018-10-11 12:58:30 -04:00
|
|
|
if (hp.type & USING_STRING) codeBuilder << "Q";
|
|
|
|
else codeBuilder << "W";
|
2018-08-25 16:02:16 -04:00
|
|
|
}
|
2018-07-25 21:48:18 -07:00
|
|
|
else
|
2018-08-25 16:02:16 -04:00
|
|
|
{
|
2018-10-11 12:58:30 -04:00
|
|
|
if (hp.type & USING_UTF8) codeBuilder << "V";
|
|
|
|
else if (hp.type & USING_STRING) codeBuilder << "S";
|
|
|
|
else if (hp.type & BIG_ENDIAN) codeBuilder << "A";
|
|
|
|
else codeBuilder << "B";
|
2018-08-25 16:02:16 -04:00
|
|
|
}
|
2018-10-11 12:58:30 -04:00
|
|
|
if (hp.type & NO_CONTEXT) codeBuilder << "N";
|
|
|
|
|
2018-11-01 21:59:13 -04:00
|
|
|
if (hp.codepage != 0 && hp.codepage != CP_UTF8) codeBuilder << hp.codepage << "#";
|
2018-10-30 20:50:50 -04:00
|
|
|
|
|
|
|
codeBuilder.setIntegerBase(16);
|
|
|
|
codeBuilder.setNumberFlags(QTextStream::UppercaseDigits);
|
|
|
|
|
2018-08-25 16:02:16 -04:00
|
|
|
if (hp.offset < 0) hp.offset += 4;
|
|
|
|
if (hp.split < 0) hp.split += 4;
|
2018-10-11 12:58:30 -04:00
|
|
|
|
|
|
|
codeBuilder << hp.offset;
|
|
|
|
if (hp.type & DATA_INDIRECT) codeBuilder << "*" << hp.index;
|
|
|
|
if (hp.type & USING_SPLIT) codeBuilder << ":" << hp.split;
|
|
|
|
if (hp.type & SPLIT_INDIRECT) codeBuilder << "*" << hp.split_index;
|
|
|
|
|
|
|
|
// Attempt to make the address relative
|
|
|
|
if (!(hp.type & MODULE_OFFSET))
|
2018-12-01 15:55:32 -05:00
|
|
|
if (AutoHandle<> process = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, processId))
|
|
|
|
if (MEMORY_BASIC_INFORMATION info = {}; VirtualQueryEx(process, (LPCVOID)hp.address, &info, sizeof(info)))
|
2018-12-22 16:17:08 -05:00
|
|
|
if (auto moduleName = Util::GetModuleFilename(processId, (HMODULE)info.AllocationBase))
|
2018-12-01 15:55:32 -05:00
|
|
|
{
|
|
|
|
hp.type |= MODULE_OFFSET;
|
|
|
|
hp.address -= (uint64_t)info.AllocationBase;
|
|
|
|
wcscpy_s<MAX_MODULE_SIZE>(hp.module, moduleName->c_str() + moduleName->rfind(L'\\') + 1);
|
|
|
|
}
|
2018-10-11 12:58:30 -04:00
|
|
|
|
|
|
|
codeBuilder << "@" << hp.address;
|
2018-12-13 08:37:37 -05:00
|
|
|
if (hp.type & MODULE_OFFSET) codeBuilder << ":" << S(hp.module);
|
2018-10-11 12:58:30 -04:00
|
|
|
if (hp.type & FUNCTION_OFFSET) codeBuilder << ":" << hp.function;
|
|
|
|
|
|
|
|
return HCode;
|
2018-07-25 21:48:18 -07:00
|
|
|
}
|
|
|
|
}
|
2018-08-04 18:01:59 -04:00
|
|
|
|
2018-08-25 16:02:16 -04:00
|
|
|
std::optional<HookParam> ParseCode(QString code)
|
2018-08-04 18:01:59 -04:00
|
|
|
{
|
2018-08-25 16:02:16 -04:00
|
|
|
if (code.startsWith("/H")) return ParseHCode(code.remove(0, 2));
|
|
|
|
else if (code.startsWith("/R")) return ParseRCode(code.remove(0, 2));
|
|
|
|
else return {};
|
2018-08-04 18:01:59 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
QString GenerateCode(HookParam hp, DWORD processId)
|
|
|
|
{
|
|
|
|
if (hp.type & DIRECT_READ) return GenerateRCode(hp);
|
|
|
|
else return GenerateHCode(hp, processId);
|
|
|
|
}
|