From 7e20d3bbeebb66b33ee393ff8b0738382ce250a7 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Fri, 20 Oct 2017 09:56:24 +0200
Subject: [PATCH] Failed to patch with call + no new line on hook
---
 Observer/dllmain.cpp | 64 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 51 insertions(+), 13 deletions(-)
diff --git a/Observer/dllmain.cpp b/Observer/dllmain.cpp
index d03a714..363f209 100644
--- a/Observer/dllmain.cpp
+++ b/Observer/dllmain.cpp
@@ -26,10 +26,10 @@ Function to patch
 void __stdcall LogMessageWrapperHook(char* message, size_t message_length)
 {
 std::string content(message, message_length);
- std::cout << content << std::endl;
+ std::cout << content;
 }
 
-__declspec(naked) void TrampolineLogMessageWrapperHook()
+__declspec(naked) void TrampolineLogJump()
 {
 __asm
 {
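Review bot: Dropping `std::endl` in `LogMessageWrapperHook` also drops the flush, so with the hook running inside an injected DLL any buffered output is lost if the host process dies before the buffer fills — and the call-patch variant this commit adds is known to crash. If only the newline is unwanted, `std::cout << content << std::flush;` keeps the output visible without adding a line break. `std::string content(message, message_length)` also dereferences `message` with no null check; whether the hooked function guarantees a non-null pointer is not visible here, so a guard such as `if (message == nullptr) return;` before the copy would be prudent.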
@@ -55,6 +55,53 @@ __declspec(naked) void TrampolineLogMessageWrapperHook()
 }
 }
 
+__declspec(naked) void TrampolineLogCall()
+{
+ __asm
+ {
+ // Save registers
+ PUSHAD
+
+ PUSH[esp + 4 + 32 + 8] // Ret address + PUSHAD + shift of 8
+ PUSH[esp + 4 + 32 + 4 + 4] // Ret address + PUSHAD + prev. PUSH + shift of 4
+
+ // Call our hook
+ CALL LogMessageWrapperHook
+
+ // Restore registers
+ POPAD
+
+ // Overwrited instructions by the patch
+ PUSH esi
+ PUSH[esp + 0xC] // push [esp + 4 + messageLength]
+
+ // Jump back to the function (8 as 4 + 4 for the 2 previous PUSH)
+ RET
+ }
+}
+
+void patchJump(unsigned char* addressToPatch) {
+ // JMP INT32 --- char = 1 octet
+ *addressToPatch = 0xE9;
+ *(unsigned int*)(addressToPatch + 1) = (unsigned int)TrampolineLogJump - ((unsigned int)addressToPatch + 5);
+ std::cout << "[OK] Jump patch written." << std::endl;
+
+ std::cout << "[INF] Patched function: 0x" << std::hex << (int)addressToPatch << std::endl;
+ std::cout << "[INF] Trampoline function: 0x" << std::hex << ((int)TrampolineLogJump) << std::endl;
+ std::cout << "[INF] Relative jump: 0x" << std::hex << *(unsigned int*)(addressToPatch + 1) << std::endl;
+}
+
+// DOES NOT WORK CURRENTLY
+void patchCall(unsigned char* addressToPatch) {
+ *addressToPatch = 0xE8;
+ *(unsigned int*)(addressToPatch + 1) = (unsigned int)TrampolineLogCall - ((unsigned int)addressToPatch + 5);
+ std::cout << "[OK] Call patch written." << std::endl;
+
+ std::cout << "[INF] Patched function: 0x" << std::hex << (int)addressToPatch << std::endl;
+ std::cout << "[INF] Trampoline function: 0x" << std::hex << ((int)TrampolineLogCall) << std::endl;
+ std::cout << "[INF] Relative jump: 0x" << std::hex << *(unsigned int*)(addressToPatch + 1) << std::endl;
+}
+
 void initDll() {
 AllocConsole();
 SetConsoleTitleA("Maniaplanet Observer");
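Review bot: The epilogue of `TrampolineLogCall` cannot return to the patched site, which is why the `// DOES NOT WORK CURRENTLY` path crashes: after `POPAD` the return address pushed by the `E8` CALL is still on top of the stack, so `PUSH[esp + 0xC]` reads one dword lower than the displaced `push [esp+0xC]` did, and the closing `RET` then pops that just-pushed value as the return address instead of the real one. A fix that keeps every register intact is to overwrite the return-address slot with the saved ESI before `POPAD` (PUSHAD leaves ESI at `[esp+4]` and the CALL's return address at `[esp+32]`), which performs the displaced `push esi` without leaving an extra dword, and then jump back through `addressToPatch + 5` recorded by `patchCall` before it writes the opcode. `PUSHAD`/`POPAD` also do not preserve EFLAGS, so bracketing the hook call with `PUSHFD`/`POPFD` is cheap insurance given that `LogMessageWrapperHook` runs arbitrary C++. Neither patch function verifies that the five bytes it overwrites are exactly `56 FF 74 24 0C`, which the re-executed instructions assume; the signature check lives in `initDll` outside this hunk and how many bytes it compares is not visible here.
```cpp
// Return target for TrampolineLogCall: addressToPatch + 5, set by patchCall()
// before the CALL opcode goes live (the CALL's own return slot is reused below).
static unsigned int g_callReturnAddress = 0;

__declspec(naked) void TrampolineLogCall()
{
	__asm
	{
		PUSHAD
		// … unchanged: argument pushes and CALL LogMessageWrapperHook …

		// PUSHAD layout: [esp+4] = saved ESI, [esp+32] = CALL return address.
		// Writing ESI over the return slot performs the displaced `push esi`
		// without leaving an extra dword on the stack.
		MOV eax, [esp + 4]
		MOV [esp + 32], eax
		POPAD
		// Stack now matches the state right after the original `push esi`.
		PUSH [esp + 0xC]
		JMP dword ptr [g_callReturnAddress]
	}
}

void patchCall(unsigned char* addressToPatch) {
	g_callReturnAddress = (unsigned int)addressToPatch + 5;
	// … unchanged: write 0xE8 + rel32 and log …
}
```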
@@ -75,7 +122,7 @@ void initDll() {
 else {
 std::cout << "[OK] Found the searched opcodes 0x56 0xff" << std::endl;
 }
-
+
 // Enable writing in memory
 if (!VirtualProtect(addressToPatch, 5, PAGE_EXECUTE_READWRITE, &oldProtection)) {
 std::cout << "[ERR] Failed to change VirtualProtect BEFORE writing memory" << std::endl;
@@ -87,16 +134,7 @@ void initDll() {
 
 
 // Change the instruction by JMP Trampoline
- // JMP INT32 --- char = 1 octet
- *addressToPatch = 0xE9;
-
-
- *(unsigned int*) (addressToPatch + 1) = (unsigned int) TrampolineLogMessageWrapperHook - ((unsigned int) addressToPatch + 5);
- std::cout << "[OK] Memory written." << std::endl;
-
- std::cout << "[INF] Patched function: 0x" << std::hex << (int)addressToPatch << std::endl;
- std::cout << "[INF] Trampoline function: 0x" << std::hex << ((int)TrampolineLogMessageWrapperHook) << std::endl;
- std::cout << "[INF] Relative jump: 0x" << std::hex << *(unsigned int*)(addressToPatch + 1) << std::endl;
+ patchJump(addressToPatch);
 
 // Reprotect memory
 if (!VirtualProtect(addressToPatch, 5, oldProtection, &oldProtection)) {
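Review bot: `patchJump(addressToPatch)` rewrites five bytes of live code with no `FlushInstructionCache` afterwards and with the game's other threads still running, so a thread executing inside `addressToPatch+1..+4` at that instant runs a torn instruction; at minimum add `FlushInstructionCache(GetCurrentProcess(), addressToPatch, 5);` right after the call, before the protection is restored, and consider suspending other threads around the write. The opcode check logged just above reports only `0x56 0xff`, while the trampoline re-executes the full five-byte sequence `56 FF 74 24 0C`; if the check really compares only two bytes, another `FF`-prefixed instruction with a different ModRM would pass and the trampoline would corrupt the stack, so compare all five bytes before patching. `initDll` begins before and continues after this hunk.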