Simple Assembly Hooking

Hey guys, first post, just releasing my personal code for assembly hooking, hope you guys put it to good use.

Source:

Code:

typedef struct
{
	BOOL hooked;
	INT_PTR origAddress;
	INT_PTR hookAddress;
	BYTE origAsm[6];
	BYTE hookedAsm[6];
} HOOK;

BOOL HookFunction( HOOK* hook )
{
	if( hook->hooked )
		return TRUE;

	DWORD oldProtection;
	DWORD numBytes;

	if( *(INT_PTR*)(hook->hookedAsm + 1) == 0 )
	{
		hook->hookedAsm[0] = 0xe9; // jmp
		hook->hookedAsm[5] = 0xc3; // retn

		INT_PTR relativeAddress = hook->hookAddress - hook->origAddress - 5;
		*(INT_PTR*)(hook->hookedAsm + 1) = relativeAddress;
	}

	VirtualProtect( (LPVOID)hook->origAddress, 6, PAGE_READWRITE, &oldProtection );

	if( !ReadProcessMemory( GetCurrentProcess(), (LPVOID)hook->origAddress, hook->origAsm, 6, &numBytes ) || numBytes != 6 )
		return FALSE;

	numBytes = 0;

	if( !WriteProcessMemory( GetCurrentProcess(), (LPVOID)hook->origAddress, hook->hookedAsm, 6, &numBytes ) || numBytes != 6 )
		return FALSE;

	VirtualProtect( (LPVOID)hook->origAddress, 6, oldProtection, NULL );

	hook->hooked = TRUE;

	return TRUE;
}

BOOL UnhookFunction( HOOK* hook )
{
	if( !hook->hooked )
		return TRUE;

	DWORD oldProtection;
	DWORD numBytes;

	VirtualProtect( (LPVOID)hook->origAddress, 6, PAGE_READWRITE, &oldProtection );

	if( !WriteProcessMemory( GetCurrentProcess(), (LPVOID)hook->origAddress, hook->origAsm, 6, &numBytes ) || numBytes != 6 )
		return FALSE;

	VirtualProtect( (LPVOID)hook->origAddress, 6, oldProtection, NULL );

	hook->hooked = FALSE;

	return TRUE;
}

Example usage:

Code:

static HOOK hkLoadLibraryA;

extern "C" HMODULE WINAPI LoadLibraryAHook( LPCSTR lpLibFileName )
{
	UnhookFunction( &hkLoadLibraryA );
	HMODULE returned = LoadLibraryA( lpLibFileName );
	HookFunction( &hkLoadLibraryA );

	// Own code goes here

	return returned;
}

void Hook()
{
	hkLoadLibraryA.origAddress = (INT_PTR)LoadLibraryA;
	hkLoadLibraryA.hookAddress = (INT_PTR)LoadLibraryAHook;
	HookFunction( &hkLoadLibraryA );
}

IM PRETTY SURE...

That HackShield Blocks RPM and WPM so you may have to change that to memcpy()

Do you know if they've disabled ntdll functions? These?

Originally Posted by gnm

Do you know if they've disabled ntdll functions? These?

yes, hackshield hooks zwOpenProcess(), zwReadProcessMemory(), zwWriteProcessMemory(), zwVirtualAllocEx(), psCreateSystemThread(), psCreateThread(), zwImpersonateThread().

I'm sure about those, there are probably more. The result is that you can't use their userland versions either, since they are actually these functions but exported through ntdll.dll and ntoskrnl.exe.

Yah, they hook those, switch em over to memcpy()

hmmm this just gave me a idea

So that pretty much means no threads. Which means I'll have to hook IDirect3DDevice9::EndScene, do all my calculations and rendering, then call the real IDirect3DDevice9::EndScene.

@gnm
can you help me with my code for a hook?

Simple Assembly Hooking

Hey guys, first post, just releasing my personal code for assembly hooking, hope you guys put it to good use.

Source:

Code:

typedef struct
{
	BOOL hooked;
	INT_PTR origAddress;
	INT_PTR hookAddress;
	BYTE origAsm[6];
	BYTE hookedAsm[6];
} HOOK;

BOOL HookFunction( HOOK* hook )
{
	if( hook->hooked )
		return TRUE;

	DWORD oldProtection;
	DWORD numBytes;

	if( *(INT_PTR*)(hook->hookedAsm + 1) == 0 )
	{
		hook->hookedAsm[0] = 0xe9; // jmp
		hook->hookedAsm[5] = 0xc3; // retn

		INT_PTR relativeAddress = hook->hookAddress - hook->origAddress - 5;
		*(INT_PTR*)(hook->hookedAsm + 1) = relativeAddress;
	}

	VirtualProtect( (LPVOID)hook->origAddress, 6, PAGE_READWRITE, &oldProtection );

	if( !ReadProcessMemory( GetCurrentProcess(), (LPVOID)hook->origAddress, hook->origAsm, 6, &numBytes ) || numBytes != 6 )
		return FALSE;

	numBytes = 0;

	if( !WriteProcessMemory( GetCurrentProcess(), (LPVOID)hook->origAddress, hook->hookedAsm, 6, &numBytes ) || numBytes != 6 )
		return FALSE;

	VirtualProtect( (LPVOID)hook->origAddress, 6, oldProtection, NULL );

	hook->hooked = TRUE;

	return TRUE;
}

BOOL UnhookFunction( HOOK* hook )
{
	if( !hook->hooked )
		return TRUE;

	DWORD oldProtection;
	DWORD numBytes;

	VirtualProtect( (LPVOID)hook->origAddress, 6, PAGE_READWRITE, &oldProtection );

	if( !WriteProcessMemory( GetCurrentProcess(), (LPVOID)hook->origAddress, hook->origAsm, 6, &numBytes ) || numBytes != 6 )
		return FALSE;

	VirtualProtect( (LPVOID)hook->origAddress, 6, oldProtection, NULL );

	hook->hooked = FALSE;

	return TRUE;
}

Example usage:

Code:

static HOOK hkLoadLibraryA;

extern "C" HMODULE WINAPI LoadLibraryAHook( LPCSTR lpLibFileName )
{
	UnhookFunction( &hkLoadLibraryA );
	HMODULE returned = LoadLibraryA( lpLibFileName );
	HookFunction( &hkLoadLibraryA );

	// Own code goes here

	return returned;
}

void Hook()
{
	hkLoadLibraryA.origAddress = (INT_PTR)LoadLibraryA;
	hkLoadLibraryA.hookAddress = (INT_PTR)LoadLibraryAHook;
	HookFunction( &hkLoadLibraryA );
}

IM PRETTY SURE...

That HackShield Blocks RPM and WPM so you may have to change that to memcpy()

Do you know if they've disabled ntdll functions? These?

Originally Posted by gnm

Do you know if they've disabled ntdll functions? These?

Yah, they hook those, switch em over to memcpy()

hmmm this just gave me a idea

So that pretty much means no threads. Which means I'll have to hook IDirect3DDevice9::EndScene, do all my calculations and rendering, then call the real IDirect3DDevice9::EndScene.

@gnm
can you help me with my code for a hook?

Simple Assembly Hooking

Post a Reply

Similar Threads

Tags for this Thread

Simple Assembly Hooking

Post a Reply

Similar Threads

Tags for this Thread