/*
** Simple MessageBoxA hook using the classic 5-byte relative-jump technique with a trampoline.
** The trampoline bypasses the installed hook by executing the saved original instructions
** and then continuing at MessageBoxA + 5 bytes.
*/
#include <iostream>
#include <Windows.h>
#pragma comment(lib,"user32.lib")
// Signature of the trampoline: identical to MessageBoxA (stdcall via WINAPI).
using defTrampolineFunc = int (WINAPI *)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
// Executable buffer built by install_hook(); stays null until the hook is installed.
LPVOID trampoline_address = NULL;
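/// Replacement body for MessageBoxA once the hook is installed.
/// Logs the caller's text and caption to stdout, then forwards through the
/// trampoline (saved prologue bytes + continuation at MessageBoxA + 5) with
/// both strings replaced by "yeet".
/// @param hWnd, lpText, lpCaption, uType  the caller's MessageBoxA arguments.
/// @return whatever the original MessageBoxA returns.
/// @note Relies on trampoline_address having been set by install_hook();
///       a call arriving before that would dereference a null trampoline.
int __stdcall proxy_function(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    // Streaming a null char* into std::ostream is undefined behaviour, and a
    // MessageBoxA caller may legitimately pass null for either string.
    const char *const text = lpText ? lpText : "(null)";
    const char *const caption = lpCaption ? lpCaption : "(null)";
    std::cout << "----------intercepted call to MessageBoxA----------\n";
    std::cout << "Text: " << text << "\nCaption: " << caption << "\n";
    // Forward through the trampoline rather than MessageBoxA itself, so the
    // patched entry (and therefore this function) is not re-entered.
    const defTrampolineFunc trampoline = reinterpret_cast<defTrampolineFunc>(trampoline_address);
    return trampoline(hWnd, "yeet", "yeet", uType);
}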
/// Installs an inline hook on user32!MessageBoxA that redirects every call to
/// proxy_function, and builds the trampoline proxy_function uses to reach the
/// original implementation.
///
/// Bytes written here:
///   MessageBoxA+0 : E9 <rel32>           jump to proxy_function
///   trampoline+0  : <5 saved bytes>      the prologue bytes displaced by the jump
///   trampoline+5  : 68 <MessageBoxA+5>   push of the continuation address
///   trampoline+10 : C3                   ret -> resumes inside MessageBoxA
///
/// Assumptions the code relies on but never checks:
///   - 32-bit build: pointers are cast to DWORD, so on x64 the high half is lost.
///   - The first 5 bytes of MessageBoxA are whole, position-independent
///     instructions; a relative operand inside them would break once copied
///     into the trampoline. NOTE(review): not verified here.
///   - LoadLibraryA, GetProcAddress, ReadProcessMemory, WriteProcessMemory and
///     VirtualAlloc all succeed; none of their return values is checked.
/// Ordering caveat: the jump is written (step 3) before trampoline_address is
/// set (step 4), so a call entering MessageBoxA in that window reaches
/// proxy_function with a null trampoline. Nothing here unhooks or frees the
/// trampoline. From a defender's view the observable artefacts are the
/// private RWX allocation and the E9 byte at the start of an exported function,
/// which is the kind of discrepancy hook-integrity checks compare against the
/// on-disk image.
void install_hook()
{
    HINSTANCE hinstLib;
    VOID *proxy_address;
    DWORD *relative_offset;   // holds the rel32 displacement value itself, not a pointer to it
    DWORD *hook_address;      // holds the value MessageBoxA + 5, used as the push immediate
    DWORD src;
    DWORD dst;
    CHAR patch[5]= {0};       // E9 + rel32
    char saved_buffer[5]; // buffer to save the original bytes
    FARPROC function_address= NULL;
    // 1. get memory address of the MessageBoxA function from user32.dll
    // NOTE(review): TEXT() expands to a wide literal when UNICODE is defined,
    // which does not match LoadLibraryA's LPCSTR parameter; a plain narrow
    // literal is what the A variant expects -- confirm the build settings.
    hinstLib= LoadLibraryA(TEXT("user32.dll"));
    function_address= GetProcAddress(hinstLib, "MessageBoxA");
    // 2. save the first 5 bytes into saved_buffer
    ReadProcessMemory(GetCurrentProcess(), function_address, saved_buffer, 5, NULL);
    // 3. overwrite the first 5 bytes with a jump to proxy_function
    proxy_address= &proxy_function;
    // rel32 is measured from the end of the 5-byte jump, hence function_address + 5
    src= (DWORD)function_address + 5;
    dst= (DWORD)proxy_address;
    relative_offset= (DWORD *)(dst-src);
    memcpy(patch, "\xE9", 1);
    // copies the 4 bytes of the variable relative_offset, i.e. the displacement
    memcpy(patch + 1, &relative_offset, 4);
    WriteProcessMemory(GetCurrentProcess(), (LPVOID)function_address, patch, 5, NULL);
    // 4. Build the trampoline
    // 11 bytes: 5 saved + 5 (push imm32) + 1 (ret); requested directly as RWX
    trampoline_address= VirtualAlloc(NULL, 11, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    hook_address= (DWORD *)((DWORD)function_address + 5);
    memcpy((BYTE *)trampoline_address, &saved_buffer, 5);
    memcpy((BYTE *)trampoline_address + 5, "\x68", 1);   // push imm32
    memcpy((BYTE *)trampoline_address + 6, &hook_address, 4);
    memcpy((BYTE *)trampoline_address + 10, "\xC3", 1);  // ret
}
/// Demo driver: one unhooked MessageBoxA call, then install the hook and
/// issue three more calls, each of which is routed through proxy_function.
int main()
{
    // Baseline call before the hook exists
    MessageBoxA(NULL, "hello", "hello", MB_OK);
    install_hook();
    // Every call from here on lands in proxy_function, which rewrites the
    // text and caption before forwarding.
    struct Msg { LPCSTR text; LPCSTR caption; };
    const Msg hooked_calls[] = {
        {"hello", "hello"},
        {"um hello?", "helllooo"},
        {"hmmm this", "isn't working"},
    };
    for (const Msg &m : hooked_calls) {
        MessageBoxA(NULL, m.text, m.caption, MB_OK);
    }
    return 0;
}