/**
 * Install an inline (detour) hook on a 64-bit function and return a trampoline
 * holding the displaced original bytes.
 *
 * The first nLength bytes at pSource are copied into a freshly allocated
 * trampoline, an absolute `mov rax, imm64; jmp rax` back to pSource is appended
 * to the trampoline, and pSource itself is overwritten with NOPs followed by the
 * same jump sequence targeting pHook.
 *
 * @param pSource  Entry point of the function to patch (written through).
 * @param pHook    Address control is redirected to.
 * @param nLength  Number of bytes at pSource to displace. The patch below
 *                 always writes JMPSIZE bytes into pSource regardless of
 *                 nLength, so nLength must be at least JMPSIZE.
 *                 NOTE(review): the bytes are copied verbatim, so this
 *                 presumably also has to cover whole, position-independent
 *                 instructions — confirm for the target.
 * @return Heap-allocated trampoline of nLength + JMPSIZE bytes, owned by the
 *         caller; nothing in this function frees it.
 *
 * Review notes (security / robustness):
 *  - None of the three VirtualProtect calls has its result checked.
 *  - The trampoline is a plain heap allocation whose page is switched to
 *    PAGE_EXECUTE_READWRITE; VirtualProtect works per page, so every other
 *    heap object on that page becomes executable too. RWX heap pages and a
 *    rewritten ntdll export prologue are both classic artefacts that
 *    memory-integrity / hook-scanning tooling looks for.
 *  - Code bytes are rewritten in place with no synchronisation against other
 *    threads that may be executing pSource at the same time.
 *  - JMPSIZE is defined outside this snippet; the initializer below holds 12
 *    bytes, so it is presumably 12.
 */
void *DetourFunction(BYTE *pSource, BYTE *pHook, int nLength)
{
    // mov rax, <imm64>; jmp rax — the 0xCC placeholders at offsets 2..9 are
    // replaced with an 8-byte absolute address before each use of the buffer.
    BYTE jmp_opcode[JMPSIZE] = { 0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xFF, 0xE0 };

    // Allocate the trampoline: displaced bytes followed by the trailing jump.
    BYTE *trampolin = new BYTE[nLength + JMPSIZE];

    // Make the trampoline and the target writable + executable. dwOldProtection
    // is overwritten by the second call, so only pSource's previous protection
    // survives; the trampoline's original protection is lost and never restored.
    DWORD dwOldProtection;
    VirtualProtect(trampolin, nLength + JMPSIZE, PAGE_EXECUTE_READWRITE, &dwOldProtection);
    VirtualProtect(pSource, nLength, PAGE_EXECUTE_READWRITE, &dwOldProtection);

    // Copy the original nLength bytes into the trampoline.
    memcpy(trampolin, pSource, nLength);

    // Splice the 8-byte pointer value of pSource into the mov immediate and
    // append the resulting jump after the displaced bytes.
    memcpy(jmp_opcode + 2, &pSource, 8);
    memcpy(trampolin + nLength, jmp_opcode, JMPSIZE);

    // Overwrite the displaced region with NOPs (0x90) ...
    memset(pSource, 0x90, nLength);

    // ... then place the jump to pHook at the entry (same buffer, re-pointed).
    memcpy(jmp_opcode + 2, &pHook, 8);
    memcpy(pSource, jmp_opcode, JMPSIZE);

    // Attempt to restore the target's previous protection. lpflOldProtect is
    // NULL here; per the Win32 documentation VirtualProtect fails in that case,
    // so the target page most likely stays PAGE_EXECUTE_READWRITE — another
    // detectable artefact, and the failure is not checked.
    VirtualProtect(pSource, nLength, dwOldProtection, NULL);

    // Caller-owned pointer to the relocated original code.
    return trampolin;
}
Beispiel anhand von NtQueryDirectoryFile:
// Example: hook ntdll!NtQueryDirectoryFile via DetourFunction.
// Resolve the export from the already-loaded ntdll. Neither GetModuleHandle
// nor GetProcAddress is checked for NULL; a failed lookup would hand a null
// pSource straight to DetourFunction, which writes through it unconditionally.
HMODULE hModntdll = GetModuleHandle("ntdll.dll");
FARPROC dwAddress = GetProcAddress(hModntdll, "NtQueryDirectoryFile");
// Displace the first 21 bytes of the export and keep the returned trampoline as
// the "original" entry. 21 is a hard-coded magic number; it presumably matches
// the instruction layout of the build the post was tested on (Windows 10 Pro
// 64-bit) — TODO confirm. oldNtQueryDirectoryFile, tNtQueryDirectoryFile and
// hkNtQueryDirectoryFile are declared outside this snippet. The trampoline is
// never freed and the patched export is never restored.
oldNtQueryDirectoryFile = (tNtQueryDirectoryFile)(DetourFunction((PBYTE)dwAddress, (PBYTE)hkNtQueryDirectoryFile, 21));
Getestet unter Windows 10 Pro 64bit.