64-bit Detour Method

CPP Code:
#include <windows.h>
#include <string.h>

// mov rax, imm64 (10 bytes) + jmp rax (2 bytes): a 12-byte absolute jump that
// reaches any 64-bit address (a 5-byte jmp rel32 only covers +/- 2 GiB)
#define JMPSIZE 12

// pSource: function to hook, pHook: replacement, nLength: number of bytes at
// pSource that get overwritten. nLength must be >= JMPSIZE and end on an
// instruction boundary; the copied instructions are executed from the
// trampoline at a different address, so none of them may use RIP-relative
// operands or relative branches.
void *DetourFunction(BYTE *pSource, BYTE *pHook, int nLength)
{
   //                           mov   rax   address                                         jmp   rax
   BYTE jmp_opcode[JMPSIZE] = { 0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xFF, 0xE0 };

   if (nLength < JMPSIZE)
      return NULL;

   // Allocate executable memory for the trampoline (memory from new[] is not
   // executable, and VirtualProtect on it would change the whole heap page)
   BYTE *trampolin = (BYTE *)VirtualAlloc(NULL, nLength + JMPSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
   if (trampolin == NULL)
      return NULL;

   // Make the original code writable
   DWORD dwOldProtection;
   if (!VirtualProtect(pSource, nLength, PAGE_EXECUTE_READWRITE, &dwOldProtection))
   {
      VirtualFree(trampolin, 0, MEM_RELEASE);
      return NULL;
   }

   // Copy original code into trampolin
   memcpy(trampolin, pSource, nLength);

   // Set jmp back to the first instruction after the overwritten bytes
   // (jumping to pSource itself would land on the hook jmp again and loop)
   BYTE *pResume = pSource + nLength;
   memcpy(jmp_opcode + 2, &pResume, 8);
   memcpy(trampolin + nLength, jmp_opcode, JMPSIZE);

   // Fill original with NOPs
   memset(pSource, 0x90, nLength);

   // Set jmp to hook
   memcpy(jmp_opcode + 2, &pHook, 8);
   memcpy(pSource, jmp_opcode, JMPSIZE);

   // Restore protection (lpflOldProtect must not be NULL) and flush the
   // instruction cache so the CPU sees the patched bytes
   DWORD dwDummy;
   VirtualProtect(pSource, nLength, dwOldProtection, &dwDummy);
   FlushInstructionCache(GetCurrentProcess(), pSource, nLength);

   // Return pointer to original code
   return trampolin;
}

Example using NtQueryDirectoryFile:
CPP Code:
#include <winternl.h>   // NTSTATUS, PIO_STATUS_BLOCK, FILE_INFORMATION_CLASS, PUNICODE_STRING

// Prototype of NtQueryDirectoryFile; the hook must have the same signature
typedef NTSTATUS (NTAPI *tNtQueryDirectoryFile)(HANDLE, HANDLE, PVOID, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN);
tNtQueryDirectoryFile oldNtQueryDirectoryFile = NULL;   // trampoline, calls the original function
NTSTATUS NTAPI hkNtQueryDirectoryFile(HANDLE, HANDLE, PVOID, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN);   // our hook

HMODULE hModntdll = GetModuleHandleA("ntdll.dll");
FARPROC dwAddress = GetProcAddress(hModntdll, "NtQueryDirectoryFile");
// 21 = number of bytes stolen from the prologue; it must end on an instruction boundary in the ntdll build being hooked
oldNtQueryDirectoryFile = (tNtQueryDirectoryFile)DetourFunction((PBYTE)dwAddress, (PBYTE)hkNtQueryDirectoryFile, 21);

Tested on Windows 10 Pro 64-bit.
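Two things the post's code relies on but does not show are that the 12-byte mov rax / jmp rax stub really transfers control, and that the trampoline's back-jump must point at pSource + nLength rather than at pSource. The following is an added, self-contained C++ example (not code from the original post): it encodes the stub, executes it from fresh executable memory, builds a trampoline over a constructed 16-byte sample of NOPs and reads back where its jump lands, and shows the rel32 reach check that explains why a 32-bit E9 jump is not enough on x64. EncodeAbsJmp, BuildTrampoline, AllocExec, Rel32Reaches, Target and the sample bytes are names and data made up for this example. It compiles on Windows (VirtualAlloc) and on POSIX (mmap); the stub bytes themselves are x86-64 only.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#if defined(_WIN32)
#include <windows.h>
#else
#include <sys/mman.h>
#endif

// mov rax, imm64 (10 bytes) + jmp rax (2 bytes)
constexpr size_t JMPSIZE = 12;

// Encode "mov rax, target ; jmp rax" into out[0..11].
void EncodeAbsJmp(uint8_t *out, uint64_t target) {
    out[0] = 0x48; out[1] = 0xB8;        // REX.W + MOV rax, imm64
    std::memcpy(out + 2, &target, 8);     // 64-bit immediate, little-endian
    out[10] = 0xFF; out[11] = 0xE0;       // JMP rax
}

// Read the target back out of such a stub (used for checking).
uint64_t DecodeAbsJmpTarget(const uint8_t *stub) {
    uint64_t t; std::memcpy(&t, stub + 2, 8); return t;
}

// Could a 5-byte "jmp rel32" placed at `from` reach `to`? On x64 a module and
// injected code can sit more than 2 GiB apart, so this often fails.
bool Rel32Reaches(uint64_t from, uint64_t to) {
    int64_t delta = (int64_t)to - (int64_t)(from + 5);
    return delta >= INT32_MIN && delta <= INT32_MAX;
}

// Executable scratch memory for stubs and trampolines (RWX, as in the post).
void *AllocExec(size_t n) {
#if defined(_WIN32)
    return VirtualAlloc(nullptr, n, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
#else
    void *p = mmap(nullptr, n, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? nullptr : p;
#endif
}
void FreeExec(void *p, size_t n) {
#if defined(_WIN32)
    (void)n; VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, n);
#endif
}

// Trampoline as DetourFunction should build it: the n stolen bytes, then an
// absolute jump to src + n, the first instruction after the hook jmp.
uint8_t *BuildTrampoline(const uint8_t *src, size_t n) {
    if (n < JMPSIZE) return nullptr;          // hook jmp would not fit into the stolen bytes
    uint8_t *t = (uint8_t *)AllocExec(n + JMPSIZE);
    if (!t) return nullptr;
    std::memcpy(t, src, n);
    EncodeAbsJmp(t + n, (uint64_t)(uintptr_t)(src + n));
    return t;
}

// Constructed sample of "stolen" prologue bytes: 16 NOPs, never executed here.
static const uint8_t kSample[16] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
                                     0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

bool TrampolineJumpsPastStolenBytes() {
    uint8_t *t = BuildTrampoline(kSample, sizeof kSample);
    if (!t) return false;
    bool ok = std::memcmp(t, kSample, sizeof kSample) == 0 &&
              DecodeAbsJmpTarget(t + sizeof kSample) == (uint64_t)(uintptr_t)(kSample + sizeof kSample);
    FreeExec(t, sizeof kSample + JMPSIZE);
    return ok;
}

static int Target() { return 42; }

// Write a stub to fresh executable memory and call it: 42 means control reached
// Target(), -1 means allocation failed, -2 means not an x86-64 host.
int RunThroughStub() {
#if defined(__x86_64__) || defined(_M_X64)
    uint8_t *stub = (uint8_t *)AllocExec(JMPSIZE);
    if (!stub) return -1;
    EncodeAbsJmp(stub, (uint64_t)(uintptr_t)&Target);
    int r = ((int (*)())stub)();
    FreeExec(stub, JMPSIZE);
    return r;
#else
    return -2;   // stub bytes are x86-64 only, nothing to execute here
#endif
}

int main() {
    std::printf("stub -> %d, trampoline ok: %d\n", RunThroughStub(), (int)TrampolineJumpsPastStolenBytes());
    return 0;
}
```

Two caveats worth keeping in mind when using this stub in practice: it clobbers rax, which is harmless at a function entry under the x64 calling convention (rax is caller-saved and carries no argument) but not at an arbitrary mid-function hook point; and the stolen byte count has to come from a length disassembler or a manual look at the target's prologue for the exact module build, since the copied instructions must be whole and must not contain RIP-relative operands or relative branches.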