Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <windows.h>
- #include <stdio.h>
- #include <alloca.h>
- typedef void (* FNPTR )( );
- bool HotPatch( FNPTR oldProc,FNPTR newProc,FNPTR* ppOrigFn )
- {
- bool result = false;
- DWORD oldProtect = 0;
- WORD* pJumpBack = ( WORD* ) oldProc;
- BYTE* pLongJump = ( ( BYTE* ) oldProc - 5);
- DWORD* pLongJumpAdr = ( ( DWORD* ) oldProc - 1 );
- // Change protection
- VirtualProtect( pLongJump,20,PAGE_EXECUTE_WRITECOPY,&oldProtect );
- if( ( 0xFF8B == *pJumpBack ) && ( 0x90 == *pLongJump ) && ( 0x90909090 == *pLongJumpAdr ) ) {
- // Long jump
- *pLongJump = 0xE9;
- *pLongJumpAdr = ( ( DWORD ) newProc ) - ( ( DWORD ) oldProc );
- /*
- The first byte of a SHORT Jump is always EB and the second is a relative offset
- from 00h to 7Fh for Forward jumps, and from 80h to FFh for Reverse (or Backward) jumps.
- Unlike Forward Jumps, the seemingly largest offset byte here actually
- indicates the shortest backward jump.
- Do short jump back -7 (back 5, plus two for this jump), yielding two's complement 0xF9
- */
- *pJumpBack = 0xF9EB;
- if( ppOrigFn )
- *ppOrigFn = ( FNPTR ) ( ( ( BYTE* ) oldProc ) + 2 );
- result = true;
- }
- VirtualProtect( pLongJump,20,oldProtect,&oldProtect );
- return result;
- }
- // the original fn ptr, not "ppOrigFn" from HotPatch
- bool HotUnpatch( FNPTR oldProc )
- {
- bool result = false;
- DWORD oldProtect = 0;
- WORD* pJumpBack = ( WORD* ) oldProc;
- VirtualProtect( pJumpBack,2,PAGE_EXECUTE_WRITECOPY,&oldProtect );
- if( 0xF9EB == *pJumpBack ) {
- // Remove the jump back
- *pJumpBack = 0xFF8B; // mov edi, edi
- result = true;
- }
- VirtualProtect( pJumpBack,2,oldProtect,&oldProtect );
- return result;
- }
- typedef int ( WINAPI * MSGBOXFN )( HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType );
- static MSGBOXFN volatile pfnOrigMessageBox = 0;
- static CRITICAL_SECTION cs;
- int WINAPI OurMessageBox( HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType) {
- // Too lazy to deallocate, but this can be dangerous with long strings ...
- char* message = ( char* ) alloca( strlen( lpText ) + 20 );
- strcpy( message,"Tampering message: " );
- strcat( message,lpText );
- EnterCriticalSection( &cs );
- int rv = pfnOrigMessageBox( hWnd,message,lpCaption,uType );
- LeaveCriticalSection( &cs );
- return rv;
- }
- extern "C" __declspec( dllexport ) void HotpatchMessageBox( ) {
- InitializeCriticalSection( &cs );
- MessageBox( NULL,"This is your last message without tampering","You'll see",MB_OK );
- EnterCriticalSection( &cs );
- HotPatch( ( FNPTR ) &MessageBox,( FNPTR ) &OurMessageBox,( FNPTR* ) &pfnOrigMessageBox );
- LeaveCriticalSection( &cs );
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement