Thread-safe DLL injection

a guest
Dec 1st, 2012
99
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 2.69 KB | None | 0 0
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <alloca.h>
  4.  
  5. typedef void (* FNPTR )( );
  6.  
/**
 * Redirect a hot-patchable function to newProc.
 *
 * Only functions laid out for hot patching are touched: the entry must start
 * with the two-byte `mov edi, edi` (bytes 8B FF, read here as the little-endian
 * WORD 0xFF8B) and must be preceded by five 0x90 padding bytes. When that check
 * fails nothing is written and false is returned.
 *
 * On success the five padding bytes become `jmp rel32` to newProc and the
 * two-byte prologue becomes a short `jmp -7`, which lands on that long jump.
 *
 * @param oldProc   entry point of the function to redirect
 * @param newProc   function that receives the calls afterwards
 * @param ppOrigFn  optional; receives oldProc + 2, the original body just past
 *                  the overwritten prologue, for calling the original through
 * @return true if the patch was applied, false if the prologue did not match
 *
 * Caveats visible in this code:
 *  - Both VirtualProtect results are ignored; if the first one fails the
 *    writes below fault on a read-only page.
 *  - The displacement is computed with DWORD casts, so this is 32-bit only;
 *    on a 64-bit build the pointer casts truncate.
 *  - The long jump is written before the short jump, so its bytes are in
 *    place before any thread can reach them. Whether the 2-byte store of the
 *    short jump is observed atomically by other threads is not established
 *    here — confirm for the target.
 */
bool HotPatch( FNPTR oldProc,FNPTR newProc,FNPTR* ppOrigFn )
{
    bool result = false;
    DWORD oldProtect = 0;

    WORD* pJumpBack = ( WORD* ) oldProc;                 // the 2-byte prologue
    BYTE* pLongJump = ( ( BYTE* ) oldProc - 5);          // opcode slot of the long jump
    DWORD* pLongJumpAdr = ( ( DWORD* ) oldProc - 1 );    // its rel32 operand, 4 bytes before oldProc

    // Change protection (covers the 5 padding bytes plus the prologue; result unchecked)
    VirtualProtect( pLongJump,20,PAGE_EXECUTE_WRITECOPY,&oldProtect );

    if( ( 0xFF8B == *pJumpBack ) && ( 0x90 == *pLongJump ) && ( 0x90909090 == *pLongJumpAdr ) ) {
    // Long jump: E9 rel32, relative to the end of the instruction, which is oldProc
        *pLongJump = 0xE9;
        *pLongJumpAdr = ( ( DWORD ) newProc ) - ( ( DWORD ) oldProc );
    /*
     The first byte of a SHORT Jump is always EB and the second is a relative offset
     from 00h to 7Fh for Forward jumps, and from 80h to FFh for Reverse (or Backward) jumps.
     Unlike Forward Jumps, the seemingly largest offset byte here actually
     indicates the shortest backward jump.
     Do short jump back -7 (back 5, plus two for this jump), yielding two's complement 0xF9
    */
        *pJumpBack = 0xF9EB;

        if( ppOrigFn )
            *ppOrigFn = ( FNPTR ) ( ( ( BYTE* ) oldProc ) + 2 );   // skip the overwritten prologue
        result = true;
    }
    VirtualProtect( pLongJump,20,oldProtect,&oldProtect );   // restore; result unchecked

    return result;
}
  40.  
/**
 * Undo a HotPatch redirect.
 *
 * @param oldProc  the original entry point passed to HotPatch — NOT the value
 *                 written to ppOrigFn, which points 2 bytes past it
 * @return true if the short jump was found and replaced, false otherwise
 *
 * Only the two prologue bytes are restored to `mov edi, edi` (8B FF). The
 * long jump HotPatch wrote into the padding before oldProc is left in place;
 * nothing in this file jumps to it once the short jump is gone. As in
 * HotPatch, the VirtualProtect results are ignored.
 */
bool HotUnpatch( FNPTR oldProc )
{
    bool result = false;
    DWORD oldProtect = 0;
    WORD* pJumpBack = ( WORD* ) oldProc;

    VirtualProtect( pJumpBack,2,PAGE_EXECUTE_WRITECOPY,&oldProtect );   // result unchecked

    if( 0xF9EB == *pJumpBack ) {
    // Remove the jump back
        *pJumpBack = 0xFF8B;        // mov edi, edi
        result = true;
    }

    VirtualProtect( pJumpBack,2,oldProtect,&oldProtect );   // restore; result unchecked

    return result;
}
  60.  
// Matches the ANSI MessageBox signature (LPCSTR text and caption).
typedef int ( WINAPI * MSGBOXFN )( HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType );

// Written by HotPatch (via ppOrigFn) with the original body at entry + 2; read
// by OurMessageBox. Presumably volatile because the writer and the readers are
// different threads — verify against the callers.
static MSGBOXFN volatile pfnOrigMessageBox = 0;
// Held by HotpatchMessageBox while the redirect is installed and by
// OurMessageBox around each forwarded call.
static CRITICAL_SECTION cs;
  65.  
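/**
 * Replacement for MessageBox installed by HotpatchMessageBox.
 *
 * Prepends "Tampering message: " to lpText and forwards everything to the
 * original body through pfnOrigMessageBox. Parameters and return value are
 * those of the ANSI MessageBox.
 *
 * Fixes over the original version:
 *  - A NULL lpText (allowed by MessageBox) no longer reaches strlen, which
 *    would crash the host process; it is treated as "".
 *  - The buffer lives on the heap instead of alloca, so a long caller string
 *    cannot grow the stack by an unbounded amount; it is freed before return.
 *  - If the allocation fails the call is still forwarded, with the caller's
 *    text unchanged, rather than faulting.
 */
int WINAPI OurMessageBox( HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType) {
    static const char prefix[] = "Tampering message: ";
    const char* text = lpText ? lpText : "";
    size_t len = sizeof prefix + strlen( text );   // sizeof prefix already counts its NUL
    char* message = ( char* ) malloc( len );
    if( message ) {
        snprintf( message,len,"%s%s",prefix,text );   // bounded, always NUL-terminated
    }

    // cs is held by HotpatchMessageBox while the redirect is installed, so a
    // call that lands here before pfnOrigMessageBox is written blocks until it is.
    EnterCriticalSection( &cs );
    int rv = pfnOrigMessageBox( hWnd,message ? message : lpText,lpCaption,uType );
    LeaveCriticalSection( &cs );

    free( message );   // free(NULL) is a no-op
    return rv;
}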
  77.  
  78.  
/**
 * Exported entry point: shows one untampered MessageBox, then redirects
 * MessageBox to OurMessageBox.
 *
 * The narrow string literals imply a non-UNICODE build, so MessageBox here is
 * the ANSI variant, matching MSGBOXFN.
 *
 * cs is held across HotPatch so that a thread reaching OurMessageBox between
 * the jump being written and pfnOrigMessageBox being filled in blocks in
 * EnterCriticalSection instead of calling through a null pointer.
 *
 * Not handled here: HotPatch's return value is ignored (a non-matching
 * prologue leaves nothing patched), cs is never deleted, and nothing in this
 * file ever calls HotUnpatch before the DLL could be unloaded.
 */
extern "C" __declspec( dllexport ) void HotpatchMessageBox( ) {
    InitializeCriticalSection( &cs );
    MessageBox( NULL,"This is your last message without tampering","You'll see",MB_OK );
    EnterCriticalSection( &cs );
    // NOTE(review): assumes &MessageBox resolves to the entry that carries the
    // hot-patch prologue HotPatch checks for — confirm for the toolchain in use.
    HotPatch( ( FNPTR ) &MessageBox,( FNPTR ) &OurMessageBox,( FNPTR* ) &pfnOrigMessageBox );
    LeaveCriticalSection( &cs );
}