Option ExplicitPrivate Declare Function IsBadWritePtr Lib "kernel32" _

1. Option Explicit
2.  
3. Private Declare Function IsBadWritePtr Lib "kernel32" _
4. (ByVal lp As Long, ByVal ucb As Long) As Long
5. Private Declare Function VirtualProtect Lib "kernel32" _
6. (ByVal lpAddress As Long, ByVal dwSize As Long, _
7. ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
8. Private Declare Function VirtualAlloc Lib "kernel32" _
9. (ByVal lpAddress As Long, ByVal dwSize As Long, _
10. ByVal flAllocationType As Long, _
11. ByVal flProtect As Long) As Long
12. Private Declare Function VirtualFree Lib "kernel32" _
13. (ByVal lpAddress As Long, ByVal dwSize As Long, _
14. ByVal dwFreeType As Long) As Long
15. Const PAGE_EXECUTE_READWRITE = &H40
16. Const MEM_COMMIT = &H1000
17. Const MEM_RESERVE = &H2000
18. Const MEM_RELEASE = &H8000&
19. Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
20. Private Declare Function FlushInstructionCache Lib "kernel32" _
21. (ByVal hProcess As Long, lpBaseAddress As Any, _
22. ByVal dwSize As Long) As Long
23. Private Declare Sub CopyLong Lib "kernel32" Alias "RtlMoveMemory" _
24. (Destination As Any, Source As Any, _
25. Optional ByVal length As Long = 4)
26. Const S_OK = &H0&
27. Private Declare PtrSafe Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As LongPtr
28.  
29. Private lngCodeLen As Long
30. Private pProc As Long
31. Private HookProc As Long
32. Private tmp As Long
33. Private proc As LongPtr
34. Private Declare Sub OutputDebugString Lib "kernel32" Alias "OutputDebugStringW" (ByVal lpOutputString As Long)
35. Private Declare PtrSafe Function SysAllocString Lib "OleAut32" (ByVal psz As LongPtr) As LongPtr
36.  
37. Sub Main()
38.  
39. 'mov eax, 0
40. 'jmp eax
41. Const CODE_T = "000000B890E0FF00"
42. Dim Code() As Long
43. Dim i As Long
44.  
45. HookProc = VBA.Int(AddressOf MidStmtHook)
46.  
47. ReDim Code(0 To (Len(CODE_T) - 1) \ 8)
48. For i = 0 To UBound(Code)
49. Code(i) = "&H" & Mid$(CODE_T, 1 + i * 8, 8)
50. Next
51.  
52. lngCodeLen = (UBound(Code) + 1) * 4
53. pProc = VirtualAlloc(0, lngCodeLen, MEM_RESERVE Or MEM_COMMIT, _
54. PAGE_EXECUTE_READWRITE)
55. If pProc = 0 Then Err.Raise 7
56. tmp = VirtualAlloc(0, lngCodeLen, MEM_RESERVE Or MEM_COMMIT, _
57. PAGE_EXECUTE_READWRITE)
58. If tmp = 0 Then Err.Raise 7
59.  
60. CopyLong ByVal pProc, Code(0), lngCodeLen
61. CopyLong ByVal pProc + 1, HookProc
62.  
63. FlushInstructionCache GetCurrentProcess(), ByVal pProc, lngCodeLen
64.  
65. proc = GetModuleHandle("vbe7.dll")
66. If proc = 0 Then Exit Sub
67. 'Debug.Print Hex$(proc)
68.  
69. proc = proc + &H1FAF1D
70. 'Debug.Print Hex$(proc)
71.  
72. '退避
73. CopyLong ByVal tmp, ByVal proc, lngCodeLen
74.  
75.  
76. 'Hookスタート
77. ForceCopyLong proc, pProc
78.  
79. Dim buf As String
80. buf = "かきくけこ"
81. Mid(buf, 3) = "か"
82. MsgBox buf
83. EndHook
84. Mid(buf, 3) = "か"
85. MsgBox buf
86.  
87. End Sub
88.  
89.  
90. ' フック終了
91. Sub EndHook()
92.  
93. ForceCopyLong proc, tmp
94. VirtualFree pProc, 0, MEM_RELEASE
95. VirtualFree tmp, 0, MEM_RELEASE
96.  
97. End Sub
98.  
99. Private Function MidStmtHook(ByVal arg5&, ByVal arg4&, ByVal length&, ByVal start&, ByRef stringvar&) As Long
100.  
101. Dim s$
102. s = "あいうえお"
103. ' CopyLong ByVal stringvar, ByVal StrPtr(s), LenB(s)
104. stringvar = SysAllocString(StrPtr(s))
105.  
106. End Function
107.  
108. Private Function ForceCopyLong(ByVal Address As Long, _
109. ByVal Value As Long) As Boolean
110. Dim lngOld As Long
111. If IsBadWritePtr(Address, lngCodeLen) Then
112. If VirtualProtect(Address, lngCodeLen, _
113. PAGE_EXECUTE_READWRITE, lngOld) = 0 Then
114. Exit Function
115. End If
116. CopyLong ByVal Address, ByVal Value, lngCodeLen
117. VirtualProtect Address, lngCodeLen, lngOld, lngOld
118. Else
119. CopyLong ByVal Address, ByVal Value, lngCodeLen
120. End If
121. ForceCopyLong = True
122. End Function