  1. // dllmain.cpp : Defines the entry point for the DLL application.
  2. #define _CRT_SECURE_NO_DEPRECATE
  3. #include "stdafx.h"
  4. #include "xorkey.h"
  5. #include <stdio.h>
  6.  
// Handle of this DLL; recorded in DllMain() and later passed to
// FreeLibraryAndExitThread() by unloadself().
HMODULE myModule = NULL;

// XorString comes from "xorkey.h" (not part of this listing); `a` is never
// read anywhere below.
const char* a = XorString("aaa");
// Address of the instruction the guard-page hook should trigger on. Written by
// the exported MyCFunc(), polled by hackthread() and compared with Eip in
// MyHandler(). Kept as a plain int: 32-bit only, and shared between threads
// with no synchronization visible in this file.
int myptr = 0;
// Receives the previous page protection from VirtualProtect() in hackthread().
// MyHandler() declares a local of the same name that shadows this one.
DWORD dwOld;
  12.  
// Thread routine started by DllMain() when the host executable is not the one
// this DLL is meant for: frees this module (handle saved in myModule) and ends
// the calling thread. DllMain() starts it through a cast to
// LPTHREAD_START_ROUTINE although it takes no argument and returns nothing;
// with zero parameters that mismatch appears harmless on x86-32, but it is a
// cast hiding a signature difference.
void unloadself()
{
    FreeLibraryAndExitThread(myModule, 0);
}
  17.  
// Address that myHook() jumps to after its nop; MyHandler() stores
// Eip + 1 of the hooked instruction here. Referenced by name from the inline
// asm in myHook(), which is why it is a file-scope variable.
int TrampolinePtr = 0;
// Landing pad for the guard-page hook. MyHandler() sets the faulting thread's
// Eip to (DWORD)myHook + 3 and control then continues at TrampolinePtr
// (Eip + 1 of the hooked instruction).
// Review notes:
//  - The "+ 3" assumes the compiler emits a fixed three-byte prologue in front
//    of the nop — TODO confirm against the generated code for this build; any
//    change in optimization or calling-convention settings can break it.
//  - Resuming at Eip + 1 with a single nop standing in for the skipped byte is
//    only correct when the instruction at myptr is exactly one byte long;
//    nothing in this listing checks that.
//  - MSVC inline asm and Eip-based redirection: x86-32 only.
void _fastcall myHook() {
    _asm {
        nop //Restore skipped opcode
        JMP TrampolinePtr
    }
}
  25.  
  26.  
// Export declaration for MyCFunc with C linkage, so the symbol leaves the DLL
// without C++ name mangling. The definition below inherits this linkage.
extern "C" {  
    __declspec(dllexport) void MyCFunc(int ptr);
}
  30.  
// Exported setter: records the address the hook should fire at (see the
// extern "C" declaration above). The value is consumed on another thread by
// hackthread(), which polls it, and by MyHandler(). There is no atomic or
// barrier here, so the hand-off relies on the compiler re-loading the global
// on every poll iteration.
void MyCFunc(int ptr) {
    myptr = ptr;

}
// Vectored exception handler (registered first by hackthread()) implementing a
// guard-page breakpoint on the page that contains myptr:
//  - STATUS_GUARD_PAGE_VIOLATION: a PAGE_GUARD page was just touched. If Eip
//    equals myptr, execution is diverted to myHook(); in every case the trap
//    flag (TF, bit 0x100 of EFLAGS) is set so that exactly one instruction
//    runs before STATUS_SINGLE_STEP arrives.
//  - STATUS_SINGLE_STEP: re-arm PAGE_GUARD on myptr's page and resume.
//  - Anything else is passed on to the next handler.
// Review notes:
//  - Neither branch verifies that the faulting address belongs to the page
//    this code armed, so any guard-page or single-step exception raised in
//    the process (a debugger's, for example) is consumed here.
//  - Declared as returning unsigned long and without NTAPI; the cast at the
//    registration site hides the difference from PVECTORED_EXCEPTION_HANDLER.
//    Verify the calling convention matches for this build, since a mismatch
//    on a one-argument x86 function corrupts the stack.
//  - VirtualProtect's return value is ignored; the local dwOld shadows the
//    file-scope one.
//  - Eip/EFlags and DWORD-sized addresses: x86-32 only.
// Detection note: nothing here writes to the hooked code bytes; the
// observable changes are the PAGE_GUARD VirtualProtect calls, the
// AddVectoredExceptionHandler registration and TF being set in the thread
// context.
unsigned long MyHandler(EXCEPTION_POINTERS *e)
{

    DWORD dwOld; // shadows the file-scope dwOld
    if (e->ExceptionRecord->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION) {
        if (e->ContextRecord->Eip == myptr) // Here we check to see if the instruction pointer is at the place where we want to hook.
        {
            /*
            Earlier variant (disabled): appears to read a 4-byte displacement at
            Eip + 1 and add Eip + 5 to form the trampoline target.
            void* ptr2 = (void*)(e->ContextRecord->Eip + 1);
            memcpy(&TrampolinePtr, ptr2, 4);
            TrampolinePtr += e->ContextRecord->Eip + 5;
            e->ContextRecord->Eip = (DWORD)myHook + 3; //Point EIP to hook handle.
            */

            TrampolinePtr = e->ContextRecord->Eip + 1; // Resume one byte past the hooked address; see myHook() for the assumption this makes.
            e->ContextRecord->Eip = (DWORD)myHook + 3; //Point EIP to hook handle.
        }
            e->ContextRecord->EFlags |= 0x100; //Set single step flag (TF), causing only one instruction to be executed and then throwing the STATUS_SINGLE_STEP exception. Done for every guard-page fault, not only the hooked one.
        return EXCEPTION_CONTINUE_EXECUTION; // When we return to the page, it will no longer be PAGE_GUARD'ed, so we rely on single stepping to re-apply it. (If we re-applied it here, we'd never move forward.)
    }

    else if (e->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP) // Raised after the single stepped instruction: re-apply PAGE_GUARD and repeat.
    {
        VirtualProtect((void*)myptr, 1, PAGE_EXECUTE | PAGE_GUARD, &dwOld); // Return value unchecked; protection is page-granular, so the whole page is guarded again.
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}
  63.  
// Worker thread started by DllMain(). Registers MyHandler as the first vectored
// exception handler, then polls until MyCFunc() has stored a non-zero myptr and
// arms PAGE_GUARD on the page containing it (VirtualProtect works at page
// granularity, so the 1-byte range covers the whole page). Never returns and
// never removes the handler.
// Review notes:
//  - Started through a cast to LPTHREAD_START_ROUTINE although it takes no
//    argument and returns nothing.
//  - myptr is re-read each iteration with no synchronization; this relies on
//    the compiler not hoisting the load out of the loop.
//  - VirtualProtect's return value is ignored, and the previous protection
//    stored in the file-scope dwOld is never restored.
void hackthread() {

    AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)MyHandler); // 1 = call this handler before any other
    int setE = 0; // becomes 1 once the guard has been armed
    do {
        if (myptr != 0 && !setE) {
            setE = 1;
            VirtualProtect((void*)myptr, 1, PAGE_EXECUTE | PAGE_GUARD, &dwOld);
        }
        Sleep(1);
    } while (1);
}
// DLL entry point. On the first DLL_PROCESS_ATTACH (guarded by myModule == NULL)
// it saves the module handle and looks at the host executable's path: if it
// contains "ConsoleApplication5" the hook thread is started, otherwise a thread
// is started that unloads this DLL again. All other notifications are ignored.
// Review notes:
//  - GetModuleFileName's return value is unchecked; the 256-wchar_t buffer is
//    silently truncated for longer paths (whether the truncated result is
//    always NUL-terminated depends on the Windows version — TODO confirm
//    before relying on wcsstr over it).
//  - Both CreateThread handles are leaked (never closed), and NULL is passed
//    where a DWORD creation-flags value and an LPDWORD are expected.
//  - The DLL_PROCESS_ATTACH case has no `break` and falls into the cases below,
//    which only break — harmless now, fragile if those cases ever gain code.
//  - Threads are created under the loader lock; they cannot finish start-up
//    until DllMain returns (standard DllMain caveat).
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        if (myModule == NULL) {
            wchar_t lpFilename[256];
            GetModuleFileName(NULL, lpFilename, 256); // NULL module = the host process's main executable

            myModule = hModule;
            //MessageBox(NULL, lpFilename, lpFilename, MB_OK);
            if (wcsstr(lpFilename, L"ConsoleApplication5") != NULL)
            {
                // MessageBox(NULL, lpFilename, L"Loading HOTS Module", MB_OK);
                CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)hackthread, NULL, NULL, NULL);
                // CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&orbwalker, NULL, NULL,
                // NULL);
            }
            else
            {
                CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&unloadself, NULL, NULL, NULL);
            }
        }
        /* no break: falls through to the cases below, which only break */

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}