/// <summary>
/// Hook callback that dumps the captured x86 register set and the top four
/// stack slots of the hooked process to the console, then overwrites the
/// dword at esp+4 with the constant 0x1234.
/// </summary>
/// <param name="sender">Unused; the object that raised the hook event.</param>
/// <param name="e">Event data carrying the captured register values.</param>
private static void HookSessionOnHookTriggered(object sender, HookEventArgs e)
{
    Console.WriteLine("--- [Hook callback] ---");

    // Print the first nine register slots, each labelled with the lower-cased
    // RegisterX86 name that has the same index.
    Console.WriteLine("[Registers]");
    int registerIndex = 0;
    while (registerIndex < 9)
    {
        string label = ((RegisterX86)registerIndex).ToString().ToLowerInvariant();
        Console.WriteLine("{0}: {1:X8}", label, e.Registers[registerIndex]);
        registerIndex++;
    }

    // Read four dwords starting at the captured stack pointer and print them
    // as "esp+NN: VALUE".
    var stackPointer = (IntPtr)e.Registers[(int)RegisterX86.Esp];
    Console.WriteLine("[Stack]");
    const int SlotCount = 4;
    var stackBytes = _hookSession.ReadMemory(stackPointer, SlotCount * sizeof(int));
    for (int slot = 0; slot < SlotCount; slot++)
    {
        int byteOffset = slot * sizeof(int);
        Console.WriteLine($"esp+{byteOffset:00}: {BitConverter.ToUInt32(stackBytes, byteOffset):X8}");
    }

    // Patch the second stack slot of the hooked process. This mutates the
    // target's state; the value is a fixed demonstration constant.
    Console.WriteLine("Changing esp+4 to 0x1234");
    _hookSession.WriteMemory(stackPointer + 4, BitConverter.GetBytes(0x1234));

    Console.WriteLine("--- [End hook callback] ---");
}
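/// <summary>
/// Hook callback for MessageBoxA: reads the four stdcall arguments from the
/// stack of the hooked process and prints them to the console.
/// </summary>
/// <param name="sender">Unused; the object that raised the hook event.</param>
/// <param name="e">Event data carrying the captured register values.</param>
private static void HookSessionOnHookTriggered(object sender, HookEventArgs e)
{
    Console.WriteLine("MessageBoxA was called!");

    // Stack layout at the hook point, one dword per slot:
    //   [0] return address, [1] hWnd, [2] lpText, [3] lpCaption, [4] uType.
    const int SlotCount = 5;
    // Upper bound on the bytes read for each ANSI string argument. A string
    // longer than this is truncated; the read itself may also fail if the
    // range crosses into an unmapped page (depends on ReadMemory's behaviour).
    const int MaxStringBytes = 100;
    const string NullPointerText = "(null)";

    var esp = (IntPtr)e.Registers[(int)RegisterX86.Esp];
    var rawStackData = _hookSession.ReadMemory(esp, SlotCount * sizeof(uint));
    var stackEntries = new uint[SlotCount];
    for (int i = 0; i < stackEntries.Length; i++)
    {
        stackEntries[i] = BitConverter.ToUInt32(rawStackData, i * sizeof(uint));
    }

    // MessageBoxA accepts NULL for lpText and lpCaption. Address 0 is never
    // mapped in a user-mode process, so skip the read instead of letting the
    // callback fail inside the hook.
    var message = stackEntries[2] == 0
        ? NullPointerText
        : BytesToZeroTerminatedString(_hookSession.ReadMemory((IntPtr)stackEntries[2], MaxStringBytes));
    var title = stackEntries[3] == 0
        ? NullPointerText
        : BytesToZeroTerminatedString(_hookSession.ReadMemory((IntPtr)stackEntries[3], MaxStringBytes));

    Console.WriteLine("Arguments:");
    Console.WriteLine($"- hWnd: {stackEntries[1]:X8}");
    Console.WriteLine($"- lpText: \"{message}\"");
    Console.WriteLine($"- lpCaption: \"{title}\"");
    Console.WriteLine($"- uType: {stackEntries[4]:X8}");
}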
/// <summary>
/// Determines how many bytes of the code at <paramref name="address"/> must be
/// relocated to make room for a 5-byte call, and records the offsets of the
/// rel32 operands of any E8/E9 (call/jmp rel32) instructions found in that
/// range so they can be fixed up after relocation.
/// </summary>
/// <param name="session">Session used to read the target process's memory.</param>
/// <param name="address">Start of the function to be hooked.</param>
/// <returns>The number of bytes covered and the fix-up offsets.</returns>
public HookParameters Detect(HookSession session, IntPtr address)
{
    // A single x86 instruction is at most 15 bytes and a rel32 call needs 5,
    // so 4 + 15 bytes are enough to fully decode every instruction that can
    // start inside the first 5 bytes.
    const int CallSize = 5;
    const int MaxInstructionSize = 15;
    var codeReader = new MemoryStreamReader(session.ReadMemory(address, CallSize - 1 + MaxInstructionSize));
    var disassembler = new X86Disassembler(codeReader, address.ToInt64());
    var fixups = new List<ushort>();

    // Decode whole instructions until at least CallSize bytes are covered.
    // Only E8/E9 with a rel32 operand are recorded; any other
    // position-dependent instruction in this range (e.g. a rel8 branch) is
    // not fixed up, so callers should be aware of that limitation.
    while (codeReader.Position - codeReader.StartPosition < CallSize)
    {
        var instruction = disassembler.ReadNextInstruction();
        bool isRelativeBranch = instruction.OpCode.Op1 == X86OpCodes.Jmp_Rel1632.Op1
                             || instruction.OpCode.Op1 == X86OpCodes.Call_Rel1632.Op1;
        if (!isRelativeBranch)
        {
            continue;
        }

        // The rel32 operand is the last 4 bytes of the instruction just read.
        // NOTE(review): this subtracts the absolute address from the reader
        // position, while the return below passes Position as a byte count;
        // both only agree if the reader's positions are relative to `address`
        // — confirm against MemoryStreamReader's semantics.
        int operandOffset = (int)(codeReader.Position - address.ToInt64() - 4);
        fixups.Add((ushort)operandOffset);
    }

    return new HookParameters((int)codeReader.Position, fixups);
}