public static bool Hook(ProcessMemory memory, IntPtr funcAddr, TrampolineHeap heap)
{
var objectCode = _nops.ToArray();
var trampolineAddr = heap.Allocate((uint)objectCode.Length);
var jmpToTrampoline = CreateJmpRel32((uint)funcAddr, (uint)trampolineAddr);
var originalCode = memory.ReadBytes(funcAddr, 0x100);
var dasm = IA32Disassembler.Disassemble(originalCode);
var matches = dasm
.TakeWhile(x => ((Opcode[])Enum.GetValues(typeof(Opcode))).Contains(x.Opcode.Opcode))
.ToArray();
var matchSum = matches.Sum(x => x.Size);
var sum = 0;
dasm.TakeWhile(x => (sum += x.Size) < jmpToTrampoline.Length).ToArray();
if (matchSum < sum)
{
return(false);
}
var originalCodeCopy = originalCode.ToArray();
Array.Resize(ref originalCode, sum);
originalCodeCopy = originalCodeCopy.Skip(originalCode.Length).ToArray();
//0x10 8B 4C 24 14 8B 7C 24 0C 8B
if (originalCodeCopy[0] == 0x10 &&
originalCodeCopy[1] == 0x8B &&
originalCodeCopy[2] == 0x4C &&
originalCodeCopy[3] == 0x24 &&
originalCodeCopy[4] == 0x14 &&
originalCodeCopy[5] == 0x8B &&
originalCodeCopy[6] == 0x7C &&
originalCodeCopy[7] == 0x24 &&
originalCodeCopy[8] == 0x0C &&
originalCodeCopy[9] == 0x8B)
{
Console.WriteLine();
}
const int originalCodeOffset = 0x10;
originalCode.CopyTo(objectCode, originalCodeOffset);
var jmpToFuncOffset = (uint)originalCodeOffset + (uint)originalCode.Length + 0x4;
//objectCode[(uint)originalCodeOffset + (uint)originalCode.Length + 1] = 0xCC;
var jmpToFunc = CreateJmpRel32(
(uint)trampolineAddr + jmpToFuncOffset,
(uint)funcAddr + (uint)originalCode.Length);
jmpToFunc.CopyTo(objectCode, jmpToFuncOffset);
memory.Write(trampolineAddr, objectCode);
memory.Write(funcAddr, jmpToTrampoline);
return(true);
}
public bool SetBreakpoint(IntPtr address)
{
if (BreakpointTable.ContainsKey(address))
{
return(false);
}
var buffer = mem.ReadBytes(address, 0x1);
BreakpointTable.Add(address, buffer[0]);
HitTable.Add(address, 0);
mem.Write(address, new byte[] { 0xCC });
return(true);
}
public List <uint> GetFunctionPointers(int count)
{
var pointers = new List <uint>();
var reader = new ProcessMemory(Process);
var context = ProcessMemory.GetContext(ThreadId);
//var pointers = new List<uint> { context.Eip };
uint[] stack = null;
var ptr = IntPtr.Zero;
try
{
ptr = (IntPtr)context.Esp;
}
catch { }
if (ptr != IntPtr.Zero)
{
stack = reader.ReadUInt32s(ptr, count / 4);
}
if (stack == null)
{
return(null);
}
foreach (var p in GetIntPtrs(stack))
{
var bytes = reader.ReadBytes(p, 0x20);
if (bytes == null ||
//IsStackAddress(context, (uint)p) ||
!reader.IsExecutable(p))
{
continue;
}
pointers.Add((uint)p);
//var dasm = new DiStormWrapper().Disassemble(bytes);
}
return(pointers);
}
