Merge branch 'master' of https://github.com/martona/mhook

Author: poizan42

.gitignore

@@ -0,0 +1,29 @@
+
+#ignore thumbnails created by windows
+Thumbs.db
+#Ignore files build by Visual Studio
+*.obj
+*.exe
+*.pdb
+*.user
+*.aps
+*.pch
+*.vspscc
+*_i.c
+*_p.c
+*.ncb
+*.suo
+*.tlb
+*.tlh
+*.bak
+*.cache
+*.ilk
+*.log
+[Bb]in
+[Dd]ebug*/
+*.lib
+*.sbr
+obj/
+[Rr]elease*/
+_ReSharper*/
+[Tt]est[Rr]esult*

COPYING

@@ -1,4 +1,4 @@
-Copyright (c) 2007-2008, Marton Anka
+Copyright (c) 2007-2014, Marton Anka
 Portions Copyright (c) 2007, Matt Conover
 
 Permission is hereby granted, free of charge, to any person obtaining a copy 

mhook-lib/mhook.cpp

@@ -188,13 +188,14 @@ static PBYTE SkipJumps(PBYTE pbCode) {
 	PBYTE pbOrgCode = pbCode;
 #ifdef _M_IX86_X64
 #ifdef _M_IX86
-	if (pbCode[0] == 0x8b && pbCode[1] == 0xff) //mov edi,edi: hot patch point
+	//mov edi,edi: hot patch point
+	if (pbCode[0] == 0x8b && pbCode[1] == 0xff)
 		pbCode += 2;
 	// push ebp; mov ebp, esp; pop ebp;
 	// "collapsed" stackframe generated by MSVC
-	if (pbCode[0] == 0x55 && pbcode[1] == 0x8b && pbCode[2] == 0xec && pbCode[3] == 0x5d)
+	if (pbCode[0] == 0x55 && pbCode[1] == 0x8b && pbCode[2] == 0xec && pbCode[3] == 0x5d)
 		pbCode += 4;
-#endif
+#endif	
 	if (pbCode[0] == 0xff && pbCode[1] == 0x25) {
 #ifdef _M_IX86
 		// on x86 we have an absolute pointer...
@@ -206,6 +207,11 @@ static PBYTE SkipJumps(PBYTE pbCode) {
 		INT32 lOffset = *(INT32 *)&pbCode[2];
 		// ... that shows us an absolute pointer
 		return SkipJumps(*(PBYTE*)(pbCode + 6 + lOffset));
+	} else if (pbCode[0] == 0x48 && pbCode[1] == 0xff && pbCode[2] == 0x25) {
+		// or we can have the same with a REX prefix
+		INT32 lOffset = *(INT32 *)&pbCode[3];
+		// ... that shows us an absolute pointer
+		return SkipJumps(*(PBYTE*)(pbCode + 7 + lOffset));
 #endif
 	} else if (pbCode[0] == 0xe9) {
 		// here the behavior is identical, we have...
@@ -567,7 +573,7 @@ static DWORD DisassembleAndSkip(PVOID pFunction, DWORD dwMinLen, MHOOKS_PATCHDAT
 
 		ODPRINTF((L"mhooks: DisassembleAndSkip: Disassembling %p", pLoc));
 		while ( (dwRet < dwMinLen) && (pins = GetInstruction(&dis, (ULONG_PTR)pLoc, pLoc, dwFlags)) ) {
-			ODPRINTF(("mhooks: DisassembleAndSkip: %p: %s", pLoc, pins->String));
+			ODPRINTF(("mhooks: DisassembleAndSkip: %p:(0x%2.2x) %s", pLoc, pins->Length, pins->String));
 			if (pins->Type == ITYPE_RET		) break;
 			if (pins->Type == ITYPE_BRANCH	) break;
 			if (pins->Type == ITYPE_BRANCHCC) break;
@@ -679,15 +685,13 @@ BOOL Mhook_SetHook(PVOID *ppSystemFunction, PVOID pHookFunction) {
 		pTrampoline = TrampolineAlloc((PBYTE)pSystemFunction, patchdata.nLimitUp, patchdata.nLimitDown);
 		if (pTrampoline) {
 			ODPRINTF((L"mhooks: Mhook_SetHook: allocated structure at %p", pTrampoline));
-			// open ourselves so we can VirtualProtectEx
-			HANDLE hProc = GetCurrentProcess();
 			DWORD dwOldProtectSystemFunction = 0;
 			DWORD dwOldProtectTrampolineFunction = 0;
 			// set the system function to PAGE_EXECUTE_READWRITE
-			if (VirtualProtectEx(hProc, pSystemFunction, dwInstructionLength, PAGE_EXECUTE_READWRITE, &dwOldProtectSystemFunction)) {
+			if (VirtualProtect(pSystemFunction, dwInstructionLength, PAGE_EXECUTE_READWRITE, &dwOldProtectSystemFunction)) {
 				ODPRINTF((L"mhooks: Mhook_SetHook: readwrite set on system function"));
 				// mark our trampoline buffer to PAGE_EXECUTE_READWRITE
-				if (VirtualProtectEx(hProc, pTrampoline, sizeof(MHOOKS_TRAMPOLINE), PAGE_EXECUTE_READWRITE, &dwOldProtectTrampolineFunction)) {
+				if (VirtualProtect(pTrampoline, sizeof(MHOOKS_TRAMPOLINE), PAGE_EXECUTE_READWRITE, &dwOldProtectTrampolineFunction)) {
 					ODPRINTF((L"mhooks: Mhook_SetHook: readwrite set on trampoline structure"));
 
 					// create our trampoline function
@@ -719,7 +723,7 @@ BOOL Mhook_SetHook(PVOID *ppSystemFunction, PVOID pHookFunction) {
 						pbCode = pTrampoline->codeJumpToHookFunction;
 						pbCode = EmitJump(pbCode, (PBYTE)pHookFunction);
 						ODPRINTF((L"mhooks: Mhook_SetHook: created reverse trampoline"));
-						FlushInstructionCache(hProc, pTrampoline->codeJumpToHookFunction, 
+						FlushInstructionCache(GetCurrentProcess(), pTrampoline->codeJumpToHookFunction, 
 							pbCode - pTrampoline->codeJumpToHookFunction);
 
 						// update the API itself
@@ -738,16 +742,16 @@ BOOL Mhook_SetHook(PVOID *ppSystemFunction, PVOID pHookFunction) {
 					pTrampoline->pHookFunction = (PBYTE)pHookFunction;
 
 					// flush instruction cache and restore original protection
-					FlushInstructionCache(hProc, pTrampoline->codeTrampoline, dwInstructionLength);
-					VirtualProtectEx(hProc, pTrampoline, sizeof(MHOOKS_TRAMPOLINE), dwOldProtectTrampolineFunction, &dwOldProtectTrampolineFunction);
+					FlushInstructionCache(GetCurrentProcess(), pTrampoline->codeTrampoline, dwInstructionLength);
+					VirtualProtect(pTrampoline, sizeof(MHOOKS_TRAMPOLINE), dwOldProtectTrampolineFunction, &dwOldProtectTrampolineFunction);
 				} else {
-					ODPRINTF((L"mhooks: Mhook_SetHook: failed VirtualProtectEx 2: %d", gle()));
+					ODPRINTF((L"mhooks: Mhook_SetHook: failed VirtualProtect 2: %d", gle()));
 				}
 				// flush instruction cache and restore original protection
-				FlushInstructionCache(hProc, pSystemFunction, dwInstructionLength);
-				VirtualProtectEx(hProc, pSystemFunction, dwInstructionLength, dwOldProtectSystemFunction, &dwOldProtectSystemFunction);
+				FlushInstructionCache(GetCurrentProcess(), pSystemFunction, dwInstructionLength);
+				VirtualProtect(pSystemFunction, dwInstructionLength, dwOldProtectSystemFunction, &dwOldProtectSystemFunction);
 			} else {
-				ODPRINTF((L"mhooks: Mhook_SetHook: failed VirtualProtectEx 1: %d", gle()));
+				ODPRINTF((L"mhooks: Mhook_SetHook: failed VirtualProtect 1: %d", gle()));
 			}
 			if (pTrampoline->pSystemFunction) {
 				// this is what the application will use as the entry point
@@ -780,19 +784,17 @@ BOOL Mhook_Unhook(PVOID *ppHookedFunction) {
 		// make sure nobody's executing code where we're about to overwrite a few bytes
 		SuspendOtherThreads(pTrampoline->pSystemFunction, pTrampoline->cbOverwrittenCode);
 		ODPRINTF((L"mhooks: Mhook_Unhook: found struct at %p", pTrampoline));
-		// open ourselves so we can VirtualProtectEx
-		HANDLE hProc = GetCurrentProcess();
 		DWORD dwOldProtectSystemFunction = 0;
 		// make memory writable
-		if (VirtualProtectEx(hProc, pTrampoline->pSystemFunction, pTrampoline->cbOverwrittenCode, PAGE_EXECUTE_READWRITE, &dwOldProtectSystemFunction)) {
+		if (VirtualProtect(pTrampoline->pSystemFunction, pTrampoline->cbOverwrittenCode, PAGE_EXECUTE_READWRITE, &dwOldProtectSystemFunction)) {
 			ODPRINTF((L"mhooks: Mhook_Unhook: readwrite set on system function"));
 			PBYTE pbCode = (PBYTE)pTrampoline->pSystemFunction;
 			for (DWORD i = 0; i<pTrampoline->cbOverwrittenCode; i++) {
 				pbCode[i] = pTrampoline->codeUntouched[i];
 			}
 			// flush instruction cache and make memory unwritable
-			FlushInstructionCache(hProc, pTrampoline->pSystemFunction, pTrampoline->cbOverwrittenCode);
-			VirtualProtectEx(hProc, pTrampoline->pSystemFunction, pTrampoline->cbOverwrittenCode, dwOldProtectSystemFunction, &dwOldProtectSystemFunction);
+			FlushInstructionCache(GetCurrentProcess(), pTrampoline->pSystemFunction, pTrampoline->cbOverwrittenCode);
+			VirtualProtect(pTrampoline->pSystemFunction, pTrampoline->cbOverwrittenCode, dwOldProtectSystemFunction, &dwOldProtectSystemFunction);
 			// return the original function pointer
 			*ppHookedFunction = pTrampoline->pSystemFunction;
 			bRet = TRUE;
@@ -801,7 +803,7 @@ BOOL Mhook_Unhook(PVOID *ppHookedFunction) {
 			TrampolineFree(pTrampoline, FALSE);
 			ODPRINTF((L"mhooks: Mhook_Unhook: unhook successful"));
 		} else {
-			ODPRINTF((L"mhooks: Mhook_Unhook: failed VirtualProtectEx 1: %d", gle()));
+			ODPRINTF((L"mhooks: Mhook_Unhook: failed VirtualProtect 1: %d", gle()));
 		}
 		// make the other guys runnable
 		ResumeOtherThreads();