View difference between Paste ID: YZh4u8Zw and ZdXztf76
1
#define WIN32_LEAN_AND_MEAN
2
#include <windows.h>
3-
#define SIZE 6
3+
4
#define MH_DEFTRAMPOLINE(pFuncName) \
5-
typedef int (WINAPI *pMessageBoxW)(HWND, LPCWSTR, LPCWSTR, UINT);
5+
	BYTE *orig_##pFuncName; BYTE *tramp_##pFuncName
6-
int WINAPI MyMessageBoxW(HWND, LPCWSTR, LPCWSTR, UINT);
6+
#define MH_ALLOCTRAMPOLINE(pTrampolinePtr, bSize) \
7
	pTrampolinePtr = (BYTE*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bSize+5)
8-
void BeginRedirect(LPVOID);
8+
#define MH_FREETRAMOLINE(pTrampolinePtr) \
9
	HeapFree(GetProcessHeap(), 0, pTrampolinePtr)
10-
pMessageBoxW pOrigMBAddress = NULL;
10+
11-
BYTE oldBytes[SIZE] = {0};
11+
/*returns pointer to trampoline function*/
12-
BYTE JMP[SIZE] = {0};
12+
BYTE *MH_TrampolineAdd(BYTE *pOrigFunc, BYTE *pNewFunc, BYTE *pTrampolineFunc, BYTE bSize)
13-
DWORD oldProtect, myProtect = PAGE_EXECUTE_READWRITE;
13+
14
	BYTE bTemp;
15-
INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
15+
	DWORD dwOldProt;
16
	VirtualProtect((void*)pTrampolineFunc, bSize+5, PAGE_EXECUTE_READWRITE, &dwOldProt);
17-
    switch(Reason)
17+
	VirtualProtect((void*)pOrigFunc, bSize, PAGE_EXECUTE_READWRITE, &dwOldProt);
18-
    {
18+
	bTemp = bSize;
19-
    case DLL_PROCESS_ATTACH:
19+
	while (bTemp-- > 0) pTrampolineFunc[bTemp] = pOrigFunc[bTemp];
20-
        pOrigMBAddress = (pMessageBoxW)
20+
	pTrampolineFunc += bSize;
21-
            GetProcAddress(GetModuleHandle("user32.dll"), 
21+
	pTrampolineFunc[0] = 0xE9; //JMP [rel16/32]
22-
                           "MessageBoxW");
22+
	*(DWORD*)(pTrampolineFunc+1) = (DWORD)((pOrigFunc+bSize - pTrampolineFunc) - 5);
23-
        if(pOrigMBAddress != NULL)
23+
	pOrigFunc[0] = 0xE9; //JMP [rel16/32]
24-
            BeginRedirect(MyMessageBoxW);    
24+
	*(DWORD*)(pOrigFunc+1) = (DWORD)((pNewFunc - pOrigFunc) - 5);
25-
        break;
25+
	bTemp = 5; while (bTemp++ < bSize) pOrigFunc[bTemp] = 0x90;
26-
    case DLL_PROCESS_DETACH:
26+
	VirtualProtect((void*)pOrigFunc, bSize, dwOldProt, &dwOldProt);
27-
        memcpy(pOrigMBAddress, oldBytes, SIZE);
27+
	return (pTrampolineFunc - bSize);
28-
    case DLL_THREAD_ATTACH:
28+
29-
    case DLL_THREAD_DETACH:
29+
30-
        break;
30+
/*returns pointer to trampoline function*/
31-
    }
31+
BYTE *MH_TrampolineRemove(BYTE *pOrigFunc, BYTE *pTrampolineFunc, BYTE bSize)
32-
    return TRUE;
32+
33
	DWORD dwOldProt;
34
	VirtualProtect((void*)pOrigFunc, bSize, PAGE_EXECUTE_READWRITE, &dwOldProt);
35-
void BeginRedirect(LPVOID newFunction)
35+
	while (bSize-- > 0) pOrigFunc[bSize] = pTrampolineFunc[bSize];
36
	VirtualProtect((void*)pOrigFunc, bSize, dwOldProt, &dwOldProt);
37-
    BYTE tempJMP[SIZE] = {0xE9, 0x90, 0x90, 0x90, 0x90, 0xC3};
37+
	return pTrampolineFunc;
38-
    memcpy(JMP, tempJMP, SIZE);
38+
39-
    DWORD JMPSize = ((DWORD)newFunction - (DWORD)pOrigMBAddress - 5);
39+
40-
    VirtualProtect((LPVOID)pOrigMBAddress, SIZE, 
40+
MH_DEFTRAMPOLINE(MessageBoxW);
41-
                    PAGE_EXECUTE_READWRITE, &oldProtect);
41+
typedef int (WINAPI *_MessageBoxW)(HWND, LPCTSTR, LPCTSTR, UINT);
42-
    memcpy(oldBytes, pOrigMBAddress, SIZE);
42+
_MessageBoxW o
43-
    memcpy(&JMP[1], &JMPSize, 4);
43+
int WINAPI new_MessageBoxW(HWND hwnd, LPCTSTR text, LPCTSTR title, UINT utype)
44-
    memcpy(pOrigMBAddress, JMP, SIZE);
44+
45-
    VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, NULL);
45+
	char *newTitle = NULL;
46
	newTitle = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lstrlenW(title) + 15);
47
	lstrcpyW(newTitle, L"=|MicroHook|= "); if (title != NULL) lstrcatW(newTitle, title);
48-
int  WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uiType)
48+
	int ret = ((_MessageBoxW)(tramp_MessageBoxW))(hwnd, text, newTitle, utype);
49
	MessageBoxW(0, L"WTF HOOKED", 0, 0);
50-
    VirtualProtect((LPVOID)pOrigMBAddress, SIZE, myProtect, NULL);
50+
	HeapFree(GetProcessHeap(), 0, newTitle);
51-
    memcpy(pOrigMBAddress, oldBytes, SIZE);
51+
	return ret;
52-
    int retValue = MessageBoxW(hWnd, lpText, lpCaption, uiType);
52+
53-
    memcpy(pOrigMBAddress, JMP, SIZE);
53+
54-
    VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, NULL);
54+
BOOL WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpvReserved)
55-
    return retValue;
55+
56
	if (dwReason == DLL_PROCESS_ATTACH)
57
	{
58
		orig_MessageBoxW = (BYTE*)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxW");
59
		MH_ALLOCTRAMPOLINE(tramp_MessageBoxW, 5);
60
		MH_TrampolineAdd(orig_MessageBoxW, (BYTE*)&new_MessageBoxW, tramp_MessageBoxW, 5);
61
	}
62
	else if (dwReason == DLL_PROCESS_DETACH)
63
	{
64
		MH_TrampolineRemove(orig_MessageBoxW, tramp_MessageBoxW, 5);
65
		MH_FREETRAMOLINE(tramp_MessageBoxW);
66
	}
67
	return (BOOL)1;
68
}
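Review bot: In `new_MessageBoxW` (new lines 45-47) the title buffer is sized in bytes but filled with wide characters: `HeapAlloc(..., lstrlenW(title) + 15)` reserves one byte per character while `lstrcpyW`/`lstrcatW` write two, so every call writes about twice the allocated size and corrupts the process heap. Declare it as `WCHAR *newTitle`, allocate `(lstrlenW(title) + 15) * sizeof(WCHAR)` bytes, and bail out before the `lstrcpyW` if `HeapAlloc` returns NULL. Separately, the NOP-fill loop in `MH_TrampolineAdd`, `bTemp = 5; while (bTemp++ < bSize) pOrigFunc[bTemp] = 0x90;`, skips index 5 and writes index `bSize`, one byte past the span being patched (harmless only for the `bSize` of 5 used here); `for (bTemp = 5; bTemp < bSize; bTemp++) pOrigFunc[bTemp] = 0x90;` stays in range. The new `DllMain` also drops the old paste's NULL check on the `GetProcAddress` result and ignores every `VirtualProtect` return value, so a failed lookup or protection change leads straight to a write through a bad or read-only pointer.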