2014-05-14 12:39:12 -04:00
|
|
|
#include <windows.h>
|
|
|
|
|
#include "dxwnd.h"
|
|
|
|
|
#include "dxwcore.hpp"
|
|
|
|
|
|
2016-06-26 12:46:13 -04:00
|
|
|
void *IATPatch(HMODULE module, DWORD ordinal, char *dll, void *apiproc, const char *apiname, void *hookproc)
|
2014-05-14 12:39:12 -04:00
|
|
|
{
|
|
|
|
|
PIMAGE_NT_HEADERS pnth;
|
|
|
|
|
PIMAGE_IMPORT_DESCRIPTOR pidesc;
|
|
|
|
|
DWORD base, rva;
|
|
|
|
|
PSTR impmodule;
|
|
|
|
|
PIMAGE_THUNK_DATA ptaddr;
|
|
|
|
|
PIMAGE_THUNK_DATA ptname;
|
|
|
|
|
PIMAGE_IMPORT_BY_NAME piname;
|
|
|
|
|
DWORD oldprotect;
|
|
|
|
|
void *org;
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceH("IATPatch: module=%x ordinal=%x dll=%s\n", module, ordinal, dll);
|
2014-05-14 12:39:12 -04:00
|
|
|
|
|
|
|
|
base = (DWORD)module;
|
|
|
|
|
org = 0; // by default, ret = 0 => API not found
|
|
|
|
|
|
|
|
|
|
__try{
|
|
|
|
|
pnth = PIMAGE_NT_HEADERS(PBYTE(base) + PIMAGE_DOS_HEADER(base)->e_lfanew);
|
|
|
|
|
if(!pnth) {
|
|
|
|
|
OutTraceH("IATPatch: ERROR no PNTH at %d\n", __LINE__);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
rva = pnth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
|
|
|
|
|
if(!rva) {
|
|
|
|
|
OutTraceH("IATPatch: ERROR no RVA at %d\n", __LINE__);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
pidesc = (PIMAGE_IMPORT_DESCRIPTOR)(base + rva);
|
|
|
|
|
|
|
|
|
|
while(pidesc->FirstThunk){
|
|
|
|
|
impmodule = (PSTR)(base + pidesc->Name);
|
2016-06-26 12:46:13 -04:00
|
|
|
//OutTraceH("IATPatch: analyze impmodule=%s\n", impmodule);
|
|
|
|
|
char *fname = impmodule;
|
|
|
|
|
for(; *fname; fname++); for(; !*fname; fname++);
|
2014-05-14 12:39:12 -04:00
|
|
|
|
2016-12-03 11:45:15 -05:00
|
|
|
if(!lstrcmpi(dll, impmodule)) {
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceH("IATPatch: dll=%s found at %x\n", dll, impmodule);
|
2016-12-03 11:45:15 -05:00
|
|
|
|
|
|
|
|
ptaddr = (PIMAGE_THUNK_DATA)(base + (DWORD)pidesc->FirstThunk);
|
|
|
|
|
ptname = (pidesc->OriginalFirstThunk) ? (PIMAGE_THUNK_DATA)(base + (DWORD)pidesc->OriginalFirstThunk) : NULL;
|
|
|
|
|
|
|
|
|
|
while(ptaddr->u1.Function){
|
2016-06-26 12:46:13 -04:00
|
|
|
// OutTraceH("IATPatch: address=%x ptname=%x\n", ptaddr->u1.AddressOfData, ptname);
|
2016-12-03 11:45:15 -05:00
|
|
|
|
|
|
|
|
if (ptname){
|
|
|
|
|
// examining by function name
|
|
|
|
|
if(!IMAGE_SNAP_BY_ORDINAL(ptname->u1.Ordinal)){
|
|
|
|
|
piname = (PIMAGE_IMPORT_BY_NAME)(base + (DWORD)ptname->u1.AddressOfData);
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceH("IATPatch: BYNAME ordinal=%x address=%x name=%s hint=%x\n", ptaddr->u1.Ordinal, ptaddr->u1.AddressOfData, (char *)piname->Name, piname->Hint);
|
2016-12-03 11:45:15 -05:00
|
|
|
if(!lstrcmpi(apiname, (char *)piname->Name)) break;
|
|
|
|
|
}
|
|
|
|
|
else{
|
|
|
|
|
if(ordinal && (IMAGE_ORDINAL32(ptname->u1.Ordinal) == ordinal)) { // skip unknow ordinal 0
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceH("IATPatch: BYORD ordinal=%x addr=%x\n", ptname->u1.Ordinal, ptaddr->u1.Function);
|
|
|
|
|
//OutTraceH("IATPatch: BYORD GetProcAddress=%x\n", GetProcAddress(GetModuleHandle(dll), MAKEINTRESOURCE(IMAGE_ORDINAL32(ptname->u1.Ordinal))));
|
2016-12-03 11:45:15 -05:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
2016-06-26 12:46:13 -04:00
|
|
|
else {
|
|
|
|
|
// OutTraceH("IATPatch: fname=%s\n", fname);
|
|
|
|
|
if(!lstrcmpi(apiname, fname)) {
|
|
|
|
|
OutTraceH("IATPatch: BYSCAN ordinal=%x address=%x name=%s\n", ptaddr->u1.Ordinal, ptaddr->u1.AddressOfData, fname);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
for(; *fname; fname++); for(; !*fname; fname++);
|
|
|
|
|
}
|
2016-12-03 11:45:15 -05:00
|
|
|
|
|
|
|
|
if (apiproc){
|
|
|
|
|
// examining by function addr
|
|
|
|
|
if(ptaddr->u1.Function == (DWORD)apiproc) break;
|
|
|
|
|
}
|
|
|
|
|
ptaddr ++;
|
|
|
|
|
if (ptname) ptname ++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(ptaddr->u1.Function) {
|
|
|
|
|
org = (void *)ptaddr->u1.Function;
|
|
|
|
|
if(org == hookproc) return 0; // already hooked
|
|
|
|
|
|
|
|
|
|
if(!VirtualProtect(&ptaddr->u1.Function, 4, PAGE_EXECUTE_READWRITE, &oldprotect)) {
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceDW("IATPatch: VirtualProtect error %d at %d\n", GetLastError(), __LINE__);
|
2016-12-03 11:45:15 -05:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
ptaddr->u1.Function = (DWORD)hookproc;
|
|
|
|
|
if(!VirtualProtect(&ptaddr->u1.Function, 4, oldprotect, &oldprotect)) {
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceDW("IATPatch: VirtualProtect error %d at %d\n", GetLastError(), __LINE__);
|
2016-12-03 11:45:15 -05:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
if (!FlushInstructionCache(GetCurrentProcess(), &ptaddr->u1.Function, 4)) {
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceDW("IATPatch: FlushInstructionCache error %d at %d\n", GetLastError(), __LINE__);
|
2016-12-03 11:45:15 -05:00
|
|
|
return 0;
|
|
|
|
|
}
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceH("IATPatch hook=%s address=%x->%x\n", apiname, org, hookproc);
|
2016-12-03 11:45:15 -05:00
|
|
|
|
|
|
|
|
return org;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
pidesc ++;
|
|
|
|
|
}
|
|
|
|
|
if(!pidesc->FirstThunk) {
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceH("IATPatch: PE unreferenced function %s:%s\n", dll, apiname);
|
2016-12-03 11:45:15 -05:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
__except(EXCEPTION_EXECUTE_HANDLER)
|
|
|
|
|
{
|
2016-06-26 12:46:13 -04:00
|
|
|
OutTraceH("IATPatch: EXCEPTION hook=%s:%s Hook Failed.\n", dll, apiname);
|
2016-12-03 11:45:15 -05:00
|
|
|
}
|
|
|
|
|
return org;
|
|
|
|
|
}
|
2016-06-26 12:46:13 -04:00
|
|
|
|
|
|
|
|
void *IATPatch(HMODULE module, char *dll, void *apiproc, const char *apiname, void *hookproc)
|
|
|
|
|
{
|
|
|
|
|
return IATPatch(module, 0, dll, apiproc, apiname, hookproc);
|
|
|
|
|
}
|
