From d88d03b560626e43a892e302771bebe3ddfbcc93 Mon Sep 17 00:00:00 2001 From: FunkyFr3sh Date: Mon, 6 Aug 2018 09:33:27 +0200 Subject: [PATCH] new IAT hooking --- src/mouse.c | 120 ++++++++++++++++++++++------------------------------ 1 file changed, 50 insertions(+), 70 deletions(-) diff --git a/src/mouse.c b/src/mouse.c index ef94a90..0ec1322 100644 --- a/src/mouse.c +++ b/src/mouse.c @@ -26,13 +26,6 @@ BOOL mouse_active = FALSE; int yAdjust = 0; -struct hook { char name[32]; void *func; }; -struct hack -{ - char name[32]; - struct hook hooks[MAX_HOOKS]; -}; - BOOL WINAPI fake_GetCursorPos(LPPOINT lpPoint) { POINT pt, realpt; @@ -151,83 +144,67 @@ HCURSOR WINAPI fake_SetCursor(HCURSOR hCursor) return NULL; } -struct hack hacks[] = +void HookIAT(HMODULE hMod, char *moduleName, char *functionName, PROC newFunction) { + if (!hMod || hMod == INVALID_HANDLE_VALUE || !newFunction) + return; + + PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hMod; + if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) + return; + + PIMAGE_NT_HEADERS pNTHeaders = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + (DWORD)pDosHeader->e_lfanew); + if (pNTHeaders->Signature != IMAGE_NT_SIGNATURE) + return; + + PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)pDosHeader + + (DWORD)(pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)); + + if (pImportDescriptor == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeaders) + return; + + while (pImportDescriptor->FirstThunk) { - "user32.dll", + char *impModuleName = (char *)((DWORD)pDosHeader + (DWORD)(pImportDescriptor->Name)); + + if (_stricmp(impModuleName, moduleName) == 0) { - { "GetCursorPos", fake_GetCursorPos }, - { "ClipCursor", fake_ClipCursor }, - { "ShowCursor", fake_ShowCursor }, - { "SetCursor", fake_SetCursor } , - { "", NULL } - } - }, - { - "", - { - { "", NULL } - } - } -}; + PIMAGE_THUNK_DATA pFirstThunk = + (PIMAGE_THUNK_DATA)((DWORD)pDosHeader + (DWORD)pImportDescriptor->FirstThunk); -void hack_iat(struct hack *hck) -{ - int i; - char buf[32]; - struct hook *hk; - DWORD dwWritten; - IMAGE_DOS_HEADER dos_hdr; - IMAGE_NT_HEADERS nt_hdr; - IMAGE_IMPORT_DESCRIPTOR *dir; - IMAGE_THUNK_DATA thunk; - PDWORD ptmp; + PIMAGE_THUNK_DATA pOrigFirstThunk = + (PIMAGE_THUNK_DATA)((DWORD)pDosHeader + (DWORD)pImportDescriptor->OriginalFirstThunk); - HMODULE base = GetModuleHandle(NULL); - HANDLE hProcess = GetCurrentProcess(); - - ReadProcessMemory(hProcess, (void *)base, &dos_hdr, sizeof(IMAGE_DOS_HEADER), &dwWritten); - ReadProcessMemory(hProcess, (void *)((char *)base + dos_hdr.e_lfanew), &nt_hdr, sizeof(IMAGE_NT_HEADERS), &dwWritten); - dir = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (nt_hdr.OptionalHeader.DataDirectory[1].Size)); - ReadProcessMemory(hProcess, (void *)((char *)base + nt_hdr.OptionalHeader.DataDirectory[1].VirtualAddress), dir, nt_hdr.OptionalHeader.DataDirectory[1].Size, &dwWritten); - - while (dir->Name > 0) - { - memset(buf, 0, 32); - ReadProcessMemory(hProcess, (void *)((char *)base + dir->Name), buf, 32, &dwWritten); - if (_stricmp(buf, hck->name) == 0) - { - ptmp = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(DWORD) * 64); - ReadProcessMemory(hProcess, (void *)((char *)base + dir->Characteristics), ptmp, sizeof(DWORD) * 64, &dwWritten); - i = 0; - while (*ptmp) + while (pFirstThunk->u1.Function && pOrigFirstThunk->u1.AddressOfData) { - memset(buf, 0, 32); - ReadProcessMemory(hProcess, (void *)((char *)base + (*ptmp) + 2), buf, 32, &dwWritten); + PIMAGE_IMPORT_BY_NAME pImport = + (PIMAGE_IMPORT_BY_NAME)((DWORD)pDosHeader + pOrigFirstThunk->u1.AddressOfData); - hk = &hck->hooks[0]; - while (hk->func) + if ((pOrigFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) == 0 && + _stricmp((const char *)pImport->Name, functionName) == 0) { - if (_stricmp(hk->name, buf) == 0) + DWORD oldProtect; + MEMORY_BASIC_INFORMATION mbi; + + if (VirtualQuery(&pFirstThunk->u1.Function, &mbi, sizeof(MEMORY_BASIC_INFORMATION))) { - thunk.u1.Function = (DWORD)hk->func; - thunk.u1.Ordinal = (DWORD)hk->func; - thunk.u1.AddressOfData = (DWORD)hk->func; - VirtualProtectEx(hProcess, (void *)((char *)base + dir->FirstThunk + (sizeof(IMAGE_THUNK_DATA) * i)), sizeof(IMAGE_THUNK_DATA), PAGE_EXECUTE_READWRITE, &dwWritten); - WriteProcessMemory(hProcess, (void *)((char *)base + dir->FirstThunk + (sizeof(IMAGE_THUNK_DATA) * i)), &thunk, sizeof(IMAGE_THUNK_DATA), &dwWritten); - mouse_active = TRUE; + if (VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &oldProtect)) + { + pFirstThunk->u1.Function = (DWORD)newFunction; + VirtualProtect(mbi.BaseAddress, mbi.RegionSize, oldProtect, &oldProtect); + } } - hk++; + + break; } - ptmp++; - i++; + pFirstThunk++; + pOrigFirstThunk++; } } - dir++; - } - CloseHandle(hProcess); + pImportDescriptor++; + } } void mouse_lock() @@ -331,6 +308,9 @@ void mouse_unlock() void mouse_init() { - hack_iat(&hacks[0]); + HookIAT(GetModuleHandle(NULL), "user32.dll", "GetCursorPos", (PROC)fake_GetCursorPos); + HookIAT(GetModuleHandle(NULL), "user32.dll", "ClipCursor", (PROC)fake_ClipCursor); + HookIAT(GetModuleHandle(NULL), "user32.dll", "ShowCursor", (PROC)fake_ShowCursor); + HookIAT(GetModuleHandle(NULL), "user32.dll", "SetCursor", (PROC)fake_SetCursor); mouse_active = TRUE; }