#pragma once #ifndef _DETOURS_H_ #define _DETOURS_H_ #pragma comment(lib, "detours") #ifndef GUID_DEFINED #define GUID_DEFINED typedef struct _GUID { DWORD Data1; WORD Data2; WORD Data3; BYTE Data4[ 8 ]; } GUID; #endif #if defined(__cplusplus) #ifndef _REFGUID_DEFINED #define _REFGUID_DEFINED #define REFGUID const GUID & #endif #else #ifndef _REFGUID_DEFINED #define _REFGUID_DEFINED #define REFGUID const GUID * const #endif #endif #ifdef __cplusplus extern "C" { #endif #define DETOUR_INSTRUCTION_TARGET_NONE ((PBYTE)0) #define DETOUR_INSTRUCTION_TARGET_DYNAMIC ((PBYTE)~0ul) #define DETOUR_TRAMPOLINE_SIZE 32 #define DETOUR_SECTION_HEADER_SIGNATURE 0x00727444 #define DETOUR_TRAMPOLINE(trampoline,target) \ static PVOID __fastcall _Detours_GetVA_##target(VOID) \ { \ return ⌖ \ } \ \ __declspec(naked) trampoline \ { \ __asm { nop };\ __asm { nop };\ __asm { call _Detours_GetVA_##target };\ __asm { jmp eax };\ __asm { ret };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ } #define DETOUR_TRAMPOLINE_EMPTY(trampoline) \ __declspec(naked) trampoline \ { \ __asm { nop };\ __asm { nop };\ __asm { xor eax, eax };\ __asm { mov eax, [eax] };\ __asm { ret };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ __asm { nop };\ } #pragma pack(push, 8) typedef struct _DETOUR_SECTION_HEADER { DWORD cbHeaderSize; DWORD nSignature; DWORD nDataOffset; DWORD cbDataSize; DWORD nOriginalImportVirtualAddress; DWORD nOriginalImportSize; DWORD nOriginalBoundImportVirtualAddress; DWORD nOriginalBoundImportSize; DWORD nOriginalIatVirtualAddress; DWORD nOriginalIatSize; DWORD nOriginalSizeOfImage; DWORD nReserve; } DETOUR_SECTION_HEADER, *PDETOUR_SECTION_HEADER; typedef struct _DETOUR_SECTION_RECORD { DWORD cbBytes; DWORD nReserved; GUID guid; } DETOUR_SECTION_RECORD, *PDETOUR_SECTION_RECORD; #pragma pack(pop) #define DETOUR_SECTION_HEADER_DECLARE(cbSectionSize) \ { \ sizeof(DETOUR_SECTION_HEADER),\ DETOUR_SECTION_HEADER_SIGNATURE,\ sizeof(DETOUR_SECTION_HEADER),\ (cbSectionSize),\ \ 0,\ 0,\ 0,\ 0,\ \ 0,\ 0,\ 0,\ 0,\ } typedef BOOL (CALLBACK *PF_DETOUR_BINARY_BYWAY_CALLBACK)(PVOID pContext, PCHAR pszFile, PCHAR *ppszOutFile); typedef BOOL (CALLBACK *PF_DETOUR_BINARY_FILE_CALLBACK)(PVOID pContext, PCHAR pszOrigFile, PCHAR pszFile, PCHAR *ppszOutFile); typedef BOOL (CALLBACK *PF_DETOUR_BINARY_SYMBOL_CALLBACK)(PVOID pContext, DWORD nOrdinal, PCHAR pszOrigSymbol, PCHAR pszSymbol, PCHAR *ppszOutSymbol); typedef BOOL (CALLBACK *PF_DETOUR_BINARY_FINAL_CALLBACK)(PVOID pContext); typedef BOOL (CALLBACK *PF_DETOUR_BINARY_EXPORT_CALLBACK)(PVOID pContext, DWORD nOrdinal, PCHAR pszName, PBYTE pbCode); typedef VOID * PDETOUR_BINARY; typedef VOID * PDETOUR_LOADED_BINARY; PBYTE WINAPI DetourFunction(PBYTE pbTargetFunction, PBYTE pbDetourFunction); BOOL WINAPI DetourFunctionWithEmptyTrampoline(PBYTE pbTrampoline, PBYTE pbTarget, PBYTE pbDetour); BOOL WINAPI DetourFunctionWithEmptyTrampolineEx(PBYTE pbTrampoline, PBYTE pbTarget, PBYTE pbDetour, PBYTE *ppbRealTrampoline, PBYTE *ppbRealTarget, PBYTE *ppbRealDetour); BOOL WINAPI DetourFunctionWithTrampoline(PBYTE pbTrampoline, PBYTE pbDetour); BOOL WINAPI DetourFunctionWithTrampolineEx(PBYTE pbTrampoline, PBYTE pbDetour, PBYTE *ppbRealTrampoline, PBYTE *ppbRealTarget); BOOL WINAPI DetourRemove(PBYTE pbTrampoline, PBYTE pbDetour); PBYTE WINAPI DetourFindFunction(PCHAR pszModule, PCHAR pszFunction); PBYTE WINAPI DetourGetFinalCode(PBYTE pbCode, BOOL fSkipJmp); PBYTE WINAPI DetourCopyInstruction(PBYTE pbDst, PBYTE pbSrc, PBYTE *ppbTarget); PBYTE WINAPI DetourCopyInstructionEx(PBYTE pbDst, PBYTE pbSrc, PBYTE *ppbTarget, LONG *plExtra); HMODULE WINAPI DetourEnumerateModules(HMODULE hModuleLast); PBYTE WINAPI DetourGetEntryPoint(HMODULE hModule); BOOL WINAPI DetourEnumerateExports(HMODULE hModule, PVOID pContext, PF_DETOUR_BINARY_EXPORT_CALLBACK pfExport); PBYTE WINAPI DetourFindPayload(HMODULE hModule, REFGUID rguid, DWORD *pcbData); DWORD WINAPI DetourGetSizeOfPayloads(HMODULE hModule); BOOL WINAPI DetourBinaryBindA(PCHAR pszFile, PCHAR pszDll, PCHAR pszPath); BOOL WINAPI DetourBinaryBindW(PWCHAR pwzFile, PWCHAR pwzDll, PWCHAR pwzPath); #ifdef UNICODE #define DetourBinaryBind DetourBinaryBindW #else #define DetourBinaryBind DetourBinaryBindA #endif PDETOUR_BINARY WINAPI DetourBinaryOpen(HANDLE hFile); PBYTE WINAPI DetourBinaryEnumeratePayloads(PDETOUR_BINARY pBinary, GUID *pGuid, DWORD *pcbData, DWORD *pnIterator); PBYTE WINAPI DetourBinaryFindPayload(PDETOUR_BINARY pBinary, REFGUID rguid, DWORD *pcbData); PBYTE WINAPI DetourBinarySetPayload(PDETOUR_BINARY pBinary, REFGUID rguid, PBYTE pbData, DWORD cbData); BOOL WINAPI DetourBinaryDeletePayload(PDETOUR_BINARY pBinary, REFGUID rguid); BOOL WINAPI DetourBinaryPurgePayloads(PDETOUR_BINARY pBinary); BOOL WINAPI DetourBinaryResetImports(PDETOUR_BINARY pBinary); BOOL WINAPI DetourBinaryEditImports(PDETOUR_BINARY pBinary, PVOID pContext, PF_DETOUR_BINARY_BYWAY_CALLBACK pfByway, PF_DETOUR_BINARY_FILE_CALLBACK pfFile, PF_DETOUR_BINARY_SYMBOL_CALLBACK pfSymbol, PF_DETOUR_BINARY_FINAL_CALLBACK pfFinal); BOOL WINAPI DetourBinaryWrite(PDETOUR_BINARY pBinary, HANDLE hFile); BOOL WINAPI DetourBinaryClose(PDETOUR_BINARY pBinary); LPTOP_LEVEL_EXCEPTION_FILTER WINAPI DetourFirstChanceExceptionFilter(LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelFilter); typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEA) (LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEW) (LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); BOOL WINAPI DetourCreateProcessWithDllA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, LPCSTR lpDllName, PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); BOOL WINAPI DetourCreateProcessWithDllW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, LPCWSTR lpDllName, PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); #ifdef UNICODE #define DetourCreateProcessWithDll DetourCreateProcessWithDllW #define PDETOUR_CREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINEW #else #define DetourCreateProcessWithDll DetourCreateProcessWithDllA #define PDETOUR_CREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINEA #endif BOOL WINAPI DetourContinueProcessWithDllA(HANDLE hProcess, LPCSTR lpDllName); BOOL WINAPI DetourContinueProcessWithDllW(HANDLE hProcess, LPCWSTR lpDllName); #ifdef UNICODE #define DetourContinueProcessWithDll DetourContinueProcessWithDllW #else #define DetourContinueProcessWithDll DetourContinueProcessWithDllA #endif #ifdef __cplusplus } #endif #define ContinueProcessWithDll DetourContinueProcessWithDll #define ContinueProcessWithDllA DetourContinueProcessWithDllA #define ContinueProcessWithDllW DetourContinueProcessWithDllW #define CreateProcessWithDll DetourCreateProcessWithDll #define CreateProcessWithDllA DetourCreateProcessWithDllA #define CreateProcessWithDllW DetourCreateProcessWithDllW #define DETOUR_TRAMPOLINE_WO_TARGET DETOUR_TRAMPOLINE_EMPTY #define DetourBinaryPurgePayload DetourBinaryPurgePayloads #define DetourEnumerateExportsForInstance DetourEnumerateExports #define DetourEnumerateInstances DetourEnumerateModules #define DetourFindEntryPointForInstance DetourGetEntryPoint #define DetourFindFinalCode DetourGetFinalCode #define DetourFindPayloadInBinary DetourFindPayload #define DetourGetSizeOfBinary DetourGetSizeOfPayloads #define DetourRemoveWithTrampoline DetourRemove #define PCREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINE #define PCREATE_PROCESS_ROUTINEA PDETOUR_CREATE_PROCESS_ROUTINEA #define PCREATE_PROCESS_ROUTINEW PDETOUR_CREATE_PROCESS_ROUTINEW #ifdef __cplusplus #ifdef DETOURS_INTERNAL #ifdef IMAGEAPI typedef LPAPI_VERSION (NTAPI *PF_ImagehlpApiVersionEx)(LPAPI_VERSION AppVersion); typedef BOOL (NTAPI *PF_SymInitialize)(IN HANDLE hProcess, IN LPSTR UserSearchPath, IN BOOL fInvadeProcess); typedef DWORD (NTAPI *PF_SymSetOptions)(IN DWORD SymOptions); typedef DWORD (NTAPI *PF_SymGetOptions)(VOID); typedef BOOL (NTAPI *PF_SymLoadModule)(IN HANDLE hProcess, IN HANDLE hFile, IN PSTR ImageName, IN PSTR ModuleName, IN DWORD BaseOfDll, IN DWORD SizeOfDll); typedef BOOL (NTAPI *PF_SymGetModuleInfo)(IN HANDLE hProcess, IN DWORD dwAddr, OUT PIMAGEHLP_MODULE ModuleInfo); typedef BOOL (NTAPI *PF_SymGetSymFromName)(IN HANDLE hProcess, IN LPSTR Name, OUT PIMAGEHLP_SYMBOL Symbol); typedef BOOL (NTAPI *PF_BindImage)(IN LPSTR pszImageName, IN LPSTR pszDllPath, IN LPSTR pszSymbolPath); typedef struct _DETOUR_SYM_INFO { HANDLE hProcess; HMODULE hImageHlp; PF_ImagehlpApiVersionEx pfImagehlpApiVersionEx; PF_SymInitialize pfSymInitialize; PF_SymSetOptions pfSymSetOptions; PF_SymGetOptions pfSymGetOptions; PF_SymLoadModule pfSymLoadModule; PF_SymGetModuleInfo pfSymGetModuleInfo; PF_SymGetSymFromName pfSymGetSymFromName; PF_BindImage pfBindImage; } DETOUR_SYM_INFO, *PDETOUR_SYM_INFO; PDETOUR_SYM_INFO DetourLoadImageHlp(VOID); #endif class CDetourEnableWriteOnCodePage { public: CDetourEnableWriteOnCodePage(PBYTE pbCode, LONG cbCode = DETOUR_TRAMPOLINE_SIZE) { m_pbCode = pbCode; m_cbCode = cbCode; m_dwOldPerm = 0; m_hProcess = GetCurrentProcess(); if (m_pbCode && m_cbCode) { if (!FlushInstructionCache(m_hProcess, pbCode, cbCode)) { return; } if (!VirtualProtect(pbCode, cbCode, PAGE_EXECUTE_READWRITE, &m_dwOldPerm)) { return; } } } ~CDetourEnableWriteOnCodePage() { if (m_dwOldPerm && m_pbCode && m_cbCode) { DWORD dwTemp = 0; if (!FlushInstructionCache(m_hProcess, m_pbCode, m_cbCode)) { return; } if (!VirtualProtect(m_pbCode, m_cbCode, m_dwOldPerm, &dwTemp)) { return; } } } BOOL SetPermission(DWORD dwPerms) { if (m_dwOldPerm && m_pbCode && m_cbCode) { m_dwOldPerm = dwPerms; return TRUE; } return FALSE; } BOOL IsValid(VOID) { return m_pbCode && m_cbCode && m_dwOldPerm; } private: HANDLE m_hProcess; PBYTE m_pbCode; LONG m_cbCode; DWORD m_dwOldPerm; }; inline PBYTE DetourGenMovEax(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0xB8; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenMovEbx(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0xBB; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenMovEcx(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0xB9; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenMovEdx(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0xBA; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenMovEsi(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0xBE; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenMovEdi(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0xBF; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenMovEbp(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0xBD; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenMovEsp(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0xBC; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenPush(PBYTE pbCode, UINT32 nValue) { *pbCode++ = 0x68; *((UINT32*&)pbCode)++ = nValue; return pbCode; } inline PBYTE DetourGenPushad(PBYTE pbCode) { *pbCode++ = 0x60; return pbCode; } inline PBYTE DetourGenPopad(PBYTE pbCode) { *pbCode++ = 0x61; return pbCode; } inline PBYTE DetourGenJmp(PBYTE pbCode, PBYTE pbJmpDst, PBYTE pbJmpSrc = 0) { if (pbJmpSrc == 0) { pbJmpSrc = pbCode; } *pbCode++ = 0xE9; *((INT32*&)pbCode)++ = pbJmpDst - (pbJmpSrc + 5); return pbCode; } inline PBYTE DetourGenCall(PBYTE pbCode, PBYTE pbJmpDst, PBYTE pbJmpSrc = 0) { if (pbJmpSrc == 0) { pbJmpSrc = pbCode; } *pbCode++ = 0xE8; *((INT32*&)pbCode)++ = pbJmpDst - (pbJmpSrc + 5); return pbCode; } inline PBYTE DetourGenBreak(PBYTE pbCode) { *pbCode++ = 0xcc; return pbCode; } inline PBYTE DetourGenRet(PBYTE pbCode) { *pbCode++ = 0xc3; return pbCode; } inline PBYTE DetourGenNop(PBYTE pbCode) { *pbCode++ = 0x90; return pbCode; } #endif DETOURS_INTERAL #endif #endif