1627 lines
58 KiB
C++
1627 lines
58 KiB
C++
|
//========= Copyright <20> 1996-2002, Valve LLC, All rights reserved. ============
|
|||
|
//
|
|||
|
// Purpose: Actual code for our d3d main interface wrapper
|
|||
|
//
|
|||
|
// $NoKeywords: $
|
|||
|
//=============================================================================
|
|||
|
|
|||
|
#include "tier0/memdbgoff.h"
|
|||
|
|
|||
|
#include "winlite.h"
|
|||
|
typedef __int16 int16;
|
|||
|
typedef unsigned __int16 uint16;
|
|||
|
typedef __int32 int32;
|
|||
|
typedef unsigned __int32 uint32;
|
|||
|
typedef __int64 int64;
|
|||
|
typedef unsigned __int64 uint64;
|
|||
|
typedef char tchar;
|
|||
|
|
|||
|
#define DEBUG_ENABLE_ERROR_STREAM 0
|
|||
|
#define DEBUG_ENABLE_DETOUR_RECORDING 0
|
|||
|
|
|||
|
// Suppress having to include of tier0 Assert functions
|
|||
|
// #define DBG_H
|
|||
|
// #define Assert( ... ) ( (void) 0 )
|
|||
|
// #define Msg( ... ) ( (void) 0 )
|
|||
|
// #define AssertMsg( ... ) ( (void) 0 )
|
|||
|
// #define AssertMsg3( ... ) ( (void) 0 )
|
|||
|
|
|||
|
#include "tier0/basetypes.h"
|
|||
|
// #include "tier0/threadtools.h"
|
|||
|
#include "detourfunc.h"
|
|||
|
#include "disassembler.h"
|
|||
|
#include <map>
|
|||
|
#include <vector>
|
|||
|
#include <set>
|
|||
|
|
|||
|
|
|||
|
// Define this to do verbose logging of detoured calls
|
|||
|
//#define DEBUG_LOG_DETOURED_CALLS
|
|||
|
|
|||
|
#if DEBUG_ENABLE_ERROR_STREAM
|
|||
|
|
|||
|
// We dump error messages that we want the steam client to be able to read here
|
|||
|
#pragma pack( push, 1 )
|
|||
|
struct ErrorStreamMsg_t
|
|||
|
{
|
|||
|
uint32 unStrLen;
|
|||
|
char rgchError[1024];
|
|||
|
};
|
|||
|
#pragma pack( pop )
|
|||
|
CSharedMemStream *g_pDetourErrorStream = NULL;
|
|||
|
static inline void Log( char const *, ... ) {}
|
|||
|
|
|||
|
#else
|
|||
|
|
|||
|
#define Log( ... ) ( (void) 0 )
|
|||
|
|
|||
|
#endif
|
|||
|
|
|||
|
#pragma pack( push, 1 ) // very important as we use structs to pack asm instructions together
|
|||
|
// Structure that we pack ASM jump code into for hooking function calls
|
|||
|
typedef struct
|
|||
|
{
|
|||
|
BYTE m_JmpOpCode[2]; // 0xFF 0x25 = jmp ptr qword
|
|||
|
DWORD m_JumpPtrOffset; // offset to jump to the qword ptr (0)
|
|||
|
uint64 m_QWORDTarget; // address to jump to
|
|||
|
} JumpCodeDirectX64_t;
|
|||
|
|
|||
|
// This relative jump is valid in x64 and x86
|
|||
|
typedef struct
|
|||
|
{
|
|||
|
BYTE m_JmpOpCode; // 0xE9 = near jmp( dword )
|
|||
|
int32 m_JumpOffset; // offset to jump to
|
|||
|
} JumpCodeRelative_t;
|
|||
|
#pragma pack( pop )
|
|||
|
|
|||
|
// Structure to save information about hooked functions that we may need later (ie, for unhooking)
|
|||
|
#define MAX_HOOKED_FUNCTION_PREAMBLE_LENGTH 48
|
|||
|
typedef struct
|
|||
|
{
|
|||
|
BYTE *m_pFuncHookedAddr;
|
|||
|
BYTE *m_pTrampolineRealFunc;
|
|||
|
BYTE *m_pTrampolineEntryPoint;
|
|||
|
int32 m_nOriginalPreambleLength;
|
|||
|
BYTE m_rgOriginalPreambleCode[ MAX_HOOKED_FUNCTION_PREAMBLE_LENGTH ];
|
|||
|
} HookData_t;
|
|||
|
|
|||
|
class CDetourLock
|
|||
|
{
|
|||
|
public:
|
|||
|
CDetourLock()
|
|||
|
{
|
|||
|
InitializeCriticalSection( &m_cs );
|
|||
|
}
|
|||
|
~CDetourLock()
|
|||
|
{
|
|||
|
DeleteCriticalSection( &m_cs );
|
|||
|
}
|
|||
|
|
|||
|
void Lock()
|
|||
|
{
|
|||
|
EnterCriticalSection( &m_cs );
|
|||
|
}
|
|||
|
void Unlock()
|
|||
|
{
|
|||
|
LeaveCriticalSection( &m_cs );
|
|||
|
}
|
|||
|
|
|||
|
private:
|
|||
|
|
|||
|
CRITICAL_SECTION m_cs;
|
|||
|
|
|||
|
// Private and unimplemented to prevent copying
|
|||
|
CDetourLock( const CDetourLock& );
|
|||
|
CDetourLock& operator=( const CDetourLock& );
|
|||
|
};
|
|||
|
|
|||
|
class GetLock
|
|||
|
{
|
|||
|
public:
|
|||
|
GetLock( CDetourLock& lock )
|
|||
|
: m_lock( lock )
|
|||
|
{
|
|||
|
m_lock.Lock();
|
|||
|
}
|
|||
|
~GetLock()
|
|||
|
{
|
|||
|
m_lock.Unlock();
|
|||
|
}
|
|||
|
|
|||
|
private:
|
|||
|
GetLock( const GetLock& );
|
|||
|
GetLock& operator=( const GetLock& );
|
|||
|
|
|||
|
CDetourLock& m_lock;
|
|||
|
};
|
|||
|
|
|||
|
CDetourLock g_mapLock;
|
|||
|
|
|||
|
// todo: add marker here so we can find this from VAC
|
|||
|
// Set to keep track of all the functions we have hooked
|
|||
|
std::map<void *, HookData_t> g_mapHookedFunctions;
|
|||
|
|
|||
|
#if DEBUG_ENABLE_ERROR_STREAM
|
|||
|
// Set to keep track of functions we already reported failures hooking
|
|||
|
std::set<void * > g_mapAlreadyReportedDetourFailures;
|
|||
|
#endif
|
|||
|
|
|||
|
|
|||
|
// We need at most this many bytes in our allocated trampoline regions, see comments below on HookFunc:
|
|||
|
// - 14 (5 on x86) for jump to real detour address
|
|||
|
// - 32 for copied code (really should be less than this, 5-12?, but leave some space)
|
|||
|
// - 14 (5 on x86) for jump back into body of real function after copied code
|
|||
|
#define BYTES_FOR_TRAMPOLINE_ALLOCATION 64
|
|||
|
|
|||
|
// todo: add some way to find and interpret these from VAC
|
|||
|
// Tracking for allocated trampoline memory ready to be used by future hooks
|
|||
|
std::vector< void *> g_vecTrampolineRegionsReady;
|
|||
|
|
|||
|
std::vector< void *> g_vecTrampolinesAllocated;
|
|||
|
|
|||
|
std::set< const void * > g_setBlacklistedTrampolineSearchAddresses;
|
|||
|
|
|||
|
class CTrampolineRegionMutex
|
|||
|
{
|
|||
|
public:
|
|||
|
CTrampolineRegionMutex()
|
|||
|
{
|
|||
|
m_hMutex = ::CreateMutexA( NULL, FALSE, NULL );
|
|||
|
}
|
|||
|
|
|||
|
bool BLock( DWORD dwTimeout )
|
|||
|
{
|
|||
|
if( WaitForSingleObject( m_hMutex, dwTimeout ) != WAIT_OBJECT_0 )
|
|||
|
{
|
|||
|
return false;
|
|||
|
}
|
|||
|
return true;
|
|||
|
}
|
|||
|
|
|||
|
void Release()
|
|||
|
{
|
|||
|
ReleaseMutex( m_hMutex );
|
|||
|
}
|
|||
|
|
|||
|
private:
|
|||
|
HANDLE m_hMutex;
|
|||
|
|
|||
|
// Private and unimplemented to prevent copying
|
|||
|
CTrampolineRegionMutex( const CTrampolineRegionMutex& );
|
|||
|
CTrampolineRegionMutex& operator=( const CTrampolineRegionMutex& );
|
|||
|
};
|
|||
|
CTrampolineRegionMutex g_TrampolineRegionMutex;
|
|||
|
|
|||
|
|
|||
|
static inline DWORD GetSystemPageSize()
|
|||
|
{
|
|||
|
static DWORD dwSystemPageSize = 0;
|
|||
|
if ( !dwSystemPageSize )
|
|||
|
{
|
|||
|
SYSTEM_INFO sysInfo;
|
|||
|
::GetSystemInfo( &sysInfo );
|
|||
|
dwSystemPageSize = sysInfo.dwPageSize;
|
|||
|
Log( "System page size: %u\n", dwSystemPageSize );
|
|||
|
}
|
|||
|
return dwSystemPageSize;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Function to find an existing trampoline region we've allocated near
|
|||
|
// the area we need it.
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
BYTE * GetTrampolineRegionNearAddress( const void *pAddressToFindNear )
|
|||
|
{
|
|||
|
if ( !g_TrampolineRegionMutex.BLock( 1000 ) )
|
|||
|
Log( "Couldn't get trampoline region lock, will continue possibly unsafely.\n" );
|
|||
|
|
|||
|
BYTE *pTrampolineAddress = NULL;
|
|||
|
|
|||
|
// First, see if we can find a trampoline address to use in range in our already allocated set
|
|||
|
std::vector<void *>::iterator iter;
|
|||
|
for( iter = g_vecTrampolineRegionsReady.begin(); iter != g_vecTrampolineRegionsReady.end(); ++iter )
|
|||
|
{
|
|||
|
int64 qwAddress = (int64)(*iter);
|
|||
|
int64 qwOffset = qwAddress - (int64)pAddressToFindNear;
|
|||
|
if ( qwOffset < 0 && qwOffset > LONG_MIN || qwOffset > 0 && qwOffset+BYTES_FOR_TRAMPOLINE_ALLOCATION < LONG_MAX )
|
|||
|
{
|
|||
|
pTrampolineAddress = (BYTE*)qwAddress;
|
|||
|
//Log( "Using already allocated trampoline block at %I64d, distance is %I64d\n", qwAddress, qwOffset );
|
|||
|
g_vecTrampolineRegionsReady.erase( iter );
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
g_TrampolineRegionMutex.Release();
|
|||
|
|
|||
|
return pTrampolineAddress;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Return trampoline address for use, maybe we failed detours and didn't end up using
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void ReturnTrampolineAddress( BYTE *pTrampolineAddress )
|
|||
|
{
|
|||
|
if ( !g_TrampolineRegionMutex.BLock( 1000 ) )
|
|||
|
Log( "Couldn't get trampoline region lock, will continue possibly unsafely.\n" );
|
|||
|
|
|||
|
g_vecTrampolineRegionsReady.push_back( pTrampolineAddress );
|
|||
|
|
|||
|
g_TrampolineRegionMutex.Release();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Function to allocate new trampoline regions near a target address, call
|
|||
|
// only if GetTrampolineRegionNearAddress doesn't return you any existing region to use.
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void AllocateNewTrampolineRegionsNearAddress( const void *pAddressToAllocNear )
|
|||
|
{
|
|||
|
if ( !g_TrampolineRegionMutex.BLock( 1000 ) )
|
|||
|
Log( "Couldn't get trampoline region lock, will continue possibly unsafely.\n" );
|
|||
|
|
|||
|
// Check we didn't blacklist trying to allocate regions near this address because no memory could be found already,
|
|||
|
// otherwise we can keep trying and trying and perf is awful
|
|||
|
if ( g_setBlacklistedTrampolineSearchAddresses.find( pAddressToAllocNear ) != g_setBlacklistedTrampolineSearchAddresses.end() )
|
|||
|
{
|
|||
|
g_TrampolineRegionMutex.Release();
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
// Get handle to process
|
|||
|
HANDLE hProc = GetCurrentProcess();
|
|||
|
|
|||
|
// First, need to know system page size, determine now if we haven't before
|
|||
|
DWORD dwSystemPageSize = GetSystemPageSize();
|
|||
|
|
|||
|
BYTE * pTrampolineAddress = NULL;
|
|||
|
if ( pAddressToAllocNear == NULL )
|
|||
|
{
|
|||
|
//Log( "Allocating trampoline page at random location\n" );
|
|||
|
pTrampolineAddress = (BYTE *)VirtualAllocEx( hProc, NULL, dwSystemPageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
|
|||
|
if ( !pTrampolineAddress )
|
|||
|
{
|
|||
|
Log ( "Failed allocating memory during hooking: %d\n", GetLastError() );
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
g_vecTrampolinesAllocated.push_back( pTrampolineAddress );
|
|||
|
}
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
//Log( "Allocating trampoline page at targeted location\n" );
|
|||
|
|
|||
|
// Ok, we'll search for the closest page that is free and within +/- 2 gigs from our code.
|
|||
|
int64 qwPageToOffsetFrom = (int64)pAddressToAllocNear - ( (int64)pAddressToAllocNear % dwSystemPageSize );
|
|||
|
|
|||
|
int64 qwPageToTryNegative = qwPageToOffsetFrom - dwSystemPageSize;
|
|||
|
int64 qwPageToTryPositive = qwPageToOffsetFrom + dwSystemPageSize;
|
|||
|
|
|||
|
bool bLoggedFailures = false;
|
|||
|
|
|||
|
while ( !pTrampolineAddress )
|
|||
|
{
|
|||
|
int64 *pqwPageToTry;
|
|||
|
bool bDirectionPositive = false;
|
|||
|
if ( qwPageToOffsetFrom - qwPageToTryNegative < qwPageToTryPositive - qwPageToOffsetFrom )
|
|||
|
{
|
|||
|
pqwPageToTry = &qwPageToTryNegative;
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
pqwPageToTry = &qwPageToTryPositive;
|
|||
|
bDirectionPositive = true;
|
|||
|
}
|
|||
|
|
|||
|
//Log( "Real func at: %I64d, checking %I64d\n", (int64)pFuncToHook, (*pqwPageToTry) );
|
|||
|
MEMORY_BASIC_INFORMATION memInfo;
|
|||
|
if ( !VirtualQuery( (void *)(*pqwPageToTry), &memInfo, sizeof( memInfo ) ) )
|
|||
|
{
|
|||
|
if ( !bLoggedFailures )
|
|||
|
{
|
|||
|
Log( "VirtualQuery failures\n" );
|
|||
|
bLoggedFailures = true;
|
|||
|
}
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
if ( memInfo.State == MEM_FREE )
|
|||
|
{
|
|||
|
pTrampolineAddress = (BYTE *)VirtualAllocEx( hProc, (void*)(*pqwPageToTry), dwSystemPageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
|
|||
|
if ( !pTrampolineAddress )
|
|||
|
{
|
|||
|
// Skip this page, another thread may have alloced it while we tried or something, just find the next usuable one
|
|||
|
if ( bDirectionPositive )
|
|||
|
qwPageToTryPositive += dwSystemPageSize;
|
|||
|
else
|
|||
|
qwPageToTryNegative -= dwSystemPageSize;
|
|||
|
continue;
|
|||
|
}
|
|||
|
g_vecTrampolinesAllocated.push_back( pTrampolineAddress );
|
|||
|
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
// Increment page and try again, we can skip ahead RegionSize bytes because
|
|||
|
// we know all pages in that region have identical info.
|
|||
|
if ( bDirectionPositive )
|
|||
|
qwPageToTryPositive += memInfo.RegionSize;
|
|||
|
else
|
|||
|
qwPageToTryNegative -= memInfo.RegionSize;
|
|||
|
|
|||
|
if ( qwPageToTryPositive + dwSystemPageSize >= (int64)pAddressToAllocNear + LONG_MAX
|
|||
|
&& qwPageToTryNegative <= (int64)pAddressToAllocNear - LONG_MIN )
|
|||
|
{
|
|||
|
Log ( "Could not find page for trampoline in +/- 2GB range of function to hook\n" );
|
|||
|
g_setBlacklistedTrampolineSearchAddresses.insert( pAddressToAllocNear );
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
// If we succeeded allocating a trampoline page, then track the extra pages for later use
|
|||
|
if ( pTrampolineAddress )
|
|||
|
{
|
|||
|
// Track the extra space in the page for future use
|
|||
|
BYTE *pNextTrampolineAddress = pTrampolineAddress;
|
|||
|
while ( pNextTrampolineAddress <= pTrampolineAddress+dwSystemPageSize-BYTES_FOR_TRAMPOLINE_ALLOCATION )
|
|||
|
{
|
|||
|
g_vecTrampolineRegionsReady.push_back( pNextTrampolineAddress );
|
|||
|
pNextTrampolineAddress += BYTES_FOR_TRAMPOLINE_ALLOCATION;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
g_TrampolineRegionMutex.Release();
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: RegregisterTrampolines
|
|||
|
// when we first allocated these trampolines, our VirtualAlloc/Protect
|
|||
|
// monitoring wasnt set up, just re-protect them and that will get them
|
|||
|
// recorded so we know they are ours
|
|||
|
// could use this code to remove write permission from them
|
|||
|
// except that we will redo a bunch of hooking on library load ( PerformHooking )
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void RegregisterTrampolines()
|
|||
|
{
|
|||
|
if ( !g_TrampolineRegionMutex.BLock( 1000 ) )
|
|||
|
Log( "Couldn't get trampoline region lock, will continue possibly unsafely.\n" );
|
|||
|
|
|||
|
// First, need to know system page size, determine now if we haven't before
|
|||
|
DWORD dwSystemPageSize = GetSystemPageSize();
|
|||
|
|
|||
|
std::vector<void *>::iterator iter;
|
|||
|
for( iter = g_vecTrampolinesAllocated.begin(); iter != g_vecTrampolinesAllocated.end(); ++iter )
|
|||
|
{
|
|||
|
DWORD flOldProtect;
|
|||
|
VirtualProtect( *iter, dwSystemPageSize, PAGE_EXECUTE_READWRITE, &flOldProtect );
|
|||
|
}
|
|||
|
|
|||
|
g_TrampolineRegionMutex.Release();
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Check if a given address range is fully covered by executable pages
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
static bool BIsAddressRangeExecutable( const void *pAddress, size_t length )
|
|||
|
{
|
|||
|
MEMORY_BASIC_INFORMATION memInfo;
|
|||
|
if ( !VirtualQuery( (const void *)pAddress, &memInfo, sizeof( memInfo ) ) )
|
|||
|
return false;
|
|||
|
|
|||
|
if ( memInfo.State != MEM_COMMIT )
|
|||
|
return false;
|
|||
|
|
|||
|
if ( memInfo.Protect != PAGE_EXECUTE && memInfo.Protect != PAGE_EXECUTE_READ &&
|
|||
|
memInfo.Protect != PAGE_EXECUTE_READWRITE && memInfo.Protect != PAGE_EXECUTE_WRITECOPY )
|
|||
|
{
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
uintp lastAddress = (uintp)pAddress + length - 1;
|
|||
|
uintp lastInRegion = (uintp)memInfo.BaseAddress + memInfo.RegionSize - 1;
|
|||
|
if ( lastAddress <= lastInRegion )
|
|||
|
return true;
|
|||
|
|
|||
|
// Start of this address range is executable. But what about subsequent regions?
|
|||
|
return BIsAddressRangeExecutable( (const void*)(lastInRegion + 1), lastAddress - lastInRegion );
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Hook a function (at pRealFunctionAddr) causing calls to it to instead call
|
|||
|
// our own function at pHookFunctionAddr. We'll return a pointer to code that can be
|
|||
|
// called as the original function by our hook code and will have the original unhooked
|
|||
|
// behavior.
|
|||
|
//
|
|||
|
// The nJumpsToFolowBeforeHooking parameter determines what we will do if we find an E9
|
|||
|
// or FF 25 jmp instruction at the beginning of the code to hook. This probably means the
|
|||
|
// function is already hooked. We support both hooking the original address and chaining
|
|||
|
// to the old hook then, or alternatively following the jump and hooking it's target. Sometimes
|
|||
|
// this follow then hook is preferable because other hook code may not chain nicely and may
|
|||
|
// overwrite our hook if we try to put it first (ie, FRAPS & ATI Tray Tools from Guru3d)
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
#pragma warning( push )
|
|||
|
#pragma warning( disable : 4127 ) // conditional expression is constant, from sizeof( intp ) checks
|
|||
|
|
|||
|
static bool HookFuncInternal( BYTE *pRealFunctionAddr, const BYTE *pHookFunctionAddr, void ** ppRealFunctionAdr, BYTE **ppTrampolineAddressToReturn, int nJumpsToFollowBeforeHooking );
|
|||
|
|
|||
|
void * HookFunc( BYTE *pRealFunctionAddr, const BYTE *pHookFunctionAddr, int nJumpsToFollowBeforeHooking /* = 0 */ )
|
|||
|
{
|
|||
|
void *pTrampolineAddr = NULL;
|
|||
|
if ( !HookFuncSafe( pRealFunctionAddr, pHookFunctionAddr, (void **)&pTrampolineAddr, nJumpsToFollowBeforeHooking ) )
|
|||
|
return NULL;
|
|||
|
|
|||
|
return pTrampolineAddr;
|
|||
|
}
|
|||
|
|
|||
|
bool HookFuncSafe( BYTE *pRealFunctionAddr, const BYTE *pHookFunctionAddr, void ** ppRealFunctionAdr, int nJumpsToFollowBeforeHooking /* = 0 */ )
|
|||
|
{
|
|||
|
// If hook setting fails, then the trampoline is not being used, and can be returned to our pool
|
|||
|
BYTE *pTrampolineAddressToReturn = NULL;
|
|||
|
bool bRet = HookFuncInternal( pRealFunctionAddr, pHookFunctionAddr, ppRealFunctionAdr, &pTrampolineAddressToReturn, nJumpsToFollowBeforeHooking );
|
|||
|
|
|||
|
if ( pTrampolineAddressToReturn )
|
|||
|
{
|
|||
|
ReturnTrampolineAddress( pTrampolineAddressToReturn );
|
|||
|
}
|
|||
|
|
|||
|
return bRet;
|
|||
|
}
|
|||
|
|
|||
|
// We detour with the following setup:
|
|||
|
//
|
|||
|
// 1) Allocate some memory within 2G range from the function we are detouring (we search with VirtualQuery to find where to alloc)
|
|||
|
// 2) Place a relative jump E9 opcode (only 5 bytes) at the beginning of the original function to jump to our allocated memory
|
|||
|
// 3) At the start of our allocated memory we place an absolute jump (FF 25, 6 bytes on x86, 14 on x64 because instead of being
|
|||
|
// an absolute dword ptr, it has a relative offset to a qword ptr). This jump goes to our hook function we are detouring to,
|
|||
|
// the E9 at the start of the original function jumps to this, then this goes to the real function which may be more than 2G away.
|
|||
|
// 4) We copy the original 5 bytes + slop for opcode boundaries into the remaining space in our allocated region, after that we place a FF 25 jump
|
|||
|
// jump back to the original function 6 bytes in (or a little more if the opcodes didn't have a boundary at 5 bytes).
|
|||
|
// 5) We return a ptr to the original 5 bytes we copied's new address and that is the "real function ptr" that our hook function can call
|
|||
|
// to call the original implementation.
|
|||
|
//
|
|||
|
// This method is good because it works with just 5 bytes overwritten in the original function on both x86 and x64, the only tricky part
|
|||
|
// is that we have to search for a page we can allocate within 2 gigabytes of the function address and if we can't find one we can fail
|
|||
|
// (which would only happen on x64, and doesn't really happen in practice). If it did start to happen more we could fallback to trying to
|
|||
|
// put the full 14 byte FF 25 x64 jmp at the start of the function, but many functions are too short or make calls that can't be easily relocated,
|
|||
|
// or have other code jumping into them at less than 14 bytes, so thats not very safe.
|
|||
|
static bool HookFuncInternal( BYTE *pRealFunctionAddr, const BYTE *pHookFunctionAddr, void ** ppRealFunctionAdr, BYTE **ppTrampolineAddressToReturn, int nJumpsToFollowBeforeHooking )
|
|||
|
{
|
|||
|
if ( !pRealFunctionAddr )
|
|||
|
{
|
|||
|
Log( "Aborting HookFunc because pRealFunctionAddr is null\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
if ( !pHookFunctionAddr )
|
|||
|
{
|
|||
|
Log( "Aborting HookFunc because pHookFunctionAddr is null\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
// Make sure we aren't double-hooking a function, in case someone else installed a hook
|
|||
|
// after ours which made us think that our hook was removed when it was really just relocated.
|
|||
|
// UnhookFunc will short-circuit the trampoline and bypass our old hook even if it can't
|
|||
|
// fully undo the jump into our trampoline code.
|
|||
|
UnhookFunc( pRealFunctionAddr, false /*bLogFailures*/ );
|
|||
|
|
|||
|
HANDLE hProc = GetCurrentProcess();
|
|||
|
BYTE *pFuncToHook = pRealFunctionAddr;
|
|||
|
|
|||
|
// See if there is already a hook in place on this code and we have been instructed to follow it and hook
|
|||
|
// the target instead.
|
|||
|
while( nJumpsToFollowBeforeHooking > 0 )
|
|||
|
{
|
|||
|
if ( pFuncToHook[0] == 0xEB )
|
|||
|
{
|
|||
|
int8 * pOffset = (int8 *)(pFuncToHook + 1);
|
|||
|
pFuncToHook = (BYTE*)((intp)pFuncToHook + 2 + *pOffset);
|
|||
|
}
|
|||
|
else if ( pFuncToHook[0] == 0xE9 )
|
|||
|
{
|
|||
|
// Make sure the hook isn't pointing at the same place we are going to detour to (which would mean we've already hooked)
|
|||
|
int32 * pOffset = (int32 *)(pFuncToHook+1);
|
|||
|
pFuncToHook = (BYTE*)((intp)pFuncToHook + 5 + *pOffset);
|
|||
|
}
|
|||
|
#ifdef _WIN64
|
|||
|
else if ( pFuncToHook[0] == 0xFF && pFuncToHook[1] == 0x25 )
|
|||
|
{
|
|||
|
|
|||
|
// On x64 we have a signed 32-bit relative offset to an absolute qword ptr
|
|||
|
int32 * pOffset = (int32 *)(pFuncToHook+2);
|
|||
|
intp *pTarget = (intp*)(pFuncToHook + 6 + *pOffset);
|
|||
|
pFuncToHook = (BYTE*)*pTarget;
|
|||
|
}
|
|||
|
#endif
|
|||
|
else
|
|||
|
{
|
|||
|
// Done, no more chained jumps
|
|||
|
break;
|
|||
|
}
|
|||
|
|
|||
|
--nJumpsToFollowBeforeHooking;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
// If the function pointer isn't marked as executable code, or there isn't enough room for our jump, warn
|
|||
|
if ( !BIsAddressRangeExecutable( pFuncToHook, sizeof( JumpCodeRelative_t ) ) )
|
|||
|
{
|
|||
|
Log( "Warning: hook target starting at %#p covers a non-executable page\n", (void*)pFuncToHook );
|
|||
|
// non-fatal, as system may not be enforcing Data Execution Prevention / hardware NX-bit.
|
|||
|
}
|
|||
|
|
|||
|
// Special blacklist: if the function begins with an unconditional 2-byte jump, it is unhookable!
|
|||
|
// If this becomes necessary, we could follow the jump to see where it goes, and hook there instead.
|
|||
|
if ( (BYTE) pFuncToHook[0] == 0xEB )
|
|||
|
{
|
|||
|
Log( "Warning: hook target starting at %#p begins with uncoditional 2-byte jump, skipping\n", (void*)pFuncToHook );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
// This struct will get reused a bunch to compose jumps
|
|||
|
JumpCodeRelative_t sRelativeJumpCode;
|
|||
|
sRelativeJumpCode.m_JmpOpCode = 0xE9;
|
|||
|
//sRelativeJumpCode.m_JumpOffset = ...;
|
|||
|
|
|||
|
// On X64, we use this struct for jumps > +/-2GB
|
|||
|
JumpCodeDirectX64_t sDirectX64JumpCode;
|
|||
|
sDirectX64JumpCode.m_JmpOpCode[0] = 0xFF;
|
|||
|
sDirectX64JumpCode.m_JmpOpCode[1] = 0x25;
|
|||
|
sDirectX64JumpCode.m_JumpPtrOffset = 0;
|
|||
|
//sDirectX64JumpCode.m_QWORDTarget = ...;
|
|||
|
|
|||
|
// We need to figure out if we recognize the preamble for the
|
|||
|
// current function so we can match it up with a good hook code length
|
|||
|
int32 nHookCodeLength = 0;
|
|||
|
BYTE *pOpcode = pFuncToHook;
|
|||
|
bool bParsedRETOpcode = false;
|
|||
|
|
|||
|
BYTE rgCopiedCode[ MAX_HOOKED_FUNCTION_PREAMBLE_LENGTH ];
|
|||
|
|
|||
|
// we just need a minimum of 5 bytes for our hook code
|
|||
|
while ( nHookCodeLength < sizeof( JumpCodeRelative_t ) )
|
|||
|
{
|
|||
|
int nLength;
|
|||
|
EOpCodeOffsetType eOffsetType;
|
|||
|
bool bKnown = ParseOpcode( pOpcode, nLength, eOffsetType );
|
|||
|
|
|||
|
if ( bKnown )
|
|||
|
{
|
|||
|
// Make sure that if we hook a RET, it is the last byte, or followed by only INT 3 or NOP
|
|||
|
// inter-function padding. If this causes hooks to fail, then we need to be smarter
|
|||
|
// about examining relative jumps to determine the boundaries of the function, so
|
|||
|
// that we know if the RET is an early-out and the function continues onward or not.
|
|||
|
// We are trying hard to avoid overwriting the start of another function, in case
|
|||
|
// the target function is very small and there is no padding afterwards.
|
|||
|
if ( bParsedRETOpcode && *pOpcode != 0xCC && *pOpcode != 0x90 )
|
|||
|
{
|
|||
|
Log( "Warning: hook target starting at %#p contains early RET\n", (void*)pFuncToHook );
|
|||
|
// fall through to expanded error reporting below by setting bKnown to false
|
|||
|
bKnown = false;
|
|||
|
}
|
|||
|
|
|||
|
if ( *pOpcode == 0xC3 || *pOpcode == 0xC2 )
|
|||
|
{
|
|||
|
bParsedRETOpcode = true;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
if ( !bKnown ||
|
|||
|
( eOffsetType != k_ENoRelativeOffsets && eOffsetType != k_EDWORDOffsetAtByteTwo && eOffsetType != k_EDWORDOffsetAtByteThree
|
|||
|
&& eOffsetType != k_EBYTEOffsetAtByteTwo && eOffsetType != k_EDWORDOffsetAtByteFour ) )
|
|||
|
{
|
|||
|
#if DEBUG_ENABLE_ERROR_STREAM
|
|||
|
bool bAlreadyReported = true;
|
|||
|
{
|
|||
|
GetLock getLock( g_mapLock );
|
|||
|
if ( g_mapAlreadyReportedDetourFailures.find( pFuncToHook ) == g_mapAlreadyReportedDetourFailures.end() )
|
|||
|
{
|
|||
|
bAlreadyReported = false;
|
|||
|
g_mapAlreadyReportedDetourFailures.insert( pFuncToHook );
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
ErrorStreamMsg_t msg;
|
|||
|
_snprintf( msg.rgchError, sizeof( msg.rgchError ), "Unknown opcodes for %s at %d bytes for func %#p: %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X\n",
|
|||
|
#ifdef _WIN64
|
|||
|
"AMD64",
|
|||
|
#else
|
|||
|
"X86",
|
|||
|
#endif
|
|||
|
nHookCodeLength,
|
|||
|
pFuncToHook,
|
|||
|
pFuncToHook[0], pFuncToHook[1], pFuncToHook[2], pFuncToHook[3],
|
|||
|
pFuncToHook[4], pFuncToHook[5], pFuncToHook[6], pFuncToHook[7],
|
|||
|
pFuncToHook[8], pFuncToHook[9], pFuncToHook[10], pFuncToHook[11],
|
|||
|
pFuncToHook[12], pFuncToHook[13], pFuncToHook[14], pFuncToHook[15]
|
|||
|
);
|
|||
|
|
|||
|
Log( msg.rgchError );
|
|||
|
|
|||
|
if ( !bAlreadyReported )
|
|||
|
{
|
|||
|
|
|||
|
msg.unStrLen = (uint32)strlen( msg.rgchError );
|
|||
|
if ( !g_pDetourErrorStream )
|
|||
|
g_pDetourErrorStream = new CSharedMemStream( "GameOverlayRender_DetourErrorStream", SHMEMSTREAM_SIZE_ONE_KBYTE*32, 50 );
|
|||
|
|
|||
|
g_pDetourErrorStream->Put( &msg, sizeof( msg.unStrLen ) + msg.unStrLen );
|
|||
|
}
|
|||
|
#endif
|
|||
|
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
// make sure we have enough room, we should always have enough unless an opcode is huge!
|
|||
|
if ( sizeof( rgCopiedCode ) - nHookCodeLength - nLength < 0 )
|
|||
|
{
|
|||
|
Log( "Not enough room to copy function preamble\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
// Copy the bytes into our local buffer
|
|||
|
memcpy( &rgCopiedCode[ nHookCodeLength ], pOpcode, nLength );
|
|||
|
|
|||
|
pOpcode += nLength;
|
|||
|
nHookCodeLength += nLength;
|
|||
|
}
|
|||
|
|
|||
|
// We only account for a max of 32 bytes that needs relocating in our allocated trampoline area
|
|||
|
// if we are over that complain and fail, should never hit this
|
|||
|
if ( nHookCodeLength > MAX_HOOKED_FUNCTION_PREAMBLE_LENGTH )
|
|||
|
{
|
|||
|
Log( "Copied more than MAX_HOOKED_FUNCTION_PREAMBLE_LENGTH bytes to make room for E9 jmp of 5 bytes? Bad opcode parsing?\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
// We need to find/allocate a region for our trampoline that is within +/-2GB of the function we are hooking.
|
|||
|
BYTE *pTrampolineAddress = GetTrampolineRegionNearAddress( pFuncToHook );
|
|||
|
if ( !pTrampolineAddress )
|
|||
|
{
|
|||
|
AllocateNewTrampolineRegionsNearAddress( pFuncToHook );
|
|||
|
pTrampolineAddress = GetTrampolineRegionNearAddress( pFuncToHook );
|
|||
|
}
|
|||
|
// Total failure at this point, couldn't allocate memory close enough.
|
|||
|
if ( !pTrampolineAddress )
|
|||
|
{
|
|||
|
Log( "Error allocating trampoline memory (no memory within +/-2gb? prior failures?)\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
// Store the trampoline address to output parameter so caller can clean up on failure
|
|||
|
*ppTrampolineAddressToReturn = pTrampolineAddress;
|
|||
|
|
|||
|
|
|||
|
// Save the original function preamble so we can restore it later
|
|||
|
HookData_t SavedData;
|
|||
|
memcpy( SavedData.m_rgOriginalPreambleCode, rgCopiedCode, MAX_HOOKED_FUNCTION_PREAMBLE_LENGTH );
|
|||
|
SavedData.m_nOriginalPreambleLength = nHookCodeLength;
|
|||
|
SavedData.m_pFuncHookedAddr = pFuncToHook;
|
|||
|
SavedData.m_pTrampolineRealFunc = NULL;
|
|||
|
SavedData.m_pTrampolineEntryPoint = NULL;
|
|||
|
|
|||
|
// Now fixup any relative offsets in our copied code to account for the new relative base pointer,
|
|||
|
// since the copied code will be executing from the trampoline area instead of its original location
|
|||
|
int nFixupPosition = 0;
|
|||
|
while( nFixupPosition < nHookCodeLength )
|
|||
|
{
|
|||
|
int nLength;
|
|||
|
EOpCodeOffsetType eOffsetType;
|
|||
|
bool bKnown = ParseOpcode( &rgCopiedCode[nFixupPosition], nLength, eOffsetType );
|
|||
|
|
|||
|
if ( !bKnown ||
|
|||
|
( eOffsetType != k_ENoRelativeOffsets && eOffsetType != k_EDWORDOffsetAtByteTwo && eOffsetType != k_EDWORDOffsetAtByteThree
|
|||
|
&& eOffsetType != k_EBYTEOffsetAtByteTwo && eOffsetType != k_EDWORDOffsetAtByteFour ) )
|
|||
|
{
|
|||
|
Log( "Failed parsing copied bytes during detour -- shouldn't happen as this is a second pass: position %d\n"
|
|||
|
"%02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X\n", nFixupPosition,
|
|||
|
rgCopiedCode[0], rgCopiedCode[1], rgCopiedCode[2], rgCopiedCode[3],
|
|||
|
rgCopiedCode[4], rgCopiedCode[5], rgCopiedCode[6], rgCopiedCode[7],
|
|||
|
rgCopiedCode[8], rgCopiedCode[9], rgCopiedCode[10], rgCopiedCode[11],
|
|||
|
rgCopiedCode[12], rgCopiedCode[13], rgCopiedCode[14], rgCopiedCode[15],
|
|||
|
rgCopiedCode[16], rgCopiedCode[17], rgCopiedCode[18], rgCopiedCode[19] );
|
|||
|
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
// If there is a relative offset, we need to fix it up according to how far we moved the code
|
|||
|
int iPositionOfDWORDFixup = -1;
|
|||
|
switch ( eOffsetType )
|
|||
|
{
|
|||
|
case k_ENoRelativeOffsets:
|
|||
|
break;
|
|||
|
|
|||
|
case k_EDWORDOffsetAtByteTwo:
|
|||
|
iPositionOfDWORDFixup = 1;
|
|||
|
break;
|
|||
|
|
|||
|
case k_EDWORDOffsetAtByteThree:
|
|||
|
iPositionOfDWORDFixup = 2;
|
|||
|
break;
|
|||
|
|
|||
|
case k_EDWORDOffsetAtByteFour:
|
|||
|
iPositionOfDWORDFixup = 3;
|
|||
|
break;
|
|||
|
|
|||
|
case k_EBYTEOffsetAtByteTwo:
|
|||
|
// We need explicit knowledge of the opcode here so that we can convert it to DWORD-offset form
|
|||
|
if ( (BYTE)rgCopiedCode[nFixupPosition] == 0xEB && nLength == 2 )
|
|||
|
{
|
|||
|
if ( nHookCodeLength + 3 > MAX_HOOKED_FUNCTION_PREAMBLE_LENGTH )
|
|||
|
{
|
|||
|
Log( "Can't fixup EB jmp because there isn't enough room to expand to E9 jmp\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
rgCopiedCode[nFixupPosition] = 0xE9;
|
|||
|
memmove( &rgCopiedCode[nFixupPosition + 5], &rgCopiedCode[nFixupPosition + 2], nHookCodeLength - nFixupPosition - 2 );
|
|||
|
|
|||
|
// Expand from 8-bit signed offset to 32-bit signed offset, and remember it for address fixup below
|
|||
|
// (subtract 3 from offset to account for additional length of the replacement JMP instruction)
|
|||
|
int32 iOffset = (int8) rgCopiedCode[nFixupPosition + 1] - 3;
|
|||
|
memcpy( &rgCopiedCode[nFixupPosition + 1], &iOffset, 4 );
|
|||
|
iPositionOfDWORDFixup = 1;
|
|||
|
|
|||
|
// This opcode and the total amount of copied data grew by 3 bytes
|
|||
|
nLength += 3;
|
|||
|
nHookCodeLength += 3;
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
Log( "Opcode %x of type k_EBYTEOffsetAtByteTwo can't be converted to larger relative address\n", rgCopiedCode[nFixupPosition] );
|
|||
|
return false;
|
|||
|
}
|
|||
|
break;
|
|||
|
default:
|
|||
|
Log( "Unknown opcode relative-offset enum value %d\n", (int)eOffsetType );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
if ( iPositionOfDWORDFixup != -1 )
|
|||
|
{
|
|||
|
int32 iOffset;
|
|||
|
memcpy( &iOffset, &rgCopiedCode[ nFixupPosition + iPositionOfDWORDFixup ], 4 );
|
|||
|
|
|||
|
intp iNewOffset = iOffset + (intp)pFuncToHook - (intp)pTrampolineAddress;
|
|||
|
iOffset = (int32)iNewOffset;
|
|||
|
// On 32-bit platforms, 32-bit relative mode can reach any valid address.
|
|||
|
// On 64-bit platforms, 32-bit relative mode can only reach addresses +/- 2GB.
|
|||
|
if ( sizeof(intp) > sizeof(int32) && (intp)iOffset != iNewOffset )
|
|||
|
{
|
|||
|
Log( "Can't relocate and adjust offset because offset is too big after relocation.\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
memcpy( &rgCopiedCode[ nFixupPosition + iPositionOfDWORDFixup ], &iOffset, 4 );
|
|||
|
}
|
|||
|
|
|||
|
nFixupPosition += nLength;
|
|||
|
}
|
|||
|
|
|||
|
// Copy out the original code to our allocated memory to save it, keep track of original trampoline beginning
|
|||
|
BYTE *pBeginTrampoline = pTrampolineAddress;
|
|||
|
SavedData.m_pTrampolineRealFunc = pTrampolineAddress;
|
|||
|
|
|||
|
memcpy( pTrampolineAddress, rgCopiedCode, nHookCodeLength );
|
|||
|
pTrampolineAddress += nHookCodeLength; // move pointer forward past copied code
|
|||
|
|
|||
|
// Place a jump at the end of the copied code to jump back to the rest of the post-hook function body
|
|||
|
intp lJumpTarget = (intp)pFuncToHook + nHookCodeLength;
|
|||
|
intp lJumpInstruction = (intp)pTrampolineAddress;
|
|||
|
intp lJumpOffset = lJumpTarget - lJumpInstruction - sizeof( JumpCodeRelative_t );
|
|||
|
sRelativeJumpCode.m_JumpOffset = (int32)lJumpOffset;
|
|||
|
|
|||
|
// On 64-bit platforms, 32-bit relative addressing can only reach addresses +/- 2GB.
|
|||
|
if ( sizeof(intp) > sizeof(int32) && (intp)sRelativeJumpCode.m_JumpOffset != lJumpOffset )
|
|||
|
{
|
|||
|
// Use a direct 64-bit jump instead
|
|||
|
sDirectX64JumpCode.m_QWORDTarget = lJumpTarget;
|
|||
|
memcpy( pTrampolineAddress, &sDirectX64JumpCode, sizeof( JumpCodeDirectX64_t ) );
|
|||
|
pTrampolineAddress += sizeof( JumpCodeDirectX64_t );
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
memcpy( pTrampolineAddress, &sRelativeJumpCode, sizeof( JumpCodeRelative_t ) );
|
|||
|
pTrampolineAddress += sizeof( JumpCodeRelative_t );
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
// Ok, now write the other half of the trampoline, which is the entry point that we will make the
|
|||
|
// hooked function jump to. This will in turn jump into our hook function, which may then call the
|
|||
|
// original function bytes that we relocated into the start of the trampoline.
|
|||
|
SavedData.m_pTrampolineEntryPoint = pTrampolineAddress;
|
|||
|
BYTE *pIntermediateJumpLocation = pTrampolineAddress;
|
|||
|
|
|||
|
lJumpTarget = (intp)pHookFunctionAddr;
|
|||
|
lJumpInstruction = (intp)pIntermediateJumpLocation;
|
|||
|
lJumpOffset = lJumpTarget - lJumpInstruction - sizeof( JumpCodeRelative_t );
|
|||
|
sRelativeJumpCode.m_JumpOffset = (int32)lJumpOffset;
|
|||
|
|
|||
|
if ( sizeof(intp) > sizeof(int32) && (intp)sRelativeJumpCode.m_JumpOffset != lJumpOffset )
|
|||
|
{
|
|||
|
sDirectX64JumpCode.m_QWORDTarget = lJumpTarget;
|
|||
|
memcpy( pTrampolineAddress, &sDirectX64JumpCode, sizeof( JumpCodeDirectX64_t ) );
|
|||
|
pTrampolineAddress += sizeof( JumpCodeDirectX64_t );
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
memcpy( pTrampolineAddress, &sRelativeJumpCode, sizeof( JumpCodeRelative_t ) );
|
|||
|
pTrampolineAddress += sizeof( JumpCodeRelative_t );
|
|||
|
}
|
|||
|
|
|||
|
// Now flush instruction cache to ensure the processor detects the changed memory.
|
|||
|
FlushInstructionCache( hProc, pBeginTrampoline, pTrampolineAddress - pBeginTrampoline );
|
|||
|
|
|||
|
|
|||
|
// Trampoline is done; write jump-into-trampoline over the original function body
|
|||
|
lJumpTarget = (intp)pIntermediateJumpLocation;
|
|||
|
lJumpInstruction = (intp)pFuncToHook;
|
|||
|
lJumpOffset = lJumpTarget - lJumpInstruction - sizeof( JumpCodeRelative_t );
|
|||
|
sRelativeJumpCode.m_JumpOffset = (int32)lJumpOffset;
|
|||
|
|
|||
|
if ( sizeof(intp) > sizeof(int32) && (intp)sRelativeJumpCode.m_JumpOffset != lJumpOffset )
|
|||
|
{
|
|||
|
// Shouldn't ever hit this, since we explicitly found an address to place the intermediate
|
|||
|
// trampoline which was close enough.
|
|||
|
Log( "Warning: Jump from function to intermediate trampoline is too far! Shouldn't happen." );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
// Jump is prepared for writing, now adjust virtual protection and overwrite the function start
|
|||
|
|
|||
|
DWORD dwSystemPageSize = GetSystemPageSize();
|
|||
|
|
|||
|
void *pLastHookByte = pFuncToHook + sizeof( JumpCodeRelative_t ) - 1;
|
|||
|
bool bHookSpansTwoPages = ( (uintp)pFuncToHook / dwSystemPageSize != (uintp)pLastHookByte / dwSystemPageSize );
|
|||
|
|
|||
|
DWORD dwOldProtectionLevel = 0;
|
|||
|
DWORD dwOldProtectionLevel2 = 0;
|
|||
|
DWORD dwIgnore;
|
|||
|
|
|||
|
// Fix up the protection on the memory where the functions current asm code is
|
|||
|
// so that we will be able read/write it.
|
|||
|
if( !VirtualProtect( pFuncToHook, 1, PAGE_EXECUTE_READWRITE, &dwOldProtectionLevel ) )
|
|||
|
{
|
|||
|
Log( "Warning: VirtualProtect call failed during hook attempt\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
// In case the hook spans a page boundary, also adjust protections on the last byte,
|
|||
|
// and track the memory protection for the second page in a separate variable since
|
|||
|
// it could theoretically be different (although that would be very odd).
|
|||
|
if ( bHookSpansTwoPages && !VirtualProtect( pLastHookByte, 1, PAGE_EXECUTE_READWRITE, &dwOldProtectionLevel2 ) )
|
|||
|
{
|
|||
|
// Restore original protection on first page.
|
|||
|
VirtualProtect( pFuncToHook, 1, dwOldProtectionLevel, &dwIgnore );
|
|||
|
Log( "Warning: VirtualProtect (2) call failed during hook attempt\n" );
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
bool bSuccess = false;
|
|||
|
|
|||
|
// We must store the relocated function address to the output variable after the trampoline
|
|||
|
// is written, but BEFORE the hook is written, because once the hook is written it could be
|
|||
|
// executed by anybody on any thread, and it needs to know the real function address.
|
|||
|
*ppRealFunctionAdr = pBeginTrampoline;
|
|||
|
|
|||
|
// Write new function body which jumps to trampoline which runs our hook and then relocated function bits
|
|||
|
SIZE_T cBytesWritten;
|
|||
|
if( !WriteProcessMemory( hProc, (void *)pFuncToHook, &sRelativeJumpCode, sizeof( JumpCodeRelative_t ), &cBytesWritten ) )
|
|||
|
{
|
|||
|
Log( "WriteProcessMemory() call failed trying to overwrite first 5 bytes of function body during hook\n" );
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
// From this point on, we must return success because we wrote a live jump into the trampoline
|
|||
|
*ppTrampolineAddressToReturn = NULL;
|
|||
|
bSuccess = true;
|
|||
|
|
|||
|
if ( !FlushInstructionCache( hProc, (void*)pFuncToHook, sizeof( JumpCodeRelative_t ) ) )
|
|||
|
{
|
|||
|
// if flush instruction cache fails what should we do?
|
|||
|
Log( "FlushInstructionCache() call failed trying to overwrite first 5 bytes of function body during hook\n" );
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
// Restore the original protection flags regardless of success, unless they already matched, then don't bother
|
|||
|
if ( bHookSpansTwoPages && dwOldProtectionLevel2 != PAGE_EXECUTE_READWRITE && dwOldProtectionLevel2 != PAGE_EXECUTE_WRITECOPY )
|
|||
|
{
|
|||
|
if ( !VirtualProtect( pLastHookByte, 1, dwOldProtectionLevel2, &dwIgnore ) )
|
|||
|
{
|
|||
|
Log( "Warning: VirtualProtect (2) call failed to restore protection flags during hook attempt\n" );
|
|||
|
}
|
|||
|
}
|
|||
|
if ( dwOldProtectionLevel != PAGE_EXECUTE_READWRITE && dwOldProtectionLevel != PAGE_EXECUTE_WRITECOPY )
|
|||
|
{
|
|||
|
if( !VirtualProtect( pFuncToHook, 1, dwOldProtectionLevel, &dwIgnore ) )
|
|||
|
{
|
|||
|
Log( "Warning: VirtualProtect call failed to restore protection flags during hook attempt\n" );
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
// Track that we have hooked the function at this address
|
|||
|
if ( bSuccess )
|
|||
|
{
|
|||
|
GetLock getLock( g_mapLock );
|
|||
|
g_mapHookedFunctions[ (void *)pRealFunctionAddr ] = SavedData;
|
|||
|
}
|
|||
|
|
|||
|
return bSuccess;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Check if windows says a given address is committed. Used to make
|
|||
|
// sure we don't follow jumps into unloaded modules due to other apps bad detours
|
|||
|
// code.
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
static bool BIsAddressCommited( const void *pAddress )
|
|||
|
{
|
|||
|
MEMORY_BASIC_INFORMATION memInfo;
|
|||
|
if ( !VirtualQuery( pAddress, &memInfo, sizeof( memInfo ) ) )
|
|||
|
{
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
if ( memInfo.State == MEM_COMMIT )
|
|||
|
return true;
|
|||
|
|
|||
|
return false;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Check if we have already hooked a function at a given address.
|
|||
|
// Params: pRealFunctionAddr -- the address of the function to detour.
|
|||
|
// pHookFunc -- optional, and if given is the function we want to detour to.
|
|||
|
// Providing it will allow additional detection to make sure a detour to
|
|||
|
// the target isn't already set via an E9 or chain of E9 calls at the start
|
|||
|
// of the function.
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
bool bIsFuncHooked( BYTE *pRealFunctionAddr, void *pHookFunc /* = NULL */ )
|
|||
|
{
|
|||
|
if ( !pRealFunctionAddr )
|
|||
|
return false;
|
|||
|
|
|||
|
{
|
|||
|
GetLock getLock( g_mapLock );
|
|||
|
if ( g_mapHookedFunctions.find( (void*)pRealFunctionAddr ) != g_mapHookedFunctions.end() )
|
|||
|
{
|
|||
|
if ( *pRealFunctionAddr != 0xE9
|
|||
|
#ifdef _WIN64
|
|||
|
&& ( *pRealFunctionAddr != 0xFF || *(pRealFunctionAddr+1) != 0x25 )
|
|||
|
#endif
|
|||
|
)
|
|||
|
{
|
|||
|
Log( "Warning: Function we had previously hooked now appears unhooked.\n" );
|
|||
|
}
|
|||
|
return true;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
|
|||
|
// If we were told what the hook func address is we can do more checking to avoid infinite recursion
|
|||
|
BYTE *pFuncToHook = pRealFunctionAddr;
|
|||
|
|
|||
|
int nJumpsToCheckForExistingHook = 5;
|
|||
|
BYTE * pCurrentDetour = pFuncToHook;
|
|||
|
while( nJumpsToCheckForExistingHook )
|
|||
|
{
|
|||
|
// We defensively check all the pointers we find following the detour chain
|
|||
|
// to make sure they are at least in commited pages to try to avoid following
|
|||
|
// bad jmps. We can end up in bad jmps due to badly behaving third-party detour
|
|||
|
// code.
|
|||
|
if ( !BIsAddressCommited( pCurrentDetour ) )
|
|||
|
return false;
|
|||
|
|
|||
|
if ( pCurrentDetour[0] == 0xE9 )
|
|||
|
{
|
|||
|
// Make sure the hook isn't pointing at the same place we are going to detour to (which would mean we've already hooked)
|
|||
|
int32 * pOffset = (int32 *)(pCurrentDetour+1);
|
|||
|
if ( !BIsAddressCommited( pOffset ) )
|
|||
|
return false;
|
|||
|
|
|||
|
pCurrentDetour = (BYTE*)((int64)pCurrentDetour + 5 + *pOffset);
|
|||
|
if ( pCurrentDetour == pHookFunc )
|
|||
|
{
|
|||
|
Log ( "Trying to hook when already detoured to target addr (by E9)\n" );
|
|||
|
return true;
|
|||
|
}
|
|||
|
}
|
|||
|
#ifdef _WIN64
|
|||
|
else if ( pCurrentDetour[0] == 0xFF && pCurrentDetour[1] == 0x25 )
|
|||
|
{
|
|||
|
// On x64 we have a relative offset to an absolute qword ptr
|
|||
|
DWORD * pOffset = (DWORD *)(pCurrentDetour+2);
|
|||
|
if ( !BIsAddressCommited( pOffset ) )
|
|||
|
return false;
|
|||
|
|
|||
|
int64 *pTarget = (int64*)(pCurrentDetour + 6 + *pOffset);
|
|||
|
if ( !BIsAddressCommited( pTarget ) )
|
|||
|
return false;
|
|||
|
|
|||
|
pCurrentDetour = (BYTE*)*pTarget;
|
|||
|
if ( (void *)pCurrentDetour == pHookFunc )
|
|||
|
{
|
|||
|
Log ( "Trying to hook when already detoured to target addr (by FF 25)\n" );
|
|||
|
return true;
|
|||
|
}
|
|||
|
}
|
|||
|
#endif
|
|||
|
else
|
|||
|
{
|
|||
|
// Done, no more chained jumps
|
|||
|
break;
|
|||
|
}
|
|||
|
--nJumpsToCheckForExistingHook;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
return false;
|
|||
|
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Check if any of the functions in our map of already hooked ones appears
|
|||
|
// to no longer exist in a valid module, if that has happened its likely the following
|
|||
|
// sequence of events has occurred:
|
|||
|
//
|
|||
|
// hMod = LoadLibrary( "target.dll" );
|
|||
|
// ...
|
|||
|
// DetourFunc called on method in target.dll
|
|||
|
// ...
|
|||
|
// FreeLibrary( hMod ); // ref count to 0 for dll in process
|
|||
|
//
|
|||
|
// If that has happened, we want to remove the address from the list of hooked code as
|
|||
|
// if the DLL is reloaded the address will likely be the same but the code will be restored
|
|||
|
// and no longer hooked.
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void DetectUnloadedHooks()
|
|||
|
{
|
|||
|
void **pTestAddresses = NULL;
|
|||
|
uint32 nTestAddresses = 0;
|
|||
|
|
|||
|
// Build an array of function addresses to test, naturally sorted ascending due to std::map.
|
|||
|
// Don't hold the lock while we call GetModuleHandleEx or there will be potential to deadlock!
|
|||
|
{
|
|||
|
GetLock getLock( g_mapLock );
|
|||
|
nTestAddresses = (uint32)g_mapHookedFunctions.size();
|
|||
|
pTestAddresses = (void**) malloc( sizeof(void*) * nTestAddresses );
|
|||
|
uint32 i = 0;
|
|||
|
for ( const auto &entry : g_mapHookedFunctions )
|
|||
|
{
|
|||
|
pTestAddresses[i++] = entry.first;
|
|||
|
if ( nTestAddresses == i )
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
// Iterate from high addresses to low, can eliminate some GetModuleHandleExA calls since
|
|||
|
// the HMODULE returned is the module's base address, defining a known-valid module range.
|
|||
|
BYTE *pLoadedModuleBase = NULL;
|
|||
|
for ( uint32 i = nTestAddresses; i--; )
|
|||
|
{
|
|||
|
if ( !pLoadedModuleBase || pLoadedModuleBase > (BYTE*)pTestAddresses[i] )
|
|||
|
{
|
|||
|
HMODULE hMod = NULL;
|
|||
|
if ( !GetModuleHandleExA( GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, (LPCSTR)pTestAddresses[i], &hMod ) || !hMod )
|
|||
|
{
|
|||
|
// leave entry alone so that it is erased from map below.
|
|||
|
Log( "Found a hooked function in now unloaded module, removing from map.\n" );
|
|||
|
pLoadedModuleBase = NULL;
|
|||
|
continue;
|
|||
|
}
|
|||
|
pLoadedModuleBase = (BYTE*)hMod;
|
|||
|
}
|
|||
|
|
|||
|
// Either we shortcut the test because we already know this module is loaded, or
|
|||
|
// we looked up the function's module and found it to be valid (and remembered it).
|
|||
|
// Swap from back and shorten array.
|
|||
|
pTestAddresses[i] = pTestAddresses[--nTestAddresses];
|
|||
|
}
|
|||
|
|
|||
|
// Lock again and delete the entries that we found to be pointing at unloaded modules
|
|||
|
if ( nTestAddresses )
|
|||
|
{
|
|||
|
GetLock getLock( g_mapLock );
|
|||
|
for ( uint32 i = 0; i < nTestAddresses; ++i )
|
|||
|
{
|
|||
|
g_mapHookedFunctions.erase( pTestAddresses[i] );
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
free( pTestAddresses );
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// Purpose: Unhook a function, this doesn't remove the jump code, it just makes
|
|||
|
// it jump back to the original code directly
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
|
|||
|
void UnhookFunc( BYTE *pRealFunctionAddr, BYTE *pOriginalFunctionAddr_DEPRECATED )
|
|||
|
{
|
|||
|
(void)pOriginalFunctionAddr_DEPRECATED;
|
|||
|
UnhookFunc( pRealFunctionAddr, true );
|
|||
|
}
|
|||
|
|
|||
|
void UnhookFunc( BYTE *pRealFunctionAddr, bool bLogFailures )
|
|||
|
{
|
|||
|
if ( !pRealFunctionAddr )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "Aborting UnhookFunc because pRealFunctionAddr is null\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
HookData_t hookData;
|
|||
|
{
|
|||
|
GetLock getLock( g_mapLock );
|
|||
|
std::map<void *, HookData_t>::iterator iter;
|
|||
|
iter = g_mapHookedFunctions.find( (void*)pRealFunctionAddr );
|
|||
|
if ( iter == g_mapHookedFunctions.end() )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "Aborting UnhookFunc because pRealFunctionAddr is not hooked\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
hookData = iter->second;
|
|||
|
g_mapHookedFunctions.erase( iter );
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
DWORD dwSystemPageSize = GetSystemPageSize();
|
|||
|
HANDLE hProc = GetCurrentProcess();
|
|||
|
|
|||
|
BYTE *pFuncToUnhook = hookData.m_pFuncHookedAddr;
|
|||
|
void *pLastHookByte = pFuncToUnhook + hookData.m_nOriginalPreambleLength - 1;
|
|||
|
bool bHookSpansTwoPages = ( (uintp)pFuncToUnhook / dwSystemPageSize != (uintp)pLastHookByte / dwSystemPageSize );
|
|||
|
|
|||
|
// Write a 2-byte 0xEB jump into the trampoline at the entry point (the jump to our hook function)
|
|||
|
// to cause it to jump again to the start of the saved function bytes instead of calling our hook.
|
|||
|
COMPILE_TIME_ASSERT( BYTES_FOR_TRAMPOLINE_ALLOCATION < 128 );
|
|||
|
union {
|
|||
|
struct {
|
|||
|
uint8 opcode;
|
|||
|
int8 offset;
|
|||
|
} s;
|
|||
|
uint16 u16;
|
|||
|
} smalljump;
|
|||
|
smalljump.s.opcode = 0xEB; // tiny jump to 8-bit immediate offset from next instruction
|
|||
|
smalljump.s.offset = (int8)( hookData.m_pTrampolineRealFunc - ( hookData.m_pTrampolineEntryPoint + 2 ) );
|
|||
|
|
|||
|
*(UNALIGNED uint16*)hookData.m_pTrampolineEntryPoint = smalljump.u16;
|
|||
|
FlushInstructionCache( hProc, hookData.m_pTrampolineEntryPoint, 2 );
|
|||
|
|
|||
|
if ( !BIsAddressCommited( pFuncToUnhook ) )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "UnhookFunc not restoring original bytes - function is unmapped\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
// Check that the function still starts with our 0xE9 jump before slamming it back to original code
|
|||
|
if ( *pFuncToUnhook != 0xE9 )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "UnhookFunc not restoring original bytes - jump instruction not found\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
BYTE *pJumpTarget = pFuncToUnhook + 5 + *(UNALIGNED int32*)(pFuncToUnhook + 1);
|
|||
|
if ( pJumpTarget != hookData.m_pTrampolineEntryPoint )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "UnhookFunc not restoring original bytes - jump target has changed\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
DWORD dwOldProtectionLevel = 0;
|
|||
|
DWORD dwOldProtectionLevel2 = 0;
|
|||
|
DWORD dwIgnore;
|
|||
|
|
|||
|
// Fix up the protection on the memory where the functions current asm code is
|
|||
|
// so that we will be able read/write it
|
|||
|
if( !VirtualProtect( pFuncToUnhook, hookData.m_nOriginalPreambleLength, PAGE_EXECUTE_READWRITE, &dwOldProtectionLevel ) )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "Warning: VirtualProtect call failed during unhook\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
// In case the hook spans a page boundary, also adjust protections on the last byte,
|
|||
|
// and track the memory protection for the second page in a separate variable since
|
|||
|
// it could theoretically be different (although that would be very odd).
|
|||
|
if ( bHookSpansTwoPages && !VirtualProtect( pLastHookByte, 1, PAGE_EXECUTE_READWRITE, &dwOldProtectionLevel2 ) )
|
|||
|
{
|
|||
|
// Restore original protection on first page.
|
|||
|
VirtualProtect( pFuncToUnhook, 1, dwOldProtectionLevel, &dwIgnore );
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "Warning: VirtualProtect (2) call failed during unhook\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
memcpy( pFuncToUnhook, hookData.m_rgOriginalPreambleCode, hookData.m_nOriginalPreambleLength );
|
|||
|
|
|||
|
// Must flush instruction cache to ensure the processor detects the changed memory
|
|||
|
FlushInstructionCache( hProc, pFuncToUnhook, hookData.m_nOriginalPreambleLength );
|
|||
|
|
|||
|
// Restore the original protection flags regardless of success, unless they already matched, then don't bother
|
|||
|
if ( bHookSpansTwoPages && dwOldProtectionLevel2 != PAGE_EXECUTE_READWRITE && dwOldProtectionLevel2 != PAGE_EXECUTE_WRITECOPY )
|
|||
|
{
|
|||
|
if ( !VirtualProtect( pLastHookByte, 1, dwOldProtectionLevel2, &dwIgnore ) )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "Warning: VirtualProtect (2) call failed to restore protection flags during unhook\n" );
|
|||
|
}
|
|||
|
}
|
|||
|
if ( dwOldProtectionLevel != PAGE_EXECUTE_READWRITE && dwOldProtectionLevel != PAGE_EXECUTE_WRITECOPY )
|
|||
|
{
|
|||
|
if ( !VirtualProtect( pFuncToUnhook, 1, dwOldProtectionLevel, &dwIgnore ) )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "Warning: VirtualProtect call failed to restore protection flags during unhook\n" );
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
void UnhookFuncByRelocAddr( BYTE *pRelocFunctionAddr, bool bLogFailures )
|
|||
|
{
|
|||
|
if ( !pRelocFunctionAddr )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "Aborting UnhookFunc because pRelocFunctionAddr is null\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
BYTE *pOrigFunc = NULL;
|
|||
|
{
|
|||
|
GetLock getLock( g_mapLock );
|
|||
|
for ( const auto &entry : g_mapHookedFunctions )
|
|||
|
{
|
|||
|
if ( entry.second.m_pTrampolineRealFunc == pRelocFunctionAddr )
|
|||
|
{
|
|||
|
pOrigFunc = (BYTE*)entry.first;
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
if ( !pOrigFunc )
|
|||
|
{
|
|||
|
if ( bLogFailures )
|
|||
|
Log( "Aborting UnhookFuncByRelocAddr because no matching function is hooked\n" );
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
UnhookFunc( pOrigFunc, bLogFailures );
|
|||
|
}
|
|||
|
|
|||
|
#if DEBUG_ENABLE_DETOUR_RECORDING
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// CRecordDetouredCalls
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
CRecordDetouredCalls::CRecordDetouredCalls()
|
|||
|
{
|
|||
|
m_guidMarkerBegin = { 0xb6a8cedf, 0x3296, 0x43d2, { 0xae, 0xc1, 0xa5, 0x96, 0xea, 0xb7, 0x6c, 0xc2 } };
|
|||
|
m_nVersionNumber = 1;
|
|||
|
m_cubRecordDetouredCalls = sizeof(CRecordDetouredCalls);
|
|||
|
m_cubGetAsyncKeyStateCallRecord = sizeof( m_GetAsyncKeyStateCallRecord );
|
|||
|
m_cubVirtualAllocCallRecord = sizeof( m_VirtualAllocCallRecord );
|
|||
|
m_cubVirtualProtectCallRecord = sizeof( m_VirtualProtectCallRecord );
|
|||
|
m_cubLoadLibraryCallRecord = sizeof( m_LoadLibraryCallRecord );
|
|||
|
m_bMasterSwitch = false;
|
|||
|
m_guidMarkerEnd = { 0xff84867e, 0x86e0, 0x4c0f, { 0x81, 0xf5, 0x8f, 0xe5, 0x48, 0x72, 0xa7, 0xe5 } };
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// BShouldRecordProtectFlags
|
|||
|
// only want to track PAGE_EXECUTE_READWRITE for now
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
bool CRecordDetouredCalls::BShouldRecordProtectFlags( DWORD flProtect )
|
|||
|
{
|
|||
|
return flProtect == PAGE_EXECUTE_READWRITE;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// RecordGetAsyncKeyState
|
|||
|
// only care about callers address, not params or results
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::RecordGetAsyncKeyState( DWORD vKey,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
GetAsyncKeyStateCallRecord_t fcr;
|
|||
|
fcr.InitGetAsyncKeyState( vKey, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
int iCall = m_GetAsyncKeyStateCallRecord.AddFunctionCallRecord( fcr );
|
|||
|
#ifdef DEBUG_LOG_DETOURED_CALLS
|
|||
|
Log( "GetAsyncKeyState called %d from %p %p\n", iCall, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
#else
|
|||
|
iCall;
|
|||
|
#endif
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// RecordVirtualAlloc
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::RecordVirtualAlloc( LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect,
|
|||
|
LPVOID lpvResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
VirtualAllocCallRecord_t fcr;
|
|||
|
fcr.InitVirtualAlloc( lpAddress, dwSize, flAllocationType, flProtect, lpvResult, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
int iCall = m_VirtualAllocCallRecord.AddFunctionCallRecord( fcr );
|
|||
|
#ifdef DEBUG_LOG_DETOURED_CALLS
|
|||
|
Log( "VirtualAlloc called %d : %p %llx %x %x result %p from %p %p\n", iCall, lpAddress, (uint64)dwSize, flAllocationType, flProtect, lpvResult, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
#else
|
|||
|
iCall;
|
|||
|
#endif
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// RecordVirtualProtect
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::RecordVirtualProtect( LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD flOldProtect,
|
|||
|
BOOL bResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
VirtualAllocCallRecord_t fcr;
|
|||
|
fcr.InitVirtualProtect( lpAddress, dwSize, flNewProtect, flOldProtect, bResult, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
int iCall = m_VirtualProtectCallRecord.AddFunctionCallRecord( fcr );
|
|||
|
#ifdef DEBUG_LOG_DETOURED_CALLS
|
|||
|
Log( "VirtualProtect called %d : %p %llx %x %x result %x from %p %p\n", iCall, lpAddress, (uint64)dwSize, flNewProtect, flOldProtect, bResult, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
#else
|
|||
|
iCall;
|
|||
|
#endif
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// RecordVirtualAllocEx
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::RecordVirtualAllocEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect,
|
|||
|
LPVOID lpvResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
VirtualAllocCallRecord_t fcr;
|
|||
|
fcr.InitVirtualAllocEx( hProcess, lpAddress, dwSize, flAllocationType, flProtect, lpvResult, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
int iCall = m_VirtualAllocCallRecord.AddFunctionCallRecord( fcr );
|
|||
|
#ifdef DEBUG_LOG_DETOURED_CALLS
|
|||
|
Log( "VirtualAllocEx called %d : %p %llx %x %x result %p from %p %p\n", iCall, lpAddress, (uint64)dwSize, flAllocationType, flProtect, lpvResult, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
#else
|
|||
|
iCall;
|
|||
|
#endif
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// RecordVirtualProtectEx
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::RecordVirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD flOldProtect,
|
|||
|
BOOL bResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
VirtualAllocCallRecord_t fcr;
|
|||
|
fcr.InitVirtualProtectEx( hProcess, lpAddress, dwSize, flNewProtect, flOldProtect, bResult, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
int iCall = m_VirtualProtectCallRecord.AddFunctionCallRecord( fcr );
|
|||
|
#ifdef DEBUG_LOG_DETOURED_CALLS
|
|||
|
Log( "VirtualProtectEx called %d : %p %llx %x %x result %x from %p %p\n", iCall, lpAddress, (uint64)dwSize, flNewProtect, flOldProtect, bResult, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
#else
|
|||
|
iCall;
|
|||
|
#endif
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// RecordLoadLibraryW
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::RecordLoadLibraryW(
|
|||
|
LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags,
|
|||
|
HMODULE hModule, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
LoadLibraryCallRecord_t fcr;
|
|||
|
fcr.InitLoadLibraryW( lpLibFileName, hFile, dwFlags, hModule, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
int iCall = m_LoadLibraryCallRecord.AddFunctionCallRecord( fcr );
|
|||
|
if ( iCall >= 0 )
|
|||
|
{
|
|||
|
// keep updating the last callers address, so we will have the first and last caller, but lose any in between
|
|||
|
m_LoadLibraryCallRecord.m_rgElements[iCall].m_lpLastCallerAddress = lpCallersAddress;
|
|||
|
}
|
|||
|
#ifdef DEBUG_LOG_DETOURED_CALLS
|
|||
|
char rgchCopy[500];
|
|||
|
wcstombs( rgchCopy, lpLibFileName, 500 );
|
|||
|
Log( "LoadLibraryW called %d : %s result %p from %p %p\n", iCall, rgchCopy, hModule, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
#else
|
|||
|
iCall;
|
|||
|
#endif
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// RecordLoadLibraryA
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::RecordLoadLibraryA(
|
|||
|
LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags,
|
|||
|
HMODULE hModule, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
LoadLibraryCallRecord_t fcr;
|
|||
|
fcr.InitLoadLibraryA( lpLibFileName, hFile, dwFlags, hModule, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
int iCall = m_LoadLibraryCallRecord.AddFunctionCallRecord( fcr );
|
|||
|
if ( iCall >= 0 )
|
|||
|
{
|
|||
|
// keep updating the last callers address, so we will have the first and last caller, but lose any in between
|
|||
|
m_LoadLibraryCallRecord.m_rgElements[iCall].m_lpLastCallerAddress = lpCallersAddress;
|
|||
|
}
|
|||
|
#ifdef DEBUG_LOG_DETOURED_CALLS
|
|||
|
Log( "LoadLibraryA called %d : %s result %p from %p %p\n", iCall, lpLibFileName, hModule, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
#else
|
|||
|
iCall;
|
|||
|
#endif
|
|||
|
}
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// SharedInit
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::FunctionCallRecordBase_t::SharedInit(
|
|||
|
DWORD dwResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
m_dwResult = dwResult;
|
|||
|
m_dwGetLastError = dwGetLastError;
|
|||
|
m_lpFirstCallersAddress = lpCallersAddress;
|
|||
|
m_lpLastCallerAddress = NULL;
|
|||
|
lpCallersCallerAddress;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
// CRecordDetouredCalls private implementations
|
|||
|
//-----------------------------------------------------------------------------
|
|||
|
void CRecordDetouredCalls::GetAsyncKeyStateCallRecord_t::InitGetAsyncKeyState( DWORD vKey,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
vKey;
|
|||
|
SharedInit( 0, 0, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
}
|
|||
|
|
|||
|
void CRecordDetouredCalls::VirtualAllocCallRecord_t::InitVirtualAlloc( LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect,
|
|||
|
LPVOID lpvResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
SharedInit( (DWORD)lpvResult, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
m_dwProcessId = 0;
|
|||
|
m_lpAddress = lpAddress;
|
|||
|
m_dwSize = dwSize;
|
|||
|
m_flProtect = flProtect;
|
|||
|
m_dw2 = flAllocationType;
|
|||
|
}
|
|||
|
|
|||
|
// VirtualAllocEx
|
|||
|
void CRecordDetouredCalls::VirtualAllocCallRecord_t::InitVirtualAllocEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect,
|
|||
|
LPVOID lpvResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
SharedInit( (DWORD)lpvResult, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
m_dwProcessId = GetProcessId( hProcess );
|
|||
|
m_lpAddress = lpAddress;
|
|||
|
m_dwSize = dwSize;
|
|||
|
m_flProtect = flProtect;
|
|||
|
m_dw2 = flAllocationType;
|
|||
|
}
|
|||
|
|
|||
|
// VirtualProtect
|
|||
|
void CRecordDetouredCalls::VirtualAllocCallRecord_t::InitVirtualProtect( LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD flOldProtect,
|
|||
|
BOOL bResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
SharedInit( (DWORD)bResult, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
|
|||
|
m_dwProcessId = 0;
|
|||
|
m_lpAddress = lpAddress;
|
|||
|
m_dwSize = dwSize;
|
|||
|
m_flProtect = flNewProtect;
|
|||
|
m_dw2 = flOldProtect;
|
|||
|
}
|
|||
|
|
|||
|
// VirtualProtectEx
|
|||
|
void CRecordDetouredCalls::VirtualAllocCallRecord_t::InitVirtualProtectEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD flOldProtect,
|
|||
|
BOOL bResult, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
SharedInit( (DWORD)bResult, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
|
|||
|
m_dwProcessId = GetProcessId( hProcess );
|
|||
|
m_lpAddress = lpAddress;
|
|||
|
m_dwSize = dwSize;
|
|||
|
m_flProtect = flNewProtect;
|
|||
|
m_dw2 = flOldProtect;
|
|||
|
}
|
|||
|
|
|||
|
// LoadLibraryExW
|
|||
|
void CRecordDetouredCalls::LoadLibraryCallRecord_t::InitLoadLibraryW(
|
|||
|
LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags,
|
|||
|
HMODULE hModule, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
SharedInit( (DWORD)hModule, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
m_hFile = hFile;
|
|||
|
m_dwFlags = dwFlags;
|
|||
|
|
|||
|
memset( m_rgubFileName, 0, sizeof(m_rgubFileName) );
|
|||
|
if ( hModule != NULL && lpLibFileName != NULL )
|
|||
|
{
|
|||
|
// record as many of the tail bytes as will fit in m_rgubFileName
|
|||
|
size_t cubLibFileName = wcslen( lpLibFileName )* sizeof(WCHAR);
|
|||
|
size_t cubToCopy = cubLibFileName;
|
|||
|
size_t nOffset = 0;
|
|||
|
if ( cubToCopy > sizeof(m_rgubFileName) )
|
|||
|
{
|
|||
|
nOffset = cubToCopy - sizeof(m_rgubFileName);
|
|||
|
cubToCopy = sizeof(m_rgubFileName);
|
|||
|
}
|
|||
|
memcpy( m_rgubFileName, ((uint8 *)lpLibFileName) + nOffset, cubToCopy );
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
// LoadLibraryExA
|
|||
|
void CRecordDetouredCalls::LoadLibraryCallRecord_t::InitLoadLibraryA(
|
|||
|
LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags,
|
|||
|
HMODULE hModule, DWORD dwGetLastError,
|
|||
|
PVOID lpCallersAddress, PVOID lpCallersCallerAddress
|
|||
|
)
|
|||
|
{
|
|||
|
SharedInit( (DWORD)hModule, dwGetLastError, lpCallersAddress, lpCallersCallerAddress );
|
|||
|
m_hFile = hFile;
|
|||
|
m_dwFlags = dwFlags;
|
|||
|
|
|||
|
memset( m_rgubFileName, 0, sizeof(m_rgubFileName) );
|
|||
|
if ( hModule != NULL && lpLibFileName != NULL )
|
|||
|
{
|
|||
|
// record as many of the tail bytes as will fit in m_rgubFileName
|
|||
|
size_t cubLibFileName = strlen( lpLibFileName );
|
|||
|
size_t cubToCopy = cubLibFileName;
|
|||
|
size_t nOffset = 0;
|
|||
|
if ( cubToCopy > sizeof(m_rgubFileName) )
|
|||
|
{
|
|||
|
nOffset = cubToCopy - sizeof(m_rgubFileName);
|
|||
|
cubToCopy = sizeof(m_rgubFileName);
|
|||
|
}
|
|||
|
memcpy( m_rgubFileName, ((uint8 *)lpLibFileName) + nOffset, cubToCopy );
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
#endif // DEBUG_ENABLE_DETOUR_RECORDING
|
|||
|
|
|||
|
#pragma warning( pop )
|