Clone/plexmediaserver_crack
1
0
Fork 0
mirror of https://gitgud.io/yuv420p10le/plexmediaserver_crack synced 2025-07-04 16:34:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
plexmediaserver_crack/windows/safetyhook.cpp
yuv420p10le 2a003b95ba v1.40.3.8555+ support and other quirks. 
* Now works with v1.40.3.8555 (inlined) and older versions too.
* Added a whitelist of features now rather than a global-enable.
* Refactored some code to use std::optional.
* Linux: Wrote proper hooking function. No unhooking support as it's unneeded.
* Windows: Now uses SafetyHook as we need trampolines.
* Windows: When building for debug, you can see queried features and their caller (return address offset from PMS base address); reverse on your own or query me.
2024-06-11 20:41:05 +03:00

1664 lines
51 KiB
C++
Raw Blame History

// DO NOT EDIT. This file is auto-generated by `amalgamate.py`.
#define NOMINMAX
#include "safetyhook.hpp"
//
// Source file: allocator.cpp
//
#include <algorithm>
#include <functional>
#include <limits>
//
// Header: safetyhook/os.hpp
//
// This is the OS abstraction layer.
#pragma once
#ifndef SAFETYHOOK_USE_CXXMODULES
#include <cstdint>
#include <expected>
#include <functional>
#else
import std.compat;
#endif
namespace safetyhook {
enum class OsError {
FAILED_TO_ALLOCATE,
FAILED_TO_PROTECT,
FAILED_TO_QUERY,
FAILED_TO_GET_NEXT_THREAD,
FAILED_TO_GET_THREAD_CONTEXT,
FAILED_TO_SET_THREAD_CONTEXT,
FAILED_TO_FREEZE_THREAD,
FAILED_TO_UNFREEZE_THREAD,
FAILED_TO_GET_THREAD_ID,
};
struct VmAccess {
bool read : 1;
bool write : 1;
bool execute : 1;
constexpr bool operator==(const VmAccess& other) const {
return read == other.read && write == other.write && execute == other.execute;
}
};
constexpr VmAccess VM_ACCESS_R{.read = true, .write = false, .execute = false};
constexpr VmAccess VM_ACCESS_RW{.read = true, .write = true, .execute = false};
constexpr VmAccess VM_ACCESS_RX{.read = true, .write = false, .execute = true};
constexpr VmAccess VM_ACCESS_RWX{.read = true, .write = true, .execute = true};
struct VmBasicInfo {
uint8_t* address;
size_t size;
VmAccess access;
bool is_free;
};
std::expected<uint8_t*, OsError> vm_allocate(uint8_t* address, size_t size, VmAccess access);
void vm_free(uint8_t* address);
std::expected<uint32_t, OsError> vm_protect(uint8_t* address, size_t size, VmAccess access);
std::expected<uint32_t, OsError> vm_protect(uint8_t* address, size_t size, uint32_t access);
std::expected<VmBasicInfo, OsError> vm_query(uint8_t* address);
bool vm_is_readable(uint8_t* address, size_t size);
bool vm_is_writable(uint8_t* address, size_t size);
bool vm_is_executable(uint8_t* address);
struct SystemInfo {
uint32_t page_size;
uint32_t allocation_granularity;
uint8_t* min_address;
uint8_t* max_address;
};
SystemInfo system_info();
using ThreadId = uint32_t;
using ThreadHandle = void*;
using ThreadContext = void*;
/// @brief Executes a function while all other threads are frozen. Also allows for visiting each frozen thread and
/// modifying it's context.
/// @param run_fn The function to run while all other threads are frozen.
/// @param visit_fn The function that will be called for each frozen thread.
/// @note The visit function will be called in the order that the threads were frozen.
/// @note The visit function will be called before the run function.
/// @note Keep the logic inside run_fn and visit_fn as simple as possible to avoid deadlocks.
void execute_while_frozen(const std::function<void()>& run_fn,
const std::function<void(ThreadId, ThreadHandle, ThreadContext)>& visit_fn = {});
/// @brief Will modify the context of a thread's IP to point to a new address if its IP is at the old address.
/// @param ctx The thread context to modify.
/// @param old_ip The old IP address.
/// @param new_ip The new IP address.
void fix_ip(ThreadContext ctx, uint8_t* old_ip, uint8_t* new_ip);
} // namespace safetyhook
namespace safetyhook {
Allocation::Allocation(Allocation&& other) noexcept {
*this = std::move(other);
}
Allocation& Allocation::operator=(Allocation&& other) noexcept {
if (this != &other) {
free();
m_allocator = std::move(other.m_allocator);
m_address = other.m_address;
m_size = other.m_size;
other.m_address = nullptr;
other.m_size = 0;
}
return *this;
}
Allocation::~Allocation() {
free();
}
void Allocation::free() {
if (m_allocator && m_address != nullptr && m_size != 0) {
m_allocator->free(m_address, m_size);
m_address = nullptr;
m_size = 0;
m_allocator.reset();
}
}
Allocation::Allocation(std::shared_ptr<Allocator> allocator, uint8_t* address, size_t size) noexcept
: m_allocator{std::move(allocator)}, m_address{address}, m_size{size} {
}
std::shared_ptr<Allocator> Allocator::global() {
static std::weak_ptr<Allocator> global_allocator{};
static std::mutex global_allocator_mutex{};
std::scoped_lock lock{global_allocator_mutex};
if (auto allocator = global_allocator.lock()) {
return allocator;
}
auto allocator = Allocator::create();
global_allocator = allocator;
return allocator;
}
std::shared_ptr<Allocator> Allocator::create() {
return std::shared_ptr<Allocator>{new Allocator{}};
}
std::expected<Allocation, Allocator::Error> Allocator::allocate(size_t size) {
return allocate_near({}, size, std::numeric_limits<size_t>::max());
}
std::expected<Allocation, Allocator::Error> Allocator::allocate_near(
const std::vector<uint8_t*>& desired_addresses, size_t size, size_t max_distance) {
std::scoped_lock lock{m_mutex};
return internal_allocate_near(desired_addresses, size, max_distance);
}
void Allocator::free(uint8_t* address, size_t size) {
std::scoped_lock lock{m_mutex};
return internal_free(address, size);
}
std::expected<Allocation, Allocator::Error> Allocator::internal_allocate_near(
const std::vector<uint8_t*>& desired_addresses, size_t size, size_t max_distance) {
// First search through our list of allocations for a free block that is large
// enough.
for (const auto& allocation : m_memory) {
if (allocation->size < size) {
continue;
}
for (auto node = allocation->freelist.get(); node != nullptr; node = node->next.get()) {
// Enough room?
if (static_cast<size_t>(node->end - node->start) < size) {
continue;
}
const auto address = node->start;
// Close enough?
if (!in_range(address, desired_addresses, max_distance)) {
continue;
}
node->start += size;
return Allocation{shared_from_this(), address, size};
}
}
// If we didn't find a free block, we need to allocate a new one.
auto allocation_size = align_up(size, system_info().allocation_granularity);
auto allocation_address = allocate_nearby_memory(desired_addresses, allocation_size, max_distance);
if (!allocation_address) {
return std::unexpected{allocation_address.error()};
}
auto& allocation = m_memory.emplace_back(new Memory);
allocation->address = *allocation_address;
allocation->size = allocation_size;
allocation->freelist = std::make_unique<FreeNode>();
allocation->freelist->start = *allocation_address + size;
allocation->freelist->end = *allocation_address + allocation_size;
return Allocation{shared_from_this(), *allocation_address, size};
}
void Allocator::internal_free(uint8_t* address, size_t size) {
for (const auto& allocation : m_memory) {
if (allocation->address > address || allocation->address + allocation->size < address) {
continue;
}
// Find the right place for our new freenode.
FreeNode* prev{};
for (auto node = allocation->freelist.get(); node != nullptr; prev = node, node = node->next.get()) {
if (node->start > address) {
break;
}
}
// Add new freenode.
auto free_node = std::make_unique<FreeNode>();
free_node->start = address;
free_node->end = address + size;
if (prev == nullptr) {
free_node->next.swap(allocation->freelist);
allocation->freelist.swap(free_node);
} else {
free_node->next.swap(prev->next);
prev->next.swap(free_node);
}
combine_adjacent_freenodes(*allocation);
break;
}
}
void Allocator::combine_adjacent_freenodes(Memory& memory) {
for (auto prev = memory.freelist.get(), node = prev; node != nullptr; node = node->next.get()) {
if (prev->end == node->start) {
prev->end = node->end;
prev->next.swap(node->next);
node->next.reset();
node = prev;
} else {
prev = node;
}
}
}
std::expected<uint8_t*, Allocator::Error> Allocator::allocate_nearby_memory(
const std::vector<uint8_t*>& desired_addresses, size_t size, size_t max_distance) {
if (desired_addresses.empty()) {
if (auto result = vm_allocate(nullptr, size, VM_ACCESS_RWX)) {
return result.value();
}
return std::unexpected{Error::BAD_VIRTUAL_ALLOC};
}
auto attempt_allocation = [&](uint8_t* p) -> uint8_t* {
if (!in_range(p, desired_addresses, max_distance)) {
return nullptr;
}
if (auto result = vm_allocate(p, size, VM_ACCESS_RWX)) {
return result.value();
}
return nullptr;
};
auto si = system_info();
auto desired_address = desired_addresses[0];
auto search_start = si.min_address;
auto search_end = si.max_address;
if (static_cast<size_t>(desired_address - search_start) > max_distance) {
search_start = desired_address - max_distance;
}
if (static_cast<size_t>(search_end - desired_address) > max_distance) {
search_end = desired_address + max_distance;
}
search_start = std::max(search_start, si.min_address);
search_end = std::min(search_end, si.max_address);
desired_address = align_up(desired_address, si.allocation_granularity);
VmBasicInfo mbi{};
// Search backwards from the desired_address.
for (auto p = desired_address; p > search_start && in_range(p, desired_addresses, max_distance);
p = align_down(mbi.address - 1, si.allocation_granularity)) {
auto result = vm_query(p);
if (!result) {
break;
}
mbi = result.value();
if (!mbi.is_free) {
continue;
}
if (auto allocation_address = attempt_allocation(p); allocation_address != nullptr) {
return allocation_address;
}
}
// Search forwards from the desired_address.
for (auto p = desired_address; p < search_end && in_range(p, desired_addresses, max_distance); p += mbi.size) {
auto result = vm_query(p);
if (!result) {
break;
}
mbi = result.value();
if (!mbi.is_free) {
continue;
}
if (auto allocation_address = attempt_allocation(p); allocation_address != nullptr) {
return allocation_address;
}
}
return std::unexpected{Error::NO_MEMORY_IN_RANGE};
}
bool Allocator::in_range(uint8_t* address, const std::vector<uint8_t*>& desired_addresses, size_t max_distance) {
return std::ranges::all_of(desired_addresses, [&](const auto& desired_address) {
const size_t delta = (address > desired_address) ? address - desired_address : desired_address - address;
return delta <= max_distance;
});
}
Allocator::Memory::~Memory() {
vm_free(address);
}
} // namespace safetyhook
//
// Source file: easy.cpp
//
namespace safetyhook {
InlineHook create_inline(void* target, void* destination) {
if (auto hook = InlineHook::create(target, destination)) {
return std::move(*hook);
} else {
return {};
}
}
MidHook create_mid(void* target, MidHookFn destination) {
if (auto hook = MidHook::create(target, destination)) {
return std::move(*hook);
} else {
return {};
}
}
VmtHook create_vmt(void* object) {
if (auto hook = VmtHook::create(object)) {
return std::move(*hook);
} else {
return {};
}
}
} // namespace safetyhook
//
// Source file: inline_hook.cpp
//
#include <iterator>
#if __has_include("Zydis/Zydis.h")
#include "Zydis/Zydis.h"
#elif __has_include("Zydis.h")
#include "Zydis.h"
#else
#error "Zydis not found"
#endif
namespace safetyhook {
#pragma pack(push, 1)
struct JmpE9 {
uint8_t opcode{0xE9};
uint32_t offset{0};
};
#if SAFETYHOOK_ARCH_X86_64
struct JmpFF {
uint8_t opcode0{0xFF};
uint8_t opcode1{0x25};
uint32_t offset{0};
};
struct TrampolineEpilogueE9 {
JmpE9 jmp_to_original{};
JmpFF jmp_to_destination{};
uint64_t destination_address{};
};
struct TrampolineEpilogueFF {
JmpFF jmp_to_original{};
uint64_t original_address{};
};
#elif SAFETYHOOK_ARCH_X86_32
struct TrampolineEpilogueE9 {
JmpE9 jmp_to_original{};
JmpE9 jmp_to_destination{};
};
#endif
#pragma pack(pop)
#if SAFETYHOOK_ARCH_X86_64
static auto make_jmp_ff(uint8_t* src, uint8_t* dst, uint8_t* data) {
JmpFF jmp{};
jmp.offset = static_cast<uint32_t>(data - src - sizeof(jmp));
store(data, dst);
return jmp;
}
[[nodiscard]] static std::expected<void, InlineHook::Error> emit_jmp_ff(
uint8_t* src, uint8_t* dst, uint8_t* data, size_t size = sizeof(JmpFF)) {
if (size < sizeof(JmpFF)) {
return std::unexpected{InlineHook::Error::not_enough_space(dst)};
}
auto um = unprotect(src, size);
if (!um) {
return std::unexpected{InlineHook::Error::failed_to_unprotect(src)};
}
if (size > sizeof(JmpFF)) {
std::fill_n(src, size, static_cast<uint8_t>(0x90));
}
store(src, make_jmp_ff(src, dst, data));
return {};
}
#endif
constexpr auto make_jmp_e9(uint8_t* src, uint8_t* dst) {
JmpE9 jmp{};
jmp.offset = static_cast<uint32_t>(dst - src - sizeof(jmp));
return jmp;
}
[[nodiscard]] static std::expected<void, InlineHook::Error> emit_jmp_e9(
uint8_t* src, uint8_t* dst, size_t size = sizeof(JmpE9)) {
if (size < sizeof(JmpE9)) {
return std::unexpected{InlineHook::Error::not_enough_space(dst)};
}
auto um = unprotect(src, size);
if (!um) {
return std::unexpected{InlineHook::Error::failed_to_unprotect(src)};
}
if (size > sizeof(JmpE9)) {
std::fill_n(src, size, static_cast<uint8_t>(0x90));
}
store(src, make_jmp_e9(src, dst));
return {};
}
static bool decode(ZydisDecodedInstruction* ix, uint8_t* ip) {
ZydisDecoder decoder{};
ZyanStatus status;
#if SAFETYHOOK_ARCH_X86_64
status = ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);
#elif SAFETYHOOK_ARCH_X86_32
status = ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LEGACY_32, ZYDIS_STACK_WIDTH_32);
#endif
if (!ZYAN_SUCCESS(status)) {
return false;
}
return ZYAN_SUCCESS(ZydisDecoderDecodeInstruction(&decoder, nullptr, ip, 15, ix));
}
std::expected<InlineHook, InlineHook::Error> InlineHook::create(void* target, void* destination) {
return create(Allocator::global(), target, destination);
}
std::expected<InlineHook, InlineHook::Error> InlineHook::create(
const std::shared_ptr<Allocator>& allocator, void* target, void* destination) {
InlineHook hook{};
if (const auto setup_result =
hook.setup(allocator, reinterpret_cast<uint8_t*>(target), reinterpret_cast<uint8_t*>(destination));
!setup_result) {
return std::unexpected{setup_result.error()};
}
return hook;
}
InlineHook::InlineHook(InlineHook&& other) noexcept {
*this = std::move(other);
}
InlineHook& InlineHook::operator=(InlineHook&& other) noexcept {
if (this != &other) {
destroy();
std::scoped_lock lock{m_mutex, other.m_mutex};
m_target = other.m_target;
m_destination = other.m_destination;
m_trampoline = std::move(other.m_trampoline);
m_trampoline_size = other.m_trampoline_size;
m_original_bytes = std::move(other.m_original_bytes);
other.m_target = nullptr;
other.m_destination = nullptr;
other.m_trampoline_size = 0;
}
return *this;
}
InlineHook::~InlineHook() {
destroy();
}
void InlineHook::reset() {
*this = {};
}
std::expected<void, InlineHook::Error> InlineHook::setup(
const std::shared_ptr<Allocator>& allocator, uint8_t* target, uint8_t* destination) {
m_target = target;
m_destination = destination;
if (auto e9_result = e9_hook(allocator); !e9_result) {
#if SAFETYHOOK_ARCH_X86_64
if (auto ff_result = ff_hook(allocator); !ff_result) {
return ff_result;
}
#elif SAFETYHOOK_ARCH_X86_32
return e9_result;
#endif
}
return {};
}
std::expected<void, InlineHook::Error> InlineHook::e9_hook(const std::shared_ptr<Allocator>& allocator) {
m_original_bytes.clear();
m_trampoline_size = sizeof(TrampolineEpilogueE9);
std::vector<uint8_t*> desired_addresses{m_target};
ZydisDecodedInstruction ix{};
for (auto ip = m_target; ip < m_target + sizeof(JmpE9); ip += ix.length) {
if (!decode(&ix, ip)) {
return std::unexpected{Error::failed_to_decode_instruction(ip)};
}
m_trampoline_size += ix.length;
m_original_bytes.insert(m_original_bytes.end(), ip, ip + ix.length);
const auto is_relative = (ix.attributes & ZYDIS_ATTRIB_IS_RELATIVE) != 0;
if (is_relative) {
if (ix.raw.disp.size == 32) {
const auto target_address = ip + ix.length + static_cast<int32_t>(ix.raw.disp.value);
desired_addresses.emplace_back(target_address);
} else if (ix.raw.imm[0].size == 32) {
const auto target_address = ip + ix.length + static_cast<int32_t>(ix.raw.imm[0].value.s);
desired_addresses.emplace_back(target_address);
} else if (ix.meta.category == ZYDIS_CATEGORY_COND_BR && ix.meta.branch_type == ZYDIS_BRANCH_TYPE_SHORT) {
const auto target_address = ip + ix.length + static_cast<int32_t>(ix.raw.imm[0].value.s);
desired_addresses.emplace_back(target_address);
m_trampoline_size += 4; // near conditional branches are 4 bytes larger.
} else if (ix.meta.category == ZYDIS_CATEGORY_UNCOND_BR && ix.meta.branch_type == ZYDIS_BRANCH_TYPE_SHORT) {
const auto target_address = ip + ix.length + static_cast<int32_t>(ix.raw.imm[0].value.s);
desired_addresses.emplace_back(target_address);
m_trampoline_size += 3; // near unconditional branches are 3 bytes larger.
} else {
return std::unexpected{Error::unsupported_instruction_in_trampoline(ip)};
}
}
}
auto trampoline_allocation = allocator->allocate_near(desired_addresses, m_trampoline_size);
if (!trampoline_allocation) {
return std::unexpected{Error::bad_allocation(trampoline_allocation.error())};
}
m_trampoline = std::move(*trampoline_allocation);
for (auto ip = m_target, tramp_ip = m_trampoline.data(); ip < m_target + m_original_bytes.size(); ip += ix.length) {
if (!decode(&ix, ip)) {
m_trampoline.free();
return std::unexpected{Error::failed_to_decode_instruction(ip)};
}
const auto is_relative = (ix.attributes & ZYDIS_ATTRIB_IS_RELATIVE) != 0;
if (is_relative && ix.raw.disp.size == 32) {
std::copy_n(ip, ix.length, tramp_ip);
const auto target_address = ip + ix.length + ix.raw.disp.value;
const auto new_disp = target_address - (tramp_ip + ix.length);
store(tramp_ip + ix.raw.disp.offset, static_cast<int32_t>(new_disp));
tramp_ip += ix.length;
} else if (is_relative && ix.raw.imm[0].size == 32) {
std::copy_n(ip, ix.length, tramp_ip);
const auto target_address = ip + ix.length + ix.raw.imm[0].value.s;
const auto new_disp = target_address - (tramp_ip + ix.length);
store(tramp_ip + ix.raw.imm[0].offset, static_cast<int32_t>(new_disp));
tramp_ip += ix.length;
} else if (ix.meta.category == ZYDIS_CATEGORY_COND_BR && ix.meta.branch_type == ZYDIS_BRANCH_TYPE_SHORT) {
const auto target_address = ip + ix.length + ix.raw.imm[0].value.s;
auto new_disp = target_address - (tramp_ip + 6);
// Handle the case where the target is now in the trampoline.
if (target_address < m_target + m_original_bytes.size()) {
new_disp = static_cast<ptrdiff_t>(ix.raw.imm[0].value.s);
}
*tramp_ip = 0x0F;
*(tramp_ip + 1) = 0x10 + ix.opcode;
store(tramp_ip + 2, static_cast<int32_t>(new_disp));
tramp_ip += 6;
} else if (ix.meta.category == ZYDIS_CATEGORY_UNCOND_BR && ix.meta.branch_type == ZYDIS_BRANCH_TYPE_SHORT) {
const auto target_address = ip + ix.length + ix.raw.imm[0].value.s;
auto new_disp = target_address - (tramp_ip + 5);
// Handle the case where the target is now in the trampoline.
if (target_address < m_target + m_original_bytes.size()) {
new_disp = static_cast<ptrdiff_t>(ix.raw.imm[0].value.s);
}
*tramp_ip = 0xE9;
store(tramp_ip + 1, static_cast<int32_t>(new_disp));
tramp_ip += 5;
} else {
std::copy_n(ip, ix.length, tramp_ip);
tramp_ip += ix.length;
}
}
auto trampoline_epilogue = reinterpret_cast<TrampolineEpilogueE9*>(
m_trampoline.address() + m_trampoline_size - sizeof(TrampolineEpilogueE9));
// jmp from trampoline to original.
auto src = reinterpret_cast<uint8_t*>(&trampoline_epilogue->jmp_to_original);
auto dst = m_target + m_original_bytes.size();
if (auto result = emit_jmp_e9(src, dst); !result) {
return std::unexpected{result.error()};
}
// jmp from trampoline to destination.
src = reinterpret_cast<uint8_t*>(&trampoline_epilogue->jmp_to_destination);
dst = m_destination;
#if SAFETYHOOK_ARCH_X86_64
auto data = reinterpret_cast<uint8_t*>(&trampoline_epilogue->destination_address);
if (auto result = emit_jmp_ff(src, dst, data); !result) {
return std::unexpected{result.error()};
}
#elif SAFETYHOOK_ARCH_X86_32
if (auto result = emit_jmp_e9(src, dst); !result) {
return std::unexpected{result.error()};
}
#endif
std::optional<Error> error;
// jmp from original to trampoline.
execute_while_frozen(
[this, &trampoline_epilogue, &error] {
if (auto result = emit_jmp_e9(m_target,
reinterpret_cast<uint8_t*>(&trampoline_epilogue->jmp_to_destination), m_original_bytes.size());
!result) {
error = result.error();
}
},
[this](auto, auto, auto ctx) {
for (size_t i = 0; i < m_original_bytes.size(); ++i) {
fix_ip(ctx, m_target + i, m_trampoline.data() + i);
}
});
if (error) {
return std::unexpected{*error};
}
return {};
}
#if SAFETYHOOK_ARCH_X86_64
std::expected<void, InlineHook::Error> InlineHook::ff_hook(const std::shared_ptr<Allocator>& allocator) {
m_original_bytes.clear();
m_trampoline_size = sizeof(TrampolineEpilogueFF);
ZydisDecodedInstruction ix{};
for (auto ip = m_target; ip < m_target + sizeof(JmpFF) + sizeof(uintptr_t); ip += ix.length) {
if (!decode(&ix, ip)) {
return std::unexpected{Error::failed_to_decode_instruction(ip)};
}
// We can't support any instruction that is IP relative here because
// ff_hook should only be called if e9_hook failed indicating that
// we're likely outside the +- 2GB range.
if (ix.attributes & ZYDIS_ATTRIB_IS_RELATIVE) {
return std::unexpected{Error::ip_relative_instruction_out_of_range(ip)};
}
m_original_bytes.insert(m_original_bytes.end(), ip, ip + ix.length);
m_trampoline_size += ix.length;
}
auto trampoline_allocation = allocator->allocate(m_trampoline_size);
if (!trampoline_allocation) {
return std::unexpected{Error::bad_allocation(trampoline_allocation.error())};
}
m_trampoline = std::move(*trampoline_allocation);
std::copy(m_original_bytes.begin(), m_original_bytes.end(), m_trampoline.data());
const auto trampoline_epilogue =
reinterpret_cast<TrampolineEpilogueFF*>(m_trampoline.data() + m_trampoline_size - sizeof(TrampolineEpilogueFF));
// jmp from trampoline to original.
auto src = reinterpret_cast<uint8_t*>(&trampoline_epilogue->jmp_to_original);
auto dst = m_target + m_original_bytes.size();
auto data = reinterpret_cast<uint8_t*>(&trampoline_epilogue->original_address);
if (auto result = emit_jmp_ff(src, dst, data); !result) {
return std::unexpected{result.error()};
}
std::optional<Error> error;
// jmp from original to trampoline.
execute_while_frozen(
[this, &error] {
if (auto result = emit_jmp_ff(m_target, m_destination, m_target + sizeof(JmpFF), m_original_bytes.size());
!result) {
error = result.error();
}
},
[this](auto, auto, auto ctx) {
for (size_t i = 0; i < m_original_bytes.size(); ++i) {
fix_ip(ctx, m_target + i, m_trampoline.data() + i);
}
});
if (error) {
return std::unexpected{*error};
}
return {};
}
#endif
void InlineHook::destroy() {
std::scoped_lock lock{m_mutex};
if (!m_trampoline) {
return;
}
execute_while_frozen(
[this] {
if (auto um = unprotect(m_target, m_original_bytes.size())) {
std::copy(m_original_bytes.begin(), m_original_bytes.end(), m_target);
}
},
[this](auto, auto, auto ctx) {
for (size_t i = 0; i < m_original_bytes.size(); ++i) {
fix_ip(ctx, m_trampoline.data() + i, m_target + i);
}
});
m_trampoline.free();
}
} // namespace safetyhook
//
// Source file: mid_hook.cpp
//
#include <algorithm>
#include <array>
namespace safetyhook {
#if SAFETYHOOK_ARCH_X86_64
#if SAFETYHOOK_OS_WINDOWS
constexpr std::array<uint8_t, 391> asm_data = {0xFF, 0x35, 0x79, 0x01, 0x00, 0x00, 0x54, 0x54, 0x55, 0x50, 0x53, 0x51,
0x52, 0x56, 0x57, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57,
0x9C, 0x48, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0xBC, 0x24, 0xF0, 0x00, 0x00, 0x00, 0xF3,
0x44, 0x0F, 0x7F, 0xB4, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0xAC, 0x24, 0xD0, 0x00, 0x00, 0x00,
0xF3, 0x44, 0x0F, 0x7F, 0xA4, 0x24, 0xC0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0x9C, 0x24, 0xB0, 0x00, 0x00,
0x00, 0xF3, 0x44, 0x0F, 0x7F, 0x94, 0x24, 0xA0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0x8C, 0x24, 0x90, 0x00,
0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x7C, 0x24, 0x70, 0xF3,
0x0F, 0x7F, 0x74, 0x24, 0x60, 0xF3, 0x0F, 0x7F, 0x6C, 0x24, 0x50, 0xF3, 0x0F, 0x7F, 0x64, 0x24, 0x40, 0xF3, 0x0F,
0x7F, 0x5C, 0x24, 0x30, 0xF3, 0x0F, 0x7F, 0x54, 0x24, 0x20, 0xF3, 0x0F, 0x7F, 0x4C, 0x24, 0x10, 0xF3, 0x0F, 0x7F,
0x04, 0x24, 0x48, 0x8B, 0x8C, 0x24, 0x80, 0x01, 0x00, 0x00, 0x48, 0x83, 0xC1, 0x10, 0x48, 0x89, 0x8C, 0x24, 0x80,
0x01, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x24, 0x48, 0x89, 0xE3, 0x48, 0x83, 0xEC, 0x30, 0x48, 0x83, 0xE4, 0xF0, 0xFF,
0x15, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xDC, 0xF3, 0x0F, 0x6F, 0x04, 0x24, 0xF3, 0x0F, 0x6F, 0x4C, 0x24, 0x10,
0xF3, 0x0F, 0x6F, 0x54, 0x24, 0x20, 0xF3, 0x0F, 0x6F, 0x5C, 0x24, 0x30, 0xF3, 0x0F, 0x6F, 0x64, 0x24, 0x40, 0xF3,
0x0F, 0x6F, 0x6C, 0x24, 0x50, 0xF3, 0x0F, 0x6F, 0x74, 0x24, 0x60, 0xF3, 0x0F, 0x6F, 0x7C, 0x24, 0x70, 0xF3, 0x44,
0x0F, 0x6F, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x6F, 0x8C, 0x24, 0x90, 0x00, 0x00, 0x00, 0xF3,
0x44, 0x0F, 0x6F, 0x94, 0x24, 0xA0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x6F, 0x9C, 0x24, 0xB0, 0x00, 0x00, 0x00,
0xF3, 0x44, 0x0F, 0x6F, 0xA4, 0x24, 0xC0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x6F, 0xAC, 0x24, 0xD0, 0x00, 0x00,
0x00, 0xF3, 0x44, 0x0F, 0x6F, 0xB4, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x6F, 0xBC, 0x24, 0xF0, 0x00,
0x00, 0x00, 0x48, 0x81, 0xC4, 0x00, 0x01, 0x00, 0x00, 0x9D, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x41,
0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5F, 0x5E, 0x5A, 0x59, 0x5B, 0x58, 0x5D, 0x48, 0x8D, 0x64, 0x24, 0x08,
0x5C, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
#elif SAFETYHOOK_OS_LINUX
constexpr std::array<uint8_t, 391> asm_data = {0xFF, 0x35, 0x79, 0x01, 0x00, 0x00, 0x54, 0x54, 0x55, 0x50, 0x53, 0x51,
0x52, 0x56, 0x57, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57,
0x9C, 0x48, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0xBC, 0x24, 0xF0, 0x00, 0x00, 0x00, 0xF3,
0x44, 0x0F, 0x7F, 0xB4, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0xAC, 0x24, 0xD0, 0x00, 0x00, 0x00,
0xF3, 0x44, 0x0F, 0x7F, 0xA4, 0x24, 0xC0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0x9C, 0x24, 0xB0, 0x00, 0x00,
0x00, 0xF3, 0x44, 0x0F, 0x7F, 0x94, 0x24, 0xA0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0x8C, 0x24, 0x90, 0x00,
0x00, 0x00, 0xF3, 0x44, 0x0F, 0x7F, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x7C, 0x24, 0x70, 0xF3,
0x0F, 0x7F, 0x74, 0x24, 0x60, 0xF3, 0x0F, 0x7F, 0x6C, 0x24, 0x50, 0xF3, 0x0F, 0x7F, 0x64, 0x24, 0x40, 0xF3, 0x0F,
0x7F, 0x5C, 0x24, 0x30, 0xF3, 0x0F, 0x7F, 0x54, 0x24, 0x20, 0xF3, 0x0F, 0x7F, 0x4C, 0x24, 0x10, 0xF3, 0x0F, 0x7F,
0x04, 0x24, 0x48, 0x8B, 0xBC, 0x24, 0x80, 0x01, 0x00, 0x00, 0x48, 0x83, 0xC7, 0x10, 0x48, 0x89, 0xBC, 0x24, 0x80,
0x01, 0x00, 0x00, 0x48, 0x8D, 0x3C, 0x24, 0x48, 0x89, 0xE3, 0x48, 0x83, 0xEC, 0x30, 0x48, 0x83, 0xE4, 0xF0, 0xFF,
0x15, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xDC, 0xF3, 0x0F, 0x6F, 0x04, 0x24, 0xF3, 0x0F, 0x6F, 0x4C, 0x24, 0x10,
0xF3, 0x0F, 0x6F, 0x54, 0x24, 0x20, 0xF3, 0x0F, 0x6F, 0x5C, 0x24, 0x30, 0xF3, 0x0F, 0x6F, 0x64, 0x24, 0x40, 0xF3,
0x0F, 0x6F, 0x6C, 0x24, 0x50, 0xF3, 0x0F, 0x6F, 0x74, 0x24, 0x60, 0xF3, 0x0F, 0x6F, 0x7C, 0x24, 0x70, 0xF3, 0x44,
0x0F, 0x6F, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x6F, 0x8C, 0x24, 0x90, 0x00, 0x00, 0x00, 0xF3,
0x44, 0x0F, 0x6F, 0x94, 0x24, 0xA0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x6F, 0x9C, 0x24, 0xB0, 0x00, 0x00, 0x00,
0xF3, 0x44, 0x0F, 0x6F, 0xA4, 0x24, 0xC0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x6F, 0xAC, 0x24, 0xD0, 0x00, 0x00,
0x00, 0xF3, 0x44, 0x0F, 0x6F, 0xB4, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xF3, 0x44, 0x0F, 0x6F, 0xBC, 0x24, 0xF0, 0x00,
0x00, 0x00, 0x48, 0x81, 0xC4, 0x00, 0x01, 0x00, 0x00, 0x9D, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x41,
0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5F, 0x5E, 0x5A, 0x59, 0x5B, 0x58, 0x5D, 0x48, 0x8D, 0x64, 0x24, 0x08,
0x5C, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
#endif
#elif SAFETYHOOK_ARCH_X86_32
constexpr std::array<uint8_t, 171> asm_data = {0xFF, 0x35, 0xA7, 0x00, 0x00, 0x00, 0x54, 0x54, 0x55, 0x50, 0x53, 0x51,
0x52, 0x56, 0x57, 0x9C, 0x81, 0xEC, 0x80, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x7C, 0x24, 0x70, 0xF3, 0x0F, 0x7F,
0x74, 0x24, 0x60, 0xF3, 0x0F, 0x7F, 0x6C, 0x24, 0x50, 0xF3, 0x0F, 0x7F, 0x64, 0x24, 0x40, 0xF3, 0x0F, 0x7F, 0x5C,
0x24, 0x30, 0xF3, 0x0F, 0x7F, 0x54, 0x24, 0x20, 0xF3, 0x0F, 0x7F, 0x4C, 0x24, 0x10, 0xF3, 0x0F, 0x7F, 0x04, 0x24,
0x8B, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x83, 0xC1, 0x08, 0x89, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x54, 0xFF,
0x15, 0xA3, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x04, 0xF3, 0x0F, 0x6F, 0x04, 0x24, 0xF3, 0x0F, 0x6F, 0x4C, 0x24, 0x10,
0xF3, 0x0F, 0x6F, 0x54, 0x24, 0x20, 0xF3, 0x0F, 0x6F, 0x5C, 0x24, 0x30, 0xF3, 0x0F, 0x6F, 0x64, 0x24, 0x40, 0xF3,
0x0F, 0x6F, 0x6C, 0x24, 0x50, 0xF3, 0x0F, 0x6F, 0x74, 0x24, 0x60, 0xF3, 0x0F, 0x6F, 0x7C, 0x24, 0x70, 0x81, 0xC4,
0x80, 0x00, 0x00, 0x00, 0x9D, 0x5F, 0x5E, 0x5A, 0x59, 0x5B, 0x58, 0x5D, 0x8D, 0x64, 0x24, 0x04, 0x5C, 0xC3, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
#endif
std::expected<MidHook, MidHook::Error> MidHook::create(void* target, MidHookFn destination) {
return create(Allocator::global(), target, destination);
}
std::expected<MidHook, MidHook::Error> MidHook::create(
const std::shared_ptr<Allocator>& allocator, void* target, MidHookFn destination) {
MidHook hook{};
if (const auto setup_result = hook.setup(allocator, reinterpret_cast<uint8_t*>(target), destination);
!setup_result) {
return std::unexpected{setup_result.error()};
}
return hook;
}
MidHook::MidHook(MidHook&& other) noexcept {
*this = std::move(other);
}
MidHook& MidHook::operator=(MidHook&& other) noexcept {
if (this != &other) {
m_hook = std::move(other.m_hook);
m_target = other.m_target;
m_stub = std::move(other.m_stub);
m_destination = other.m_destination;
other.m_target = 0;
other.m_destination = nullptr;
}
return *this;
}
void MidHook::reset() {
*this = {};
}
std::expected<void, MidHook::Error> MidHook::setup(
const std::shared_ptr<Allocator>& allocator, uint8_t* target, MidHookFn destination_fn) {
m_target = target;
m_destination = destination_fn;
auto stub_allocation = allocator->allocate(asm_data.size());
if (!stub_allocation) {
return std::unexpected{Error::bad_allocation(stub_allocation.error())};
}
m_stub = std::move(*stub_allocation);
std::copy(asm_data.begin(), asm_data.end(), m_stub.data());
#if SAFETYHOOK_ARCH_X86_64
store(m_stub.data() + sizeof(asm_data) - 16, m_destination);
#elif SAFETYHOOK_ARCH_X86_32
store(m_stub.data() + sizeof(asm_data) - 8, m_destination);
// 32-bit has some relocations we need to fix up as well.
store(m_stub.data() + 0x02, m_stub.data() + m_stub.size() - 4);
store(m_stub.data() + 0x59, m_stub.data() + m_stub.size() - 8);
#endif
auto hook_result = InlineHook::create(allocator, m_target, m_stub.data());
if (!hook_result) {
m_stub.free();
return std::unexpected{Error::bad_inline_hook(hook_result.error())};
}
m_hook = std::move(*hook_result);
#if SAFETYHOOK_ARCH_X86_64
store(m_stub.data() + sizeof(asm_data) - 8, m_hook.trampoline().data());
#elif SAFETYHOOK_ARCH_X86_32
store(m_stub.data() + sizeof(asm_data) - 4, m_hook.trampoline().data());
#endif
return {};
}
} // namespace safetyhook
//
// Source file: os.linux.cpp
//
#if SAFETYHOOK_OS_LINUX
#include <cstdio>
#include <sys/mman.h>
#include <unistd.h>
namespace safetyhook {
std::expected<uint8_t*, OsError> vm_allocate(uint8_t* address, size_t size, VmAccess access) {
int prot = 0;
int flags = MAP_PRIVATE | MAP_ANONYMOUS;
if (access == VM_ACCESS_R) {
prot = PROT_READ;
} else if (access == VM_ACCESS_RW) {
prot = PROT_READ | PROT_WRITE;
} else if (access == VM_ACCESS_RX) {
prot = PROT_READ | PROT_EXEC;
} else if (access == VM_ACCESS_RWX) {
prot = PROT_READ | PROT_WRITE | PROT_EXEC;
} else {
return std::unexpected{OsError::FAILED_TO_ALLOCATE};
}
auto* result = mmap(address, size, prot, flags, -1, 0);
if (result == MAP_FAILED) {
return std::unexpected{OsError::FAILED_TO_ALLOCATE};
}
return static_cast<uint8_t*>(result);
}
void vm_free(uint8_t* address) {
munmap(address, 0);
}
std::expected<uint32_t, OsError> vm_protect(uint8_t* address, size_t size, VmAccess access) {
int prot = 0;
if (access == VM_ACCESS_R) {
prot = PROT_READ;
} else if (access == VM_ACCESS_RW) {
prot = PROT_READ | PROT_WRITE;
} else if (access == VM_ACCESS_RX) {
prot = PROT_READ | PROT_EXEC;
} else if (access == VM_ACCESS_RWX) {
prot = PROT_READ | PROT_WRITE | PROT_EXEC;
} else {
return std::unexpected{OsError::FAILED_TO_PROTECT};
}
return vm_protect(address, size, prot);
}
std::expected<uint32_t, OsError> vm_protect(uint8_t* address, size_t size, uint32_t protect) {
auto mbi = vm_query(address);
if (!mbi.has_value()) {
return std::unexpected{OsError::FAILED_TO_PROTECT};
}
uint32_t old_protect = 0;
if (mbi->access.read) {
old_protect |= PROT_READ;
}
if (mbi->access.write) {
old_protect |= PROT_WRITE;
}
if (mbi->access.execute) {
old_protect |= PROT_EXEC;
}
auto* addr = align_down(address, static_cast<size_t>(sysconf(_SC_PAGESIZE)));
if (mprotect(addr, size, static_cast<int>(protect)) == -1) {
return std::unexpected{OsError::FAILED_TO_PROTECT};
}
return old_protect;
}
std::expected<VmBasicInfo, OsError> vm_query(uint8_t* address) {
auto* maps = fopen("/proc/self/maps", "r");
if (maps == nullptr) {
return std::unexpected{OsError::FAILED_TO_QUERY};
}
char line[512];
unsigned long start;
unsigned long end;
char perms[5];
unsigned long offset;
int dev_major;
int dev_minor;
unsigned long inode;
char path[256];
unsigned long last_end =
reinterpret_cast<unsigned long>(system_info().min_address); // Track the end address of the last mapping.
auto addr = reinterpret_cast<unsigned long>(address);
std::optional<VmBasicInfo> info = std::nullopt;
while (fgets(line, sizeof(line), maps) != nullptr) {
path[0] = '\0';
sscanf(line, "%lx-%lx %4s %lx %x:%x %lu %255[^\n]", &start, &end, perms, &offset, &dev_major, &dev_minor,
&inode, path);
if (last_end < start && addr >= last_end && addr < start) {
info = {
.address = reinterpret_cast<uint8_t*>(last_end),
.size = start - last_end,
.access = VmAccess{},
.is_free = true,
};
break;
}
last_end = end;
if (addr >= start && addr < end) {
info = {
.address = reinterpret_cast<uint8_t*>(start),
.size = end - start,
.access = VmAccess{},
.is_free = false,
};
if (perms[0] == 'r') {
info->access.read = true;
}
if (perms[1] == 'w') {
info->access.write = true;
}
if (perms[2] == 'x') {
info->access.execute = true;
}
break;
}
}
fclose(maps);
if (!info.has_value()) {
return std::unexpected{OsError::FAILED_TO_QUERY};
}
return info.value();
}
bool vm_is_readable(uint8_t* address, [[maybe_unused]] size_t size) {
return vm_query(address).value_or(VmBasicInfo{}).access.read;
}
bool vm_is_writable(uint8_t* address, [[maybe_unused]] size_t size) {
return vm_query(address).value_or(VmBasicInfo{}).access.write;
}
bool vm_is_executable(uint8_t* address) {
return vm_query(address).value_or(VmBasicInfo{}).access.execute;
}
SystemInfo system_info() {
auto page_size = static_cast<uint32_t>(sysconf(_SC_PAGESIZE));
return {
.page_size = page_size,
.allocation_granularity = page_size,
.min_address = reinterpret_cast<uint8_t*>(0x10000),
.max_address = reinterpret_cast<uint8_t*>(1ull << 47),
};
}
void execute_while_frozen(const std::function<void()>& run_fn,
[[maybe_unused]] const std::function<void(ThreadId, ThreadHandle, ThreadContext)>& visit_fn) {
run_fn();
}
void fix_ip([[maybe_unused]] ThreadContext ctx, [[maybe_unused]] uint8_t* old_ip, [[maybe_unused]] uint8_t* new_ip) {
}
} // namespace safetyhook
#endif
//
// Source file: os.windows.cpp
//
#if SAFETYHOOK_OS_WINDOWS
#define NOMINMAX
#if __has_include(<Windows.h>)
#include <Windows.h>
#elif __has_include(<windows.h>)
#include <windows.h>
#else
#error "Windows.h not found"
#endif
#include <winternl.h>
#pragma comment(lib, "ntdll")
extern "C" {
NTSTATUS
NTAPI
NtGetNextThread(HANDLE ProcessHandle, HANDLE ThreadHandle, ACCESS_MASK DesiredAccess, ULONG HandleAttributes,
ULONG Flags, PHANDLE NewThreadHandle);
}
namespace safetyhook {
std::expected<uint8_t*, OsError> vm_allocate(uint8_t* address, size_t size, VmAccess access) {
DWORD protect = 0;
if (access == VM_ACCESS_R) {
protect = PAGE_READONLY;
} else if (access == VM_ACCESS_RW) {
protect = PAGE_READWRITE;
} else if (access == VM_ACCESS_RX) {
protect = PAGE_EXECUTE_READ;
} else if (access == VM_ACCESS_RWX) {
protect = PAGE_EXECUTE_READWRITE;
} else {
return std::unexpected{OsError::FAILED_TO_ALLOCATE};
}
auto* result = VirtualAlloc(address, size, MEM_COMMIT | MEM_RESERVE, protect);
if (result == nullptr) {
return std::unexpected{OsError::FAILED_TO_ALLOCATE};
}
return static_cast<uint8_t*>(result);
}
void vm_free(uint8_t* address) {
VirtualFree(address, 0, MEM_RELEASE);
}
std::expected<uint32_t, OsError> vm_protect(uint8_t* address, size_t size, VmAccess access) {
DWORD protect = 0;
if (access == VM_ACCESS_R) {
protect = PAGE_READONLY;
} else if (access == VM_ACCESS_RW) {
protect = PAGE_READWRITE;
} else if (access == VM_ACCESS_RX) {
protect = PAGE_EXECUTE_READ;
} else if (access == VM_ACCESS_RWX) {
protect = PAGE_EXECUTE_READWRITE;
} else {
return std::unexpected{OsError::FAILED_TO_PROTECT};
}
return vm_protect(address, size, protect);
}
std::expected<uint32_t, OsError> vm_protect(uint8_t* address, size_t size, uint32_t protect) {
DWORD old_protect = 0;
if (VirtualProtect(address, size, protect, &old_protect) == FALSE) {
return std::unexpected{OsError::FAILED_TO_PROTECT};
}
return old_protect;
}
std::expected<VmBasicInfo, OsError> vm_query(uint8_t* address) {
MEMORY_BASIC_INFORMATION mbi{};
auto result = VirtualQuery(address, &mbi, sizeof(mbi));
if (result == 0) {
return std::unexpected{OsError::FAILED_TO_QUERY};
}
VmAccess access{
.read = (mbi.Protect & (PAGE_READONLY | PAGE_READWRITE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE)) != 0,
.write = (mbi.Protect & (PAGE_READWRITE | PAGE_EXECUTE_READWRITE)) != 0,
.execute = (mbi.Protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE)) != 0,
};
return VmBasicInfo{
.address = static_cast<uint8_t*>(mbi.AllocationBase),
.size = mbi.RegionSize,
.access = access,
.is_free = mbi.State == MEM_FREE,
};
}
bool vm_is_readable(uint8_t* address, size_t size) {
return IsBadReadPtr(address, size) == FALSE;
}
bool vm_is_writable(uint8_t* address, size_t size) {
return IsBadWritePtr(address, size) == FALSE;
}
bool vm_is_executable(uint8_t* address) {
LPVOID image_base_ptr;
if (RtlPcToFileHeader(address, &image_base_ptr) == nullptr) {
return vm_query(address).value_or(VmBasicInfo{}).access.execute;
}
// Just check if the section is executable.
const auto* image_base = reinterpret_cast<uint8_t*>(image_base_ptr);
const auto* dos_hdr = reinterpret_cast<const IMAGE_DOS_HEADER*>(image_base);
if (dos_hdr->e_magic != IMAGE_DOS_SIGNATURE) {
return vm_query(address).value_or(VmBasicInfo{}).access.execute;
}
const auto* nt_hdr = reinterpret_cast<const IMAGE_NT_HEADERS*>(image_base + dos_hdr->e_lfanew);
if (nt_hdr->Signature != IMAGE_NT_SIGNATURE) {
return vm_query(address).value_or(VmBasicInfo{}).access.execute;
}
const auto* section = IMAGE_FIRST_SECTION(nt_hdr);
for (auto i = 0; i < nt_hdr->FileHeader.NumberOfSections; ++i, ++section) {
if (address >= image_base + section->VirtualAddress &&
address < image_base + section->VirtualAddress + section->Misc.VirtualSize) {
return (section->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
}
}
return vm_query(address).value_or(VmBasicInfo{}).access.execute;
}
SystemInfo system_info() {
SystemInfo info{};
SYSTEM_INFO si{};
GetSystemInfo(&si);
info.page_size = si.dwPageSize;
info.allocation_granularity = si.dwAllocationGranularity;
info.min_address = static_cast<uint8_t*>(si.lpMinimumApplicationAddress);
info.max_address = static_cast<uint8_t*>(si.lpMaximumApplicationAddress);
return info;
}
void execute_while_frozen(
const std::function<void()>& run_fn, const std::function<void(ThreadId, ThreadHandle, ThreadContext)>& visit_fn) {
// Freeze all threads.
int num_threads_frozen;
auto first_run = true;
do {
num_threads_frozen = 0;
HANDLE thread{};
while (true) {
HANDLE next_thread{};
const auto status = NtGetNextThread(GetCurrentProcess(), thread,
THREAD_QUERY_LIMITED_INFORMATION | THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, 0,
0, &next_thread);
if (thread != nullptr) {
CloseHandle(thread);
}
if (!NT_SUCCESS(status)) {
break;
}
thread = next_thread;
const auto thread_id = GetThreadId(thread);
if (thread_id == 0 || thread_id == GetCurrentThreadId()) {
continue;
}
const auto suspend_count = SuspendThread(thread);
if (suspend_count == static_cast<DWORD>(-1)) {
continue;
}
// Check if the thread was already frozen. Only resume if the thread was already frozen, and it wasn't the
// first run of this freeze loop to account for threads that may have already been frozen for other reasons.
if (suspend_count != 0 && !first_run) {
ResumeThread(thread);
continue;
}
CONTEXT thread_ctx{};
thread_ctx.ContextFlags = CONTEXT_FULL;
if (GetThreadContext(thread, &thread_ctx) == FALSE) {
continue;
}
if (visit_fn) {
visit_fn(static_cast<ThreadId>(thread_id), static_cast<ThreadHandle>(thread),
static_cast<ThreadContext>(&thread_ctx));
}
SetThreadContext(thread, &thread_ctx);
++num_threads_frozen;
}
first_run = false;
} while (num_threads_frozen != 0);
// Run the function.
if (run_fn) {
run_fn();
}
// Resume all threads.
HANDLE thread{};
while (true) {
HANDLE next_thread{};
const auto status = NtGetNextThread(GetCurrentProcess(), thread,
THREAD_QUERY_LIMITED_INFORMATION | THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, 0, 0,
&next_thread);
if (thread != nullptr) {
CloseHandle(thread);
}
if (!NT_SUCCESS(status)) {
break;
}
thread = next_thread;
const auto thread_id = GetThreadId(thread);
if (thread_id == 0 || thread_id == GetCurrentThreadId()) {
continue;
}
ResumeThread(thread);
}
}
void fix_ip(ThreadContext thread_ctx, uint8_t* old_ip, uint8_t* new_ip) {
auto* ctx = reinterpret_cast<CONTEXT*>(thread_ctx);
#if SAFETYHOOK_ARCH_X86_64
auto ip = ctx->Rip;
#elif SAFETYHOOK_ARCH_X86_32
auto ip = ctx->Eip;
#endif
if (ip == reinterpret_cast<uintptr_t>(old_ip)) {
ip = reinterpret_cast<uintptr_t>(new_ip);
}
#if SAFETYHOOK_ARCH_X86_64
ctx->Rip = ip;
#elif SAFETYHOOK_ARCH_X86_32
ctx->Eip = ip;
#endif
}
} // namespace safetyhook
#endif
//
// Source file: utility.cpp
//
namespace safetyhook {
bool is_executable(uint8_t* address) {
return vm_is_executable(address);
}
UnprotectMemory::~UnprotectMemory() {
if (m_address != nullptr) {
vm_protect(m_address, m_size, m_original_protection);
}
}
UnprotectMemory::UnprotectMemory(UnprotectMemory&& other) noexcept {
*this = std::move(other);
}
UnprotectMemory& UnprotectMemory::operator=(UnprotectMemory&& other) noexcept {
if (this != &other) {
m_address = other.m_address;
m_size = other.m_size;
m_original_protection = other.m_original_protection;
other.m_address = nullptr;
other.m_size = 0;
other.m_original_protection = 0;
}
return *this;
}
std::optional<UnprotectMemory> unprotect(uint8_t* address, size_t size) {
auto old_protection = vm_protect(address, size, VM_ACCESS_RWX);
if (!old_protection) {
return std::nullopt;
}
return UnprotectMemory{address, size, old_protection.value()};
}
} // namespace safetyhook
//
// Source file: vmt_hook.cpp
//
namespace safetyhook {
VmHook::VmHook(VmHook&& other) noexcept {
*this = std::move(other);
}
VmHook& VmHook::operator=(VmHook&& other) noexcept {
destroy();
m_original_vm = other.m_original_vm;
m_new_vm = other.m_new_vm;
m_vmt_entry = other.m_vmt_entry;
m_new_vmt_allocation = std::move(other.m_new_vmt_allocation);
other.m_original_vm = nullptr;
other.m_new_vm = nullptr;
other.m_vmt_entry = nullptr;
return *this;
}
VmHook::~VmHook() {
destroy();
}
void VmHook::reset() {
*this = {};
}
void VmHook::destroy() {
if (m_original_vm != nullptr) {
*m_vmt_entry = m_original_vm;
m_original_vm = nullptr;
m_new_vm = nullptr;
m_vmt_entry = nullptr;
m_new_vmt_allocation.reset();
}
}
std::expected<VmtHook, VmtHook::Error> VmtHook::create(void* object) {
VmtHook hook{};
const auto original_vmt = *reinterpret_cast<uint8_t***>(object);
hook.m_objects.emplace(object, original_vmt);
// Count the number of virtual method pointers. We start at one to account for the RTTI pointer.
auto num_vmt_entries = 1;
for (auto vm = original_vmt; is_executable(*vm); ++vm) {
++num_vmt_entries;
}
// Allocate memory for the new VMT.
auto allocation = Allocator::global()->allocate(num_vmt_entries * sizeof(uint8_t*));
if (!allocation) {
return std::unexpected{Error::bad_allocation(allocation.error())};
}
hook.m_new_vmt_allocation = std::make_shared<Allocation>(std::move(*allocation));
hook.m_new_vmt = reinterpret_cast<uint8_t**>(hook.m_new_vmt_allocation->data());
// Copy pointer to RTTI.
hook.m_new_vmt[0] = original_vmt[-1];
// Copy virtual method pointers.
for (auto i = 0; i < num_vmt_entries - 1; ++i) {
hook.m_new_vmt[i + 1] = original_vmt[i];
}
*reinterpret_cast<uint8_t***>(object) = &hook.m_new_vmt[1];
return hook;
}
VmtHook::VmtHook(VmtHook&& other) noexcept {
*this = std::move(other);
}
VmtHook& VmtHook::operator=(VmtHook&& other) noexcept {
destroy();
m_objects = std::move(other.m_objects);
m_new_vmt_allocation = std::move(other.m_new_vmt_allocation);
m_new_vmt = other.m_new_vmt;
other.m_new_vmt = nullptr;
return *this;
}
VmtHook::~VmtHook() {
destroy();
}
void VmtHook::apply(void* object) {
m_objects.emplace(object, *reinterpret_cast<uint8_t***>(object));
*reinterpret_cast<uint8_t***>(object) = &m_new_vmt[1];
}
void VmtHook::remove(void* object) {
const auto search = m_objects.find(object);
if (search == m_objects.end()) {
return;
}
const auto original_vmt = search->second;
execute_while_frozen([&] {
if (!vm_is_writable(reinterpret_cast<uint8_t*>(object), sizeof(void*))) {
return;
}
if (*reinterpret_cast<uint8_t***>(object) != &m_new_vmt[1]) {
return;
}
*reinterpret_cast<uint8_t***>(object) = original_vmt;
});
m_objects.erase(search);
}
void VmtHook::reset() {
*this = {};
}
void VmtHook::destroy() {
execute_while_frozen([this] {
for (const auto [object, original_vmt] : m_objects) {
if (!vm_is_writable(reinterpret_cast<uint8_t*>(object), sizeof(void*))) {
return;
}
if (*reinterpret_cast<uint8_t***>(object) != &m_new_vmt[1]) {
return;
}
*reinterpret_cast<uint8_t***>(object) = original_vmt;
}
});
m_objects.clear();
m_new_vmt_allocation.reset();
m_new_vmt = nullptr;
}
} // namespace safetyhook
Reference in New Issue View Git Blame Copy Permalink