#include "PFishHook.h"
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <Zydis/Zydis.h>
// Forward declaration so the hand-written stubs below can name `main` as a
// call target. The stubs are only disassembled and patched by main (see
// runtest there); main never executes them, so the `call main` never runs.
int main();
// testfunc: the very first instruction is a conditional jump whose target
// lies a few bytes further inside the same stub. Presumably this exercises
// how HookIt relocates a prologue whose branch target sits in the bytes the
// hook overwrites — confirm against PFishHook.
asm("testfunc:\n\
ja gofurther2\n\
gofurther:\n\
call main\n\
gofurther2:\n\
call main\n\
");
extern "C" void testfunc();
// Filled in by HookIt (passed as `old` in runtest): the "shadow" entry that
// continues the original testfunc after the hook is installed.
void(*poldfunc)();
// Replacement body installed on testfunc: does nothing itself and forwards
// straight to the original through the pointer HookIt fills in (poldfunc).
void test_replace()
{
	poldfunc();
}
// testfunc2: a conditional jump, a rip-relative memory operand (`0x10(%rip)`)
// and two further short jumps in the first bytes. A rip-relative displacement
// is relative to the instruction's own address, so it changes meaning once the
// bytes are copied elsewhere; the hook presumably has to rewrite it — confirm
// against PFishHook.
asm(R"(testfunc2:
jne gofurther3
cmpl $0x0,0x10(%rip)
ja gofurther4
ja gofurther5
gofurther3:
call main
gofurther4:
call main
gofurther5:
call main
)");
extern "C" void testfunc2();
extern "C" void testfunc_lea();
// testfunc_lea: rip-relative lea with a 32-bit and a 64-bit destination
// register (same relocation concern as the rip-relative operand above).
asm(R"(testfunc_lea:
lea 0x123450(%rip),%ecx
lea 0x123450(%rip),%rcx
ret
)");
extern "C" void testfunc_call();
// testfunc_call: the stub starts with a direct jmp followed by a direct call,
// i.e. control-transfer instructions right where the hook's jump is written.
asm(R"(testfunc_call:
jmp main
call main
ret
)");
// Each pointer receives the "shadow" entry HookIt hands back for one hook
// (see runtest in main). poldfunc5..7 belong to the three hooks stacked on
// test_dummy.
void(*poldfunc2)();
void(*poldfunc3)();
void(*poldfunc4)();
void(*poldfunc5)();
void(*poldfunc6)();
void(*poldfunc7)();
// Target for the duplicate-hook test: a plain function whose only job is to
// announce that the original body was reached.
void test_dummy()
{
	fputs("DUMMY: orig func\n", stdout);
}
// First replacement stacked on test_dummy: prints its marker, then continues
// through the shadow entry HookIt stored in poldfunc5.
void test_replace_d()
{
	fputs("shadow 1\n", stdout);
	poldfunc5();
}
// Second replacement stacked on test_dummy: prints its marker, then continues
// through the shadow entry HookIt stored in poldfunc6.
void test_replace_d2()
{
	fputs("shadow 2\n", stdout);
	poldfunc6();
}
// Third replacement stacked on test_dummy: prints its marker, then continues
// through the shadow entry HookIt stored in poldfunc7.
void test_replace_d3()
{
	fputs("shadow 3\n", stdout);
	poldfunc7();
}
// Shared replacement for testfunc2, testfunc_lea and testfunc_call: forwards
// to whichever original is reachable through poldfunc2. (Only the testfunc2
// hook actually stores its shadow entry there; see runtest in main.)
void test_replace2()
{
	poldfunc2();
}
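/// Hook test driver: disassembles each hand-written stub, installs a hook on
/// it with HookIt, then dumps the patched code and the "shadow" entry so the
/// relocation of awkward prologues (short jumps, rip-relative operands, a
/// leading jmp/call) can be inspected by eye.
///
/// @return 0 unconditionally; a failed hook is only reported through the
///         "Hook status" line, so read the output rather than the exit code.
int main()
{
	// A mis-relocated hook can fault the process mid-run; unbuffered stdout
	// keeps every diagnostic printed before the crash visible.
	setvbuf(stdout, nullptr, _IONBF, 0);

	ZydisFormatter formatter;
	ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
	//ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_ADDR_FORMAT, ZYDIS_ADDR_FORMAT_RELATIVE_SIGNED);
	ZydisDecoder decoder;
	ZydisDecoderInit(
		&decoder,
		ZYDIS_MACHINE_MODE_LONG_64,
		ZYDIS_ADDRESS_WIDTH_64);
	using functype = void (*)();

	// Print at most `count` instructions starting at the code of `f`, then a
	// separator line. The decoder is always handed a fixed 128-byte window,
	// which is not the function's real size: it can extend past the end of
	// the code being dumped, so callers keep `count` small (5..10 below).
	auto disas = [&](functype f, int count)
	{
		uint8_t* cursor = reinterpret_cast<uint8_t*>(f);
		ZydisDecodedInstruction instruction;
		for (int left = count; left > 0; --left)
		{
			if (!ZYDIS_SUCCESS(ZydisDecoderDecodeBuffer(
					&decoder, cursor, 128, reinterpret_cast<uint64_t>(cursor), &instruction)))
				break;
			char text[256];
			ZydisFormatterFormatInstruction(
				&formatter, &instruction, text, sizeof(text));
			// Print the address as uintptr_t: %p expects a void* and (on glibc)
			// already emits its own "0x", which doubled the prefix before.
			printf("0x%" PRIxPTR ": %s\n", reinterpret_cast<uintptr_t>(cursor), text);
			cursor += instruction.length;
		}
		printf("==============================\n");
	};

	// Dump `target`, hook it so that calls land in `newfunc`, and dump both
	// the patched target and the shadow entry HookIt stores in `*old`.
	// `*old` is only dereferenced once HookIt reports FHSuccess; on any other
	// status it may be unset.
	auto runtest = [&](const char* name, functype target, functype* old, functype newfunc)
	{
		printf("==============================\n%s\n==============================\nBefore Hook:\n", name);
		disas(target, 5);
		const auto ret = HookIt(reinterpret_cast<void*>(target),
		                        reinterpret_cast<void**>(old),
		                        reinterpret_cast<void*>(newfunc));
		printf("Hook status=%d\n", static_cast<int>(ret));
		if (ret != FHSuccess)
			return;
		printf("After Hook:\n");
		disas(target, 7);
		printf("\nShadow Func:\n");
		disas(*old, 10);
	};

	// Function addresses are passed as void* so %p receives the type it expects.
	printf("main=%p\ntest_replace=%p\ntest_replace2=%p\n",
		reinterpret_cast<void*>(main),
		reinterpret_cast<void*>(test_replace),
		reinterpret_cast<void*>(test_replace2));
	runtest("testfunc", testfunc, &poldfunc, test_replace);
	runtest("testfunc2", testfunc2, &poldfunc2, test_replace2);
	runtest("testfunc_lea", testfunc_lea, &poldfunc3, test_replace2);
	runtest("testfunc_call", testfunc_call, &poldfunc4, test_replace2);

	// Duplicate hooks: the same target is hooked three times, so each later
	// hook sees the previous hook's jump as the target's prologue. The final
	// call is expected to pass through the three shadows before reaching the
	// original body; the exact order depends on how HookIt chains the shadow
	// entries — verify against the printed markers.
	runtest("testfunc_dup", test_dummy, &poldfunc5, test_replace_d);
	runtest("testfunc_dup2", test_dummy, &poldfunc6, test_replace_d2);
	runtest("testfunc_dup3", test_dummy, &poldfunc7, test_replace_d3);
	test_dummy();
	return 0;
}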