
View Full Version : placing a "hotpatch" where it doesnt belong..


BanMe
July 22nd, 2009, 23:17
I had to work this one out myself.

It's nothing too special, except that it's more versatile than saks654's function: it allows hotpatches on non-`mov edi,edi` functions, and it also provides a method for nopping those pesky leftovers.

I hope you enjoy it




// Native_HotPatchAddrEx
//
// Installs an in-place hook on a function entry whose NOP padding lies *below*
// the entry (see the note under the listing): the first two bytes of oldProc
// are overwritten with `Code` (a 2-byte short jmp supplied by the caller), and
// a 5-byte `E9 rel32` long jmp to newProc is written at
// oldProc + (high byte of Code).  Calls NtProtectVirtualMemory directly
// rather than VirtualProtect.  x86 (32-bit) only: MSVC __asm blocks and
// ULONG-sized pointers.
//
// Parameters
//   oldProc   address of the function entry to patch
//   newProc   address of the hook that the long jmp transfers control to
//   Code      the 2-byte opcode written at oldProc; its HIGH byte (the byte at
//             &Code + 1 on little-endian x86) is zero-extended and added to
//             oldProc to find where the long jmp is written.  Because of the
//             zero-extension a negative rel8 (a backward jump) is treated as a
//             large positive offset, so only forward offsets work here.
//   NumOfNop  number of bytes written at oldProc + 2 when the entry is not
//             `mov edi,edi` (see the rep movsb block below)
//   ppOrigFn  out-param; receives oldProc itself, i.e. the PATCHED entry, not
//             a trampoline to the original code
//
// Returns true only when ppOrigFn is non-NULL (bRet is set in that branch
// only); with ppOrigFn == NULL the patch is still applied but false is
// returned.  Returns false early if either NtProtectVirtualMemory call fails
// or if the high byte of Code is zero.
//
// Review notes (defects visible in the listing; confirm before reuse):
//   * The NOP fill uses `rep movsb` with esi pointing at the single local byte
//     `Nop`; esi advances every iteration, so only the first written byte is
//     0x90 and the rest come from whatever follows `Nop` in the stack frame.
//     `rep stosb` with al = 0x90 is the fill the comment implies.
//   * The rel32 stored after the E9 is newProc - oldProc, but an E9 rel32 is
//     relative to the byte after the 5-byte instruction (pLongJump + 5).
//   * `push ecx` in the first __asm block is matched by `pop ecx` in the
//     second, across the C call to NtProtectVirtualMemory in between; this
//     only works if the compiler keeps esp exactly where the asm left it.
//   * The PAGE_EXECUTE_READWRITE protection is never restored (the restore at
//     the end is commented out), so the patched page stays writable+executable
//     -- an observable artifact for any integrity check that looks for RWX
//     code pages.
//   * The bytes overwritten at oldProc (and at oldProc + 2 when NOPs are
//     written) are not saved anywhere, so the original function cannot be
//     reached through ppOrigFn once it is patched.
bool Native_HotPatchAddrEx(ULONG oldProc, ULONG newProc,WORD Code,ULONG NumOfNop, void**ppOrigFn)
{
bool bRet = false;
ULONG oldProtect = NULL;                  // previous protection; never restored (see notes above)
ULONG pLongJump = 0;                      // address where the E9 opcode goes
ULONG pLongJumpAdr = 0;                   // pLongJump + 1: where the rel32 goes
ULONG ProtectSize = 2;                    // first protect covers the 2 bytes replaced by Code
ULONG ProtectAddr = oldProc;
BYTE Nop = 0x90;                          // single NOP byte used as the source of the fill below
// Make the 2-byte entry writable.  NtProtectVirtualMemory updates ProtectAddr/ProtectSize in place.
if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&ProtectAddr, &ProtectSize, PAGE_EXECUTE_READWRITE, &oldProtect)))
{
return bRet;
}
WORD *pJumpBack = (WORD*)oldProc;         // the two bytes at the entry that Code will replace
__asm
{
lea ecx,Code                              // ecx = &Code
inc ecx                                   // ecx = &Code + 1 -> high byte (little-endian): the rel8 of the short jmp
mov al,byte ptr[ecx];
movzx ecx,al                              // zero-extend: a negative rel8 becomes a large forward offset
cmp ecx,0
je Failed                                 // offset 0 -> nothing to patch; leaves before the push, so the stack stays balanced
push ecx                                  // keep the offset across the C call below (matched by pop ecx in the next __asm block)
add oldProc,ecx                           // oldProc = entry + offset: where the long jmp will be written
push oldProc
pop ProtectAddr                           // ProtectAddr = entry + offset
mov ProtectSize,5                         // the E9 rel32 is 5 bytes
}
// Make the 5 bytes at the long-jmp site writable.
if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&ProtectAddr,&ProtectSize,PAGE_EXECUTE_READWRITE,&oldProtect)))
{
return bRet;                              // NOTE(review): the pushed ecx is not popped on this path; relies on the epilogue discarding it
}
__asm
{
pop ecx                                   // ecx = offset again
push oldProc
pop pLongJump                             // pLongJump = entry + offset (E9 goes here)
inc oldProc
push oldProc
pop pLongJumpAdr                          // pLongJumpAdr = entry + offset + 1 (rel32 goes here)
dec oldProc
sub oldProc,ecx                           // oldProc = original entry again
}
// `mov edi,edi` is 8B FF, read little-endian as the WORD 0xFF8B.  Entries that do not start with it
// get NumOfNop bytes written at oldProc + 2 -- presumably to cover the tail of a longer first
// instruction that the 2-byte Code cuts through.
if(*pJumpBack != 0xFF8B)
{
__asm
{
add oldProc,2
mov edi,oldProc                           // edi = entry + 2 (destination)
lea esi,Nop                               // esi = &Nop; BUG: rep movsb advances esi, so only byte 0 of the fill is 0x90
mov ecx,NumOfNop
rep movsb                                 // copies NumOfNop bytes starting at &Nop; `rep stosb` with al = 0x90 would fill
sub oldProc,2                             // oldProc = original entry again
}
}
*(BYTE*)pLongJump = 0xE9; // long jmp
*(ULONG*)pLongJumpAdr = ((ULONG)newProc)-((DWORD)oldProc); // NOTE(review): an E9 rel32 is relative to pLongJump + 5, not to oldProc -- verify
*pJumpBack = Code; // short jump back -7 (back 5, plus two for this jump)  [original comment; the offset logic above only handles a forward rel8]
if (ppOrigFn)
{
*ppOrigFn = ((BYTE*)oldProc);             // the patched entry itself (now starts with Code), not a trampoline
bRet = true;                              // only success path: a NULL ppOrigFn returns false even though the patch was applied
}
//if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),(PVOID*)&pLongJump, &ProtectSize, oldProtect, &oldProtect)))
//{
// return bRet;
//}
// Page protection is left at PAGE_EXECUTE_READWRITE (the restore above is commented out).
Failed:                                   // target of the `je Failed` in the first __asm block
return bRet;
}

This code is specialized to deal with the intricacies of hot patching a function whose nop padding is located only below the function — unlike the last one, which patched the nop padding above a function. Please take this into account when using it, if you can. ;P

regards BanMe