├── .gitattributes ├── .gitignore ├── .vs └── MyIntercept │ └── v16 │ └── Browse.VC.db ├── MyIntercept.sln ├── MyIntercept ├── MyIntercept.cpp ├── MyIntercept.vcxproj ├── MyIntercept.vcxproj.filters ├── OllyDBG │ ├── MyIntercept.udd │ ├── help.pdf │ ├── ollydbg.exe │ └── ollydbg.ini ├── OpCode.h ├── OsSpecific.h └── WaitChar.h └── ReadMe.md /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | 11 | [Dd]ebug/ 12 | [Rr]elease/ 13 | x64/ 14 | build/ 15 | [Bb]in/ 16 | [Oo]bj/ 17 | 18 | # Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets 19 | !packages/*/build/ 20 | 21 | # MSTest test Results 22 | [Tt]est[Rr]esult*/ 23 | [Bb]uild[Ll]og.* 24 | 25 | *_i.c 26 | *_p.c 27 | *.ilk 28 | *.meta 29 | *.obj 30 | *.pch 31 | *.pdb 32 | *.pgc 33 | *.pgd 34 | *.rsp 35 | *.sbr 36 | *.tlb 37 | *.tli 38 | *.tlh 39 | *.tmp 40 | *.tmp_proj 41 | *.log 42 | *.vspscc 43 | *.vssscc 44 | .builds 45 | *.pidb 46 | *.log 47 | *.scc 48 | 49 | # Visual C++ cache files 50 | ipch/ 51 | *.aps 52 | *.ncb 53 | *.opensdf 54 | *.sdf 55 | *.cachefile 56 | 57 | # Visual Studio profiler 58 | *.psess 59 | *.vsp 60 | *.vspx 61 | 62 | # Guidance Automation Toolkit 63 | *.gpState 64 | 65 | # ReSharper is a .NET coding add-in 66 | _ReSharper*/ 67 | *.[Rr]e[Ss]harper 68 | 69 | # TeamCity is a build add-in 70 | _TeamCity* 71 | 72 | # DotCover is a Code Coverage Tool 73 | *.dotCover 74 | 75 | # NCrunch 76 | *.ncrunch* 77 | .*crunch*.local.xml 78 | 79 | # Installshield output folder 80 | [Ee]xpress/ 81 | 82 | # DocProject is a documentation generator add-in 83 | DocProject/buildhelp/ 84 | DocProject/Help/*.HxT 85 | DocProject/Help/*.HxC 86 | DocProject/Help/*.hhc 87 | DocProject/Help/*.hhk 88 | DocProject/Help/*.hhp 89 | DocProject/Help/Html2 90 | DocProject/Help/html 91 | 92 | # Click-Once directory 93 | publish/ 94 | 95 | # Publish Web Output 96 | *.Publish.xml 97 | 98 | # NuGet Packages Directory 99 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line 100 | #packages/ 101 | 102 | # Windows Azure Build Output 103 | csx 104 | *.build.csdef 105 | 106 | # Windows Store app package directory 107 | AppPackages/ 108 | 109 | # Others 110 | sql/ 111 | *.Cache 112 | ClientBin/ 113 | [Ss]tyle[Cc]op.* 114 | ~$* 115 | *~ 116 | *.dbmdl 117 | 
*.[Pp]ublish.xml 118 | *.pfx 119 | *.publishsettings 120 | 121 | # RIA/Silverlight projects 122 | Generated_Code/ 123 | 124 | # Backup & report files from converting an old project file to a newer 125 | # Visual Studio version. Backup files are not needed, because we have git ;-) 126 | _UpgradeReport_Files/ 127 | Backup*/ 128 | UpgradeLog*.XML 129 | UpgradeLog*.htm 130 | 131 | # SQL Server files 132 | App_Data/*.mdf 133 | App_Data/*.ldf 134 | 135 | 136 | #LightSwitch generated files 137 | GeneratedArtifacts/ 138 | _Pvt_Extensions/ 139 | ModelManifest.xml 140 | 141 | # ========================= 142 | # Windows detritus 143 | # ========================= 144 | 145 | # Windows image file caches 146 | Thumbs.db 147 | ehthumbs.db 148 | 149 | # Folder config file 150 | Desktop.ini 151 | 152 | # Recycle Bin used on file shares 153 | $RECYCLE.BIN/ 154 | 155 | # Mac desktop service store files 156 | .DS_Store 157 | -------------------------------------------------------------------------------- /.vs/MyIntercept/v16/Browse.VC.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ststeiger/FunctionInterception/39a670b949fdaf5b253c858568cc28df09610076/.vs/MyIntercept/v16/Browse.VC.db -------------------------------------------------------------------------------- /MyIntercept.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.21005.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyIntercept", "MyIntercept\MyIntercept.vcxproj", "{B7B02711-CA43-424E-B8F5-D00E8B9B81CB}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Release|Win32 = Release|Win32 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = 
postSolution 14 | {B7B02711-CA43-424E-B8F5-D00E8B9B81CB}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {B7B02711-CA43-424E-B8F5-D00E8B9B81CB}.Debug|Win32.Build.0 = Debug|Win32 16 | {B7B02711-CA43-424E-B8F5-D00E8B9B81CB}.Release|Win32.ActiveCfg = Release|Win32 17 | {B7B02711-CA43-424E-B8F5-D00E8B9B81CB}.Release|Win32.Build.0 = Release|Win32 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /MyIntercept/MyIntercept.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | 5 | #include "OpCode.h" 6 | #include "OsSpecific.h" 7 | #include "WaitChar.h" 8 | 9 | // http://stackoverflow.com/questions/31792663/visual-studio-2013-error-ms8020-build-tools-v140-cannot-be-found 10 | 11 | 12 | 13 | // offset[ENGINE][FUNCTION_NAME] ; 14 | // detourlength[ENGINE][FUNCTION_NAME] 15 | 16 | #define HOTPATCH(FUNCTION_NAME) \ 17 | original_##FUNCTION_NAME = TemplateFuncInterceptFunction(\ 18 | original_##FUNCTION_NAME, \ 19 | reinterpret_cast (&FUNCTION_NAME), \ 20 | reinterpret_cast (&modified_##FUNCTION_NAME), \ 21 | static_cast (FUNCTION_NAME##_COPY) \ 22 | ) 23 | 24 | #define UNPATCH(FUNCTION_NAME) \ 25 | unpatchfunc(reinterpret_cast(reinterpret_cast(&FUNCTION_NAME)), reinterpret_cast (reinterpret_cast(original_##FUNCTION_NAME)), static_cast (FUNCTION_NAME##_COPY)) 26 | 27 | 28 | 29 | #define NATURALIZE(FUNCTION_NAME) \ 30 | Naturalized_##FUNCTION_NAME = FuncConvertAddress(Naturalized_##FUNCTION_NAME, reinterpret_cast (&FUNCTION_NAME)) 31 | 32 | 33 | template 34 | DataType FuncConvertAddress(const DataType dt_FunctionPointer, unsigned long uslng_FunctionAddress) 35 | { 36 | return reinterpret_cast (uslng_FunctionAddress); 37 | } 38 | 39 | 40 | 41 | 42 | void* FuncGetPage(const unsigned long &uslngVirtualMemoryAddress) 43 | { 44 | return 
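reinterpret_cast<void*>(uslngVirtualMemoryAddress & uslngPageMask);
}


// Calls unprotect() (OsSpecific.h, not visible here) on every page touched by
// [address, address + length). The single-page calls this replaces missed the
// case where a patch or trampoline straddles a page boundary: malloc() does not
// keep its buffer inside one page, and a 5-byte JMP can start in the last bytes
// of a page.
//
// Returns the result of the last unprotect() call; what that value means is
// whatever unprotect() defines (it was only ever printed by the callers).
static int UnprotectRange(const void* address, unsigned long length)
{
    unsigned long uslngStart = reinterpret_cast<unsigned long>(address);
    unsigned long uslngEnd = uslngStart + (length > 0 ? length - 1 : 0);
    unsigned long uslngFirstPage = reinterpret_cast<unsigned long>(FuncGetPage(uslngStart));
    unsigned long uslngLastPage = reinterpret_cast<unsigned long>(FuncGetPage(uslngEnd));

    int result = 0;
    for (unsigned long uslngPage = uslngFirstPage; ; uslngPage += uslngPageSize)
    {
        result = unprotect(reinterpret_cast<void*>(uslngPage), uslngPageSize);
        if (uslngPage == uslngLastPage)
            break;
    }
    return result;
}


// Installs a JMP rel32 detour at the start of voidptr_AddressOfDetouredFunction
// that redirects every call to voidptr_AddressOfDetourFunction, and returns a
// heap "trampoline" that executes the displaced prologue bytes and then jumps
// back into the hooked function.
//
// Parameters:
//   voidptr_AddressOfDetouredFunction  the function being hooked; its first
//                                      uslng_CopyLength bytes are overwritten
//   uslng_CopyLength                   number of prologue bytes to displace. It
//                                      must be >= MIN_REQUIRED_FOR_DETOUR and end
//                                      on an instruction boundary; the caller
//                                      picks it per compiler (see the
//                                      RE_RenderScene_COPY defines below) and
//                                      nothing here can verify it
//   voidptr_AddressOfDetourFunction    the hook that receives the calls
//
// Returns: the trampoline (layout: [CopyLength bytes of original prologue]
//   [JMP rel32 to Detoured + CopyLength]). Hand it to unpatchfunc(), which
//   restores the original bytes from it and frees it. Returns NULL if the
//   trampoline could not be allocated (nothing is patched in that case).
//   Exits the process if the opcode table in OpCode.h is not configured.
//
// Fix: the previous version saved the prologue of the DETOUR function (the
// hook) instead of the DETOURED function, so the trampoline ran the hook's
// first bytes and unpatchfunc() wrote the hook's bytes back into the hooked
// function (the "BUG shows here" in main).
//
// Review notes:
//  - The trampoline lives on the heap and its page is then handed to
//    unprotect(), i.e. a writable-and-executable heap page (W^X violation).
//  - Both protection calls are unprotect(); nothing restores the hooked
//    function's previous page protection.
//  - The 5-byte patch is written with two separate stores (memset, memcpy), so
//    it is not atomic with respect to other threads executing the function.
//  - DATATYPE_ADDRESS (OpCode.h) is `long`, while E9 takes a 4-byte
//    displacement. This is only correct where long is 4 bytes (the solution
//    builds Win32 only) and hook and target lie within +/-2 GB of each other.
void* InterceptFunction(void* voidptr_AddressOfDetouredFunction, unsigned long uslng_CopyLength, void* voidptr_AddressOfDetourFunction)
{
    // Refuse to do anything before allocating if the opcode table is not set.
    if (OPCODE_NOT_DEFINED)
    {
        printf("Error: OP-Code not defined\n.");
        exit(EXIT_FAILURE);
    }

    unsigned char* trampoline = static_cast<unsigned char*>(malloc(uslng_CopyLength + MIN_REQUIRED_FOR_DETOUR));
    if (trampoline == NULL)
        return NULL;

    // Save the bytes of the ORIGINAL function that are about to be overwritten.
    memcpy(trampoline, voidptr_AddressOfDetouredFunction, uslng_CopyLength);

    // Trampoline tail: JMP rel32 to the first instruction that was not displaced.
    unsigned char* trampolineJump = trampoline + uslng_CopyLength;
    memset(trampolineJump, JMP_OPCODE, OPCODE_LENGTH);
    // rel32 is relative to the end of the JMP, i.e. trampolineJump + 5.
    DATATYPE_ADDRESS relocation = static_cast<DATATYPE_ADDRESS>(
        (reinterpret_cast<unsigned long>(voidptr_AddressOfDetouredFunction) + uslng_CopyLength)
        - (reinterpret_cast<unsigned long>(trampolineJump) + MIN_REQUIRED_FOR_DETOUR));
    memcpy(trampolineJump + OPCODE_LENGTH, &relocation, ADDRESS_LENGTH);

    // Make the trampoline executable BEFORE the hook goes live, so there is no
    // window in which a caller can reach a non-executable trampoline.
    int retTrampolineUnprotect = UnprotectRange(trampoline, uslng_CopyLength + MIN_REQUIRED_FOR_DETOUR);
    printf("Patch unprotect trampoline: %d\n", retTrampolineUnprotect);

    // Now overwrite the start of the hooked function with JMP rel32 -> hook.
    int retUnprotect = UnprotectRange(voidptr_AddressOfDetouredFunction, MIN_REQUIRED_FOR_DETOUR);
    printf("Patch unprotect: %d\n", retUnprotect);

    unsigned char* target = static_cast<unsigned char*>(voidptr_AddressOfDetouredFunction);
    memset(target, JMP_OPCODE, OPCODE_LENGTH);
    relocation = static_cast<DATATYPE_ADDRESS>(
        reinterpret_cast<unsigned long>(voidptr_AddressOfDetourFunction)
        - (reinterpret_cast<unsigned long>(target) + MIN_REQUIRED_FOR_DETOUR));
    memcpy(target + OPCODE_LENGTH, &relocation, ADDRESS_LENGTH);

    return trampoline;
}


// Restores the first uslng_DetourLength bytes of patched_function from the
// trampoline returned by InterceptFunction() and frees that trampoline.
//
// Parameters:
//   patched_function    the hooked function; its JMP is overwritten with the
//                       saved prologue bytes
//   original_function   the trampoline from InterceptFunction(); its first
//                       uslng_DetourLength bytes are the saved prologue.
//                       NULL (or a NULL patched_function) is a no-op.
//   uslng_DetourLength  must equal the uslng_CopyLength used when patching
//
// Ownership: original_function is freed here. The caller's copy of the pointer
// (e.g. original_RE_RenderScene, via the UNPATCH macro) dangles afterwards and
// must be neither called nor unpatched again.
//
// Review note: both protection calls are unprotect(); the function's page is
// not returned to its previous protection.
void unpatchfunc(void* patched_function, unsigned char* original_function, unsigned long uslng_DetourLength)
{
    // The old code dereferenced original_function before its NULL check.
    if (original_function == NULL || patched_function == NULL)
        return;

    int retUnprotect = UnprotectRange(patched_function, uslng_DetourLength);
    printf("Unpatch: unprotect: %d\n", retUnprotect);

    memcpy(patched_function, original_function, uslng_DetourLength);

    int retReprotect = UnprotectRange(patched_function, uslng_DetourLength);
    printf("Unpatch reprotect: %d\n", retReprotect);

    free(original_function);
}


// C++ is typesafe, they said...
// I say: Yes, but at which price ?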
132 | template 133 | DataType TemplateFuncInterceptFunction(DataType dt_Original_Function, unsigned long uslng_FunctionAddress, 134 | unsigned long uslng_modified_FunctionName, unsigned long uslng_DetourLength) 135 | { 136 | return reinterpret_cast 137 | (reinterpret_cast 138 | (InterceptFunction(reinterpret_cast (uslng_FunctionAddress), 139 | uslng_DetourLength, 140 | reinterpret_cast (uslng_modified_FunctionName) 141 | ) 142 | ) 143 | ); 144 | } 145 | 146 | 147 | 148 | 149 | extern "C" 150 | { 151 | 152 | 153 | 154 | //void __cdecl RE_RenderScene() 155 | void RE_RenderScene() 156 | { 157 | printf("This is the original RE_RenderScene\n"); 158 | } 159 | 160 | 161 | // void(__cdecl *original_RE_RenderScene)(); // = &RE_RenderScene; 162 | void(*original_RE_RenderScene)(); // = &RE_RenderScene; 163 | 164 | 165 | // void(__cdecl *Naturalized_RE_RenderScene)(); // = &RE_RenderScene; 166 | void(*Naturalized_RE_RenderScene)(); // = &RE_RenderScene; 167 | 168 | 169 | //void __cdecl modified_RE_RenderScene() 170 | void __cdecl modified_RE_RenderScene() 171 | { 172 | printf("Entering the modified RenderScene\n"); 173 | 174 | printf("Calling the original RenderScene in the modified RenderScene\n"); 175 | printf("Address of RE_RenderScene: %p\n", &RE_RenderScene); 176 | printf("Address of original_RE_RenderScene: %p\n", *original_RE_RenderScene); 177 | printf("Address of original_RE_RenderScene: %p\n", original_RE_RenderScene); 178 | // (*original_RE_RenderScene)(); 179 | 180 | printf("Finished calling the original RenderScene in the modified RenderScene\n"); 181 | 182 | printf("Exiting modified RenderScene\n"); 183 | } 184 | 185 | 186 | } 187 | 188 | // gdb MyIntercept.exe 189 | // info address RE_RenderScene 190 | // disas RE_RenderScene 191 | // disas 0x012E10CD 192 | 193 | 194 | //#define RE_RenderScene_COPY 9 // Visual Studio 2015 195 | #define RE_RenderScene_COPY 9 // Visual Studio 2013 196 | // #define RE_RenderScene_COPY 6 // g++ 197 | 198 | // int _tmain(int argc, 
_TCHAR* argv[]) 199 | int main(int argc, char* argv[]) 200 | { 201 | printf("Sizeof address: %d bit\n", sizeof(void*) * 8); 202 | printf("Address of %s: 0x%08p\n", "RE_RenderScene", &RE_RenderScene); 203 | printf("Address of %s: 0x%08x\n", "RE_RenderScene", &RE_RenderScene); 204 | printf("===================================================\n"); 205 | 206 | 207 | unsigned char* memoryDumpPointer = (unsigned char*)&RE_RenderScene; 208 | int i; 209 | for (i = 0; i < 100; ++i) 210 | { 211 | printf("0x%02X\n", memoryDumpPointer[i]); 212 | } 213 | 214 | 215 | if (true) 216 | { 217 | RE_RenderScene(); // Calling original version 218 | 219 | printf("\n\n====================== Naturalizing =============================\n"); 220 | NATURALIZE(RE_RenderScene); 221 | // Expands to 222 | // Naturalized_RE_RenderScene = FuncConvertAddress(Naturalized_RE_RenderScene, reinterpret_cast (&RE_RenderScene)); 223 | printf("====================== Naturalized ==============================\n\n"); 224 | 225 | (*Naturalized_RE_RenderScene)(); 226 | 227 | 228 | printf("\n\n====================== Hotpatching =============================\n"); 229 | // HOTPATCH(RE_RenderScene); 230 | /////// Expands to 231 | /////// InterceptFunction(&RE_RenderScene, RE_RenderScene_COPY, &modified_RE_RenderScene); 232 | /////// original_RE_RenderScene = FuncInterceptFunction(RE_RenderScene, modified_RE_RenderScene); 233 | 234 | // Overwriting the RE_RenderScene function (JMP REL32 = 0xE9) 235 | original_RE_RenderScene = TemplateFuncInterceptFunction( 236 | original_RE_RenderScene, 237 | reinterpret_cast (&RE_RenderScene), 238 | reinterpret_cast (&modified_RE_RenderScene), 239 | static_cast (RE_RenderScene_COPY) 240 | ); 241 | 242 | printf("====================== Hotpatched ==============================\n\n"); 243 | 244 | RE_RenderScene(); // Calling the modified version 245 | // Second time works as well 246 | RE_RenderScene(); 247 | 248 | 249 | printf("\n\n====================== Unpatching 
=============================\n"); 250 | UNPATCH(RE_RenderScene); // Undoing modification 251 | printf("====================== Unpatched ==============================\n"); 252 | // BUG shows here 253 | RE_RenderScene(); 254 | } 255 | 256 | 257 | printf("\n\n\n--- Press any key to continue --- \n"); 258 | WaitChar(); 259 | return EXIT_SUCCESS; 260 | } 261 | -------------------------------------------------------------------------------- /MyIntercept/MyIntercept.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {B7B02711-CA43-424E-B8F5-D00E8B9B81CB} 15 | Win32Proj 16 | MyIntercept 17 | 18 | 19 | 20 | Application 21 | true 22 | v120 23 | Unicode 24 | 25 | 26 | Application 27 | false 28 | v140 29 | false 30 | Unicode 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | true 44 | 45 | 46 | false 47 | 48 | 49 | 50 | 51 | 52 | Level3 53 | Disabled 54 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 55 | 56 | 57 | Console 58 | true 59 | 60 | 61 | 62 | 63 | Level3 64 | 65 | 66 | MaxSpeed 67 | true 68 | true 69 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 70 | 71 | 72 | Console 73 | true 74 | true 75 | true 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | -------------------------------------------------------------------------------- /MyIntercept/MyIntercept.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Quelldateien 20 | 21 | 22 | 23 | 24 | Headerdateien 25 | 26 | 27 | Headerdateien 28 | 29 | 
30 | Headerdateien 31 | 32 | 33 | -------------------------------------------------------------------------------- /MyIntercept/OllyDBG/MyIntercept.udd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ststeiger/FunctionInterception/39a670b949fdaf5b253c858568cc28df09610076/MyIntercept/OllyDBG/MyIntercept.udd -------------------------------------------------------------------------------- /MyIntercept/OllyDBG/help.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ststeiger/FunctionInterception/39a670b949fdaf5b253c858568cc28df09610076/MyIntercept/OllyDBG/help.pdf -------------------------------------------------------------------------------- /MyIntercept/OllyDBG/ollydbg.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ststeiger/FunctionInterception/39a670b949fdaf5b253c858568cc28df09610076/MyIntercept/OllyDBG/ollydbg.exe -------------------------------------------------------------------------------- /MyIntercept/OllyDBG/ollydbg.ini: -------------------------------------------------------------------------------- 1 | [Settings] 2 | Check DLL versions=0 3 | Topmost window=0 4 | Show main menu items that don't apply=0 5 | Show popup items that don't apply=0 6 | Show toolbar=1 7 | Use system colours in toolbar=0 8 | Status in toolbar=0 9 | Flash duration=1 10 | Autoupdate interval=4 11 | Mode of main window=0 12 | Restore windows=1 13 | Restore window positions=1 14 | Restore width of columns=0 15 | Restore sorting criterium=1 16 | Highlight sorted column=1 17 | Right click selects=1 18 | Index of default font=1 19 | Index of default UNICODE font=3 20 | Index of default colours=0 21 | Code highlighting=0 22 | Horizontal scroll=0 23 | Snow-free drawing=1 24 | Append arguments=1 25 | Allow diacritical symbols=0 26 | Decode pascal strings=1 27 | Use IsTextUnicode=0 28 | 
String decoding=0 29 | File graph mode=1 30 | Dialog font mode=0 31 | Font in dialogs=0 32 | Align dialogs=1 33 | Global search=1 34 | Aligned search=0 35 | Ignore case=0 36 | Search direction=0 37 | Floating search with margin=0 38 | Allow extra commands in sequence=1 39 | Allow jumps into the sequence=0 40 | Keep size of hex edit selection=1 41 | Sorting mode of error list=0 42 | Modify FPU tag=0 43 | MMX display mode=0 44 | Show tooltips in dialog windows=1 45 | X options coordinate=-1 46 | Y options coordinate=-1 47 | Last selected options pane=0 48 | Last edited font in options=0 49 | Last edited scheme in options=0 50 | Last edited colour index in options=0 51 | Last edited highlighting in options=1 52 | Last edited highlighting index in options=0 53 | Warnmode when not administrator=0 54 | Warnmode for packed code in Analyzer=0 55 | Warnmode when process is still running=0 56 | Warnmode when INT3 breakpoint is corrupt=0 57 | Warnmode when INT3 set on non-command=0 58 | Warnmode when clipboard size too large=0 59 | Warnmode when all threads are suspended=0 60 | Warnmode when thread is changed=0 61 | Warnmode when unable to close process=0 62 | Warnmode when executable differs from udd=0 63 | Warnmode when INT3 in udd has different cmd=0 64 | Warnmode when fixups are modified=0 65 | Warnmode when memory breakpoint on stack=0 66 | Warnmode when modified debug registers=0 67 | Only ASCII printable in dump=0 68 | Underline fixups=1 69 | Show jump direction=1 70 | Show jump path=1 71 | Show grayed path if jump is not taken=1 72 | Fill rest of command with NOPs=1 73 | Action on letter key in Disassembler=1 74 | Wide characters in UNICODE dumps=1 75 | Automatically backup user code=0 76 | IDEAL disassembling mode=0 77 | Disassemble in lowercase=0 78 | Separate arguments with TAB=0 79 | Extra space between arguments=0 80 | Show default segments=1 81 | Always show memory size=1 82 | NEAR jump modifiers=0 83 | Use short form of string commands=0 84 | Use RET instead of 
RETN=0 85 | SSE size decoding mode=0 86 | Jump hint decoding mode=0 87 | Size sensitive mnemonics=1 88 | Top of FPU stack=1 89 | Show symbolic addresses=1 90 | Show local module names=0 91 | Demangle symbolic names=0 92 | First pause=3 93 | Pause on attach=1 94 | Assume flat selectors=0 95 | Ignore access violations in KERNEL32=1 96 | Ignore INT3=0 97 | Ignore TRAP=0 98 | Ignore access violations=0 99 | Ignore division by 0=0 100 | Ignore illegal instructions=0 101 | Ignore all FPU exceptions=0 102 | Ignore custom exception ranges=0 103 | Call UnhandledExceptionFilter=0 104 | Report ignored exceptions to log=1 105 | Autoreturn=0 106 | Use DebugBreakProcess=0 107 | Use ExitProcess=1 108 | Warn when frequent breaks=1 109 | Allow command emulation=0 110 | Debug child processes=0 111 | Animation delay index=0 112 | Stop on new DLL=0 113 | Stop on DLL unload=0 114 | Stop on debug string=0 115 | Stop on new thread=0 116 | Stop on thread end=0 117 | Run trace protocolling options=0 118 | Run trace buffer size index=2 119 | Trace over system DLLs=1 120 | Trace over string commands=1 121 | Save traced commands=0 122 | Save accessed memory to trace=0 123 | Save FPU registers to trace=0 124 | Synchronize CPU and Run trace=1 125 | Set breakpoints on callbacks in hit trace=0 126 | Hit trace mode for indirect jumps=0 127 | Stop hit trace if not command=0 128 | Hit trace outside the code section=2 129 | Show symbolic names in protocol range list=0 130 | Use predictions in search=1 131 | References include indirect jumps=1 132 | Add origin to search results=0 133 | Default resource language=9 134 | Gray inactive windows=1 135 | Gray register names=0 136 | Center FOLLOWed command=1 137 | Decode registers for any IP=0 138 | Remove code hilite on register hilite=1 139 | Automatically select register type=0 140 | Enable SSE registers=1 141 | Label display mode=0 142 | Highlight symbolic labels=0 143 | Log buffer size index=2 144 | Tabulate columns in log file=0 145 | Append data to 
existing log file=0 146 | Auto analysis=1 147 | No predicted registers in system DLLs=0 148 | Fuzzy analysis=1 149 | Report problems during analysis=0 150 | Decode tricks=1 151 | Mark tricks=0 152 | Decode ifs as switches=0 153 | Functions preserve registers=1 154 | Ignore braces in udd path=1 155 | Guess number of arguments=1 156 | Guess arguments from mangled names=0 157 | Guess meaning of guessed arguments=1 158 | Show uncertain arguments=1 159 | Rename value dependent arguments=0 160 | Show predicted values=1 161 | Show ARG and LOCAL in disassembly=1 162 | Use symbolic names for ARG and LOCAL=0 163 | Show ARG and LOCAL in comments=1 164 | Show loops=1 165 | Accept far calls and returns=0 166 | Accept direct segment modifications=0 167 | Accept privileged commands=0 168 | Accept I/O commands=0 169 | Accept NOPs=1 170 | Accept shifts out of range=0 171 | Accept superfluous prefixes=0 172 | Accept default prefixes=1 173 | Accept valid LOCK prefixes=1 174 | Accept unaligned stack operations=1 175 | Accept suspicious ESP operations=0 176 | Accept non-standard command forms=1 177 | Accept access to nonexisting memory=0 178 | Accept interrupt commands=0 179 | [History] 180 | Executable[0]=D:\Stefan.Steiger\Documents\Visual Studio 2013\Projects\MyIntercept\Debug\MyIntercept.exe 181 | Arguments[0]= 182 | Executable[1]= 183 | Arguments[1]= 184 | Executable[2]= 185 | Arguments[2]= 186 | Executable[3]= 187 | Arguments[3]= 188 | Executable[4]= 189 | Arguments[4]= 190 | Executable[5]= 191 | Arguments[5]= 192 | Log file=log.txt 193 | Trace save file=trace.txt 194 | Data directory=. 
195 | API help file= 196 | Last viewed file= 197 | Previous JIT= 198 | [Search] 199 | Placement=26,26,140,187,1 200 | Appearance=1,0,1,0,0 201 | [Namelist] 202 | Appearance=1,0,1,0,0 203 | [Memory] 204 | Placement=-231,67,789,187,1 205 | Appearance=1,0,1,0,0 206 | Columns=54,54,54,60,108,30,48,48,1536 207 | Sort=0 208 | [Log data] 209 | Placement=0,0,387,187,1 210 | Appearance=1,0,1,0,0 211 | Columns=54,1536 212 | Sort=0 213 | [Modules] 214 | Placement=-103,34,663,187,1 215 | Appearance=1,0,1,0,0 216 | Columns=54,54,54,72,96,1536 217 | Sort=0 218 | [OllyDbg] 219 | Placement=652,342,871,592,0 220 | [Run trace data] 221 | Placement=-560,85,927,187,1 222 | Appearance=1,0,1,0,0 223 | Columns=54,48,54,54,240,144,1536 224 | Sort=0 225 | [Watches] 226 | Placement=78,78,513,187,1 227 | Appearance=1,0,1,0,0 228 | Columns=240,240 229 | Sort=0 230 | [Threads] 231 | Placement=-177,73,711,187,1 232 | Appearance=1,0,1,0,0 233 | Columns=30,54,108,108,54,54,54,72,72,72 234 | Sort=0 235 | [CPU] 236 | Placement=63,63,400,327,3 237 | Offset[0]=0 238 | Offset[1]=0 239 | Offset[2]=0 240 | Offset[3]=0 241 | [CPU Disasm] 242 | Appearance=1,0,0,0,0 243 | Columns=54,102,240,1536 244 | [CPU Info] 245 | Appearance=1,0,0,0,0 246 | [CPU registers] 247 | Appearance=1,0,1,0,0 248 | Local=0,0 249 | [CPU Dump] 250 | Appearance=1,0,1,0,0 251 | Columns=54,288,102 252 | Local=00011001 253 | [CPU Stack] 254 | Appearance=1,0,0,0,0 255 | Columns=54,60,30,1536 256 | Local=000A0104 257 | [Colour schemes] 258 | Scheme name[0]=Black on white 259 | Foreground_1[0]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 260 | Foreground_2[0]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 261 | Background_1[0]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 262 | Background_2[0]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 263 | Operands[0]=0 264 | Modified commands[0]=0 265 | Scheme name[1]=Yellow on blue 266 | Foreground_1[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 267 | Foreground_2[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 268 | Background_1[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 269 | 
Background_2[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 270 | Operands[1]=0 271 | Modified commands[1]=0 272 | Scheme name[2]=Marine 273 | Foreground_1[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 274 | Foreground_2[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 275 | Background_1[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 276 | Background_2[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 277 | Operands[2]=0 278 | Modified commands[2]=0 279 | Scheme name[3]=Mostly black 280 | Foreground_1[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 281 | Foreground_2[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 282 | Background_1[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 283 | Background_2[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 284 | Operands[3]=0 285 | Modified commands[3]=0 286 | Scheme name[4]=Scheme 4 287 | Foreground_1[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 288 | Foreground_2[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 289 | Background_1[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 290 | Background_2[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 291 | Operands[4]=0 292 | Modified commands[4]=0 293 | Scheme name[5]=Scheme 5 294 | Foreground_1[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 295 | Foreground_2[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 296 | Background_1[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 297 | Background_2[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 298 | Operands[5]=0 299 | Modified commands[5]=0 300 | Scheme name[6]=Scheme 6 301 | Foreground_1[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 302 | Foreground_2[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 303 | Background_1[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 304 | Background_2[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 305 | Operands[6]=0 306 | Modified commands[6]=0 307 | Scheme name[7]=Scheme 7 308 | Foreground_1[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 309 | Foreground_2[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 310 | Background_1[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 311 | Background_2[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 312 | Operands[7]=0 313 | Modified commands[7]=0 314 | [Highlighting schemes] 315 | Scheme name[1]=Christmas tree 316 | Foreground_1[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 317 | 
Foreground_2[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 318 | Background_1[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 319 | Background_2[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 320 | Operands[1]=1 321 | Modified commands[1]=1 322 | Scheme name[2]=Jumps and calls 323 | Foreground_1[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 324 | Foreground_2[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 325 | Background_1[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 326 | Background_2[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 327 | Operands[2]=0 328 | Modified commands[2]=0 329 | Scheme name[3]=Memory access 330 | Foreground_1[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 331 | Foreground_2[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 332 | Background_1[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 333 | Background_2[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 334 | Operands[3]=1 335 | Modified commands[3]=1 336 | Scheme name[4]=Hilite 4 337 | Foreground_1[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 338 | Foreground_2[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 339 | Background_1[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 340 | Background_2[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 341 | Operands[4]=0 342 | Modified commands[4]=0 343 | Scheme name[5]=Hilite 5 344 | Foreground_1[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 345 | Foreground_2[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 346 | Background_1[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 347 | Background_2[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 348 | Operands[5]=0 349 | Modified commands[5]=0 350 | Scheme name[6]=Hilite 6 351 | Foreground_1[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 352 | Foreground_2[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 353 | Background_1[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 354 | Background_2[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 355 | Operands[6]=0 356 | Modified commands[6]=0 357 | Scheme name[7]=Hilite 7 358 | Foreground_1[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 359 | Foreground_2[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 360 | Background_1[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 361 | Background_2[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* 362 | Operands[7]=0 363 | Modified commands[7]=0 364 | 
[Fonts]
Font name[0]=OEM fixed font
Font[0]=0,0,0,0,0,0,0,0,0,0,10
Face name[0]=
Font name[1]=Terminal 6
Font[1]=9,6,700,0,0,0,255,0,1,1,0
Face name[1]=Terminal
Font name[2]=System fixed font
Font[2]=0,0,0,0,0,0,0,0,0,0,16
Face name[2]=
Font name[3]=Courier (UNICODE)
Font[3]=14,0,400,0,0,0,1,2,5,-2,0
Face name[3]=Courier New
Font name[4]=Lucida (UNICODE)
Font[4]=10,6,400,0,0,0,1,2,5,0,0
Face name[4]=Lucida Console
Font name[5]=Font 5
Font[5]=9,6,700,0,0,0,255,0,1,1,0
Face name[5]=Terminal
Font name[6]=Font 6
Font[6]=0,0,0,0,0,0,0,0,0,0,16
Face name[6]=
Font name[7]=Font 7
Font[7]=14,0,400,0,0,0,1,2,5,-2,0
Face name[7]=Courier New
--------------------------------------------------------------------------------
/MyIntercept/OpCode.h:
--------------------------------------------------------------------------------

// OpCode.h: per-architecture constants for the detour that the intercept
// code writes over the start of a hooked function — the jump opcode byte
// (JMP_OPCODE), the size of the displacement that follows it
// (ADDRESS_LENGTH) and the minimum number of bytes that must be overwritten
// (MIN_REQUIRED_FOR_DETOUR). Defaults are set first, then each recognised
// architecture #undefs and redefines them.
#ifndef OPCODE_H
#define OPCODE_H





// NOTE(review): both branches of this #ifndef end with OPCODE_NOT_DEFINED == 1,
// and the #ifdef block after the defaults below resets it to 0 before any
// architecture block is evaluated, so the "abort at runtime" state described
// in the comment never survives to the architecture selection — confirm this
// is intended.
#ifndef OPCODE_NOT_DEFINED
#define OPCODE_NOT_DEFINED 1
#else
// Defined IA32-80x86 by default, but abort program at runtime because OP-Code is not defined
#undef OPCODE_NOT_DEFINED
#define OPCODE_NOT_DEFINED 1
#endif


// ========================
// Defaults (IA-32 values); every #ifndef lets a build override them beforehand.

#ifndef JMP_OPCODE
#define JMP_OPCODE 0xE9
#endif

#ifndef OPCODE_LENGTH
#define OPCODE_LENGTH 1
#endif

// Type whose size is taken as the width of the jump displacement.
#ifndef DATATYPE_ADDRESS
#define DATATYPE_ADDRESS long
#endif

#ifndef ADDRESS_LENGTH
#define ADDRESS_LENGTH (sizeof(DATATYPE_ADDRESS))
#endif

// Bytes the detour occupies: one opcode byte plus the displacement.
#ifndef MIN_REQUIRED_FOR_DETOUR
#define MIN_REQUIRED_FOR_DETOUR (OPCODE_LENGTH + ADDRESS_LENGTH)
#endif

// Meaning not visible in this header — presumably a multiplier used by the
// intercept routine; verify against its caller.
#ifndef INT_DETOUR_FACTOR
#define INT_DETOUR_FACTOR 1
#endif

// Clears the "not defined" flag unconditionally (it was set to 1 above).
#ifdef OPCODE_NOT_DEFINED
#undef OPCODE_NOT_DEFINED
#define OPCODE_NOT_DEFINED 0
#endif





// Select Processor
// NOTE(review): the architecture tests below are independent #if blocks, not an
// #if/#elif chain; an unrecognised target keeps the defaults set above, and a
// recognised-but-unimplemented one (MIPS, Alpha, SPARC) is left with every
// constant #undef'd, including OPCODE_NOT_DEFINED, so a downstream #ifdef on
// that flag sees it as absent rather than set.
#if ( defined (__x86__) || defined (__x86) || defined (_x86) || defined (x86) || \
defined (__i386__) || defined (__i386) || defined (_i386) || defined (i386) || \
defined (__m_ix86__) || defined (__m_ix86) || defined (_m_ix86) || defined (m_ix86))
// little endian
#undef JMP_OPCODE
#undef OPCODE_LENGTH
#undef DATATYPE_ADDRESS
#undef ADDRESS_LENGTH
#undef MIN_REQUIRED_FOR_DETOUR
#undef INT_DETOUR_FACTOR
#undef OPCODE_NOT_DEFINED

// Defines for IA-32 80x86 Architecture
// 0xE9 is the near JMP with a 32-bit relative displacement; `long` is 4 bytes
// on the usual 32-bit x86 ABIs, so the detour is 5 bytes here.
#define JMP_OPCODE 0xE9
#define OPCODE_LENGTH 1
#define DATATYPE_ADDRESS long
#define ADDRESS_LENGTH (sizeof(DATATYPE_ADDRESS))
#define MIN_REQUIRED_FOR_DETOUR (OPCODE_LENGTH + ADDRESS_LENGTH)
#define INT_DETOUR_FACTOR 1
#define OPCODE_NOT_DEFINED 0

// For Mac only
// Presumably the number of prologue bytes to copy for each named hooked
// function on this target — verify against the intercept routine.
#define MAC_DETLEN_RE_RenderScene 7
#define MAC_DETLEN_RE_Com_MD5File 7
#define MAC_DETLEN_RE_VM_Create 7
#define MAC_DETLEN_RE_VM_CallCompiled 7
#define MAC_DETLEN_RE_VM_Free 7
#define MAC_DETLEN_RE_Sys_ConsoleInputShutdown 7
// end of Mac only
#endif


#if ( defined (__x86_64__) || defined (__x86_64) || defined (_x86_64)|| defined (x86_64) || \
defined (__ia64__) || defined (__ia64) || defined (_ia64) || defined (ia64) || \
defined (__m_ia64__) || defined (__m_ia64) || defined (_m_ia64) || defined (m_ia64) || \
defined (__amd64__) || defined (__amd64) || defined (_amd64) || defined (amd64)) 
// switchable endian
#undef JMP_OPCODE
#undef OPCODE_LENGTH
#undef DATATYPE_ADDRESS
#undef ADDRESS_LENGTH
#undef MIN_REQUIRED_FOR_DETOUR
#undef INT_DETOUR_FACTOR
#undef OPCODE_NOT_DEFINED

// Defines for IA-64 80x86 architecture
// To be done: don't know if they work if it's truly 64 bit, but assume full 32-bit compatibility
// NOTE(review): `long` is 8 bytes on LP64 targets (Linux/macOS x86-64) but 4 on
// Windows x64, so ADDRESS_LENGTH and MIN_REQUIRED_FOR_DETOUR differ between
// platforms in this block, while the 0xE9 encoding always carries a 32-bit
// displacement and can only reach targets within +/-2 GiB of the hook site.
// Confirm the intercept routine handles both before relying on these values
// on 64-bit builds. (This #if also groups IA-64 with x86-64, which share no
// instruction encoding.)
#define JMP_OPCODE 0xE9
#define OPCODE_LENGTH 1
#define DATATYPE_ADDRESS long
#define ADDRESS_LENGTH (sizeof(DATATYPE_ADDRESS))
#define MIN_REQUIRED_FOR_DETOUR (OPCODE_LENGTH + ADDRESS_LENGTH)
#define INT_DETOUR_FACTOR 1
#define OPCODE_NOT_DEFINED 0

// For Mac only
#define MAC_DETLEN_RE_RenderScene 7
#define MAC_DETLEN_RE_Com_MD5File 7
#define MAC_DETLEN_RE_VM_Create 7
#define MAC_DETLEN_RE_VM_CallCompiled 7
#define MAC_DETLEN_RE_VM_Free 7
#define MAC_DETLEN_RE_Sys_ConsoleInputShutdown 7
// end of Mac only
#endif


#if ( defined(__mips__) || defined(__mips) || defined(_mips) || defined(mips) )
// switchable endian
#undef JMP_OPCODE
#undef OPCODE_LENGTH
#undef DATATYPE_ADDRESS
#undef ADDRESS_LENGTH
#undef MIN_REQUIRED_FOR_DETOUR
#undef INT_DETOUR_FACTOR
#undef OPCODE_NOT_DEFINED

// Godson/Loongson processor Architecture, Lemote Box Debian GNU Linux
// To be done
// Nothing is redefined here: any use of JMP_OPCODE etc. fails at compile time
// on this target rather than at runtime.
#endif


#if ( defined (__alpha__) || defined (__alpha) || defined (_alpha) || defined (alpha) || \
defined (__m_alpha__) || defined (__m_alpha) || defined (_m_alpha) || defined (m_alpha))
// little endian
// DEC alpha: switchable endian
#undef JMP_OPCODE
#undef OPCODE_LENGTH
#undef DATATYPE_ADDRESS
#undef ADDRESS_LENGTH
#undef MIN_REQUIRED_FOR_DETOUR
#undef INT_DETOUR_FACTOR
#undef OPCODE_NOT_DEFINED

// Defines for Alpha Architecture
// To be done
#endif


#if ( defined(__sparc__) || defined(__sparc) || defined(_sparc) || defined(sparc) )
// big endian
#undef JMP_OPCODE
#undef OPCODE_LENGTH
#undef DATATYPE_ADDRESS
#undef ADDRESS_LENGTH
#undef MIN_REQUIRED_FOR_DETOUR
#undef INT_DETOUR_FACTOR
#undef OPCODE_NOT_DEFINED

// Defines for 32-bit SPARC (R) Architecture
// To be done
#endif


#if (defined(__sparcv9__) || defined(__sparcv9) || defined(_sparcv9) || defined(sparcv9) )
// switchable endian
#undef JMP_OPCODE
#undef OPCODE_LENGTH
#undef DATATYPE_ADDRESS
#undef ADDRESS_LENGTH
#undef MIN_REQUIRED_FOR_DETOUR
#undef INT_DETOUR_FACTOR
#undef OPCODE_NOT_DEFINED

// Defines for 64-bit SPARC (R) Architecture
// To be done
#endif


#if ( defined(__powerpc__) || defined(__powerpc) || defined(_powerpc) || defined(powerpc) || \
defined(__ppc__) || defined(__ppc) || defined(_ppc) || defined(ppc) || \
defined(__power__) || defined(__power) || defined(_power) || defined(power))
// big endian
#undef JMP_OPCODE
#undef OPCODE_LENGTH
#undef DATATYPE_ADDRESS
#undef ADDRESS_LENGTH
#undef MIN_REQUIRED_FOR_DETOUR
#undef INT_DETOUR_FACTOR
#undef OPCODE_NOT_DEFINED

// PowerPC-specific names; the generic JMP_OPCODE/ADDRESS_LENGTH family is
// deliberately left undefined on this target (see the comments below).
#define BRANCH_OPCODE 0x12
#define NO_THX 0
#define YES_PLEASE 1



// Defines for PowerPC Architecture
// Is very different!!! Does not have JMP Rel32!!!
// Must change the Interception routine
// Who cares, it's anyway Intel, now

// For Mac only
#define MAC_DETLEN_RE_RenderScene 4
#define MAC_DETLEN_RE_Com_MD5File 4
#define MAC_DETLEN_RE_VM_Create 4
#define MAC_DETLEN_RE_VM_CallCompiled 4
#define MAC_DETLEN_RE_VM_Free 4
#define MAC_DETLEN_RE_Sys_ConsoleInputShutdown 4
// end of Mac only
#endif


#endif // OPCODE_H

--------------------------------------------------------------------------------
/MyIntercept/OsSpecific.h:
--------------------------------------------------------------------------------

// OsSpecific.h: platform abstraction for the intercept code — page-protection
// change (unprotect), page size query (GETPAGESIZE) and popen/pclose spelling.
#ifndef OS_SPECIFIC_H
#define OS_SPECIFIC_H






#if ( defined(__MACOS_X__) || defined(__MACOS_X) || defined(_MACOS_X) || defined(MACOS_X) || \
defined(__DARWIN__) || defined(__DARWIN) || defined(_DARWIN) || defined(DARWIN) || \
defined(__MACOSX__) || defined(__MACOSX) || defined(_MACOSX) || defined(MACOSX) || \
defined(__OSX__) || defined(__OSX) || defined(_OSX) || defined(OSX) || \
defined(__APPLE__) || defined(__APPLE) || defined(_APPLE) || defined(APPLE) || \
defined(__MACINTOSH__) || defined(__MACINTOSH) || defined(_MACINTOSH) || defined(MACINTOSH) || \
defined(__MAC__) || defined(__MAC) || defined(_MAC) || defined(MAC))

// NOTE(review): the header names are missing from this rendering of the file
// (angle-bracketed names appear to have been stripped); check the original.
#include
#include
#endif


#if ( defined (_WIN32) || defined (_WIN64) )
// NOTE(review): header names missing in this rendering; VirtualProtect and
// GetSystemInfo below presumably come from <windows.h>.
#include
#include
// Receives the previous page protection from the unprotect() macro further
// down. NOTE(review): this is a non-static global defined in a header, so
// including OsSpecific.h from more than one translation unit produces
// duplicate-symbol link errors; and nothing in this header restores the saved
// protection afterwards.
DWORD oldprot;
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx
// BOOL WINAPI VirtualProtect
// If the function succeeds, the return value is nonzero.
// If the function fails, the return value is zero.To get extended error information, call GetLastError.
// Makes [addr, addr+len) readable, writable and executable and leaves it that
// way; the previous protection lands in the shared global oldprot and is not
// restored by anything in this header. Success is NONZERO here but ZERO for
// the mprotect-based variant in the POSIX branch below (see the comments on
// each), so callers must not test the two macros' results the same way.
#define unprotect(addr,len) (VirtualProtect(addr, len, PAGE_EXECUTE_READWRITE, &oldprot))
#define GETPAGESIZE() getpagesize()
#define EXPORT __declspec (dllexport)
// popen in Microsoft C++: _popen
#define POPEN(x,y) _popen (x, y)
#define PCLOSE(x) _pclose(x)

// Returns the system page size, queried once via GetSystemInfo and cached in
// a function-local static (0 means "not yet queried").
// NOTE(review): defined with external linkage in a header — like oldprot,
// uslngPageSize and uslngPageMask below, this gives duplicate-definition link
// errors if the header is included from more than one translation unit.
unsigned long getpagesize(void)
{
    static long g_pagesize = 0;
    if (!g_pagesize)
    {
        SYSTEM_INFO system_info;
        GetSystemInfo(&system_info);
        g_pagesize = system_info.dwPageSize;
    }
    return (unsigned long)g_pagesize;
}

// Initialised from a function call, which is only valid as a dynamic
// initialiser in C++ (not a C constant expression) — presumably this header
// is only ever included from C++ sources.
unsigned long uslngPageSize = GETPAGESIZE();
// Intended as a page-alignment mask (address & mask rounds down to the page
// start); only correct when the page size is a power of two.
unsigned long uslngPageMask = (~(uslngPageSize - 1));

#else // LINUX / UNIX / OS X
// #include //STDIN_FILENO
#include //termios, TCSANOW, ECHO, ICANON  (header name missing in this rendering; presumably <termios.h>)
#include // NOTE(review): header name missing in this rendering; mprotect below presumably needs <sys/mman.h>

// int mprotect(void *addr, size_t len, int prot);
// On success, mprotect() returns zero. On error, -1 is returned, and errno is set appropriately.
// Same caveats as the Windows variant: the region is left RWX permanently and
// the prior protection is not recorded, so it cannot be restored. Note the
// inverted success value relative to the VirtualProtect form above.
#define unprotect(addr,len) (mprotect(addr,len,PROT_READ|PROT_WRITE|PROT_EXEC))
#define GETPAGESIZE() sysconf (_SC_PAGE_SIZE)
#define POPEN(x,y) popen (x, y)
#define PCLOSE(x) pclose(x)

#endif




#endif // OS_SPECIFIC_H

--------------------------------------------------------------------------------
/MyIntercept/WaitChar.h:
--------------------------------------------------------------------------------

#ifndef WAITCHAR_H
#define WAITCHAR_H



// http://stackoverflow.com/questions/1798511/how-to-avoid-press-enter-with-any-getchar
// Blocks until one key is pressed on stdin and returns it as an int.
//   Windows: _getch() (no echo, no ENTER needed; presumably needs <conio.h>,
//            which this header does not include itself).
//   Linux:   temporarily clears ICANON on stdin so getchar() returns after a
//            single byte, then restores the saved termios settings.
//   Other:   falls back to getchar(), i.e. waits for ENTER.
// NOTE(review): fflush(stdin) is undefined behaviour in ISO C; it discards
// pending input only as a platform extension (MSVC, glibc) — confirm that is
// acceptable on every target this is built for.
int WaitChar()
{
#if defined(_WIN32)
    //int c = getch(); // Deprecated
    int c = _getch();

    fflush(stdin);
    return c;
#elif defined(__linux__) || defined(__linux) || defined(linux) || defined(__gnu_linux__)
    int c;
    // `static` is not needed here: both structs are fully re-initialised on
    // every call.
    static struct termios oldt, newt;
    /*tcgetattr gets the parameters of the current terminal
    STDIN_FILENO will tell tcgetattr that it should write the settings
    of stdin to oldt*/
    // NOTE(review): the return value is not checked; if stdin is not a
    // terminal tcgetattr fails and oldt is left unset, and the tcsetattr
    // calls below then operate on it anyway.
    tcgetattr(STDIN_FILENO, &oldt);
    /*now the settings will be copied*/
    newt = oldt;

    /*ICANON normally takes care that one line at a time will be processed
    that means it will return if it sees a "\n" or an EOF or an EOL*/
    newt.c_lflag &= ~(ICANON);

    /*Those new settings will be set to STDIN
    TCSANOW tells tcsetattr to change attributes immediately. */
    tcsetattr(STDIN_FILENO, TCSANOW, &newt);

    c = getchar();

    // restore the old settings
    tcsetattr(STDIN_FILENO, TCSANOW, &oldt);

    fflush(stdin);
    return c;
#else
    // system("/bin/stty raw");
    int c;
    printf("Note: Waitchar for OS not supported, waits for ENTER-key instead.\n");
    c = getchar();

    fflush(stdin);
    return c;
#endif

    // Unreachable: every branch of the #if above returns before this point.
    return 0;
}




#endif // WAITCHAR_H

--------------------------------------------------------------------------------
/ReadMe.md:
--------------------------------------------------------------------------------
# Function interception and detours that work on Windows, Linux, and MacOS.

Hook into method calls and change what they do, re-call the original function, all at runtime.
4 | No modifying of the binary: it overwrites the code segment directly in RAM.
5 | This way, the MD5-checksum of the file stays the same. 6 | 7 | 8 | There are the preprocessor-functions HOTPATCH, UNPATCH and NATURALIZE. 9 | 10 | 11 | Hotpatch is just a convenience function for TemplateFuncInterceptFunction which calls InterceptFunction. 12 | Hotpatch requires you have a backup function pointer with name original_##FUNCTION_NAME defined and a function modified_##FUNCTION_NAME, which is the function you are overwriting ##FUNCTION_NAME with. 13 | 14 | UNPATCH is just a convenience preprocessor-function-definition for unpatchfunc. 15 | 16 | NATURALIZE is a preprocessor defined function which assigns a function in the code segment to a function pointer based on the function's address. 17 | 18 | The target function RE_RenderScene, and the backup and naturalization pointers: 19 | ``` 20 | extern "C" 21 | { 22 | 23 | 24 | 25 | //void __cdecl RE_RenderScene() 26 | void RE_RenderScene() 27 | { 28 | printf("This is the original RE_RenderScene\n"); 29 | } 30 | 31 | 32 | // void(__cdecl *original_RE_RenderScene)(); // = &RE_RenderScene; 33 | void(*original_RE_RenderScene)(); // = &RE_RenderScene; 34 | 35 | 36 | // void(__cdecl *Naturalized_RE_RenderScene)(); // = &RE_RenderScene; 37 | void(*Naturalized_RE_RenderScene)(); // = &RE_RenderScene; 38 | 39 | 40 | //void __cdecl modified_RE_RenderScene() 41 | void __cdecl modified_RE_RenderScene() 42 | { 43 | printf("Entering the modified RenderScene\n"); 44 | 45 | printf("Calling the original RenderScene in the modified RenderScene\n"); 46 | printf("Address of RE_RenderScene: %p\n", &RE_RenderScene); 47 | printf("Address of original_RE_RenderScene: %p\n", *original_RE_RenderScene); 48 | printf("Address of original_RE_RenderScene: %p\n", original_RE_RenderScene); 49 | // (*original_RE_RenderScene)(); 50 | 51 | printf("Finished calling the original RenderScene in the modified RenderScene\n"); 52 | 53 | printf("Exiting modified RenderScene\n"); 54 | } 55 | 56 | 57 | } 58 | ``` 59 | 60 | 61 | Then you can call it 
in code: 62 | ``` 63 | //#define RE_RenderScene_COPY 9 // Visual Studio 2015 64 | #define RE_RenderScene_COPY 9 // Visual Studio 2013 65 | // #define RE_RenderScene_COPY 6 // g++ 66 | 67 | // int _tmain(int argc, _TCHAR* argv[]) 68 | int main(int argc, char* argv[]) 69 | { 70 | printf("Sizeof address: %d bit\n", sizeof(void*) * 8); 71 | printf("Address of %s: 0x%08p\n", "RE_RenderScene", &RE_RenderScene); 72 | printf("Address of %s: 0x%08x\n", "RE_RenderScene", &RE_RenderScene); 73 | printf("===================================================\n"); 74 | 75 | 76 | unsigned char* memoryDumpPointer = (unsigned char*)&RE_RenderScene; 77 | int i; 78 | for (i = 0; i < 100; ++i) 79 | { 80 | printf("0x%02X\n", memoryDumpPointer[i]); 81 | } 82 | 83 | 84 | if (true) 85 | { 86 | RE_RenderScene(); // Calling original version 87 | 88 | printf("\n\n====================== Naturalizing =============================\n"); 89 | NATURALIZE(RE_RenderScene); 90 | // Expands to 91 | // Naturalized_RE_RenderScene = FuncConvertAddress(Naturalized_RE_RenderScene, reinterpret_cast (&RE_RenderScene)); 92 | printf("====================== Naturalized ==============================\n\n"); 93 | 94 | (*Naturalized_RE_RenderScene)(); 95 | 96 | 97 | printf("\n\n====================== Hotpatching =============================\n"); 98 | // HOTPATCH(RE_RenderScene); 99 | /////// Expands to 100 | /////// InterceptFunction(&RE_RenderScene, RE_RenderScene_COPY, &modified_RE_RenderScene); 101 | /////// original_RE_RenderScene = FuncInterceptFunction(RE_RenderScene, modified_RE_RenderScene); 102 | 103 | // Overwriting the RE_RenderScene function (JMP REL32 = 0xE9) 104 | original_RE_RenderScene = TemplateFuncInterceptFunction( 105 | original_RE_RenderScene, 106 | reinterpret_cast (&RE_RenderScene), 107 | reinterpret_cast (&modified_RE_RenderScene), 108 | static_cast (RE_RenderScene_COPY) 109 | ); 110 | 111 | printf("====================== Hotpatched ==============================\n\n"); 112 | 113 | 
RE_RenderScene(); // Calling the modified version 114 | // Second time works as well 115 | RE_RenderScene(); 116 | 117 | 118 | printf("\n\n====================== Unpatching =============================\n"); 119 | UNPATCH(RE_RenderScene); // Undoing modification 120 | printf("====================== Unpatched ==============================\n"); 121 | // BUG shows here 122 | RE_RenderScene(); 123 | } 124 | 125 | 126 | printf("\n\n\n--- Press any key to continue --- \n"); 127 | WaitChar(); 128 | return EXIT_SUCCESS; 129 | } 130 | ``` 131 | --------------------------------------------------------------------------------