Implement function HookRevokeFunction for x64 (#46)

SpriteOvO · Jun 22, 2021 · 5bb4784 · 5bb4784
1 parent 1931ecc
commit 5bb4784
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 3 deletions.
diff --git a/Source/IAntiRevoke.cpp b/Source/IAntiRevoke.cpp
@@ -273,19 +273,62 @@ bool IAntiRevoke::HookRevokeFunction()
 {
     void* HookAddress = IRuntime::GetInstance().GetData().Address.FnDestroyMessageCaller;
     void* TargetAddress = Utils::GetFunctionAddress(&History::OnDestroyMessage);
-    std::vector<uint8_t> Shellcode = Memory::MakeCall(HookAddress, TargetAddress);
 
     // Save the original function
     //
     _FnOriginalDestroyMessage = (FnDestroyMessageT)((uintptr_t)HookAddress + 5 + *(int32_t*)((uintptr_t)HookAddress + 1));
 
+#if defined PLATFORM_X86
+
+    std::vector<uint8_t> Shellcode = Memory::MakeCall(HookAddress, TargetAddress);
+
     return Memory::ForceOperate(
         HookAddress,
         Shellcode.size(),
         [&]() {
             memcpy(HookAddress, Shellcode.data(), Shellcode.size());
         }
     );
+
+#elif defined PLATFORM_X64
+
+    std::vector<uint8_t> Shellcode = {
+        0xFF, 0xFF, 0xFF,                                                                               // mov rcx,rbx                          ; Original placeholders
+        0xFF, 0x15, 0x02, 0x00, 0x00, 0x00, 0xEB, 0x08, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // call History::OnDestroyMessage       ; Detour
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,                                                       // cmp byte ptr [rbx+00000228],00 { 0 } ; Original
+        0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF              // jmp XXXXXXXXXXXXXXXX                 ; Jump back
+    };
+
+    auto HookBegin = (uint8_t*)HookAddress - 3;
+    auto JumpBack = HookBegin + 15;
+
+    std::memcpy(Shellcode.data(), HookBegin, 3);
+    std::memcpy(Shellcode.data() + 11, &TargetAddress, sizeof(TargetAddress));
+    std::memcpy(Shellcode.data() + 19, HookBegin + 8, 7);
+    std::memcpy(Shellcode.data() + 32, &JumpBack, sizeof(JumpBack));
+
+    std::vector<uint8_t> Jumper = {
+        0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF              // jmp XXXXXXXXXXXXXXXX
+    };
+
+    auto Allocated = VirtualAlloc(nullptr, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+    if (Allocated == nullptr) {
+        spdlog::warn("VirtualAlloc failed. LastError: {}", ::GetLastError());
+        return false;
+    }
+
+    std::memcpy(Jumper.data() + 6, &Allocated, sizeof(Allocated));
+    std::memcpy(Allocated, Shellcode.data(), Shellcode.size());
+
+    return Memory::ForceOperate(HookBegin, Jumper.size(),
+        [&]() {
+            std::memcpy(HookBegin, Jumper.data(), Jumper.size());
+        }
+    );
+
+#else
+# error "Unimplemented."
+#endif
 }
 
 void IAntiRevoke::OnFree(void *Block)

diff --git a/Source/IRuntime.cpp b/Source/IRuntime.cpp
@@ -393,10 +393,10 @@ bool IRuntime::InitDynamicData_DestroyMessage()
         Telegram.exe+7ADE7B - 49 3B F7              - cmp rsi,r15
         Telegram.exe+7ADE7E - 0F85 CCFEFFFF         - jne Telegram.exe+7ADD50
 
-        48 8B 5A 18 48 85 DB 0F 84 ?? ?? ?? ?? 48 8B CB E8
+        48 8B 5A 18 48 85 DB 0F 84 ?? ?? ?? ?? 48 8B CB E8 ?? ?? ?? ?? 80 BB ?? ?? ?? ?? 00
     */
 
-    std::vector<uintptr_t> vResult = FindPatternInMainModule("\x48\x8B\x5A\x18\x48\x85\xDB\x0F\x84\x00\x00\x00\x00\x48\x8B\xCB\xE8", "xxxxxxxxx????xxxx");
+    std::vector<uintptr_t> vResult = FindPatternInMainModule("\x48\x8B\x5A\x18\x48\x85\xDB\x0F\x84\x00\x00\x00\x00\x48\x8B\xCB\xE8\x00\x00\x00\x00\x80\xBB\x00\x00\x00\x00\x00", "xxxxxxxxx????xxxx????xx????x");
     if (vResult.size() != 1) {
         spdlog::warn("[IRuntime] Search DestroyMessage failed.");
         return false;