// Scratch state shared by the patch routines. `ret`, `HookedFunction`,
// `num` and `buf` are not referenced by patch(), patchname() or DllMain()
// in this file; they are left in place in case something outside it uses them.
DWORD oldprot, ret;
PROC HookedFunction;

// Patch sites, as offsets from the module base, and the byte length of each
// site. patch() overwrites each site with Len[i] NOP bytes (0x90). Both tables
// are image-specific constants for the binary this DLL is loaded into.
UINT64 Offset[] = { 0xBA39, 0xB9FD, 0xBA5D },
       Len[]    = { 9, 8, 12 };

// Replacement instruction bytes written at InsOffset by patch():
//   41 88 06      mov [r14], al
//   90            nop
//   49 83 C6 00   add r14, 0
BYTE Ins[] = {
    0x41, 0x88, 0x06,        // mov [r14], al
    0x90,                    // nop
    0x49, 0x83, 0xC6, 0x00   // add r14, 0
};
UINT64 InsOffset = 0xBA05,
       InsLen    = sizeof Ins;

SIZE_T num;
BYTE buf = 0x90;

// Source buffer for every NOP-out in this file. It must stay at least as long
// as the largest Len entry (12) and as Len1/Len2 in patchname() (4 and 5).
BYTE NOP[] = {
    0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90
};
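// Temporarily makes [addr, addr + len) writable, copies len bytes from src
// into it and restores the previous page protection.
//
// Returns true on success. Returns false without touching the target when
// VirtualProtect refuses the change: the original code ignored that return
// value and went straight into memcpy(), which on a still read-only page
// raises an access violation inside the host process. After the bytes are
// written the instruction cache is flushed, as the Win32 documentation asks
// for whenever code bytes are modified in place.
static bool patch_bytes(UINT64 addr, const void *src, SIZE_T len) {
    void *target = (void *)addr;
    DWORD prev = 0;
    if (!VirtualProtect(target, len, PAGE_EXECUTE_READWRITE, &prev)) {
        printf("VirtualProtect(%p, %lu) failed: %lu\n",
               target, (unsigned long)len, GetLastError());
        return false;
    }
    memcpy(target, src, len);
    // Restoring the old protection is best-effort: the bytes are already in
    // place, so a failure here is reported but does not undo the write.
    DWORD scratch = 0;
    if (!VirtualProtect(target, len, prev, &scratch)) {
        printf("VirtualProtect restore at %p failed: %lu\n",
               target, GetLastError());
    }
    FlushInstructionCache(GetCurrentProcess(), target, len);
    return true;
}

// Applies the instruction patches described by the file-scope tables:
// first NOPs out every (Offset[i], Len[i]) site, then writes Ins at
// InsOffset. All offsets are relative to the main module's load base
// (GetModuleHandle(nullptr)). A status line is printed after each phase;
// when a write fails the failure is reported and the corresponding "done"
// line is withheld rather than crashing the process.
void patch() {
    UINT64 Base = (UINT64)GetModuleHandle(nullptr);
    const size_t sites = sizeof Offset / sizeof Offset[0];
    bool all_ok = true;

    // NOP out each of the instruction sites.
    for (size_t i = 0; i < sites; i++) {
        if (Len[i] > sizeof NOP) {
            // NOP is the copy source; a site longer than it would read past
            // the end of the array.
            printf("patch site %u too long (%llu bytes)\n",
                   (unsigned)i, (unsigned long long)Len[i]);
            all_ok = false;
            continue;
        }
        if (!patch_bytes(Base + Offset[i], NOP, (SIZE_T)Len[i])) {
            all_ok = false;
        }
    }
    if (all_ok) {
        printf("NOP done\n");
    }

    // Replace the instruction sequence at InsOffset with Ins.
    if (patch_bytes(Base + InsOffset, Ins, (SIZE_T)InsLen)) {
        printf("Instruction Patch Done!\n");
    }
}

// Rewrites the file-name and flag strings embedded in the host image and
// NOPs out the two instructions that would otherwise overwrite them later.
// Offsets and lengths are image-specific constants. The two string targets
// are adjacent but do not overlap: flag occupies 16 bytes from flagOffset
// (0x772E9..0x772F8) and NewName starts at 0x772FA.
void patchname() {
    UINT64 Base = (UINT64)GetModuleHandle(nullptr);
    const UINT64 Offset1 = 0xC8F3, Len1 = 4;
    const UINT64 Offset2 = 0xC5C6, Len2 = 5;
    const UINT64 NameOffset = 0x772FA;
    const UINT64 flagOffset = 0x772E9;
    char NewName[] = "test.txt";        // new file name
    char flag[] = "catchmeifyoucan";
    bool all_ok = true;

    // NOP the two instructions first, so that a later write by the program
    // (wrong timing relative to this patch) cannot change the strings again.
    if (!patch_bytes(Base + Offset1, NOP, (SIZE_T)Len1)) {
        all_ok = false;
    }
    if (!patch_bytes(Base + Offset2, NOP, (SIZE_T)Len2)) {
        all_ok = false;
    }

    // Write both strings into the image, including the terminating NUL
    // (sizeof covers it).
    if (!patch_bytes(Base + NameOffset, NewName, sizeof NewName)) {
        all_ok = false;
    }
    if (!patch_bytes(Base + flagOffset, flag, sizeof flag)) {
        all_ok = false;
    }

    if (all_ok) {
        printf("Change Name Success\n");
    }
}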
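// DLL entry point. The patches run exactly once, on DLL_PROCESS_ATTACH;
// thread notifications and process detach are no-ops. Everything called
// from patch() and patchname() therefore executes under the loader lock.
// NOTE(review): the Win32 docs limit DllMain work to what is safe under that
// lock (kernel32 calls); the printf() calls in the patch routines are CRT
// calls and are tolerated in practice, but nothing heavier should be added.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        patch();
        patchname();
        break;  // was an unmarked fall-through into the no-op cases below
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}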