
Хук структуры методом Карена

Код:
#include <iostream>
#include <cstddef>
#include <Windows.h>
// Protection passed to VirtualProtect in main(); numerically the SDK's PAGE_EXECUTE_READWRITE.
// Making a data object's page RWX is exactly what DEP/NX is meant to prevent, so this is demo-only.
#define KAREN_READ_WRITE_EXECUTE 0x40
// First byte written into the struct. Opcode E9 is a near JMP rel32, not CALL (which would be E8),
// so the macro name is a misnomer; kept because main() relies on it.
#define KAREN_CALL '\xe9'
// Encoded length of `jmp rel32`: 1 opcode byte + 4-byte displacement. The displacement is
// measured from the end of the instruction, which is why main() subtracts this value.
#define KAREN_JUMP_SIZE 0x5


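// Plain data object that main() repurposes as a code buffer: its first bytes are
// overwritten with an x86 `jmp rel32` and the object is then called as a function.
struct Example_t {
    uint32_t field1;
    float_t field2;
};
// The patch occupies 5 bytes (opcode + rel32). Guard the size so the write in main()
// can never spill past the object. Note this listing is x86-only: on x64 main() would
// write 1 + sizeof(uintptr_t) = 9 bytes into these 8, and a rel32 could not reach an
// arbitrary 64-bit target anyway.
static_assert(sizeof(Example_t) >= 5, "Example_t must be at least 5 bytes to hold a jmp rel32");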

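// Hook target: the patched struct jumps here. Prints a marker and, when a debugger is
// attached, stops in it so the redirect can be observed.
void __stdcall NtZwHkStruct() {
    std::cout << "hooked struct" << std::endl;
    // Only break when a debugger is present: an unhandled breakpoint exception
    // terminates the process, which made a standalone run look like a crash
    // instead of a successful hook.
    if (IsDebuggerPresent())
        __debugbreak();
}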

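int main() {
#if defined(_WIN64)
    // This variant encodes a 32-bit `jmp rel32` and stores the displacement through a
    // uintptr_t-sized write; on x64 that is 9 bytes into an 8-byte object and a rel32
    // cannot reach an arbitrary 64-bit address. Build as x86 or use the x64 listing.
#error "this listing is x86-only"
#endif

    // Plain struct instance on main()'s stack frame.
    auto struct1 = Example_t();

    // Make the page containing struct1 RWX. Because struct1 lives on the stack, this
    // flips the whole containing stack page (return addresses and other locals included)
    // to executable, i.e. it switches DEP/NX off for that page. Fine for a demo, never
    // for production — a real hook would VirtualAlloc a dedicated RW page, write the
    // code, then flip it to execute-only (W^X).
    // The result must be checked: if the call fails, the indirect call below lands on a
    // non-executable page and faults.
    DWORD old_protect = 0;
    if (!VirtualProtect(&struct1, sizeof(Example_t), KAREN_READ_WRITE_EXECUTE, &old_protect)) {
        std::cerr << "VirtualProtect failed: " << GetLastError() << std::endl;
        return 1;
    }

    // Encode `jmp rel32`: opcode E9 followed by a little-endian 32-bit displacement that
    // is relative to the end of the 5-byte instruction. Bytes are written one at a time
    // so the layout does not depend on the width of uintptr_t or on type punning.
    auto* code = reinterpret_cast<unsigned char*>(&struct1);
    code[0] = static_cast<unsigned char>(KAREN_CALL);
    const auto rel = static_cast<int32_t>(
        reinterpret_cast<uintptr_t>(&NtZwHkStruct) -
        (reinterpret_cast<uintptr_t>(&struct1) + KAREN_JUMP_SIZE));
    for (int i = 0; i < 4; ++i)
        code[1 + i] = static_cast<unsigned char>((static_cast<uint32_t>(rel) >> (8 * i)) & 0xFF);

    // Documented requirement after writing bytes that will be executed.
    FlushInstructionCache(GetCurrentProcess(), &struct1, sizeof(Example_t));

    // Jump into the patched object. NtZwHkStruct takes no arguments, so calling a
    // stdcall target through this pointer type has nothing to clean up.
    reinterpret_cast<decltype(&NtZwHkStruct)>(&struct1)();

    // Put the stack page back to its previous protection.
    VirtualProtect(&struct1, sizeof(Example_t), old_protect, &old_protect);
    return 0;
}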
 
Было сложно, но я понял. Хукнул вак этим методом
 
Ничего нового здесь нет, увы
 
Карен-хук — теперь с поддержкой x64 и современных STD-фич
Код:
#include <iostream>
#include <cstddef>
#include <Windows.h>
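// Protection passed to VirtualProtect; numerically the SDK's PAGE_EXECUTE_READWRITE.
// Turning a data page RWX defeats DEP/NX for that page — demo-only.
#define KAREN_READ_WRITE_EXECUTE 0x40
// x86 path: opcode E9 is a near JMP rel32 (CALL would be E8); the macro name is a misnomer.
#define KAREN_CALL '\xe9'
// x64 path: `mov rax, imm64` is encoded as the bytes 48 B8 followed by the 8-byte immediate.
// main() stores this macro with a single little-endian uint16_t write, so the value must
// be 0xB848 to land in memory as 48 B8. The previous multi-character literal '\x48\xb8'
// evaluates with the first character in the high byte (0x48B8 on MSVC and GCC), which
// came out in memory as B8 48 — `mov eax, imm32` — and corrupted the trampoline.
#define KAREN_MOV_RAX 0xB848
// `jmp rax` is the byte pair FF E0; same little-endian argument gives 0xE0FF.
#define KAREN_JUMP_RAX 0xE0FF
// Encoded length of `jmp rel32`: opcode + 4-byte displacement.
#define KAREN_JUMP_SIZE 0x5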

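// Alias used only as a fourth 4-byte field; it exists to pad Example_t up to 16 bytes.
using karen32_t = int;

// Plain data object that main() repurposes as a code buffer and then calls.
struct Example_t {
   std::uint32_t field1;
   std::float_t field2;
   char32_t field3;
   karen32_t field4;
};
// main() patches the object in place: 12 bytes on x64 (`mov rax, imm64` = 2 + 8,
// then `jmp rax` = 2), 5 bytes on x86 (`jmp rel32`). Pin the size so the larger
// patch can never run past the end of the object.
static_assert( sizeof( Example_t ) >= 12, "Example_t must hold the 12-byte x64 trampoline" );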

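// Hook target reached through the patched struct. Prints a marker and, if a debugger
// is attached, stops in it so the redirect can be observed. (__stdcall is ignored on x64.)
void __stdcall NtZwHkStruct( ) {
   std::cout << "hooked struct" << std::endl;

   // Break only under a debugger: an unhandled breakpoint exception kills the process,
   // which made a standalone run indistinguishable from a failed hook.
   if ( IsDebuggerPresent( ) )
      __debugbreak( );
}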

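int main( ) {
   // Heap-allocated struct. Unlike the stack variant, the RWX change below hits a heap
   // page that is shared with whatever else the allocator placed there, so the original
   // protection is restored before the block is freed. Still demo-only: a real hook would
   // VirtualAlloc a dedicated RW page, write the code, then flip it to execute-only (W^X).
   auto struct1 = new Example_t( );

   // Check the result: a failed VirtualProtect leaves the page non-executable and the
   // indirect call below would fault.
   DWORD old_protect = 0;
   if ( !VirtualProtect( struct1, sizeof( Example_t ), KAREN_READ_WRITE_EXECUTE, &old_protect ) ) {
      std::cerr << "VirtualProtect failed: " << GetLastError( ) << std::endl;
      delete struct1;
      return 1;
   }

   // Emit the trampoline byte by byte. The original multi-character literals stored
   // through a uint16_t came out reversed in memory (B8 48 instead of 48 B8); writing
   // individual bytes removes any dependence on literal packing or host endianness.
   auto* code = reinterpret_cast< std::uint8_t* >( struct1 );

#if defined( _WIN64 )
   // 12-byte absolute jump: `mov rax, imm64` (48 B8 <imm64 little-endian>) then `jmp rax` (FF E0).
   // An absolute form is required because a rel32 cannot reach an arbitrary 64-bit address.
   code[ 0 ] = 0x48;
   code[ 1 ] = 0xB8;
   const auto target = reinterpret_cast< std::uintptr_t >( &NtZwHkStruct );
   for ( int i = 0; i < 8; ++i )
      code[ 2 + i ] = static_cast< std::uint8_t >( ( target >> ( 8 * i ) ) & 0xFF );
   code[ 10 ] = 0xFF;
   code[ 11 ] = 0xE0;
#else
   // 5-byte `jmp rel32` (E9 <rel32>); the displacement is relative to the end of the instruction.
   code[ 0 ] = static_cast< std::uint8_t >( KAREN_CALL );
   const auto rel = static_cast< std::int32_t >(
      reinterpret_cast< std::uintptr_t >( &NtZwHkStruct ) -
      ( reinterpret_cast< std::uintptr_t >( struct1 ) + KAREN_JUMP_SIZE ) );
   for ( int i = 0; i < 4; ++i )
      code[ 1 + i ] = static_cast< std::uint8_t >( ( static_cast< std::uint32_t >( rel ) >> ( 8 * i ) ) & 0xFF );
#endif

   // Documented requirement after writing bytes that will be executed.
   FlushInstructionCache( GetCurrentProcess( ), struct1, sizeof( Example_t ) );

   // Jump into the patched object; NtZwHkStruct takes no arguments, so the pointer-type
   // mismatch with a stdcall target has nothing to clean up.
   reinterpret_cast< decltype( &NtZwHkStruct ) >( struct1 )( );

   // Never hand RWX memory back to the heap: restore the protection first, then free.
   VirtualProtect( struct1, sizeof( Example_t ), old_protect, &old_protect );
   delete struct1;
   return 0;
}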
 
NTSTATUS_KAREN()
KAREN_OK
 
Всё, пойду делать вак дизаблер :roflanBuldiga:
 