dutc/proc-hook.c

## proc-hook.c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>

#pragma pack(push, 1)
struct {
	unsigned char PUSH_RAX;
	unsigned char MOV_RAX[2];
	unsigned char addr[8];
	unsigned char JMP_RAX[2]; }
jump_asm = {.PUSH_RAX = 0x50, .MOV_RAX = {0x48, 0xb8}, .JMP_RAX = {0xff, 0xe0}};
#pragma pack(pop)

const unsigned char POP_RAX = 0x58;
const unsigned char NOP     = 0x90;

void __attribute__((noinline)) func1(int x, char y) {
	printf("func1(%d, %c)\n", x, y);
}

void __attribute__((noinline)) func2(int x, char y) {
	__asm__("nop");

	int i, j;

	printf("func2(%d, %c) -> ", x, y);
	for(i = 0; i < x; ++i)
		for(j = 0; j < i; ++j)
			printf("%c", y);
	printf("\n");
}

int hook(void* target, void* hook) {
	int fh;
	int off;
	unsigned char buf[32] = {POP_RAX};

	long int target_pos = (long int)target;
	long int hook_pos   = (long int)hook;

	fh = open("/proc/self/mem", O_RDWR);
	if(fh == -1) goto failure;

	/* fix hook function */
	for(off = 0; off < sizeof buf && ((unsigned char*)hook)[off] != NOP; ++off);

	if(   (off == (sizeof buf)) // couldn't find offset
	   || (lseek(fh, hook_pos, SEEK_SET) != hook_pos)
	   || (read (fh, buf+1,    off)      != off)
	   || (lseek(fh, -off,     SEEK_CUR) != hook_pos)
	   || (write(fh, buf,      off+1)    != off+1))
		goto failure;

	/* set up trampoline */
	memcpy(jump_asm.addr, &hook, sizeof (void *));

	/* write trampoline to target */
	if(   (lseek(fh, target_pos, SEEK_SET)        != target_pos)
	   || (write(fh, &jump_asm,  sizeof jump_asm) != sizeof jump_asm))
		goto failure;

	close(fh);
	return 1;

failure:
	close(fh);
	return 0;
}

int main(int argc, char* argv[]) {
	printf("func1() -> "); func1(5, '+');

	if(!hook(func1, func2)) {
		fprintf(stderr, "could not hook function!\n");
		exit(EXIT_FAILURE);
	}
	printf("func1() -> "); func1(5, '+');

	exit(EXIT_SUCCESS);
	return 0;
}
	#include <stdio.h>
	#include <stdlib.h>
	#include <fcntl.h>
	#include <unistd.h>
	#include <string.h>

	#pragma pack(push, 1)
	struct {
	unsigned char PUSH_RAX;
	unsigned char MOV_RAX[2];
	unsigned char addr[8];
	unsigned char JMP_RAX[2]; }
	jump_asm = {.PUSH_RAX = 0x50, .MOV_RAX = {0x48, 0xb8}, .JMP_RAX = {0xff, 0xe0}};
	#pragma pack(pop)

	const unsigned char POP_RAX = 0x58;
	const unsigned char NOP = 0x90;

	void __attribute__((noinline)) func1(int x, char y) {
	printf("func1(%d, %c)\n", x, y);
	}

	void __attribute__((noinline)) func2(int x, char y) {
	__asm__("nop");

	int i, j;

	printf("func2(%d, %c) -> ", x, y);
	for(i = 0; i < x; ++i)
	for(j = 0; j < i; ++j)
	printf("%c", y);
	printf("\n");
	}

	int hook(void* target, void* hook) {
	int fh;
	int off;
	unsigned char buf[32] = {POP_RAX};

	long int target_pos = (long int)target;
	long int hook_pos = (long int)hook;

	fh = open("/proc/self/mem", O_RDWR);
	if(fh == -1) goto failure;

	/* fix hook function */
	for(off = 0; off < sizeof buf && ((unsigned char*)hook)[off] != NOP; ++off);

	if( (off == (sizeof buf)) // couldn't find offset
	\|\| (lseek(fh, hook_pos, SEEK_SET) != hook_pos)
	\|\| (read (fh, buf+1, off) != off)
	\|\| (lseek(fh, -off, SEEK_CUR) != hook_pos)
	\|\| (write(fh, buf, off+1) != off+1))
	goto failure;

	/* set up trampoline */
	memcpy(jump_asm.addr, &hook, sizeof (void *));

	/* write trampoline to target */
	if( (lseek(fh, target_pos, SEEK_SET) != target_pos)
	\|\| (write(fh, &jump_asm, sizeof jump_asm) != sizeof jump_asm))
	goto failure;

	close(fh);
	return 1;

	failure:
	close(fh);
	return 0;
	}

	int main(int argc, char* argv[]) {
	printf("func1() -> "); func1(5, '+');

	if(!hook(func1, func2)) {
	fprintf(stderr, "could not hook function!\n");
	exit(EXIT_FAILURE);
	}
	printf("func1() -> "); func1(5, '+');

	exit(EXIT_SUCCESS);
	return 0;
	}