Last active
January 8, 2021 04:10
-
-
Save kumatti1/1e37c10daf49cc8c56ad to your computer and use it in GitHub Desktop.
Declareフック
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Option Explicit | |
| Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr | |
| Private Declare Function IsBadWritePtr Lib "kernel32" _ | |
| (ByVal lp As Long, ByVal ucb As Long) As Long | |
| Private Declare Function VirtualProtect Lib "kernel32" _ | |
| (ByVal lpAddress As Long, ByVal dwSize As Long, _ | |
| ByVal flNewProtect As Long, lpflOldProtect As Long) As Long | |
| Private Declare Function VirtualAlloc Lib "kernel32" _ | |
| (ByVal lpAddress As Long, ByVal dwSize As Long, _ | |
| ByVal flAllocationType As Long, _ | |
| ByVal flProtect As Long) As Long | |
| Private Declare Function VirtualFree Lib "kernel32" _ | |
| (ByVal lpAddress As Long, ByVal dwSize As Long, _ | |
| ByVal dwFreeType As Long) As Long | |
| Const PAGE_EXECUTE_READWRITE = &H40 | |
| Const MEM_COMMIT = &H1000 | |
| Const MEM_RESERVE = &H2000 | |
| Const MEM_RELEASE = &H8000& | |
| Private Declare Function GetCurrentProcess Lib "kernel32" () As Long | |
| Private Declare Function FlushInstructionCache Lib "kernel32" _ | |
| (ByVal hProcess As Long, lpBaseAddress As Any, _ | |
| ByVal dwSize As Long) As Long | |
| Private Declare Sub CopyLong Lib "kernel32" Alias "RtlMoveMemory" _ | |
| (Destination As Any, Source As Any, _ | |
| Optional ByVal length As Long = 4) | |
| Const S_OK = &H0& | |
| Private Declare PtrSafe Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As LongPtr | |
| Private lngCodeLen As Long | |
| Private pProc As Long | |
| Private HookProc As Long | |
| Private proc As LongPtr | |
| Private tmp As Long | |
| Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Sub Main() | |
| proc = GetModuleHandle("vbe7.dll") | |
| If proc = 0 Then Exit Sub | |
| proc = proc + &H20F36C | |
| '退避 | |
| CopyLong tmp, ByVal proc, 4 | |
| Debug.Print Hex$(tmp) | |
| Dim hDLL& | |
| hDLL = GetModuleHandle("KernelBase.dll") | |
| Dim func& | |
| func = GetProcAddress(hDLL, "GetProcAddressForCaller") | |
| Debug.Print Hex$(func) | |
| 'pop eax | |
| 'push eax | |
| 'push eax | |
| 'mov eax, 0 | |
| 'jmp eax | |
| Const CODE_T = "B8505058000000009090E0FF" | |
| Dim Code() As Long | |
| Dim i As Long | |
| ReDim Code(0 To (Len(CODE_T) - 1) \ 8) | |
| For i = 0 To UBound(Code) | |
| Code(i) = "&H" & Mid$(CODE_T, 1 + i * 8, 8) | |
| Next | |
| lngCodeLen = (UBound(Code) + 1) * 4 | |
| pProc = VirtualAlloc(0, lngCodeLen, MEM_RESERVE Or MEM_COMMIT, _ | |
| PAGE_EXECUTE_READWRITE) | |
| If pProc = 0 Then Err.Raise 7 | |
| CopyLong ByVal pProc, Code(0), lngCodeLen | |
| CopyLong ByVal pProc + 4, func | |
| FlushInstructionCache GetCurrentProcess(), ByVal pProc, lngCodeLen | |
| 'Hookスタート | |
| ForceCopyLong proc, pProc | |
| hDLL = GetModuleHandle("KernelBase.dll") | |
| func = GetProcAddress(hDLL, "GetProcAddressForCaller") | |
| Debug.Print Hex$(func) | |
| EndHook | |
| End Sub | |
| ' フック終了 | |
| Sub EndHook() | |
| ForceCopyLong proc, tmp | |
| VirtualFree pProc, 0, MEM_RELEASE | |
| End Sub | |
| Private Function ForceCopyLong(ByVal Address As Long, _ | |
| ByVal Value As Long) As Boolean | |
| Dim lngOld As Long | |
| If IsBadWritePtr(Address, 4) Then | |
| If VirtualProtect(Address, 4, _ | |
| PAGE_EXECUTE_READWRITE, lngOld) = 0 Then | |
| Exit Function | |
| End If | |
| CopyLong ByVal Address, Value, 4 | |
| VirtualProtect Address, 4, lngOld, lngOld | |
| Else | |
| CopyLong ByVal Address, Value, 4 | |
| End If | |
| ForceCopyLong = True | |
| End Function |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment