Last active
August 29, 2015 14:22
-
-
Save kumatti1/53585db6f6a79d53680a to your computer and use it in GitHub Desktop.
文字列連結フック
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Option Explicit | |
| Private Declare Function IsBadWritePtr Lib "kernel32" _ | |
| (ByVal lp As Long, ByVal ucb As Long) As Long | |
| Private Declare Function VirtualProtect Lib "kernel32" _ | |
| (ByVal lpAddress As Long, ByVal dwSize As Long, _ | |
| ByVal flNewProtect As Long, lpflOldProtect As Long) As Long | |
| Private Declare Function VirtualAlloc Lib "kernel32" _ | |
| (ByVal lpAddress As Long, ByVal dwSize As Long, _ | |
| ByVal flAllocationType As Long, _ | |
| ByVal flProtect As Long) As Long | |
| Private Declare Function VirtualFree Lib "kernel32" _ | |
| (ByVal lpAddress As Long, ByVal dwSize As Long, _ | |
| ByVal dwFreeType As Long) As Long | |
| Const PAGE_EXECUTE_READWRITE = &H40 | |
| Const MEM_COMMIT = &H1000 | |
| Const MEM_RESERVE = &H2000 | |
| Const MEM_RELEASE = &H8000& | |
| Private Declare Function GetCurrentProcess Lib "kernel32" () As Long | |
| Private Declare Function FlushInstructionCache Lib "kernel32" _ | |
| (ByVal hProcess As Long, lpBaseAddress As Any, _ | |
| ByVal dwSize As Long) As Long | |
| Private Declare Sub CopyLong Lib "kernel32" Alias "RtlMoveMemory" _ | |
| (Destination As Any, Source As Any, _ | |
| Optional ByVal Length As Long = 4) | |
| Const S_OK = &H0& | |
| Private Declare PtrSafe Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function SysAllocString Lib "OleAut32" (ByVal psz As LongPtr) As LongPtr | |
| Private lngCodeLen As Long | |
| Private pProc As Long | |
| Private HookProc As Long | |
| Private tmp(0 To 7) As Byte | |
| Private proc As LongPtr | |
| Sub Main() | |
| 'mov eax, 0 | |
| 'jmp eax | |
| Const CODE_T = "000000B890E0FF00" | |
| Dim Code() As Long | |
| Dim i As Long | |
| HookProc = VBA.Int(AddressOf testProc) | |
| ReDim Code(0 To (Len(CODE_T) - 1) \ 8) | |
| For i = 0 To UBound(Code) | |
| Code(i) = "&H" & Mid$(CODE_T, 1 + i * 8, 8) | |
| Next | |
| lngCodeLen = (UBound(Code) + 1) * 4 | |
| pProc = VirtualAlloc(0, lngCodeLen, MEM_RESERVE Or MEM_COMMIT, _ | |
| PAGE_EXECUTE_READWRITE) | |
| If pProc = 0 Then Err.Raise 7 | |
| CopyLong ByVal pProc, Code(0), lngCodeLen | |
| CopyLong ByVal pProc + 1, HookProc | |
| FlushInstructionCache GetCurrentProcess(), ByVal pProc, lngCodeLen | |
| proc = GetModuleHandle("vbe7.dll") | |
| If proc = 0 Then Exit Sub | |
| 'Debug.Print Hex$(proc) | |
| proc = proc + &HC0A47 | |
| 'Debug.Print Hex$(proc) | |
| '退避 | |
| CopyLong tmp(0), ByVal proc, lngCodeLen | |
| 'Hookスタート | |
| ForceCopyLong proc, pProc | |
| Dim s$ | |
| s = "hoge" & "foo" | |
| MsgBox s | |
| 'CopyLong ByVal VarPtr(s), 0& | |
| EndHook | |
| End Sub | |
| ' フック終了 | |
| Sub EndHook() | |
| ForceCopyLong proc, VarPtr(tmp(0)) | |
| VirtualFree pProc, 0, MEM_RELEASE | |
| End Sub | |
| Private Function testProc(ByVal dst As Long, ByVal src As Long) As Long | |
| Const s = "あいうえお" | |
| testProc = SysAllocString(StrPtr(s)) | |
| End Function | |
| Private Function ForceCopyLong(ByVal Address As Long, _ | |
| ByVal Value As Long) As Boolean | |
| Dim lngOld As Long | |
| If IsBadWritePtr(Address, 4) Then | |
| If VirtualProtect(Address, 4, _ | |
| PAGE_EXECUTE_READWRITE, lngOld) = 0 Then | |
| Exit Function | |
| End If | |
| CopyLong ByVal Address, ByVal Value, lngCodeLen | |
| VirtualProtect Address, 4, lngOld, lngOld | |
| Else | |
| CopyLong ByVal Address, ByVal Value, lngCodeLen | |
| End If | |
| ForceCopyLong = True | |
| End Function |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment