hooklet 0.1.8

TODO
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256

use std::fmt::Debug;
use std::ptr;

use log::{debug, error, info};
use windows::core::{HSTRING, PCWSTR};
use windows::Win32::System::LibraryLoader::{GetModuleHandleA, GetModuleHandleW};
use windows::{
    core::PCSTR,
    Win32::{
        Foundation::{GetLastError, WIN32_ERROR},
        System::Memory::{VirtualProtect, PAGE_EXECUTE_READWRITE, PAGE_PROTECTION_FLAGS},
    },
};

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum HookError {
    VirtualAllocFailed(WIN32_ERROR),
    VirtualProtectFailed(WIN32_ERROR),
    VirtualQueryFailed(WIN32_ERROR),
    GetModuleHandleFailed(WIN32_ERROR),
}

#[derive(Debug)]
pub struct CallRel32Hook {
    call_address: u32,
    old_rel32: u32,
    pub old_absolute: u32,
}

#[derive(Debug)]
pub struct FunctionPointerHook {
    fpointer_address: u32,
    pub old_absolute: u32,
}

#[derive(Debug)]
pub enum X86Rel32Type {
    Call,
    Jump,
}

unsafe impl Send for CallRel32Hook {}

unsafe impl Send for FunctionPointerHook {}

/// Hook an x86 call (e8) or jmp (e9) instruction.
///
/// * `offset`` - Offset of the instruction relative to the executable's base address
/// * `new_address` - Absolute address of the new target
pub unsafe fn hook_call_rel32(offset: u32, new_address: u32) -> Result<CallRel32Hook, HookError> {
    let call_base = match GetModuleHandleW(PCWSTR::from_raw(ptr::null())) {
        Ok(h) => h,
        Err(e) => {
            let error: WIN32_ERROR = GetLastError();
            error!("GetModuleHandleW failed: {:?} ({e}", error);
            return Err(HookError::GetModuleHandleFailed(error));
        }
    };
    let call_address = call_base.0 as u32 + offset;
    hook_call_rel32_inner(call_address, new_address)
}

pub unsafe fn hook_call_rel32_with_module<P: Into<HSTRING> + Debug>(module: P, offset: u32, new_address: u32) -> Result<CallRel32Hook, HookError> {
    let module = module.into();
    debug!("GetModuleHandleW {module:?}");
    let call_base = match GetModuleHandleW(&module) {
        Ok(h) => h,
        Err(e) => {
            let error: WIN32_ERROR = GetLastError();
            error!("GetModuleHandleW failed: {:?} ({e}", error);
            return Err(HookError::GetModuleHandleFailed(error));
        }
    };
    let call_address = call_base.0 as u32 + offset;
    hook_call_rel32_inner(call_address, new_address)
}

unsafe fn hook_call_rel32_inner(call_address: u32, new_address: u32) -> Result<CallRel32Hook, HookError> {
    info!("Hooking rel32 call at {call_address:#08x} to {new_address:#08x}");
    let new_value = new_address.wrapping_sub(call_address + 5); // +5 for the size of the call
    let old_rel32_bytes = replace_slice_rwx(call_address + 1, &new_value.to_le_bytes()).unwrap();
    let old_rel32 = u32::from_le_bytes(old_rel32_bytes);
    let old_absolute = get_absolute_from_rel32(call_address, old_rel32);

    Ok(CallRel32Hook {
        call_address,
        old_rel32,
        old_absolute,
    })
}

impl Drop for CallRel32Hook {
    fn drop(&mut self) {
        unsafe {
            info!("Dropping {:?}", self);
            replace_slice_rwx(self.call_address + 1, &self.old_rel32.to_le_bytes()).unwrap();
        }
    }
}

pub unsafe fn hook_function_pointer(offset: u32, new_address: u32) -> Result<FunctionPointerHook, HookError> {
    let module_base = match GetModuleHandleW(PCWSTR::from_raw(ptr::null())) {
        Ok(h) => h,
        Err(e) => {
            let error: WIN32_ERROR = GetLastError();
            error!("GetModuleHandleA failed: {:?} ({e}", error);
            return Err(HookError::GetModuleHandleFailed(error));
        }
    };
    let fpointer_address = module_base.0 as u32 + offset;
    hook_function_pointer_inner(fpointer_address, new_address)
}

pub unsafe fn hook_function_pointer_width_module(module: PCSTR, offset: u32, new_address: u32) -> Result<FunctionPointerHook, HookError> {
    debug!("GetModuleHandleA {module:?}");
    let module_base = match GetModuleHandleA(module) {
        Ok(h) => h,
        Err(e) => {
            let error: WIN32_ERROR = GetLastError();
            error!("GetModuleHandleA failed: {:?} ({e}", error);
            return Err(HookError::GetModuleHandleFailed(error));
        }
    };
    let fpointer_address = module_base.0 as u32 + offset;
    hook_function_pointer_inner(fpointer_address, new_address)
}

pub unsafe fn hook_function_pointer_inner(fpointer_address: u32, new_address: u32) -> Result<FunctionPointerHook, HookError> {
    info!("Hooking function pointer at {fpointer_address:#08x} to {new_address:#08x}");
    let old_absolute_bytes = replace_slice_rwx(fpointer_address, &new_address.to_le_bytes())?;
    let old_absolute = u32::from_le_bytes(old_absolute_bytes);

    Ok(FunctionPointerHook {
        fpointer_address,
        old_absolute,
    })
}

impl Drop for FunctionPointerHook {
    fn drop(&mut self) {
        unsafe {
            info!("Dropping {:?}", self);
            replace_slice_rwx(self.fpointer_address, &self.old_absolute.to_le_bytes()).unwrap();
        }
    }
}

/// Deploy a rel32 detour.
///
/// The page of the patch will be set to RWX while patching is in progress. This function does not yet check
/// whether the patch crosses a page boundary.
pub unsafe fn deploy_rel32_raw(patch_address: u32, target_address: u32, reltype: X86Rel32Type) -> Result<(), HookError> {
    let rel32 = get_rel32_from_absolute(patch_address, target_address);

    let mut patch: [u8; 5] = [0; 5];
    match reltype {
        X86Rel32Type::Call => patch[0] = 0xe8,
        X86Rel32Type::Jump => patch[0] = 0xe9,
    }
    patch[1..5].copy_from_slice(&rel32);

    replace_slice_rwx(patch_address, &patch)?;

    Ok(())
}

/// Calculate the rel32 component of x86 jump and call instructions.
///
/// Arguments:
///
/// * `patch_address`: The address of the new jump or call instruction
/// * `target_address`: The address the new jump or call will target
pub fn get_rel32_from_absolute(patch_address: u32, target_address: u32) -> [u8; 4] {
    let relative_address = target_address.wrapping_sub(patch_address).wrapping_sub(5);
    relative_address.to_le_bytes()
}

pub fn get_absolute_from_rel32(rel32_address: u32, rel32: u32) -> u32 {
    rel32_address.wrapping_add(rel32).wrapping_add(5)
}

pub unsafe fn replace_slice_rwx<const LEN: usize>(destination: u32, data: &[u8; LEN]) -> Result<[u8; LEN], HookError> {
    let destination_ptr: *mut u8 = destination as _;
    let mut old_data = [0; LEN];

    debug!("Setting page permissions to RWX");
    let mut old_flags: PAGE_PROTECTION_FLAGS = windows::Win32::System::Memory::PAGE_PROTECTION_FLAGS(0);
    if !VirtualProtect(destination as _, LEN, PAGE_EXECUTE_READWRITE, &mut old_flags).as_bool() {
        let error: WIN32_ERROR = GetLastError();
        error!("VirtualProtect PAGE_EXECUTE_READWRITE failed: {:?}", error);
        return Err(HookError::VirtualProtectFailed(error));
    }

    debug!("Reading old bytes");
    destination_ptr.copy_to(old_data.as_mut_ptr(), LEN);

    debug!("Writing new bytes");
    destination_ptr.copy_from(data.as_ptr(), LEN);

    debug!("Setting page permissions to old value");
    if !VirtualProtect(destination as _, LEN, old_flags, &mut old_flags).as_bool() {
        let error: WIN32_ERROR = GetLastError();
        error!("VirtualProtect restore failed: {:?}", error);
        return Err(HookError::VirtualProtectFailed(error));
    }

    Ok(old_data)
}

#[macro_export]
macro_rules! save_volatile_registers_except_eax {
    ($function_name:ident, $symbol_name:ident) => {
        extern "C" {
            static $symbol_name: c_void;
        }

        std::arch::global_asm!("
.global {detour_symbol}
{detour_symbol}:
pushfd
push ecx
push edx
call {function_symbol}
pop edx
pop ecx
popfd
ret
",
            detour_symbol = sym $symbol_name,
            function_symbol = sym $function_name,
        );
    };
}

#[macro_export]
macro_rules! save_volatile_registers {
    ($function_name:ident, $symbol_name:ident) => {
        extern "C" {
            static $symbol_name: c_void;
        }

        std::arch::global_asm!("
.global {detour_symbol}
{detour_symbol}:
pushfd
pushad
call {function_symbol}
popad
popfd
ret
",
            detour_symbol = sym $symbol_name,
            function_symbol = sym $function_name,
        );
    };
}