23 "NtProtectVirtualMemory"
85 std::map<std::string, FARPROC>::const_iterator
itr = hooks_map.find(
func_name);
86 if (
itr != hooks_map.end()) {
89 std::cout <<
">>>>>>Replacing: " <<
func_name <<
" by: " <<
hook << std::endl;
96 std::map<std::string, std::string>::const_iterator
itr2 = this->dll_replacements_map.find(
lib_name_str);
97 if (
itr2 != dll_replacements_map.end()) {
98 const std::string &
name =
itr2->second;
100 std::cout <<
">>>>>>Replacing DLL: " <<
lib_name_str <<
" by: " <<
name << std::endl;
112 0x48, 0xB8, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xEE, 0xFF,
117 std::cout <<
"[WARNING] Patching NTDLL is not allowed because of possible stability issues!\n";
147 0xB8, 0xCC, 0xDD, 0xEE, 0xFF,
152 std::cout <<
"[WARNING] Patching NTDLL is not allowed because of possible stability issues!\n";
221 std::cout <<
"Cannot replace the target: too big delta: " << std::hex <<
delta << std::endl;
bool makeBackup(BYTE *patch_ptr, size_t patch_size)
virtual FARPROC resolve_func(LPCSTR lib_name, LPCSTR func_name)
virtual FARPROC resolve_func(LPCSTR lib_name, LPCSTR func_name)
bool parse_delayed_desc(BYTE *modulePtr, const size_t moduleSize, const ULONGLONG img_base, LPSTR lib_name, const T_FIELD ordinal_flag, IMAGE_DELAYLOAD_DESCRIPTOR *desc, peconv::t_function_resolver *func_resolver)
long long int get_jmp_delta(ULONGLONG currVA, int instrLen, ULONGLONG destVA)
bool is_valid_delta(long long int delta)
Functions related to hooking the loaded PE. Redirecting/replacing a function with another.
HMODULE get_module_via_peb(IN OPTIONAL LPCWSTR module_name=nullptr)
BOOL nt_protect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
bool validate_ptr(IN const void *buffer_bgn, IN size_t buffer_size, IN const void *field_bgn, IN size_t field_size)
bool is_pointer_in_ntdll(LPVOID lpAddress)
FARPROC get_exported_func(PVOID modulePtr, LPCSTR wanted_name)
size_t get_module_size_via_peb(IN OPTIONAL HMODULE hModule=nullptr)
bool is_bad_read_ptr(LPCVOID areaStart, SIZE_T areaSize)
bool replace_target(BYTE *ptr, ULONGLONG dest_addr)
size_t redirect_to_local32(void *ptr, DWORD new_offset, PatchBackup *backup=nullptr)
size_t redirect_to_local64(void *ptr, ULONGLONG new_offset, PatchBackup *backup=nullptr)
size_t redirect_to_local(void *ptr, void *new_function_ptr, PatchBackup *backup=nullptr)
Functions for retrieving process information from PEB.
Master include file, including everything else.