"Safer" Trampolining
by Irwin
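I've posted a few examples of this before, but nobody seems to listen, and so you have problems with people who have a version (service pack) of Windows that did not support hot-patching. Mind you, I think it's incredibly stupid to trampoline over hooks, but here's a "safer" way to do so. The stub re-executes `push ebp` / `mov ebp, esp` itself and then jumps to PostMessage + 5, which only lines up when the function starts with the 5-byte hot-patch prologue (`mov edi, edi` / `push ebp` / `mov ebp, esp`):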
Código:
/* The stub below uses MSVC inline assembly and a naked function, which MSVC
 * does not provide for x64 targets, so the build is refused there. */
#ifdef _WIN64
#error Inline assembler & naked function decelerations are not supported on x64.
#else
/* NOTE(review): the header names on the next two lines were lost when this page
 * was extracted. The listing needs the Win32 API and the TCHAR declarations --
 * presumably <windows.h> and <tchar.h>; confirm against the original post. */
#include
#include
/* Intended to identify the x86 hot-patch prologue, whose first instruction is
 * `mov edi, edi` (bytes 8B FF). Not referenced by any live code in this listing.
 * NOTE(review): read through a WORD pointer on little-endian x86, the bytes
 * 8B FF come back as 0xFF8B rather than 0x8BFF -- verify before building any
 * comparison on this value. */
#define HOTPATCH_PROLOGUE 0x8BFF
/* Define TEST_TRAMPOLINE to make _tmain post WM_CLOSE to a window of class
 * "Notepad" through the stub. */
// #define TEST_TRAMPOLINE
/* Jump target used by the _PostMessage stub. InitializeTrampoline() sets it to
 * the address of PostMessage plus 5; as a file-scope object it is zero until
 * then, so calling the stub first would jump to address 0. */
ULONG_PTR ulPostMessage;
/*
 * Hand-written entry stub that forwards to PostMessage (32-bit x86 only).
 *
 * The function is declared naked, so the compiler generates no prologue or
 * epilogue. The stub executes `push ebp` / `mov ebp, esp` itself and then
 * jumps (not calls) through ulPostMessage, which InitializeTrampoline() sets
 * to PostMessage + 5. The four parameters are not touched here; they stay on
 * the stack as the caller pushed them, and the return to the caller is
 * presumably performed by PostMessage's own epilogue.
 *
 * What this means for anyone relying on entry-point hooks: a call routed
 * through this stub never executes the first five bytes of PostMessage, so an
 * inline detour written over those bytes does not observe the call. Hooks or
 * monitoring placed anywhere else on the path are outside what this code
 * changes.
 *
 * Fragility visible in this listing:
 *  - ulPostMessage must have been set first; it is zero at start-up.
 *  - The stub replays only `push ebp` / `mov ebp, esp` (3 bytes) while the
 *    target skips 5 bytes. That matches a function starting with
 *    `mov edi, edi; push ebp; mov ebp, esp`. If PostMessage begins with
 *    anything else, the skipped bytes and the replayed instructions no longer
 *    correspond and the jump resumes in code whose setup was not executed.
 */
__declspec(naked) BOOL WINAPI _PostMessage(__in HWND hWnd, __in UINT Msg, __in WPARAM wParam, __in LPARAM lParam)
{
__asm {
push ebp
mov ebp, esp
jmp [ulPostMessage]
}
}
/*
 * Computes the jump target for the _PostMessage stub and stores it in
 * ulPostMessage.
 *
 * Returns TRUE once the address has been stored, FALSE if a structured
 * exception was raised inside the guarded region.
 *
 * Review notes:
 *  - The offset of 5 is applied unconditionally. An earlier draft (disabled by
 *    the author, who called it "proof of my absent-mindedness") picked 5 or 3
 *    after comparing the first WORD of PostMessage with HOTPATCH_PROLOGUE.
 *    As it stands, nothing here checks how PostMessage actually begins, so
 *    the result is only meaningful when the function starts with the 5-byte
 *    hot-patch prologue.
 *  - The guarded region only converts a function address and adds a constant;
 *    it reads no memory at that address. The __except branch therefore looks
 *    unreachable as written, and a TRUE return says nothing about whether the
 *    target is usable.
 */
__inline BOOL InitializeTrampoline(void)
{
    BOOL stored = FALSE;

    __try {
        /* Entry address of PostMessage, advanced past its first five bytes. */
        ulPostMessage = (ULONG_PTR)PostMessage + 5;
        stored = TRUE;
    }
    __except(EXCEPTION_EXECUTE_HANDLER) {
        stored = FALSE;
    }

    return stored;
}
/*
 * Demo entry point: sets up the trampoline target and reports the outcome.
 *
 * Returns EXIT_SUCCESS when InitializeTrampoline() reports TRUE, otherwise
 * EXIT_FAILURE after writing a message to stderr. The command-line arguments
 * and environment are ignored.
 *
 * When TEST_TRAMPOLINE is defined, the program also looks up a top-level
 * window of class "Notepad" and, if one exists, posts WM_CLOSE to it through
 * the _PostMessage stub rather than through PostMessage directly.
 *
 * Review note: the failure message talks about finding the hot-patch
 * prologue, but InitializeTrampoline() in this listing performs no such
 * lookup, so "trampoline address found!" is printed without the prologue
 * ever having been inspected.
 */
int __cdecl _tmain(__in int argc, __in_ecount_z(argc) _TCHAR* argv[], __in_z _TCHAR* envp[])
{
    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);
    UNREFERENCED_PARAMETER(envp);

    /* Handle the failure case first so the success path reads straight down. */
    if (!InitializeTrampoline())
    {
        _ftprintf(stderr, _T("error occurred, exception triggered while trying to find hotpatch prologue..."));
        return EXIT_FAILURE;
    }

    _tprintf(_T("trampoline address found!"));

#ifdef TEST_TRAMPOLINE
    /* Optional self-test: close a Notepad window via the stub. */
    HWND notepadWindow = FindWindow(_T("Notepad"), NULL);
    if (notepadWindow != NULL)
        _PostMessage(notepadWindow, WM_CLOSE, 0, 0);
#endif

    return EXIT_SUCCESS;
}
#endif