Add detour reHook()

stevemk14ebr · Sep 21, 2020 · 6b418e0 · 6b418e0
1 parent b3c0baf
commit 6b418e0
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 13 deletions.
diff --git a/UnitTests/TestDetourx64.cpp b/UnitTests/TestDetourx64.cpp
@@ -111,6 +111,19 @@ TEMPLATE_TEST_CASE("Testing 64 detours", "[x64Detour],[ADetour]", PLH::CapstoneD
 		REQUIRE(detour.unHook() == true);
 	}
 
+	SECTION("Normal function rehook")
+	{
+		PLH::StackCanary canary;
+		PLH::x64Detour detour((char*)&hookMe1, (char*)h_hookMe1, &hookMe1Tramp, dis);
+		REQUIRE(detour.hook() == true);
+
+		effects.PushEffect();
+		REQUIRE(detour.reHook() == true); // can only really test this doesn't cause memory corruption easily
+		hookMe1();
+		REQUIRE(effects.PopEffect().didExecute());
+		REQUIRE(detour.unHook() == true);
+	}
+
 	// In release mode win apis usually go through two levels of jmps 
 	/*
 	0xe9 ... jmp iat_thunk

diff --git a/UnitTests/TestDetourx86.cpp b/UnitTests/TestDetourx86.cpp
@@ -141,6 +141,18 @@ TEMPLATE_TEST_CASE("Testing x86 detours", "[x86Detour],[ADetour]", PLH::Capstone
 		REQUIRE(detour.unHook() == true);
 	}
 
+	SECTION("Normal function rehook") {
+		PLH::x86Detour detour((char*)&hookMe1, (char*)h_hookMe1, &hookMe1Tramp, dis);
+		REQUIRE(detour.hook() == true);
+
+		effects.PushEffect();
+		REQUIRE(detour.reHook() == true); // can only really test this doesn't cause memory corruption easily
+		volatile auto result = hookMe1();
+		PH_UNUSED(result);
+		REQUIRE(effects.PopEffect().didExecute());
+		REQUIRE(detour.unHook() == true);
+	}
+
 	SECTION("Jmp into prologue w/ src in range") {
 		PLH::x86Detour detour((char*)&hookMe2, (char*)&h_nullstub, &nullTramp, dis);
 

diff --git a/asmjit b/asmjit
diff --git a/polyhook2/Detour/ADetour.hpp b/polyhook2/Detour/ADetour.hpp
@@ -75,6 +75,13 @@ class Detour : public PLH::IHook {
 
 	virtual bool unHook() override;
 
+	/**
+	This is for restoring hook bytes if a 3rd party uninstalled them.
+	DO NOT call this after unHook(). This may only be called after hook() 
+	but before unHook()
+	**/
+	virtual bool reHook();
+
 	virtual HookType getType() const override {
 		return HookType::Detour;
 	}
@@ -90,6 +97,14 @@ class Detour : public PLH::IHook {
 
 	PLH::insts_t			m_originalInsts;
 
+	/*Save the instructions used for the hook so that we can re-write in rehook()
+	Note: There's a nop range we store too so that it doesn't need to be re-calculated
+	*/
+	PLH::insts_t            m_hookInsts;
+	uint16_t                m_nopProlOffset;
+	uint16_t                m_nopSize;
+	uint32_t                m_hookSize;
+
 	/**Walks the given vector of instructions and sets roundedSz to the lowest size possible that doesn't split any instructions and is greater than minSz.
 	If end of function is encountered before this condition an empty optional is returned. Returns instructions in the range start to adjusted end**/
 	std::optional<insts_t> calcNearestSz(const insts_t& functionInsts, const uint64_t minSz,

diff --git a/sources/ADetour.cpp b/sources/ADetour.cpp
@@ -192,3 +192,14 @@ bool PLH::Detour::unHook() {
 	m_hooked = false;
 	return true;
 }
+
+bool PLH::Detour::reHook()
+{
+	MemoryProtector prot(m_fnAddress, m_hookSize, ProtFlag::R | ProtFlag::W | ProtFlag::X, *this);
+	m_disasm.writeEncoding(m_hookInsts, *this);
+
+	// Nop the space between jmp and end of prologue
+	assert(m_hookSize >= m_nopProlOffset);
+	writeNop(m_fnAddress + m_nopProlOffset, m_nopSize);
+	return true;
+}
diff --git a/sources/x64Detour.cpp b/sources/x64Detour.cpp
@@ -238,8 +238,10 @@ bool PLH::x64Detour::hook() {
 	}
 
 	*m_userTrampVar = m_trampoline;
+	m_hookSize = (uint32_t)roundProlSz;
+	m_nopProlOffset = (uint16_t)minProlSz;
 
-	MemoryProtector prot(m_fnAddress, roundProlSz, ProtFlag::R | ProtFlag::W | ProtFlag::X, *this);
+	MemoryProtector prot(m_fnAddress, m_hookSize, ProtFlag::R | ProtFlag::W | ProtFlag::X, *this);
 	// we're really space constrained, try to do some stupid hacks like checking for 0xCC's near us
 	auto cave = findNearestCodeCave<8>(m_fnAddress);
 	if (!cave) {
@@ -248,13 +250,13 @@ bool PLH::x64Detour::hook() {
 	}
 
 	MemoryProtector holderProt(*cave, 8, ProtFlag::R | ProtFlag::W | ProtFlag::X, *this, false);
-	const auto prolJmp = makex64MinimumJump(m_fnAddress, m_fnCallback, *cave);
-	m_disasm.writeEncoding(prolJmp, *this);
+	m_hookInsts = makex64MinimumJump(m_fnAddress, m_fnCallback, *cave);
+	m_disasm.writeEncoding(m_hookInsts, *this);
 
 	// Nop the space between jmp and end of prologue
-	assert(roundProlSz >= minProlSz);
-	const uint8_t nopSz = (uint8_t)(roundProlSz - minProlSz);
-	writeNop(m_fnAddress + minProlSz, nopSz);
+	assert(m_hookSize >= m_nopProlOffset);
+	m_nopSize = (uint16_t)(m_hookSize - m_nopProlOffset);
+	writeNop(m_fnAddress + m_nopProlOffset, m_nopSize);
 
 	m_hooked = true;
 	return true;

diff --git a/sources/x86Detour.cpp b/sources/x86Detour.cpp
@@ -88,15 +88,17 @@ bool PLH::x86Detour::hook() {
 	}
 
 	*m_userTrampVar = m_trampoline;
+	m_hookSize = (uint32_t)roundProlSz;
+	m_nopProlOffset = (uint16_t)minProlSz;
 
-	MemoryProtector prot(m_fnAddress, roundProlSz, ProtFlag::R | ProtFlag::W | ProtFlag::X, *this);
-	const auto prolJmp = makex86Jmp(m_fnAddress, m_fnCallback);
-	m_disasm.writeEncoding(prolJmp, *this);
+	MemoryProtector prot(m_fnAddress, m_hookSize, ProtFlag::R | ProtFlag::W | ProtFlag::X, *this);
+	m_hookInsts = makex86Jmp(m_fnAddress, m_fnCallback);
+	m_disasm.writeEncoding(m_hookInsts, *this);
 
 	// Nop the space between jmp and end of prologue
-	assert(roundProlSz >= minProlSz);
-	const uint8_t nopSz = (uint8_t)(roundProlSz - minProlSz);
-	writeNop(m_fnAddress + minProlSz, nopSz);
+	assert(m_hookSize >= m_nopProlOffset);
+	m_nopSize = (uint16_t)(m_hookSize - m_nopProlOffset);
+	writeNop(m_fnAddress + m_nopProlOffset, m_nopSize);
 
 	m_hooked = true;
 	return true;