{ std::vector

sections; auto sectionsSize = GetNTHeaders()->FileHeader.NumberOfSections; auto section = IMAGE_FIRST_SECTION(GetNTHeaders()); for (WORD i = 0; i < sectionsSize; i++, section++) { auto secName = std::string((char*)section->Name); sections.push_back({ secName, *section }); } return sections; } static auto GetSection(std::string sectionName) -> Section { for (auto& section : GetAllSections()) { if (section.sectionName == sectionName) { return section; } } MemcuryThrow("Section not found"); return Section{}; } auto GetSectionSize() -> uint32_t { return rawSection.Misc.VirtualSize; } auto GetSectionStart() -> Address { return Address(GetModuleBase() + rawSection.VirtualAddress); } auto GetSectionEnd() -> Address { return Address(GetSectionStart() + GetSectionSize()); } auto isInSection(Address address) -> bool { return address >= GetSectionStart() && address < GetSectionEnd(); } }; } class Scanner { PE::Address _address; public: Scanner(PE::Address address) : _address(address) { } static auto SetTargetModule(const char* moduleName) -> void { PE::SetCurrentModule(moduleName); } static auto FindPatternEx(HANDLE handle, const char* pattern, const char* mask, uint64_t begin, uint64_t end) -> Scanner { auto scan = [](const char* pattern, const char* mask, char* begin, unsigned int size) -> char* { size_t patternLen = strlen(mask); for (unsigned int i = 0; i < size - patternLen; i++) { bool found = true; for (unsigned int j = 0; j < patternLen; j++) { if (mask[j] != '?' && pattern[j] != *(begin + i + j)) { found = false; break; } } if (found) return (begin + i); } return nullptr; }; uint64_t match = NULL; SIZE_T bytesRead; char* buffer = nullptr; MEMORY_BASIC_INFORMATION mbi = { 0 }; uint64_t curr = begin; for (uint64_t curr = begin; curr < end; curr += mbi.RegionSize) { if (!VirtualQueryEx(handle, (void*)curr, &mbi, sizeof(mbi))) continue; if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS) continue; buffer = new char[mbi.RegionSize]; if (ReadProcessMemory(handle, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead)) { char* internalAddr = scan(pattern, mask, buffer, (unsigned int)bytesRead); if (internalAddr != nullptr) { match = curr + (uint64_t)(internalAddr - buffer); break; } } } delete[] buffer; MemcuryAssertM(match != 0, "FindPatternEx return nullptr"); return Scanner(match); } static auto FindPatternEx(HANDLE handle, const char* sig) -> Scanner { char pattern[100]; char mask[100]; char lastChar = ' '; unsigned int j = 0; for (unsigned int i = 0; i < strlen(sig); i++) { if ((sig[i] == '?' || sig[i] == '*') && (lastChar != '?' && lastChar != '*')) { pattern[j] = mask[j] = '?'; j++; } else if (isspace(lastChar)) { pattern[j] = lastChar = (char)strtol(&sig[i], 0, 16); mask[j] = 'x'; j++; } lastChar = sig[i]; } pattern[j] = mask[j] = '\0'; auto module = (uint64_t)GetModuleHandle(nullptr); return FindPatternEx(handle, pattern, mask, module, module + Memcury::PE::GetNTHeaders()->OptionalHeader.SizeOfImage); } static auto FindPattern(const char* signature, bool bWarnIfNotFound = true) -> Scanner { PE::Address add{ nullptr }; const auto sizeOfImage = PE::GetNTHeaders()->OptionalHeader.SizeOfImage; auto patternBytes = ASM::pattern2bytes(signature); const auto scanBytes = reinterpret_cast(PE::GetModuleBase()); const auto s = patternBytes.size(); const auto d = patternBytes.data(); for (auto i = 0ul; i < sizeOfImage - s; ++i) { bool found = true; for (auto j = 0ul; j < s; ++j) { if (scanBytes[i + j] != d[j] && d[j] != -1) { found = false; break; } } if (found) { add = reinterpret_cast(&scanBytes[i]); break; } } // MemcuryAssertM(add != 0, "FindPattern return nullptr"); if (bWarnIfNotFound) { if (add == 0) { LOG_WARN(LogMemory, "Failed to find {}", signature); // MessageBoxA(0, ("FindPattern " + std::string(signature) + " null").c_str(), "Memcury", MB_ICONERROR); } } return Scanner(add); } static auto FindPointerRef(void* Pointer, int useRefNum = 0, bool bUseFirstResult = false) -> Scanner // credit me and ender { PE::Address add{ nullptr }; auto textSection = PE::Section::GetSection(".text"); const auto scanBytes = reinterpret_cast(textSection.GetSectionStart().Get()); int aa = 0; // scan only text section for (DWORD i = 0x0; i < textSection.GetSectionSize(); i++) { if ((scanBytes[i] == ASM::CMOVL || scanBytes[i] == ASM::CMOVS) && (scanBytes[i + 1] == ASM::LEA || scanBytes[i + 1] == 0x8B)) { if (PE::Address(&scanBytes[i]).RelativeOffset(3).GetAs() == Pointer) { add = PE::Address(&scanBytes[i]); // LOG_INFO(LogDev, "2add: 0x{:x}", add.Get() - __int64(GetModuleHandleW(0))); if (bUseFirstResult) return Scanner(add); /* if (++aa > useRefNum) break; */ } } if (scanBytes[i] == ASM::CALL) { if (PE::Address(&scanBytes[i]).RelativeOffset(1).GetAs() == Pointer) { add = PE::Address(&scanBytes[i]); // LOG_INFO(LogDev, "1add: 0x{:x}", add.Get() - __int64(GetModuleHandleW(0))); if (bUseFirstResult) return Scanner(add); /* if (++aa > useRefNum) break; */ } } } if (add == 0) { MessageBoxA(0, "FindPointerRef return nullptr", "Memcury", MB_OK); } else { // MessageBoxA(0, std::format("FindPointerRef return 0x{:x}", add.Get() - __int64(GetModuleHandleW(0))).c_str(), "Memcury", MB_OK); } return Scanner(add); } // Supports wide and normal strings both std and pointers template static auto FindStringRef(T string, bool bWarnIfNotFound = true, int useRefNum = 0, bool bIsInFunc = false) -> Scanner { PE::Address add{ nullptr }; constexpr auto bIsWide = std::is_same::value; constexpr auto bIsChar = std::is_same::value; constexpr auto bIsPtr = bIsWide || bIsChar; auto textSection = PE::Section::GetSection(".text"); auto rdataSection = PE::Section::GetSection(".rdata"); const auto scanBytes = reinterpret_cast(textSection.GetSectionStart().Get()); int aa = 0; // scan only text section for (DWORD i = 0x0; i < textSection.GetSectionSize(); i++) { if ((scanBytes[i] == ASM::CMOVL || scanBytes[i] == ASM::CMOVS) && scanBytes[i + 1] == ASM::LEA) { auto stringAdd = PE::Address(&scanBytes[i]).RelativeOffset(3); // Check if the string is in the .rdata section if (rdataSection.isInSection(stringAdd)) { auto strBytes = stringAdd.GetAs(); // Check if the first char is printable if (ASM::byteIsAscii(strBytes[0])) { if constexpr (!bIsPtr) { // typedef T::value_type char_type; using char_type = std::decay_t>; auto lea = stringAdd.GetAs(); T leaT(lea); if (leaT == string) { add = PE::Address(&scanBytes[i]); if (++aa > useRefNum) break; } } else { auto lea = stringAdd.GetAs(); if constexpr (bIsWide) { if (wcscmp(string, lea) == 0) { add = PE::Address(&scanBytes[i]); if (++aa > useRefNum) break; } } else { if (strcmp(string, lea) == 0) { add = PE::Address(&scanBytes[i]); if (++aa > useRefNum) break; } } } } } } } // MemcuryAssertM(add != 0, "FindStringRef return nullptr"); if (bWarnIfNotFound) { if (add == 0) { if constexpr (bIsWide) { std::wstring wstr = std::wstring(string); LOG_WARN(LogMemory, "Failed to find String {}", std::string(wstr.begin(), wstr.end())); // auto aaa = (L"failed FindStringRef " + std::wstring(string)); // MessageBoxA(0, std::string(aaa.begin(), aaa.end()).c_str(), "Memcury", MB_ICONERROR); } else { LOG_WARN(LogMemory, "Failed to find String {}", string); // MessageBoxA(0, ("failed FindStringRef " + std::string(string)).c_str(), "Memcury", MB_ICONERROR); } } } if (add.Get()) { if (bIsInFunc) { for (int i = 0; i < 300; i++) { if (*(uint8_t*)(add.Get() - i) == 0x48 && *(uint8_t*)(add.Get() - i + 1) == 0x83) { // MessageBoxA(0, std::format("0x{:x}", (__int64(add.Get() - i) - __int64(GetModuleHandleW(0)))).c_str(), "Memcury", MB_OK); auto beginFunc = Scanner(add.Get() - i); auto ref = FindPointerRef(beginFunc.GetAs()); return ref; } } } } return Scanner(add); } auto Jump() -> Scanner { _address.Jump(); return *this; } inline auto ScanFor(std::vector opcodesToFind, bool forward = true, int toSkip = 0) -> Scanner { const auto scanBytes = _address.GetAs(); for (auto i = (forward ? 1 : -1); forward ? (i < 2048) : (i > -2048); forward ? i++ : i--) { bool found = true; for (int k = 0; k < opcodesToFind.size() && found; k++) { auto& currentOpcode = opcodesToFind[k]; if (currentOpcode == -1) continue; // std::cout << std::format("[{} {}] 0x{:x}\n", i, k, currentOpcode); found = currentOpcode == scanBytes[i + k]; } if (found) { _address = &scanBytes[i]; if (toSkip != 0) { return ScanFor(opcodesToFind, forward, toSkip - 1); } break; } } return *this; } auto FindFunctionBoundary(bool forward = false) -> Scanner { const auto scanBytes = _address.GetAs(); for (auto i = (forward ? 1 : -1); forward ? (i < 2048) : (i > -2048); forward ? i++ : i--) { if ( // ASM::byteIsA(scanBytes[i], ASM::MNEMONIC::JMP_REL8) || // ASM::byteIsA(scanBytes[i], ASM::MNEMONIC::JMP_REL32) || // ASM::byteIsA(scanBytes[i], ASM::MNEMONIC::JMP_EAX) || ASM::byteIsA(scanBytes[i], ASM::MNEMONIC::RETN_REL8) || ASM::byteIsA(scanBytes[i], ASM::MNEMONIC::RETN) || ASM::byteIsA(scanBytes[i], ASM::MNEMONIC::INT3)) { _address = (uintptr_t)&scanBytes[i + 1]; break; } } return *this; } auto RelativeOffset(uint32_t offset) -> Scanner { if (!_address.Get()) { LOG_WARN(LogMemory, "Trying to relative offset an invalid offset!"); return *this; } _address.RelativeOffset(offset); return *this; } auto AbsoluteOffset(uint32_t offset) -> Scanner { _address.AbsoluteOffset(offset); return *this; } template auto GetAs() -> T { return _address.GetAs(); } auto Get() -> uintptr_t { return _address.Get(); } auto IsValid() -> bool { return _address.IsValid(); } }; /* Bad don't use it tbh... */ class TrampolineHook { void** originalFunctionPtr; PE::Address originalFunction; PE::Address hookFunction; PE::Address allocatedPage; std::vector restore; void PointToCodeIfNot(PE::Address& ptr) { auto bytes = ptr.GetAs(); if (ASM::byteIsA(bytes[0], ASM::MNEMONIC::JMP_REL32)) { ptr = bytes + 5 + *(int32_t*)&bytes[1]; } } void* AllocatePageNearAddress(void* targetAddr) { SYSTEM_INFO sysInfo; GetSystemInfo(&sysInfo); const uint64_t PAGE_SIZE = sysInfo.dwPageSize; uint64_t startAddr = (uint64_t(targetAddr) & ~(PAGE_SIZE - 1)); // round down to nearest page boundary uint64_t minAddr = fmin(startAddr - 0x7FFFFF00, (uint64_t)sysInfo.lpMinimumApplicationAddress); uint64_t maxAddr = fmax(startAddr + 0x7FFFFF00, (uint64_t)sysInfo.lpMaximumApplicationAddress); uint64_t startPage = (startAddr - (startAddr % PAGE_SIZE)); for (uint64_t pageOffset = 1; pageOffset; pageOffset++) { uint64_t byteOffset = pageOffset * PAGE_SIZE; uint64_t highAddr = startPage + byteOffset; uint64_t lowAddr = (startPage > byteOffset) ? startPage - byteOffset : 0; bool needsExit = highAddr > maxAddr && lowAddr < minAddr; if (highAddr < maxAddr) { void* outAddr = VirtualAlloc((void*)highAddr, PAGE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (outAddr) return outAddr; } if (lowAddr > minAddr) { void* outAddr = VirtualAlloc((void*)lowAddr, PAGE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (outAddr != nullptr) return outAddr; } if (needsExit) { break; } } return nullptr; } void WriteAbsoluteJump(void* jumpLocation, void* destination) { uint8_t absJumpInstructions[] = { ASM::Mnemonic("CMOVNS"), 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r10, addr 0x41, 0xFF, 0xE2 // jmp r10 }; auto destination64 = (uint64_t)destination; memcpy(&absJumpInstructions[2], &destination64, sizeof(destination64)); memcpy(jumpLocation, absJumpInstructions, sizeof(absJumpInstructions)); } uintptr_t PrepareRestore() { /* This is not a correct way to do it at all, since not all functions sub from the stack This needs so much more tests, but it works for now. */ Scanner scanner(originalFunction); scanner.ScanFor({ 0x48, 0x83, 0xEC }); // sub rsp auto restoreSize = scanner.Get() - originalFunction.Get(); MemcuryAssert(restoreSize > 0 && restoreSize < 0x100); restore.reserve(restoreSize); for (auto i = 0; i < restoreSize; i++) { restore.push_back(originalFunction.GetAs()[i]); } return restoreSize; } void WriteRestore() { auto restorePtr = allocatedPage + ASM::SIZE_OF_JMP_ABSLOUTE_INSTRUCTION + 2; memcpy(restorePtr.GetAs(), restore.data(), restore.size()); *originalFunctionPtr = restorePtr.GetAs(); // Write a jump back to where the execution should resume restorePtr.AbsoluteOffset((uint32_t)restore.size()); auto contuineExecution = originalFunction + restore.size(); WriteAbsoluteJump(restorePtr.GetAs(), contuineExecution.GetAs()); } auto PrepareJMPInstruction(uint64_t dst) { uint8_t bytes[5] = { ASM::Mnemonic("JMP_REL32"), 0x0, 0x0, 0x0, 0x0 }; const uint64_t relAddr = dst - (originalFunction.Get() + ASM::SIZE_OF_JMP_RELATIVE_INSTRUCTION); memcpy(bytes + 1, &relAddr, 4); return std::move(bytes); } bool IsHooked() { return originalFunction.GetAs()[0] == ASM::Mnemonic("JMP_REL32"); } public: TrampolineHook(void** originalFunction, void* hookFunction) { this->originalFunctionPtr = originalFunction; this->originalFunction = *originalFunction; this->hookFunction = hookFunction; PointToCodeIfNot(this->originalFunction); PointToCodeIfNot(this->hookFunction); }; bool Commit() { auto fnStart = originalFunction.GetAs(); auto restoreSize = PrepareRestore(); if (!allocatedPage.IsValid()) { allocatedPage = AllocatePageNearAddress(fnStart); } memset(allocatedPage.GetAs(), ASM::MNEMONIC::INT3, 0x1000); WriteAbsoluteJump(allocatedPage.GetAs(), hookFunction.GetAs()); DWORD oldProtect; VirtualProtect(fnStart, 1024, PAGE_EXECUTE_READWRITE, &oldProtect); auto jmpInstruction = PrepareJMPInstruction(allocatedPage.Get()); WriteRestore(); memset(fnStart, ASM::MNEMONIC::INT3, restoreSize); memcpy(fnStart, jmpInstruction, ASM::SIZE_OF_JMP_RELATIVE_INSTRUCTION); return true; } bool Revert() { auto fnStart = originalFunction.GetAs(); DWORD oldProtect; VirtualProtect(fnStart, 1024, PAGE_EXECUTE_READWRITE, &oldProtect); memcpy(fnStart, restore.data(), restore.size()); *originalFunctionPtr = originalFunction.GetAs(); // VirtualFree(allocatedPage.GetAs(), 0x1000, MEM_RELEASE); return true; } auto Toggle() { if (IsHooked()) Revert(); else Commit(); return IsHooked(); } }; namespace VEHHook { struct HOOK_INFO { void* Original; void* Detour; HOOK_INFO(void* Original, void* Detour) : Original(Original) , Detour(Detour) { } }; inline std::vector Hooks; inline std::vector HookProtections; inline HANDLE ExceptionHandler; inline long Handler(EXCEPTION_POINTERS* Exception) { if (Exception->ExceptionRecord->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION) { auto Itr = std::find_if(Hooks.begin(), Hooks.end(), [Rip = Exception->ContextRecord->Rip](const HOOK_INFO& Hook) { return Hook.Original == (void*)Rip; }); if (Itr != Hooks.end()) { Exception->ContextRecord->Rip = (uintptr_t)Itr->Detour; } Exception->ContextRecord->EFlags |= 0x100; // SINGLE_STEP_FLAG return EXCEPTION_CONTINUE_EXECUTION; } else if (Exception->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP) { // TODO: find a way to only vp the function that about to get executed for (auto& Hook : Hooks) { DWORD dwOldProtect; VirtualProtect(Hook.Original, 1, PAGE_EXECUTE_READ | PAGE_GUARD, &dwOldProtect); } return EXCEPTION_CONTINUE_EXECUTION; } return EXCEPTION_CONTINUE_SEARCH; } inline bool Init() { if (ExceptionHandler == nullptr) { ExceptionHandler = AddVectoredExceptionHandler(true, (PVECTORED_EXCEPTION_HANDLER)Handler); } return ExceptionHandler != nullptr; } inline bool AddHook(void* Target, void* Detour) { if (ExceptionHandler == nullptr) { return false; } if (Util::IsSamePage(Target, Detour)) { return false; } if (!VirtualProtect(Target, 1, PAGE_EXECUTE_READ | PAGE_GUARD, &HookProtections.emplace_back())) { HookProtections.pop_back(); return false; } Hooks.emplace_back(Target, Detour); return true; } inline bool RemoveHook(void* Original) { auto Itr = std::find_if(Hooks.begin(), Hooks.end(), [Original](const HOOK_INFO& Hook) { return Hook.Original == Original; }); if (Itr == Hooks.end()) { return false; } const auto ProtItr = HookProtections.begin() + std::distance(Hooks.begin(), Itr); Hooks.erase(Itr); DWORD dwOldProtect; bool Ret = VirtualProtect(Original, 1, *ProtItr, &dwOldProtect); HookProtections.erase(ProtItr); return false; } } } inline int HexToDec(std::string hexValue) { int len = hexValue.size(); // Initializing base value to 1, i.e 16 ^ 0 int base = 1; int dec_value = 0; // extracting characters as digits from last // character for (int i = len - 1; i >= 0; i--) { if (hexValue[i] >= '0' && hexValue[i] <= '9') { dec_value += (int(hexValue[i]) - 48) * base; // incrementing base by power base = base * 16; } // if character lies in 'A' - 'F' , converting // it to integral 10 - 15 by subtracting 55 // from ASCII value else if (hexValue[i] >= 'A' && hexValue[i] <= 'F') { dec_value += (int(hexValue[i]) - 55) * base; // incrementing base by power base = base * 16; } } return dec_value; } inline std::string GetBytes(uintptr_t Address, int count = 10) { std::string Bytes; for (int i = 0; i < count; i++) { auto byte = *(uint8_t*)(Address + i) & 0xff; auto Byte = (byte == 0) ? "? " : std::format("{:x} ", byte); if (Byte.length() == 2 && byte != 0) // 2 because of the space Byte = "0" + Byte; Bytes += Byte; } std::transform(Bytes.begin(), Bytes.end(), Bytes.begin(), ::toupper); return Bytes; } inline bool IsBadReadPtr(void* p) { MEMORY_BASIC_INFORMATION mbi = { 0 }; if (::VirtualQuery(p, &mbi, sizeof(mbi))) { DWORD mask = (PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY); bool b = !(mbi.Protect & mask); // check the page is not a guard page if (mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS)) b = true; return b; } return true; } static void VirtualSwap(void** VTable, int Idx, void* NewFunc) { DWORD dwProtection; VirtualProtect(&VTable[Idx], 8, PAGE_EXECUTE_READWRITE, &dwProtection); VTable[Idx] = NewFunc; DWORD dwTemp; VirtualProtect(&VTable[Idx], 8, dwProtection, &dwTemp); } // Finds a string ref, then goes searches xref of the function that it's in and returns that address. inline uintptr_t FindFunctionCall(const wchar_t* Name, const std::vector& Bytes = std::vector{ 0x48, 0x89, 0x5C }, int skip = 0) // credit ender & me { auto FunctionPtr = Memcury::Scanner::FindStringRef(Name, true, skip).ScanFor({ 0x48, 0x8D, 0x0D }).RelativeOffset(3).GetAs(); auto PtrRef = Memcury::Scanner::FindPointerRef(FunctionPtr); /* if (!PtrRef.Get() || PtrRef.Get() == __int64(FunctionPtr)) { std::wstring NameWStr = std::wstring(Name); LOG_WARN(LogMemory, "Failed to find pointer reference for {}", std::string(NameWStr.begin(), NameWStr.end())); return 0; } */ return PtrRef.ScanFor(Bytes, false).Get(); }