Check if functions are actually hooked before un-hooking

2 years ago · 6888381b41
parent 6a13b23783
commit 6888381b41
3 changed files with 26 additions and 5 deletions
--- a/GlosSITarget/AppLauncher.cpp
+++ b/GlosSITarget/AppLauncher.cpp
@ -167,6 +167,7 @@ void AppLauncher::getProcessHwnds()
 #ifdef _WIN32
 void AppLauncher::UnPatchValveHooks()
 {
+    // TODO: move and re-use reusable unhook util from HidHide.cpp
    spdlog::debug("Unpatching Valve CreateProcess hook...");
    // need to load addresses that way.. Otherwise we may land before some jumps...
    auto kernel32dll = GetModuleHandle(L"kernel32.dll");
@ -176,12 +177,18 @@ void AppLauncher::UnPatchValveHooks()
            DWORD dw_old_protect, dw_bkup;
            const auto len = CREATE_PROC_ORIG_BYTES.size();
            VirtualProtect(address, len, PAGE_EXECUTE_READWRITE, &dw_old_protect); //Change permissions of memory..
-            for (DWORD i = 0; i < len; i++)                                        //unpatch Valve's hook
-            {
-                *(address + i) = CREATE_PROC_ORIG_BYTES[i];
+            const auto opcode = *(address); 
+            if (opcode != 0xE9 && opcode != 0xE8 && opcode != 0xEB && opcode != 0xEA && opcode != 0xFF) {
+                spdlog::debug("\"CreateProcessW\" Doesn't appear to be hooked, skipping!");
+                VirtualProtect(address, len, dw_old_protect, &dw_bkup); // Revert permission change...
+            } else {
+                for (DWORD i = 0; i < len; i++) // unpatch Valve's hook
+                {
+                    *(address + i) = CREATE_PROC_ORIG_BYTES[i];
+                }
+                VirtualProtect(address, len, dw_old_protect, &dw_bkup); // Revert permission change...
+                spdlog::trace("Unpatched CreateProcessW");   
            }
-            VirtualProtect(address, len, dw_old_protect, &dw_bkup); //Revert permission change...
-            spdlog::trace("Unpatched CreateProcessW");
        }
        else {
            spdlog::error("failed to unpatch CreateProcessW");
--- a/GlosSITarget/HidHide.cpp
+++ b/GlosSITarget/HidHide.cpp
@ -191,6 +191,12 @@ void HidHide::UnPatchHook(const std::string& name, HMODULE module)
    DWORD dw_old_protect, dw_bkup;
    const auto len = bytes.size();
    VirtualProtect(address, len, PAGE_EXECUTE_READWRITE, &dw_old_protect); // Change permissions of memory..
+    const auto opcode = *(address);
+    if (!std::ranges::any_of(JUMP_INSTR_OPCODES, [&opcode](const auto& op) { return op == opcode; })) {
+        spdlog::debug("\"{}\" Doesn't appear to be hooked, skipping!", name);
+        VirtualProtect(address, len, dw_old_protect, &dw_bkup); // Revert permission change...
+        return;
+    }
    for (DWORD i = 0; i < len; i++)                                        // unpatch Valve's hook
    {
        *(address + i) = bytes[i];
--- a/GlosSITarget/HidHide.h
+++ b/GlosSITarget/HidHide.h
@ -85,6 +85,14 @@ class HidHide {
        {"HidP_GetButtonCaps", "\x48\x83\xEC\x48\x49"},
    };

+    static inline const std::vector<uint8_t> JUMP_INSTR_OPCODES = {
+        0xE9,
+        0xE8,
+        0xEB,
+        0xEA,
+        0xFF
+    };
+
    static void UnPatchValveHooks();
    static void UnPatchHook(const std::string& name, HMODULE module);