From 6888381b4137c59d4ac449ff0037b532db47ac66 Mon Sep 17 00:00:00 2001
From: Peter Repukat
Date: Sat, 24 Sep 2022 19:31:01 +0200
Subject: [PATCH] Check if functions are actually hooked before un-hooking
---
 GlosSITarget/AppLauncher.cpp | 17 ++++++++++++-----
 GlosSITarget/HidHide.cpp | 6 ++++++
 GlosSITarget/HidHide.h | 8 ++++++++
 3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/GlosSITarget/AppLauncher.cpp b/GlosSITarget/AppLauncher.cpp
index e660331..2d2da76 100644
--- a/GlosSITarget/AppLauncher.cpp
+++ b/GlosSITarget/AppLauncher.cpp
@@ -167,6 +167,7 @@ void AppLauncher::getProcessHwnds()
 #ifdef _WIN32
 void AppLauncher::UnPatchValveHooks()
 {
+ // TODO: move and re-use reusable unhook util from HidHide.cpp
 spdlog::debug("Unpatching Valve CreateProcess hook...");
 // need to load addresses that way.. Otherwise we may land before some jumps...
 auto kernel32dll = GetModuleHandle(L"kernel32.dll");
@@ -176,12 +177,18 @@ void AppLauncher::UnPatchValveHooks()
 DWORD dw_old_protect, dw_bkup;
 const auto len = CREATE_PROC_ORIG_BYTES.size();
 VirtualProtect(address, len, PAGE_EXECUTE_READWRITE, &dw_old_protect); //Change permissions of memory..
- for (DWORD i = 0; i < len; i++) //unpatch Valve's hook
- {
- *(address + i) = CREATE_PROC_ORIG_BYTES[i];
+ const auto opcode = *(address);
+ if (opcode != 0xE9 && opcode != 0xE8 && opcode != 0xEB && opcode != 0xEA && opcode != 0xFF) {
+ spdlog::debug("\"CreateProcessW\" Doesn't appear to be hooked, skipping!");
+ VirtualProtect(address, len, dw_old_protect, &dw_bkup); // Revert permission change...
+ } else {
+ for (DWORD i = 0; i < len; i++) // unpatch Valve's hook
+ {
+ *(address + i) = CREATE_PROC_ORIG_BYTES[i];
+ }
+ VirtualProtect(address, len, dw_old_protect, &dw_bkup); // Revert permission change...
+ spdlog::trace("Unpatched CreateProcessW");
 }
- VirtualProtect(address, len, dw_old_protect, &dw_bkup); //Revert permission change...
- spdlog::trace("Unpatched CreateProcessW");
 }
 else {
 spdlog::error("failed to unpatch CreateProcessW");
diff --git a/GlosSITarget/HidHide.cpp b/GlosSITarget/HidHide.cpp
index f1071b8..a9697ba 100644
--- a/GlosSITarget/HidHide.cpp
+++ b/GlosSITarget/HidHide.cpp
@@ -191,6 +191,12 @@ void HidHide::UnPatchHook(const std::string& name, HMODULE module)
 DWORD dw_old_protect, dw_bkup;
 const auto len = bytes.size();
 VirtualProtect(address, len, PAGE_EXECUTE_READWRITE, &dw_old_protect); // Change permissions of memory..
+ const auto opcode = *(address);
+ if (!std::ranges::any_of(JUMP_INSTR_OPCODES, [&opcode](const auto& op) { return op == opcode; })) {
+ spdlog::debug("\"{}\" Doesn't appear to be hooked, skipping!", name);
+ VirtualProtect(address, len, dw_old_protect, &dw_bkup); // Revert permission change...
+ return;
+ }
 for (DWORD i = 0; i < len; i++) // unpatch Valve's hook
 {
 *(address + i) = bytes[i];
diff --git a/GlosSITarget/HidHide.h b/GlosSITarget/HidHide.h
index 0f9c020..2e9ceb3 100644
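Review bot: `const auto opcode = *(address);` takes the pointee type of `address`, which is declared outside the hunk; if that is `char*` (signed by default on MSVC), every opcode in the list is >= 0x80 and reads back as a negative value, so `opcode != 0xE9 && …` is always true, the hook is never detected and the restore loop is silently skipped. Reading the byte as unsigned removes that dependency: `const auto opcode = static_cast<unsigned char>(*address);`. The same applies to `op == opcode` in the HidHide.cpp hunk below, where `JUMP_INSTR_OPCODES` holds `int` values. The check is also only a first-byte heuristic; comparing the current bytes with `CREATE_PROC_ORIG_BYTES` would answer directly whether the function is already in its original state. UnPatchValveHooks begins and ends outside the hunk.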
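Review bot: `JUMP_INSTR_OPCODES` is declared in the HidHide.h hunk through CTAD as `std::vector` from `{0xE9, …}`, so its elements are `int` and the `any_of` lambda compares an `int` against whatever `*(address)` yields; declaring it as `static constexpr std::array<unsigned char, 5> JUMP_INSTR_OPCODES{0xE9, 0xE8, 0xEB, 0xEA, 0xFF};` fixes the element type to a byte, avoids a heap allocation at static initialization and states the intent. The lambda is also just a membership test, which reads more directly without a capture: `if (std::ranges::find(JUMP_INSTR_OPCODES, opcode) == JUMP_INSTR_OPCODES.end()) {`. UnPatchHook continues outside the hunk.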
--- a/GlosSITarget/HidHide.h
+++ b/GlosSITarget/HidHide.h
@@ -85,6 +85,14 @@ class HidHide {
 {"HidP_GetButtonCaps", "\x48\x83\xEC\x48\x49"},
 };
+ static inline const std::vector JUMP_INSTR_OPCODES = {
+ 0xE9,
+ 0xE8,
+ 0xEB,
+ 0xEA,
+ 0xFF
+ };
+
 static void UnPatchValveHooks();
 static void UnPatchHook(const std::string& name, HMODULE module);