How to make a Hook and Trampoline function in one for WinAPI hooking

Question

So I have been learning about the concept of hooking and using trampolines in order to bypass/execute data in a WinAPI hook function (In a different executable file, using DLL injection). So far I know how to make it (the trampoline and hook) using a mixture of assembly and C, but I can't seem to do it with just using C, as I seem to be missing something. I'd appreciate if someone could tell me what I'm doing wrong and how to fix it up.

Right now my code:

#include <Windows.h>

unsigned char* address = 0;

__declspec(naked) int __stdcall MessageBoxAHookTrampoline(HWND Window, char* Message, char* Title, int Type) {
    __asm
    {
        push ebp
        mov ebp, esp
        mov eax, address
        add eax, 5
        jmp eax
    }
}

int __stdcall MessageBoxAHook(HWND Window, char* Message, char* Title, int Type) {
    wchar_t* WMessage = L"Hooked!";
    wchar_t* WTitle = L"Success!";
    MessageBoxW(0, WMessage, WTitle, 0);
    return MessageBoxAHookTrampoline(Window, Message, Title, Type);
}

unsigned long __stdcall Thread(void* Context) {
    address = (unsigned char*)GetProcAddress(LoadLibraryA("user32"), "MessageBoxA");
    ULONG OP = 0;
    if (VirtualProtect(address, 1, PAGE_EXECUTE_READWRITE, &OP)) {
        memset(address, 0x90, 5);
        *address = 0xE9;
        *(unsigned long*)(address + 1) = (unsigned long)MessageBoxAHook - (unsigned long)address - 5;
    }
    else {
        MessageBoxA(0, "Failed to change protection", "RIP", 0);
    }
    return 1;
}

// Entry point.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        CreateThread(0, 0, Thread, 0, 0, 0);
    }
    else if (fdwReason == DLL_PROCESS_DETACH) {

    }
    return true;
}

So question is: How would I make a function say InstallHook that will install the hook and return a trampoline so I can use it easily? Function prototype probably would be: void* InstallHook(void* originalFunc, void* targetFunc, int jumpsize), or so I've understood reading online, but unsure what jumpsize would be used for.

So far I know that the first 5 bytes must be preserved and restored, and then there's a jump to the address of the original hooked function. So I'd have to use malloc to allocate memory, memcpy to copy bytes over, the 0xE9 is the value of a jump instruction and such, but I just don't know how to implement it using just pure C. I figure it would be something similar to the code in this question. So how can I write a hook function that returns a trampoline using pure C for WinAPI functions?

Answer 1

If I understood the question correctly, you want to avoid "hard-coding" the trampoline function in assembly, presumably so you could have multiple trampolines in use at the same time without duplicating the code. You can achieve this using VirtualAlloc (malloc won't work since the returned memory won't be executable).

I wrote this from memory without access to a compiler so it might have some minor bugs, but the general idea is here. Normally you would also use VirtualProtect to change the page permissions to r-x instead of rwx once you're done modifying it, but I've left that out for the sake of simplicity:

void *CreateTrampoline(void *originalFunc)
{
    /* Allocate the trampoline function */
    uint8_t *trampoline = VirtualAlloc(
        NULL,
        5 + 5, /* 5 for the prologue, 5 for the JMP */
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE); /* Make trampoline executable */

    /* Copy the original function's prologue */
    memcpy(trampoline, originalFunc, 5);

    /* JMP rel/32 opcode */
    trampoline[5] = 0xE9;

    /* JMP rel/32 operand */
    uint32_t jmpDest = (uint32_t)originalFunc + 5; /* Skip original prologue */
    uint32_t jmpSrc = (uint32_t)trampoline + 10; /* Starting after the JMP */
    uint32_t delta = jmpDest - jmpSrc;
    memcpy(trampoline + 6, &delta, 4);

    return trampoline;
}

Your InstallHook function would then just call CreateTrampoline to create a trampoline, then patch the first 5 bytes of the original function with a JMP rel/32 to your hook.

Be warned, this only works on WinAPI functions, because Microsoft requires that they have a 5-byte prologue to enable hot-patching (which is what you're doing here). Normal functions do not have this requirement -- usually they only start with push ebp; mov ebp, esp which is only 3 bytes (and sometimes not even that, if the compiler decides to optimize it out).

Edit: here's how the math works:

                          _______________delta______________
                         |                                  |
trampoline               |                  originalFunc    |
    |                    |                        |         |
    v                    |                        v         v
    [prologue][jmp delta]                         [prologue][rest of func]
    |________||_________|                         |________|
         5    +    5                                   5