BlackBone
Windows memory hacking library
 All Classes Functions
RemoteContext.hpp
1 #pragma once
2 
3 #include "../../Include/Winheaders.h"
4 #include "../ProcessMemory.h"
5 #include "../ProcessCore.h"
6 #include "../Threads/Thread.h"
7 #include "../../Include/Macro.h"
8 
9 namespace blackbone
10 {
11 
15 class RemoteContext
16 {
17 public:
18  BLACKBONE_API RemoteContext( class ProcessMemory& memory, Thread& thd, _CONTEXT64& ctx,
19  ptr_t frame_ptr, BOOL x64, int wordSize )
20  : _memory( memory )
21  , _thd( thd )
22  , _ctx( ctx )
23  , _x64Target( x64 )
24  , _wordSize( wordSize )
25  , _frame_ptr( frame_ptr != 0 ? frame_ptr : ctx.Rsp )
26  {
27  }
28 
29  BLACKBONE_API ~RemoteContext()
30  {
31  }
32 
33  // Native context
34  BLACKBONE_API inline _CONTEXT64& native()
35  {
36  return _ctx;
37  }
38 
43  BLACKBONE_API inline Thread& getThread()
44  {
45  return _thd;
46  }
47 
52  BLACKBONE_API inline const ptr_t returnAddress() const
53  {
54  ptr_t val = 0;
55  _memory.Read( _frame_ptr, _wordSize, &val );
56 
57  return val;
58  }
59 
65  BLACKBONE_API inline bool returnAddress( ptr_t val ) const
66  {
67  return (_memory.Write( _frame_ptr, _wordSize, &val ) == STATUS_SUCCESS);
68  }
69 
75  BLACKBONE_API inline void setReturnValue( ptr_t val ) const
76  {
77  memcpy( &_ctx.Rax, &val, _wordSize );
78  }
79 
84  BLACKBONE_API ptr_t hookReturn()
85  {
86  ptr_t val = returnAddress();
87  SET_BIT( val, (_wordSize * 8 - 1) );
88  if (returnAddress( val ) == false)
89  return 0;
90 
91  return val;
92  }
93 
98  BLACKBONE_API ptr_t unhookReturn()
99  {
100  auto val = returnAddress();
101  RESET_BIT( val, (_wordSize * 8 - 1) );
102  if (!returnAddress( val ))
103  return 0;
104 
105  return val;
106  }
107 
116  BLACKBONE_API DWORD64 getArg( int index )
117  {
118  if(_x64Target)
119  {
120  switch (index)
121  {
122  case 0:
123  return _ctx.Rcx;
124  case 1:
125  return _ctx.Rdx;
126  case 2:
127  return _ctx.R8;
128  case 3:
129  return _ctx.R9;
130 
131  default:
132  return _memory.Read<DWORD64>( _ctx.Rsp + 0x30 + (index - 4 ) * _wordSize );
133  }
134  }
135  else
136  {
137  DWORD64 val = 0;
138  _memory.Read( _ctx.Rsp + 4 + index * _wordSize, _wordSize, &val );
139  return val;
140  }
141  }
142 
151  BLACKBONE_API bool setArg( int index, DWORD64 val )
152  {
153  if (_x64Target)
154  {
155  switch (index)
156  {
157  case 0:
158  _ctx.Rcx = val;
159  break;
160 
161  case 1:
162  _ctx.Rdx = val;
163  break;
164 
165  case 2:
166  _ctx.R8 = val;
167  break;
168 
169  case 3:
170  _ctx.R9 = val;
171  break;
172 
173  default:
174  return (_memory.Write( _ctx.Rsp + 0x30 + (index - 4) * _wordSize, val ) == STATUS_SUCCESS);
175  }
176 
177  return true;
178  }
179  else
180  {
181  return (_memory.Write( _ctx.Rsp + 4 + index * _wordSize, _wordSize, &val ) == STATUS_SUCCESS);
182  }
183  }
184 
185 
190  BLACKBONE_API DWORD lastError()
191  {
192  ptr_t pteb = 0;
193  LONG offset = 0;
194 
195  if( _x64Target )
196  {
197  pteb = _thd.teb( (_TEB64*)nullptr );
198  offset = FIELD_OFFSET( _TEB64, LastErrorValue );
199  }
200  else
201  {
202  pteb = _thd.teb( (_TEB32*)nullptr );
203  offset = FIELD_OFFSET( _TEB32, LastErrorValue );
204  }
205 
206  if (pteb)
207  return _memory.Read<DWORD>( pteb + offset );
208 
209  return 0xFFFFFFFF;
210  }
211 
216  BLACKBONE_API DWORD lastError( DWORD newError )
217  {
218  ptr_t pteb = 0;
219  LONG offset = 0;
220 
221  if (_x64Target)
222  {
223  pteb = _thd.teb( (_TEB64*)nullptr );
224  offset = FIELD_OFFSET( _TEB64, LastErrorValue );
225  }
226  else
227  {
228  pteb = _thd.teb( (_TEB32*)nullptr );
229  offset = FIELD_OFFSET( _TEB32, LastErrorValue );
230  }
231 
232  if (pteb)
233  return _memory.Write( pteb + offset, newError );
234 
235  return 0xFFFFFFFF;
236  }
237 
238 
243  BLACKBONE_API ptr_t getUserContext()
244  {
245  auto pteb = _thd.teb( (_TEB64*)nullptr );
246 
247  if (pteb)
248  return _memory.Read<ptr_t>( pteb + FIELD_OFFSET( _NT_TIB_T<DWORD64>, ArbitraryUserPointer ) );
249 
250  return 0;
251  }
252 
257  BLACKBONE_API bool setUserContext( ptr_t context )
258  {
259  auto pteb = _thd.teb( (_TEB64*)nullptr );
260  if(pteb)
261  {
262  if (_memory.Write( pteb + FIELD_OFFSET( _NT_TIB_T<DWORD64>, ArbitraryUserPointer ), context ) == STATUS_SUCCESS)
263  return true;
264  }
265 
266  return false;
267  }
268 
269 
270 private:
271  RemoteContext( const RemoteContext& ) = delete;
272  RemoteContext& operator = ( const RemoteContext& ) = delete;
273 
274 private:
275  ProcessMemory& _memory; // Process memory routines
276  Thread& _thd; // Current thread
277  _CONTEXT64& _ctx; // Current thread context
278 
279  BOOL _x64Target = FALSE; // Target process is 64 bit
280  int _wordSize = 4; // 4 for x86, 8 for x64
281  ptr_t _frame_ptr = 0; // Top stack frame pointer
282 };
283 
284 }
blackbone::RemoteContext::getUserContext
BLACKBONE_API ptr_t getUserContext()
Get arbitrary thread data
Definition: RemoteContext.hpp:243
blackbone::RemoteContext::getThread
BLACKBONE_API Thread & getThread()
Get current process thread where exception occurred
Definition: RemoteContext.hpp:43
blackbone::RemoteContext::hookReturn
BLACKBONE_API ptr_t hookReturn()
Raise exception on function return
Definition: RemoteContext.hpp:84
blackbone::RemoteContext::lastError
BLACKBONE_API DWORD lastError(DWORD newError)
Set last thread error code
Definition: RemoteContext.hpp:216
blackbone::ProcessMemory::Read
BLACKBONE_API NTSTATUS Read(ptr_t dwAddress, size_t dwSize, PVOID pResult, bool handleHoles=false)
Read data
Definition: ProcessMemory.cpp:81
blackbone::_TEB_T
Definition: NativeStructures.h:71
blackbone::RemoteContext::setArg
BLACKBONE_API bool setArg(int index, DWORD64 val)
Set argument value. For x86 function works only with stack arguments. For x64 only integer arguments ...
Definition: RemoteContext.hpp:151
blackbone::_NT_TIB_T
Definition: NativeStructures.h:44
blackbone::RemoteContext::setUserContext
BLACKBONE_API bool setUserContext(ptr_t context)
Set arbitrary thread data
Definition: RemoteContext.hpp:257
blackbone::ProcessMemory
Definition: ProcessMemory.h:13
blackbone::RemoteContext::returnAddress
BLACKBONE_API const ptr_t returnAddress() const
Definition: RemoteContext.hpp:52
blackbone::ProcessMemory::Write
BLACKBONE_API NTSTATUS Write(ptr_t pAddress, size_t dwSize, const void *pData)
Write data
Definition: ProcessMemory.cpp:131
blackbone::RemoteContext
Remote function context during hook breakpoint.
Definition: RemoteContext.hpp:15
blackbone::RemoteContext::returnAddress
BLACKBONE_API bool returnAddress(ptr_t val) const
Set return address of current frame
Definition: RemoteContext.hpp:65
blackbone::RemoteContext::getArg
BLACKBONE_API DWORD64 getArg(int index)
Get argument value. Argument index is 0 based. For x86 function works only with stack arguments For x...
Definition: RemoteContext.hpp:116
blackbone::Thread::teb
BLACKBONE_API ptr_t teb(_TEB32 *pteb=nullptr) const
Get WOW64 TEB
Definition: Thread.cpp:41
blackbone::RemoteContext::lastError
BLACKBONE_API DWORD lastError()
Get last thread error code
Definition: RemoteContext.hpp:190
blackbone::Thread
Thread management
Definition: Thread.h:44
blackbone::_CONTEXT_T< DWORD64 >
Definition: NativeStructures.h:442
blackbone
Definition: AsmHelper32.cpp:6
blackbone::RemoteContext::setReturnValue
BLACKBONE_API void setReturnValue(ptr_t val) const
Set new integer return value. Has no effect on FPU. Has effect only if called in return callback ...
Definition: RemoteContext.hpp:75
blackbone::RemoteContext::unhookReturn
BLACKBONE_API ptr_t unhookReturn()
Remove exception on return
Definition: RemoteContext.hpp:98