Windows下的函数hook技术[7]

[入库:2006年2月23日] [更新:2007年3月24日]

本文简介:

 //Write g_abOriTextout to the end of Hook function(NOP addr), then write the jmp instruction. 
 VirtualProtectEx(hProcess, (LPVOID)dwNOPAddr, 10, PAGE_READWRITE, &dwOldFlag);
 WriteProcessMemory(hProcess, (LPVOID)dwNOPAddr, g_abOriCode, sizeof(g_abOriCode), NULL);

 //Generate the jmp TextoutA + 5
 __asm
 { 
  mov eax, g_oriTextout;
  mov ebx, dwNOPAddr;
  add ebx, 5;
  sub eax, ebx;
  mov dword ptr[g_abJmpCode+1], eax;
 }
 WriteProcessMemory(hProcess, (LPVOID)(dwNOPAddr+5), g_abJmpCode, sizeof(g_abJmpCode), NULL);
 VirtualProtectEx(hProcess, (LPVOID)dwNOPAddr, 10, dwOldFlag, NULL);

 g_blHooked = TRUE;

 if(TRUE)
  return TRUE;

HookLabel:
 NAKED_PROLOG ( ) ;

 int nx, ny;
  LPCSTR lp;
 lp = NULL;
 _asm
 {
  mov esi, ebp;
  add esi, 0Ch;
  lea edi, nx;
  movsd;

  lea edi, ny;
  movsd;
  
  lea edi, lp;
  movsd;
 }

 WriteLog_F("Try to ouput \"%s\" at (%d,%d)\n", lp, nx, ny);

    // Do the common epilog.
    EPILOG_COMMON ( ) ;

NOPLabel:
 _asm NOP
 _asm NOP
 _asm NOP
 _asm NOP
 _asm NOP
 _asm NOP
 _asm NOP
 _asm NOP
 _asm NOP
 _asm NOP
 _asm NOP
}

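/*
 * UninstallTextoutHook - undo the in-process patch on TextOutA.
 *
 * Copies the saved original bytes (g_abOriCode) back over the entry of the
 * hooked function (g_oriTextout) and restores the page protection that was
 * in effect before the write.
 *
 * Returns TRUE when the original bytes were written back and the previous
 * page protection was restored. Returns FALSE when no hook is installed,
 * when the page could not be made writable, when the write failed or was
 * short, or when the protection could not be restored.
 *
 * g_blHooked is cleared only once the original bytes are back in place, so
 * a failed attempt can be retried.
 *
 * NOTE(review): nothing here stops another thread from executing the
 * entry bytes while they are being rewritten; callers are presumably
 * expected to serialise install/uninstall against users of the function.
 * Confirm against the rest of the module.
 */
LRESULT WINAPI UninstallTextoutHook()
{
 if (!g_blHooked)
  return FALSE;

 /*
  * The patch lives in this process, so the pseudo-handle is sufficient.
  * It needs no CloseHandle (the original OpenProcess handle was never
  * closed) and avoids requesting PROCESS_ALL_ACCESS on a real handle.
  */
 HANDLE hProcess = GetCurrentProcess();
 LPVOID pTarget = (LPVOID)g_oriTextout;
 DWORD dwOldFlag = 0;
 DWORD dwUnused = 0;
 SIZE_T cbWritten = 0;

 /*
  * Keep the page executable while it is writable: a plain PAGE_READWRITE
  * page faults under DEP if any thread runs code on it during the patch.
  * The range matches the number of bytes actually written below
  * (presumably 5, per the install path).
  */
 if (!VirtualProtectEx(hProcess, pTarget, sizeof(g_abOriCode),
                       PAGE_EXECUTE_READWRITE, &dwOldFlag))
  return FALSE;

 /* Restore the first bytes of TextOutA from the saved copy. */
 BOOL blWritten = WriteProcessMemory(hProcess, pTarget, g_abOriCode,
                                     sizeof(g_abOriCode), &cbWritten)
                  && cbWritten == sizeof(g_abOriCode);

 /*
  * Always try to put the old protection back, even after a failed write,
  * so the code page is not left writable. VirtualProtectEx fails when its
  * last argument is NULL, so a scratch variable is passed.
  */
 BOOL blReprotected = VirtualProtectEx(hProcess, pTarget, sizeof(g_abOriCode),
                                       dwOldFlag, &dwUnused);

 if (!blWritten)
  return FALSE;

 /* Make sure no stale copy of the patched instructions is executed. */
 FlushInstructionCache(hProcess, pTarget, sizeof(g_abOriCode));

 g_blHooked = FALSE;

 return blReprotected ? TRUE : FALSE;
}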

本文关键:Windows下的函数hook技术
 
