vehhook: fix lost hooks, fix thread safety; vthook: avoid accessing invalid memory in vt backup

Author: Rafael Stahl

.clang-format

@@ -6,6 +6,7 @@ AllowShortIfStatementsOnASingleLine: false
 AlwaysBreakTemplateDeclarations: true
 BreakBeforeBraces: Allman
 BreakConstructorInitializersBeforeComma: true
+BreakConstructorInitializers: BeforeComma
 ColumnLimit: 120
 ConstructorInitializerAllOnOneLineOrOnePerLine: true
 Cpp11BracedListStyle: false
@@ -14,6 +15,7 @@ IndentCaseLabels: false
 IndentWidth: 4
 KeepEmptyLinesAtTheStartOfBlocks: false
 MaxEmptyLinesToKeep: 2
+PackConstructorInitializers: CurrentLine
 PenaltyReturnTypeOnItsOwnLine: 10000
 PointerBindsToType: true
 SortIncludes: false

CMakeLists.txt

@@ -1,21 +1,20 @@
-CMAKE_MINIMUM_REQUIRED(VERSION 3.1 FATAL_ERROR)
-
+CMAKE_MINIMUM_REQUIRED(VERSION 3.10)
 PROJECT(hacklib_project)
 
 # set the default configuration to debug
 IF(NOT CMAKE_BUILD_TYPE)
     SET(CMAKE_BUILD_TYPE Debug)
 ENDIF()
 
-SET(PROJ_ROOT       "${CMAKE_CURRENT_SOURCE_DIR}")
+set(PROJ_ROOT "${CMAKE_CURRENT_SOURCE_DIR}")
 IF(CMAKE_SIZEOF_VOID_P EQUAL 8)
     SET(ARCH_64BIT TRUE)
     ADD_DEFINITIONS(-DARCH_64BIT)
-    SET(PROJ_BIN        ${PROJ_ROOT}/bin64)
-    SET(PROJ_LIB        ${PROJ_ROOT}/lib64)
+    SET(PROJ_BIN ${PROJ_ROOT}/bin64)
+    SET(PROJ_LIB ${PROJ_ROOT}/lib64)
 ELSE()
-    SET(PROJ_BIN        ${PROJ_ROOT}/bin)
-    SET(PROJ_LIB        ${PROJ_ROOT}/lib)
+    SET(PROJ_BIN ${PROJ_ROOT}/bin)
+    SET(PROJ_LIB ${PROJ_ROOT}/lib)
 ENDIF()
 
 # default output directories
@@ -38,7 +37,7 @@ ENDIF()
 SET_PROPERTY(GLOBAL PROPERTY USE_FOLDERS ON)
 SET(CMAKE_POSITION_INDEPENDENT_CODE ON)
 SET(CMAKE_DEBUG_POSTFIX "d")
-SET(CMAKE_CXX_STANDARD 14)
+SET(CMAKE_CXX_STANDARD 23)
 SET(CMAKE_CXX_STANDARD_REQUIRED ON)
 
 IF(WIN32)

src/hacklib/src/Hooker.cpp

@@ -50,6 +50,12 @@ class VTHookManager
         }
         else
         {
+            // Limit backup size by available readable memory region.
+            uintptr_t vtAddr = (uintptr_t)*instance;
+            const auto& memRegion = hl::GetMemoryByAddress(vtAddr);
+            uintptr_t maxSize = memRegion.base + memRegion.size - vtAddr;
+            vtBackupSize = std::min(vtBackupSize, (int)(maxSize / sizeof(void*)));
+
             // Create new fake VT (mirroring the original one).
             fakeVT = std::make_unique<FakeVT>(instance, vtBackupSize);
 
@@ -99,7 +105,8 @@ class VTHook : public IHook
 {
 public:
     VTHook(uintptr_t classInstance, int functionIndex, uintptr_t cbHook, int vtBackupSize)
-        : instance((uintptr_t**)classInstance), functionIndex(functionIndex)
+        : instance((uintptr_t**)classInstance)
+        , functionIndex(functionIndex)
     {
         g_vtHookManager.addHook(instance, functionIndex, cbHook, vtBackupSize);
     }
@@ -136,7 +143,10 @@ class DetourHook : public IHook
 {
 public:
     DetourHook(uintptr_t location, int offset, Hooker::HookCallback_t cbHook)
-        : location(location), offset(offset), cbHook(cbHook), wrapperCode(0x1000, 0xcc)
+        : location(location)
+        , offset(offset)
+        , cbHook(cbHook)
+        , wrapperCode(0x1000, 0xcc)
     {
     }
     ~DetourHook() override

src/hacklib/src/Hooker_VEH.cpp

@@ -39,15 +39,10 @@ class VEHHookManager
 
         return nullptr;
     }
-    Page* getPage(uintptr_t adr)
+    bool isPageHooked(uintptr_t adr)
     {
-        std::lock_guard<std::mutex> lock(m_pagesMutex);
-
-        auto it = m_pages.upper_bound(adr);
-        if (it != m_pages.end())
-            return (--it)->second.get();
-
-        return nullptr;
+        std::lock_guard lock(m_pagesMutex);
+        return getPage(adr) != nullptr;
     }
     void addHook(uintptr_t adr, hl::Hooker::HookCallback_t cbHook)
     {
@@ -63,6 +58,7 @@ class VEHHookManager
             }
         }
 
+        std::lock_guard lock(m_pagesMutex);
         auto page = getPage(adr);
         if (page)
         {
@@ -74,42 +70,45 @@ class VEHHookManager
             uintptr_t lowerBound = region.base;
             uintptr_t upperBound = lowerBound + hl::GetPageSize();
 
-            std::lock_guard<std::mutex> lock(m_pagesMutex);
             m_pages[lowerBound] = std::make_unique<Page>(lowerBound, upperBound);
-            m_pages[upperBound] = nullptr;
+            m_pages.try_emplace(upperBound, nullptr);
         }
     }
     void removeHook(uintptr_t adr)
     {
         m_hooks.erase(adr);
 
-        auto page = getPage(adr);
-        if (page)
         {
-            if (page->m_refs == 1)
+            std::unique_lock lock(m_pagesMutex);
+            auto page = getPage(adr);
+            if (page)
             {
-                // Trigger the guard page violation to remove it. VEH will not handle the
-                // exception so we can be sure the guard page protection was removed.
-                [&] {
-                    __try
+                if (page->m_refs == 1)
+                {
+                    lock.unlock();
+                    // Trigger the guard page violation to remove it. VEH will not handle the
+                    // exception so we can be sure the guard page protection was removed.
+                    [&]
                     {
-                        while (true)
+                        __try
                         {
-                            auto x = *(volatile int*)adr;
+                            while (true)
+                            {
+                                auto x = *(volatile int*)adr;
+                            }
                         }
-                    }
-                    __except (EXCEPTION_EXECUTE_HANDLER)
-                    {
-                    }
-                }();
-
-                std::lock_guard<std::mutex> lock(m_pagesMutex);
-                m_pages.erase(page->m_end);
-                m_pages.erase(page->m_begin);
-            }
-            else
-            {
-                page->m_refs--;
+                        __except (EXCEPTION_EXECUTE_HANDLER)
+                        {
+                        }
+                    }();
+
+                    lock.lock();
+                    m_pages.erase(page->m_begin);
+                }
+                else
+                {
+                    page->m_refs--;
+                }
             }
         }
 
@@ -121,6 +120,17 @@ class VEHHookManager
         }
     }
 
+private:
+    // Caller must lock.
+    Page* getPage(uintptr_t adr)
+    {
+        auto it = m_pages.upper_bound(adr);
+        if (it != m_pages.end())
+            return (--it)->second.get();
+
+        return nullptr;
+    }
+
 private:
     PVOID m_pExHandler = nullptr;
     std::map<uintptr_t, hl::Hooker::HookCallback_t> m_hooks;
@@ -243,7 +253,7 @@ static void checkForHookAndCall(uintptr_t adr, CONTEXT* pCtx)
 
 static LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS exc)
 {
-    static uintptr_t guardFaultAdr;
+    thread_local uintptr_t guardFaultAdr;
 
     CONTEXT* pCtx = exc->ContextRecord;
 
@@ -285,7 +295,7 @@ static LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS exc)
         // Single-step exeption occured. Single-step flag is cleared now.
 
         // Check if we are within a page that contains hooks.
-        if (g_vehHookManager.getPage(pCtx->REG_INSTRUCTIONPTR))
+        if (g_vehHookManager.isPageHooked(pCtx->REG_INSTRUCTIONPTR))
         {
             // We are still on a hooked page. Continue single-stepping.
             pCtx->EFlags |= 0x100;
@@ -296,7 +306,7 @@ static LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS exc)
         {
             // We stepped out of a hooked page.
             // Check if the page that was last guarded still contains a hook.
-            if (g_vehHookManager.getPage(guardFaultAdr))
+            if (g_vehHookManager.isPageHooked(guardFaultAdr))
             {
                 // Restore guard page protection.
                 DWORD oldProt;

src/hacklib/src/Logging.cpp

@@ -59,10 +59,10 @@ static std::string GetCodeStr(const char* file, const char* func, int line)
     return str;
 }
 
-static void LogString(const std::string& str)
+static void LogString(const std::string& str, bool raw)
 {
     std::string logStr = str;
-    if (g_cfg.logTime)
+    if (!raw && g_cfg.logTime)
     {
         logStr = GetTimeStr() + " " + str;
     }
@@ -97,7 +97,7 @@ void hl::LogDebug(const char* file, const char* func, int line, const char* form
     va_start(vl, format);
     FormatStr str(format, vl);
 
-    LogString(GetCodeStr(file, func, line) + " " + str.str());
+    LogString(GetCodeStr(file, func, line) + " " + str.str(), false);
 
     va_end(vl);
 }
@@ -108,7 +108,7 @@ void hl::LogError(const char* file, const char* func, int line, const char* form
     va_start(vl, format);
     FormatStr str(format, vl);
 
-    LogString(GetCodeStr(file, func, line) + " ERROR: " + str.str());
+    LogString(GetCodeStr(file, func, line) + " ERROR: " + str.str(), false);
 
     va_end(vl);
 }
@@ -119,7 +119,7 @@ void hl::LogError(const char* format, ...)
     va_start(vl, format);
     FormatStr str(format, vl);
 
-    LogString(std::string("ERROR: ") + str.str());
+    LogString(std::string("ERROR: ") + str.str(), false);
 
     va_end(vl);
 }
@@ -130,7 +130,7 @@ void hl::LogRaw(const char* format, ...)
     va_start(vl, format);
     FormatStr str(format, vl);
 
-    LogString(str.str());
+    LogString(str.str(), true);
 
     va_end(vl);
 }