ShadowPlay_Patcher/memory.cpp at master · furyzenblade/ShadowPlay_Patcher · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
#include "memory.h"
#include "utils.h"      // For toLower

#include <iostream>     // For std::cout
// TODO: Consider defining a Result struct instead to return error messages (E.g.: std::optional<Result> and return std::nullopt)
// instead of printing them to the console directly in the function.

#include <tlhelp32.h>   // CreateToolhelp32Snapshot

std::vector<DWORD> getProcessesByName(const std::wstring& processName) {
    std::vector<DWORD> processIDs;
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return processIDs;
    }

    if (!Process32First(hProcessSnap, &pe32)) {
        CloseHandle(hProcessSnap);
        return processIDs;
    }

    std::wstring targetName = toLower(processName);
    do {
        if (toLower(pe32.szExeFile) == targetName) {
            processIDs.push_back(pe32.th32ProcessID);
        }
    } while (Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return processIDs;
}

bool isModuleLoaded(DWORD processID, const std::wstring& moduleName) {
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;
    me32.dwSize = sizeof(MODULEENTRY32);

    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processID);
    if (hModuleSnap == INVALID_HANDLE_VALUE) {
        return false;
    }

    if (!Module32First(hModuleSnap, &me32)) {
        CloseHandle(hModuleSnap);
        return false;
    }

    std::wstring targetModuleName = toLower(moduleName);

    do {
        if (toLower(me32.szModule) == targetModuleName || toLower(me32.szExePath) == targetModuleName) {
            CloseHandle(hModuleSnap);
            return true;
        }
    } while (Module32Next(hModuleSnap, &me32));

    CloseHandle(hModuleSnap);
    return false;
}

uintptr_t getRemoteModuleBaseAddress(HANDLE hProcess, const wchar_t* moduleName) {
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, GetProcessId(hProcess));
    if (hSnapshot == INVALID_HANDLE_VALUE) return 0;

    MODULEENTRY32 me;
    me.dwSize = sizeof(MODULEENTRY32);
    uintptr_t moduleBase = 0;
    if (Module32First(hSnapshot, &me)) {
        do {
            if (_wcsicmp(me.szModule, moduleName) == 0) {
                moduleBase = (uintptr_t)me.modBaseAddr;
                break;
            }
        } while (Module32Next(hSnapshot, &me));
    }
    CloseHandle(hSnapshot);
    return moduleBase;
}

uintptr_t getExportedFunctionAddress(HANDLE hProcess, uintptr_t moduleBase, const wchar_t* moduleName, const char* functionName) {
    // Load the specified module locally (will just increase reference count if already loaded)
    // Only used to get a handle to the module
    HMODULE hLocalModule = LoadLibrary(moduleName);
    if (!hLocalModule) return 0;

    // Get the address of the function in the local module
    FARPROC localProcAddress = GetProcAddress(hLocalModule, functionName);
    if (!localProcAddress) {
        FreeLibrary(hLocalModule);
        return 0;
    }

    // Calculate the offset of the function within the local module
    uintptr_t offset = (uintptr_t)localProcAddress - (uintptr_t)hLocalModule;

    // Free the local module (decrease reference count)
    FreeLibrary(hLocalModule);

    // TODO: Maybe refactor to only return the offset
    // Address of the function in the remote module
    return moduleBase + offset;
}

uintptr_t allocateMemoryNearAddress(HANDLE process, uintptr_t desiredAddress, SIZE_T size, DWORD protection, SIZE_T range) {
    /* Default/optional args:
    // DWORD protection     = PAGE_EXECUTE_READWRITE
    // SIZE_T range         = 0x20000000 - 0x2000
    */

    const SIZE_T step = 0x1000; // One page (4KB)
    uintptr_t baseAddress = desiredAddress - range;
    uintptr_t endAddress = desiredAddress + range;

    for (uintptr_t address = baseAddress; address < endAddress; address += step) {
        void* allocatedMemory = VirtualAllocEx(
            process,
            reinterpret_cast<void*>(address),
            size,
            MEM_RESERVE | MEM_COMMIT,
            protection
        );

        if (allocatedMemory != NULL) {
            return reinterpret_cast<uintptr_t>(allocatedMemory);
        }
    }

    return NULL;
}

bool assembleJumpNearInstruction(uint8_t* buffer, uintptr_t sourceAddress, uintptr_t targetAddress) {
    // TODO: Use dynamic byte array or force length of 5 bytes

    // Calculate the relative offset for the jump
    intptr_t jumpOffset = targetAddress - (sourceAddress + 5); // 5 is the size of the JMP instruction

    if (std::abs(jumpOffset) > 0x7FFFFFFF) { // Check if the offset is within 32-bit range
        return false;
    }

    // Assemble the JMP instruction (E9 offset)
    buffer[0] = 0xE9; // JMP opcode
    *reinterpret_cast<int32_t*>(buffer + 1) = static_cast<int32_t>(jumpOffset);

    return true;
}

bool writeMemory(HANDLE hProcess, uintptr_t address, const void* buffer, SIZE_T size) {
    SIZE_T written;
    return WriteProcessMemory(hProcess, reinterpret_cast<void*>(address), buffer, size, &written) && written == size;
}

bool writeMemoryWithProtection(HANDLE hProcess, uintptr_t address, const void* buffer, SIZE_T size) {
    DWORD oldProtect;

    // Change memory protection to allow writing
    if (!VirtualProtectEx(hProcess, reinterpret_cast<void*>(address), size, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        std::cout << "Error: Could not change memory protection" << std::endl;
        return false;
    }

    bool success = writeMemory(hProcess, address, buffer, size);

    // Restore the original memory protection
    if (!VirtualProtectEx(hProcess, reinterpret_cast<void*>(address), size, oldProtect, &oldProtect)) {
        std::cout << "Error: Could not restore memory protection" << std::endl;
        return false;
    }

    return success;
}

bool writeMemoryWithProtectionDynamic(HANDLE hProcess, uintptr_t address, const std::vector<uint8_t>& buffer) {
    // TODO: Make overload for writeMemoryWithProtection
    DWORD oldProtect;

    // Change memory protection to allow writing
    if (!VirtualProtectEx(hProcess, reinterpret_cast<void*>(address), buffer.size(), PAGE_EXECUTE_READWRITE, &oldProtect)) {
        std::wcout << L"Error: Could not change memory protection" << std::endl;
        return false;
    }

    // Write the memory
    bool success = writeMemory(hProcess, address, buffer.data(), buffer.size());

    // Restore the original memory protection
    if (!VirtualProtectEx(hProcess, reinterpret_cast<void*>(address), buffer.size(), oldProtect, &oldProtect)) {
        std::wcout << L"Error: Could not restore memory protection" << std::endl;
        return false;
    }

    return success;
}