ruptura
A Windows DLL injection, function interception, and memory manipulation library for .NET.
This API should allow reading an existing virtual function table and replacing specific entries, as well as creating one from scratch. There should be support for replacing an existing table...
I just observed Microsoft Defender flagging the `hook` sample locally:

```
Unhandled exception: System.ComponentModel.Win32Exception (225): An error occurred trying to start process 'C:\Users\alex\source\repos\vezel\ruptura\src\samples\hook\bin\Debug\win-x64\hook.exe' with working directory 'C:\Users\alex\source\repos\vezel\ruptura\src\samples\hook'. Operation did not...
```
There are quite a few object types that are definitely worth supporting:

* [Console](https://docs.microsoft.com/en-us/windows/console/console-handles)
* [Event](https://docs.microsoft.com/en-us/windows/win32/sync/event-objects)
* [File](https://docs.microsoft.com/en-us/windows/win32/fileio/file-objects)
* [File Mapping](https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping)
* [Heap](https://docs.microsoft.com/en-us/windows/win32/memory/heap-functions)
* [Mutex](https://docs.microsoft.com/en-us/windows/win32/sync/mutex-objects)
* [Pipe](https://docs.microsoft.com/en-us/windows/win32/ipc/pipes)
* [Semaphore](https://docs.microsoft.com/en-us/windows/win32/sync/semaphore-objects)

Some...

This is quite a difficult problem to solve, but it is possible. Instructions that use RIP-relative displacements have to be rewritten to equivalent sequences using absolute addresses. The tricky part...
Most of the stuff used in Vezel.Ruptura.Injection can be switched to these APIs now. It's a good way to dogfood those APIs. The following APIs aren't covered: - [ ]...
https://github.com/vezel-dev/ruptura/blob/b2bd417ca68f1065c0c9a92eb35f272ff130a31e/src/memory/Code/FunctionHook.cs#L183

Blocked on .NET runtime support: https://github.com/dotnet/runtime/issues/8300

Calling convention details: https://docs.microsoft.com/en-us/cpp/cpp/vectorcall

https://github.com/vezel-dev/ruptura/blob/70168266ca273ec99eee6baba89522c896150db6/src/memory/Diagnostics/CallFrame.cs#L43-L45

The issue is that the function pointer we get from `RuntimeMethodHandle.GetFunctionPointer()` points to the prestub for the method, but the instruction pointer we have (of course) points to the...

In theory, Ruptura + NativeAOT is a match made in heaven. We could just inject a NativeAOT-compiled DLL and directly invoke an entry point method in it, skipping `ruptura-.dll` and...
* Such a hook should receive a pointer to a machine context containing all register values from the target function at the point the hook is called.
* The hook...

We would not want this to be the default, but if the user knows that the target function can accommodate an absolute jump (which could take up to 14 bytes),...