Merge pull request #235 from EasyHook/develop

Develop 2.7.6684.0

DriverShared/ASM/HookSpecific_x64.asm

@@ -184,6 +184,11 @@ IsExecutedPtr:
 	db 0
 	
 ; ATTENTION: 64-Bit requires stack alignment (RSP) of 16 bytes!!
+	; Apply alignment trick: https://stackoverflow.com/a/9600102
+	push rsp
+	push [rsp]
+	and rsp, 0FFFFFFFFFFFFFFF0H
+	
 	mov rax, rsp
 	push rcx ; save not sanitized registers...
 	push rdx
@@ -225,8 +230,9 @@ CALL_NET_ENTRY:
 	
 ; call NET intro
 	lea rcx, [IsExecutedPtr + 8] ; Hook handle (only a position hint)
-	mov rdx, qword ptr [rsp + 32 + 4 * 16 + 4 * 8] ; push return address
-	lea r8, qword ptr [rsp + 32 + 4 * 16 + 4 * 8] ; push address of return address
+	; Here we are under the alignment trick.
+	mov r8, [rsp + 32 + 4 * 16 + 4 * 8 + 8] ; r8 = original rsp (address of return address)
+	mov rdx, [r8] ; return address (value stored in original rsp)
 	call qword ptr [NETIntro] ; Hook->NETIntro(Hook, RetAddr, InitialRSP);
 	
 ; should call original method?
@@ -247,7 +253,9 @@ CALL_NET_ENTRY:
 CALL_HOOK_HANDLER:
 ; adjust return address
 	lea rax, [CALL_NET_OUTRO]
-	mov qword ptr [rsp + 32 + 4 * 16 + 4 * 8], rax
+	; Here we are under the alignment trick.
+	mov r9, [rsp + 32 + 4 * 16 + 4 * 8 + 8] ; r9 = original rsp
+	mov qword ptr [r9], rax
 
 ; call hook handler
 	lea rax, [NewProc]
@@ -256,6 +264,8 @@ CALL_HOOK_HANDLER:
 CALL_NET_OUTRO: ; this is where the handler returns...
 
 ; call NET outro
+	; Here we are NOT under the alignment trick.
+	
 	push 0 ; space for return address
 	push rax
 	
@@ -294,6 +304,9 @@ TRAMPOLINE_EXIT:
 	pop rdx
 	pop rcx
 	
+	; Remove alignment trick: https://stackoverflow.com/a/9600102
+	mov rsp, [rsp + 8]
+	
 	jmp qword ptr[rax] ; ATTENTION: In case of hook handler we will return to CALL_NET_OUTRO, otherwise to the caller...
 	
 	

EasyHook.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
     <metadata>
         <id>EasyHook</id>
-        <version>2.7.6682.0</version>
+        <version>2.7.6684.0</version>
         <title>EasyHook</title>
         <authors>EasyHook</authors>
         <owners>EasyHook</owners>
@@ -13,7 +13,10 @@
 
 EasyHook currently supports injecting assemblies built for .NET Framework 3.5 and 4.0 and can also inject native DLLs.</description>
         <summary>The reinvention of Windows API Hooking</summary>
-        <releaseNotes>2.7.6682.0:
+        <releaseNotes>2.7.6684.0:
+1. x64 trampoline: ensure stack is 16 bytes aligned (#214 and #234)
+
+2.7.6682.0:
 1. Quoted service path to avoid path spaces vulnerability (outlined in CVE-2005-1185, CVE-2005-2938 and CVE-2000-1128)
 2. Rename CLIENT_ID struct to DBG_CLIENT_ID (fix build error on Windows SDK 10.0.16299.0) (#225)
 3. NuGet support for VS2017 (v141) native C/C++ package (#181)

EasyHookNative.autopkg

@@ -10,7 +10,7 @@
 nuget {
    nuspec {
       id = EasyHookNativePackage;
-      version : 2.7.6682.0;
+      version : 2.7.6684.0;
       title: EasyHook Native Package;
       authors: {EasyHook};
       owners: {EasyHook};
@@ -20,7 +20,10 @@ nuget {
       summary:The reinvention of Windows API Hooking;
       description: @"This project supports extending (hooking) unmanaged code (APIs) on 32- or 64-bit
 Windows XP SP2, Windows Vista x64, Windows Server 2008 x64, Windows 7, Windows 8.1, and Windows 10.";
-      releaseNotes: @"2.7.6682.0:
+      releaseNotes: @"2.7.6684.0:
+1. x64 trampoline: ensure stack is 16 bytes aligned (#214 and #234)
+
+2.7.6682.0:
 1. Quoted service path to avoid path spaces vulnerability (outlined in CVE-2005-1185, CVE-2005-2938 and CVE-2000-1128)
 2. Rename CLIENT_ID struct to DBG_CLIENT_ID (fix build error on Windows SDK 10.0.16299.0) (#225)
 3. NuGet support for VS2017 (v141) native C/C++ package (#181)