rallhook 0.7.0

data/ext/rallhook_base/distorm.h

@@ -0,0 +1,401 @@
+/* diStorm3 1.0.0 */
+
+/*
+distorm.h
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#ifndef DISTORM_H
+#define DISTORM_H
+
+/*
+ * 64 bit offsets support:
+ * If the diStorm library you use was compiled with 64 bits offsets,
+ * make sure you compile your own code with the following macro set:
+ * SUPPORT_64BIT_OFFSET
+ * Otherwise comment it out, or you will get a linker error of an unresolved symbol...
+ */
+
+/* TINYC has a problem with some 64bits library functions, so pass. */
+#ifndef __TINYC__
+	#ifndef _LIB /* Used only for library. */
+		/* Comment out the following line to disable 64 bits support */
+		#define SUPPORT_64BIT_OFFSET
+	#endif
+#endif
+
+/* If your compiler doesn't support stdint.h, define your own 64 bits type. */
+#ifdef SUPPORT_64BIT_OFFSET
+	#ifdef _MSC_VER
+		#define OFFSET_INTEGER unsigned __int64
+	#else
+		#include <stdint.h>
+		#define OFFSET_INTEGER uint64_t
+	#endif
+#else
+	/* 32 bit offsets are used. */
+	#define OFFSET_INTEGER unsigned long
+#endif
+
+#ifdef _MSC_VER
+/* Since MSVC isn't shipped with stdint.h, we will have our own: */
+typedef signed __int64		int64_t;
+typedef unsigned __int64	uint64_t;
+typedef signed __int32		int32_t;
+typedef unsigned __int32	uint32_t;
+typedef signed __int16		int16_t;
+typedef unsigned __int16	uint16_t;
+typedef signed __int8		int8_t;
+typedef unsigned __int8		uint8_t;
+#endif
+
+/* Support C++ compilers */
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+/* Decodes modes of the disassembler, 16 bits or 32 bits or 64 bits for AMD64, x86-64. */
+typedef enum {Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2} _DecodeType;
+
+typedef OFFSET_INTEGER _OffsetType;
+
+typedef struct {
+	_OffsetType codeOffset;
+	const uint8_t* code;
+	int codeLen; /* Using signed integer makes it easier to detect an underflow. */
+	_DecodeType dt;
+	unsigned int features;
+} _CodeInfo;
+
+typedef enum { O_NONE, O_REG, O_IMM, O_IMM1, O_IMM2, O_DISP, O_SMEM, O_MEM, O_PC, O_PTR } _OperandType;
+
+typedef union {
+	/* Used by O_IMM: */
+	int8_t sbyte;
+	uint8_t byte;
+	int16_t sword;
+	uint16_t word;
+	int32_t sdword;
+	uint32_t dword;
+	int64_t sqword;
+	uint64_t qword;
+
+	/* Used by O_PC: */
+	_OffsetType addr;
+
+	/* Used by O_PTR: */
+	struct {
+		uint16_t seg;
+		/* Can be 16 or 32 bits, size is in ops[n].size. */
+		uint32_t off;
+	} ptr;
+	/* Used by O_IMM1 (i1) and O_IMM2 (i2). */
+	struct {
+		uint32_t i1;
+		uint32_t i2;
+	} ex;
+} _Value;
+
+typedef struct {
+	/* Type of operand:
+		O_NONE: operand is to be ignored.
+		O_REG: index holds global register index.
+		O_IMM: instruction.imm.
+		O_IMM1: instruction.imm.ex.i1.
+		O_IMM2: instruction.imm.ex.i2.
+		O_DISP: memory dereference with displacement only, instruction.disp.
+		O_SMEM: simple memory dereference with optional displacement (a single register memory dereference).
+		O_MEM: complex memory dereference (optional fields: s/i/b/disp).
+		O_PC: the relative address of a branch instruction (instruction.imm.addr).
+		O_PTR: the absolute target address of a far branch instruction (instruction.imm.ptr.seg/off).
+	*/
+	uint8_t type; /* _OperandType */
+
+	/* Index of:
+		O_REG: holds global register index
+		O_SMEM: holds the 'base' register. E.G: [ECX], [EBX+0x1234] are both in operand.index.
+		O_MEM: holds the 'index' register. E.G: [EAX*4] is in operand.index.
+	*/
+	uint8_t index;
+
+	/* Size of:
+		O_REG: register
+		O_IMM: instruction.imm
+		O_IMM1: instruction.imm.ex.i1
+		O_IMM2: instruction.imm.ex.i2
+		O_DISP: instruction.disp
+		O_SMEM: size of indirection.
+		O_MEM: size of indirection.
+		O_PC: size of the relative offset
+		O_PTR: size of instruction.imm.ptr.off (16 or 32)
+	*/
+	uint16_t size;
+} _Operand;
+
+#define OPCODE_ID_NONE 0
+/* Instruction could not be disassembled. */
+#define FLAG_NOT_DECODABLE ((uint16_t)-1)
+/* The instruction locks memory access. */
+#define FLAG_LOCK (1 << 0)
+/* The instruction is prefixed with a REPNZ. */
+#define FLAG_REPNZ (1 << 1)
+/* The instruction is prefixed with a REP, this can be a REPZ, it depends on the specific instruction. */
+#define FLAG_REP (1 << 2)
+/* Indicates there is a hint taken for Jcc instructions only. */
+#define FLAG_HINT_TAKEN (1 << 3)
+/* Indicates there is a hint non-taken for Jcc instructions only. */
+#define FLAG_HINT_NOT_TAKEN (1 << 4)
+/* The Imm value is signed extended. */
+#define FLAG_IMM_SIGNED (1 << 5)
+
+/* No register was defined. */
+#define R_NONE ((uint8_t)-1)
+
+#define REGS64_BASE (0)
+#define REGS32_BASE (16)
+#define REGS16_BASE (32)
+#define REGS8_BASE (48)
+#define REGS8_REX_BASE (64)
+#define SREGS_BASE (68)
+/* #define RIP 74 */
+#define FPUREGS_BASE (75)
+#define MMXREGS_BASE (83)
+#define SSEREGS_BASE (91)
+#define AVXREGS_BASE (107)
+#define CREGS_BASE (123)
+#define DREGS_BASE (132)
+
+/*
+ * Operand Size or Adderss size are stored inside the flags:
+ * 0 - 16 bits
+ * 1 - 32 bits
+ * 2 - 64 bits
+ * 3 - reserved
+ *
+ * If you call these macros more than once, you will have to clean the bits before doing so.
+ */
+#define FLAG_SET_OPSIZE(di, size) ((di->flags) |= (((size) & 3) << 6))
+#define FLAG_SET_ADDRSIZE(di, size) ((di->flags) |= (((size) & 3) << 8))
+#define FLAG_GET_OPSIZE(flags) (((flags) >> 6) & 3)
+#define FLAG_GET_ADDRSIZE(flags) (((flags) >> 8) & 3)
+/* To get the LOCK/REPNZ/REP prefixes. */
+#define FLAG_GET_PREFIX(flags) ((flags) & 7)
+
+/*
+ * Macros to extract segment registers from segmentInfo:
+ */
+#define SEGMENT_DEFAULT 0x80
+#define SEGMENT_SET(di, seg) ((di->segment) |= seg)
+#define SEGMENT_GET(segment) (((segment) == R_NONE) ? R_NONE : ((segment) & 0x7f))
+#define SEGMENT_IS_DEFAULT(segment) (((segment) & SEGMENT_DEFAULT) == SEGMENT_DEFAULT)
+
+#define OPERANDS_NO (4)
+
+typedef struct {
+	/* Virtual address of first byte of instruction. */
+	_OffsetType addr;
+	/* Size of the whole instruction. */
+	uint8_t size;
+	/* General flags of instruction, holds prefixes and more, if FLAG_NOT_DECODABLE, instruction is invalid. */
+	uint16_t flags;
+	/* Segment information of memory indirection, default segment, or overriden one, can be -1. */
+	uint8_t segment;
+	/* Used by ops[n].type == O_MEM. Base global register index (might be R_NONE), scale size (2/4/8), ignored for 0 or 1. */
+	uint8_t base, scale;
+	uint8_t dispSize;
+	/* ID of opcode in the global opcode table. Use for mnemonic look up. */
+	uint16_t opcode;
+	/* Up to four operands per instruction, ignored if ops[n].type == O_NONE. */
+	_Operand ops[OPERANDS_NO];
+	/* Used by ops[n].type == O_SMEM/O_MEM/O_DISP. Its size is dispSize. */
+	uint64_t disp;
+	/* Used by ops[n].type == O_IMM/O_IMM1&O_IMM2/O_PTR/O_PC. Its size is ops[n].size. */
+	_Value imm;
+	/* Unused prefixes mask, for each bit that is set that prefix is not used (LSB is byte [addr + 0]). */
+	uint16_t unusedPrefixesMask;
+	/* Meta defines the instruction set class, and the flow control flags. Use META macros. */
+	uint8_t meta;
+} _DInst;
+
+/* Static size of strings. Do not change this value. */
+#define MAX_TEXT_SIZE (32)
+typedef struct {
+	unsigned int length;
+	unsigned char p[MAX_TEXT_SIZE]; /* p is a null terminated string. */
+} _WString;
+
+/*
+ * Old decoded instruction structure in text format.
+ * Used only for backward compatibility with diStorm64.
+ * This structure holds all information the disassembler generates per instruction.
+ */
+typedef struct {
+	_WString mnemonic; /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */
+	_WString operands; /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */
+	_WString instructionHex; /* Hex dump - little endian, including prefixes. */
+	unsigned int size; /* Size of decoded instruction. */
+	_OffsetType offset; /* Start offset of the decoded instruction. */
+} _DecodedInst;
+
+/* Get the ISC of the instruction, used with the definitions below. */
+#define META_GET_ISC(meta) (((meta) >> 3) & 0x1f)
+/* Get the flow control flags of the instruction, see 'features for decompose' below. */
+#define META_GET_FC(meta) ((meta) & 0x7)
+
+/*
+ * Instructions Set classes:
+ * if you want a better understanding of the available classes, look at disOps project, file: x86sets.py.
+ */
+/* Indicates the instruction belongs to the General Integer set. */
+#define ISC_INTEGER 1
+/* Indicates the instruction belongs to the 387 FPU set. */
+#define ISC_FPU 2
+/* Indicates the instruction belongs to the P6 set. */
+#define ISC_P6 3
+/* Indicates the instruction belongs to the MMX set. */
+#define ISC_MMX 4
+/* Indicates the instruction belongs to the SSE set. */
+#define ISC_SSE 5
+/* Indicates the instruction belongs to the SSE2 set. */
+#define ISC_SSE2 6
+/* Indicates the instruction belongs to the SSE3 set. */
+#define ISC_SSE3 7
+/* Indicates the instruction belongs to the SSSE3 set. */
+#define ISC_SSSE3 8
+/* Indicates the instruction belongs to the SSE4.1 set. */
+#define ISC_SSE4_1 9
+/* Indicates the instruction belongs to the SSE4.2 set. */
+#define ISC_SSE4_2 10
+/* Indicates the instruction belongs to the AMD's SSE4.A set. */
+#define ISC_SSE4_A 11
+/* Indicates the instruction belongs to the 3DNow! set. */
+#define ISC_3DNOW 12
+/* Indicates the instruction belongs to the 3DNow! Extensions set. */
+#define ISC_3DNOWEXT 13
+/* Indicates the instruction belongs to the VMX (Intel) set. */
+#define ISC_VMX 14
+/* Indicates the instruction belongs to the SVM (AMD) set. */
+#define ISC_SVM 15
+/* Indicates the instruction belongs to the AVX (Intel) set. */
+#define ISC_AVX 16
+/* Indicates the instruction belongs to the FMA (Intel) set. */
+#define ISC_FMA 17
+/* Indicates the instruction belongs to the AES/AVX (Intel) set. */
+#define ISC_AES 18
+/* Indicates the instruction belongs to the CLMUL (Intel) set. */
+#define ISC_CLMUL 19
+
+/* Features for decompose: */
+#define DF_NONE 0
+/* The decoder will limit addresses to a maximum of 16 bits. */
+#define DF_MAXIMUM_ADDR16 1
+/* The decoder will limit addresses to a maximum of 32 bits. */
+#define DF_MAXIMUM_ADDR32 2
+/* The decoder will return only flow control instructions (and filter the others internally). */
+#define DF_RETURN_FC_ONLY 4
+/* The decoder will stop and return to the caller when the instruction 'CALL' (near and far) was decoded. */
+#define DF_STOP_ON_CALL 8
+/* The decoder will stop and return to the caller when the instruction 'RET' (near and far) was decoded. */
+#define DF_STOP_ON_RET 0x10
+/* The decoder will stop and return to the caller when the instruction system-call/ret was decoded. */
+#define DF_STOP_ON_SYS 0x20
+/* The decoder will stop and return to the caller when any of the branch 'JMP', (near and far) instructions were decoded. */
+#define DF_STOP_ON_BRANCH 0x40
+/* The decoder will stop and return to the caller when any of the conditional branch instruction were decoded. */
+#define DF_STOP_ON_COND_BRANCH 0x80
+/* The decoder will stop and return to the caller when the instruction 'INT' (INT, INT1, INTO, INT 3) was decoded. */
+#define DF_STOP_ON_INT 0x100
+/* The decoder will stop and return to the caller when any flow control instruction was decoded. */
+#define DF_STOP_ON_FLOW_CONTROL (DF_STOP_ON_CALL | DF_STOP_ON_RET | DF_STOP_ON_SYS | DF_STOP_ON_BRANCH | DF_STOP_ON_COND_BRANCH | DF_STOP_ON_INT)
+
+/* Indicates the instruction is not a flow-control instruction. */
+#define FC_NONE 0
+/* Indicates the instruction is one of: CALL, CALL FAR. */
+#define FC_CALL 1
+/* Indicates the instruction is one of: RET, IRET, RETF. */
+#define FC_RET 2
+/* Indicates the instruction is one of: SYSCALL, SYSRET, SYSENTER, SYSEXIT. */
+#define FC_SYS 3
+/* Indicates the instruction is one of: JMP, JMP FAR. */
+#define FC_BRANCH 4
+/*
+ * Indicates the instruction is one of:
+ * JCXZ, JO, JNO, JB, JAE, JZ, JNZ, JBE, JA, JS, JNS, JP, JNP, JL, JGE, JLE, JG, LOOP, LOOPZ, LOOPNZ.
+ */
+#define FC_COND_BRANCH 5
+/* Indiciates the instruction is one of: INT, INT1, INT 3, INTO, UD2. */
+#define FC_INT 6
+
+/* Return code of the decoding function. */
+typedef enum {DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR, DECRES_FILTERED} _DecodeResult;
+
+#ifndef _LIB /* Don't redefine those exports when compiling the library itself, only for library-user project. */
+
+/* distorm_decode
+ * Input:
+ *         offset - Origin of the given code (virtual address that is), NOT an offset in code.
+ *         code - Pointer to the code buffer to be disassembled.
+ *         length - Amount of bytes that should be decoded from the code buffer.
+ *         dt - Decoding mode, 16 bits (Decode16Bits), 32 bits (Decode32Bits) or AMD64 (Decode64Bits).
+ *         result - Array of type _DecodeInst which will be used by this function in order to return the disassembled instructions.
+ *         maxInstructions - The maximum number of entries in the result array that you pass to this function, so it won't exceed its bound.
+ *         usedInstructionsCount - Number of the instruction that successfully were disassembled and written to the result array.
+ * Output: usedInstructionsCount will hold the number of entries used in the result array
+ *         and the result array itself will be filled with the disassembled instructions.
+ * Return: DECRES_SUCCESS on success (no more to disassemble), DECRES_INPUTERR on input error (null code buffer, invalid decoding mode, etc...),
+ *         DECRES_MEMORYERR when there are not enough entries to use in the result array, BUT YOU STILL have to check for usedInstructionsCount!
+ * Side-Effects: Even if the return code is DECRES_MEMORYERR, there might STILL be data in the
+ *               array you passed, this function will try to use as much entries as possible!
+ * Notes:  1)The minimal size of maxInstructions is 15.
+ *         2)You will have to synchronize the offset,code and length by yourself if you pass code fragments and not a complete code block!
+ */
+#ifdef SUPPORT_64BIT_OFFSET
+	_DecodeResult distorm_decompose64(const _CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
+	_DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
+	void distorm_format64(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result);
+	#define distorm_decompose distorm_decompose64
+	#define distorm_decode distorm_decode64
+	#define distorm_format distorm_format64
+#else
+	_DecodeResult distorm_decompose32(const _CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
+	_DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
+	void distorm_format32(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result);
+	#define distorm_decompose distorm_decompose32
+	#define distorm_decode distorm_decode32
+	#define distorm_format distorm_format32
+#endif
+
+/*
+ * distorm_version
+ * Input:
+ *        none
+ *
+ * Output: unsigned int - version of compiled library.
+ */
+extern unsigned int distorm_version();
+
+#endif /* _LIB */
+
+#ifdef __cplusplus
+} /* End Of Extern */
+#endif
+
+#endif /* DISTORM_H */

data/ext/rallhook_base/extconf.rb

@@ -0,0 +1,21 @@
+require 'mkmf'
+dir_config('rallhook_base')
+CONFIG['CC'] = 'gcc'
+
+ruby_version = Config::CONFIG["ruby_version"]
+ruby_version = ruby_version.split(".")[0..1].join(".")
+
+$LIBS = $LIBS + " -ldistorm64"
+
+if ruby_version == "1.8"
+	$CFLAGS = $CFLAGS + " -DRUBY1_8"
+elsif ruby_version == "1.9"
+	$CFLAGS = $CFLAGS + " -DRUBY1_9"
+else
+	print "ERROR: unknown ruby version: #{ruby_version}\n"
+	print "try passing the rubyversion by argument (1.8 or 1.9)\n"
+end
+
+create_makefile('rallhook_base')
+
+

data/ext/rallhook_base/hook.c

@@ -0,0 +1,165 @@
+/*
+
+This file is part of the rallhook project, http://github.com/tario/rallhook
+
+Copyright (c) 2009-2010 Roberto Dario Seminara <robertodarioseminara@gmail.com>
+
+rallhook is free software: you can redistribute it and/or modify
+it under the terms of the gnu general public license as published by
+the free software foundation, either version 3 of the license, or
+(at your option) any later version.
+
+rallhook is distributed in the hope that it will be useful,
+but without any warranty; without even the implied warranty of
+merchantability or fitness for a particular purpose.  see the
+gnu general public license for more details.
+
+you should have received a copy of the gnu general public license
+along with rallhook.  if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#include "hook.h"
+#include <sys/mman.h>
+#include "distorm.h"
+#include "string.h"
+#include "errno.h"
+#include "ruby.h"
+
+int get_instructions_size(void* code, int size) {
+	_DecodedInst decodedInstructions[32];
+
+	_OffsetType offset = 0;
+
+	unsigned int decodedInstructionsCount;
+
+	#ifdef __x86_64__
+		_DecodeType dt = Decode64Bits;
+	#elif __i386__
+		_DecodeType dt = Decode32Bits;
+	#else
+		#error "unknown architecture"
+	#endif
+
+	distorm_decode(offset, code, size, dt, decodedInstructions, 32, &decodedInstructionsCount);
+
+	int i;
+	int totalsize = 0;
+	int minsize = get_jmp_size();
+	for (i = 0; i < decodedInstructionsCount; i++) {
+		totalsize = totalsize + decodedInstructions[i].size;
+		if (totalsize >= minsize) {
+			return totalsize;
+		}
+	}
+
+	return totalsize;
+
+}
+
+
+void unprotect(void* ptr) {
+#if __x86_64__
+	unsigned long int mask = 0xFFFFFFFFFFFF000;
+	int ret = mprotect( (void*) ( ( (unsigned long int)ptr ) & mask ), 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC);
+
+	if (ret == -1) {
+		rb_bug("mprotect failed: %s", strerror(errno));
+	}
+#elif __i386__
+	unsigned int mask = 0xFFFFFFFFFFFF000;
+	int ret = mprotect( (void*) ( ( (unsigned int)ptr ) & mask ), 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC);
+
+	if (ret == -1) {
+		rb_bug("mprotect failed: %s", strerror(errno));
+	}
+#else
+	#error "unknow architecture"
+#endif
+}
+
+void inconditional_jump(void* where, void* to) {
+
+#if __x86_64__
+	unsigned char* p = (unsigned char*)where;
+
+	p[0] = 0x48; // movl XXX, %rax
+	p[1] = 0xb8;
+
+	void** address = (void**)(p+2);
+
+	p[10] = 0xff; // jmp %rax
+	p[11] = 0xe0;
+
+	*address = to;
+#elif __i386__
+	unsigned char* p = (unsigned char*)where;
+
+	p[0] = 0x68; // pushl
+	void** address = (void**)(p+1);
+	*address = to;
+	p[5] = 0xc3; // ret
+#else
+	#error "unknow architecture"
+#endif
+}
+
+void* put_jmp_hook_with_regs(void* function_address, void* fake_function, int instructions_size) {
+	typedef unsigned char uchar;
+
+	uchar* p_copy = (uchar*)malloc(0x1000);
+	uchar* p = (uchar*)function_address;
+	uchar* p_regs = (uchar*)malloc(0x1000);
+
+	unprotect(p_copy);
+	unprotect(p);
+	unprotect(p_regs);
+
+	memcpy(p_copy, p, instructions_size);
+
+	p_regs[0] = 0x54; // push esp
+	p_regs[1] = 0x51; // push ecx
+	p_regs[2] = 0x52; // push edx
+	p_regs[3] = 0x50; // push eax
+	p_regs[4] = 0xb8; // movl %eax, ???????
+	p_regs[9] = 0xff; // call *%eax
+	p_regs[10] = 0xd0; //
+	p_regs[11] = 0x83; // add $0x10, %esp
+	p_regs[12] = 0xc4; //
+	p_regs[13] = 0x10; //
+	p_regs[14] = 0xc3; // ret
+
+	*((void**)(p_regs+5))=fake_function;
+
+	inconditional_jump(p, p_regs);
+	inconditional_jump(p_copy+instructions_size, p+instructions_size);
+
+	return (void*)p_copy;
+}
+
+void* put_jmp_hook(void* function_address, void* fake_function, int instructions_size) {
+	typedef unsigned char uchar;
+
+	uchar* p_copy = (uchar*)malloc(0x1000);
+	uchar* p = (uchar*)function_address;
+
+	unprotect(p_copy);
+	unprotect(p);
+
+	memcpy(p_copy, p, instructions_size);
+
+	inconditional_jump(p, fake_function);
+	inconditional_jump(p_copy+instructions_size, p+instructions_size);
+
+	return (void*)p_copy;
+}
+
+int get_jmp_size() {
+	#if __x86_64__
+	return 12;
+	#elif __i386__
+	return 6;
+	#else
+		#error "unknown architecture"
+	#endif
+}

data/ext/rallhook_base/hook.h

@@ -0,0 +1,30 @@
+/*
+
+This file is part of the rallhook project, http://github.com/tario/rallhook
+
+Copyright (c) 2009-2010 Roberto Dario Seminara <robertodarioseminara@gmail.com>
+
+rallhook is free software: you can redistribute it and/or modify
+it under the terms of the gnu general public license as published by
+the free software foundation, either version 3 of the license, or
+(at your option) any later version.
+
+rallhook is distributed in the hope that it will be useful,
+but without any warranty; without even the implied warranty of
+merchantability or fitness for a particular purpose.  see the
+gnu general public license for more details.
+
+you should have received a copy of the gnu general public license
+along with rallhook.  if not, see <http://www.gnu.org/licenses/>.
+
+*/
+#ifndef __HOOK_H
+#define __HOOK_H
+
+void* put_jmp_hook(void* function_address, void* fake_function, int instructions_size);
+void* put_jmp_hook_with_regs(void* function_address, void* fake_function, int instructions_size);
+int get_jmp_size();
+
+extern int get_instructions_size(void* code, int size);
+
+#endif

data/ext/rallhook_base/hook_rb_call.c

@@ -0,0 +1,88 @@
+/*
+
+This file is part of the rallhook project, http://github.com/tario/rallhook
+
+Copyright (c) 2009-2010 Roberto Dario Seminara <robertodarioseminara@gmail.com>
+
+rallhook is free software: you can redistribute it and/or modify
+it under the terms of the gnu general public license as published by
+the free software foundation, either version 3 of the license, or
+(at your option) any later version.
+
+rallhook is distributed in the hope that it will be useful,
+but without any warranty; without even the implied warranty of
+merchantability or fitness for a particular purpose.  see the
+gnu general public license for more details.
+
+you should have received a copy of the gnu general public license
+along with rallhook.  if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#include "hook_rb_call.h"
+#include "hook.h"
+#include "ruby_symbols.h"
+#include "ruby_version.h"
+#include "distorm.h"
+
+#ifndef __USE_GNU
+#define __USE_GNU
+#endif
+
+#include <dlfcn.h>
+
+void* rb_call_original = 0;
+void* vm_call_method_original = 0;
+
+void* hook_vm_call_method(void *fake_function) {
+	if (vm_call_method_original == 0) {
+		return 0;
+	}
+	int inst_size = get_instructions_size(vm_call_method_original, 256);
+
+#ifdef __i386__
+	return put_jmp_hook_with_regs(vm_call_method_original, fake_function, inst_size);
+#endif
+
+#ifdef __x86_64__
+	return put_jmp_hook(vm_call_method_original, fake_function, inst_size);
+#endif
+
+}
+
+void* hook_rb_call(void* fake_function) {
+	if (rb_call_original == 0) {
+		return 0;
+	}
+	int inst_size = get_instructions_size(rb_call_original, 256);
+
+#ifdef __i386__
+	return put_jmp_hook_with_regs(rb_call_original, fake_function, inst_size);
+#endif
+
+#ifdef __x86_64__
+	return put_jmp_hook(rb_call_original, fake_function, inst_size);
+#endif
+
+}
+
+void init_hook_rb_call() {
+	void* handle = dlopen(current_libruby(),0x101);
+	char* rb_funcall = (char*)dlsym(handle, "rb_funcall");
+	Dl_info info;
+	dladdr(rb_funcall, &info);
+
+	unsigned char* base = (unsigned char*)info.dli_fbase;
+
+	#ifdef RUBY1_8
+	rb_call_original = ruby_resolv(base, "rb_call");
+	#endif
+
+	// in the ruby 1.9 source, the rb_call0 acts as rb_call (and vm_call0 acts as rb_call0)
+	#ifdef RUBY1_9
+	vm_call_method_original = ruby_resolv(base, "vm_call_method");
+	rb_call_original = ruby_resolv(base, "rb_call0");
+	#endif
+
+}
+