I'm not sure why it fails. RestoreCode is pretty simple. Here's what the code looks like (in Delphi):
function RestoreCode(code: pointer) : bool; stdcall;
var module  : HMODULE;
    orgCode : int64;
    s1      : AnsiString;
    op      : dword;
begin
  result := false;
  // find the module that owns "code", then read the original 8 bytes of the
  // API from the on-disk copy of that DLL; nothing to do if they still match
  if FindModule(code, module, s1) and WasCodeChanged(module, code, orgCode) and (orgCode <> 0) then begin
    // make the 8 bytes writable, write the original bytes back, then
    // restore the old page protection
    if VirtualProtect(code, 8, PAGE_EXECUTE_READWRITE, @op) then begin
      result := true;
      if not AtomicMove(@orgCode, code, sizeOf(orgCode)) then
        PInt64(code)^ := orgCode;   // fallback: plain (non-atomic) 8 byte write
      FlushInstructionCache(GetCurrentProcess, code, sizeOf(orgCode));
      VirtualProtect(code, 8, op, @op);
    end;
  end;
end;
Basically it loads the original DLL (which contains the API you want to restore) from hard disk, gets the first 8 bytes of the API code from there, then tries to unprotect the API and restore the code. It's very simple and straightforward. So if RestoreCode fails, that either means that:
1) Loading the original DLL from hard disk and getting the first 8 bytes of the API code failed for some unknown reason (unlikely).
2) The code wasn't really changed. Maybe NtHookEngine uses IAT patching instead of API code overwriting? RestoreCode only uninstalls API code hooks, not IAT patching.
3) Maybe unprotecting the API (VirtualProtect) failed for some reason?
4) Maybe NtHookEngine has hooked a different address than you or madCodeHook thought? Using "(LONG_PTR)MessageBoxA" may not always directly point to the user32.dll API. It may point to a JMP which points to user32.dll. It's better to use GetProcAddress().
I don't really have the time to analyze why RenewCode() doesn't work for you, but it seems somewhat unlikely to be a bug in madCodeHook (although it's not impossible, of course).
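To make the "was the code changed?" step and point 4 concrete, here is an added example in C that is not part of the post or of madCodeHook. It works on two constructed 8-byte prologue buffers (one as read from the DLL on disk, one as found in memory) instead of real process memory: it reports whether the entry bytes differ, recognises the common E9 rel32 inline hook and decodes where it jumps, flags an FF 25 import thunk (the case where a function pointer does not land on the API itself), and simulates the 8-byte restore. All addresses and byte patterns are made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROLOGUE_LEN 8   /* RestoreCode compares and rewrites the first 8 bytes */

/* Outcome of comparing the in-memory prologue against the on-disk copy. */
typedef enum {
    CODE_UNCHANGED = 0,       /* identical: nothing to restore (case 2 in the post) */
    CODE_PATCHED_JMP_REL32,   /* starts with E9 rel32: classic inline code hook */
    CODE_PATCHED_OTHER        /* differs, but is not a plain relative JMP */
} patch_kind;

/* Constructed sample: a typical x86 prologue as stored on disk
   (mov edi,edi / push ebp / mov ebp,esp / sub esp,10h). */
static const uint8_t DISK_PROLOGUE[PROLOGUE_LEN] =
    {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};

/* Constructed sample: the same entry after a 5-byte "jmp rel32" was written over it.
   With the API assumed at 0x77D5058A the displacement 0x982B0A71 points to 0x10001000. */
static const uint8_t MEM_PROLOGUE[PROLOGUE_LEN] =
    {0xE9, 0x71, 0x0A, 0x2B, 0x98, 0x83, 0xEC, 0x10};

/* Constructed sample: bytes of an import thunk, "jmp dword ptr [addr]" (FF 25 disp32). */
static const uint8_t THUNK_BYTES[PROLOGUE_LEN] =
    {0xFF, 0x25, 0x00, 0x20, 0x00, 0x10, 0x90, 0x90};

/* Mirror of the WasCodeChanged step: do the first 8 bytes differ? */
int code_was_changed(const uint8_t *mem, const uint8_t *disk) {
    return memcmp(mem, disk, PROLOGUE_LEN) != 0;
}

/* Classify what was found at the API entry. */
patch_kind classify_patch(const uint8_t *mem, const uint8_t *disk) {
    if (!code_was_changed(mem, disk)) return CODE_UNCHANGED;
    if (mem[0] == 0xE9) return CODE_PATCHED_JMP_REL32;
    return CODE_PATCHED_OTHER;
}

/* For an E9 hook, the destination is (address of the next instruction) + rel32.
   api_addr is the virtual address the bytes were read from (assumed value). */
uint64_t jmp_rel32_target(uint64_t api_addr, const uint8_t *mem) {
    int32_t rel;
    memcpy(&rel, mem + 1, sizeof rel);          /* little-endian rel32 after E9 */
    return api_addr + 5 + (int64_t)rel;
}

/* Point 4 of the post: "(LONG_PTR)MessageBoxA" may resolve to an import thunk
   in the caller's module (FF 25 = jmp [mem]) rather than to the user32 API. */
int looks_like_import_thunk(const uint8_t *bytes) {
    return bytes[0] == 0xFF && bytes[1] == 0x25;
}

/* Simulated RestoreCode write: copy the 8 on-disk bytes back over the in-memory copy.
   Returns 1 if something was restored, 0 if the code was already unchanged.
   (The real routine also needs VirtualProtect and FlushInstructionCache around this.) */
int restore_prologue(uint8_t *mem, const uint8_t *disk) {
    if (!code_was_changed(mem, disk)) return 0;
    memcpy(mem, disk, PROLOGUE_LEN);
    return 1;
}

/* Round trip on the constructed sample: patched -> restored -> reports unchanged. */
int restore_roundtrip_ok(void) {
    uint8_t buf[PROLOGUE_LEN];
    memcpy(buf, MEM_PROLOGUE, PROLOGUE_LEN);
    if (restore_prologue(buf, DISK_PROLOGUE) != 1) return 0;
    if (memcmp(buf, DISK_PROLOGUE, PROLOGUE_LEN) != 0) return 0;
    return restore_prologue(buf, DISK_PROLOGUE) == 0;
}

int main(void) {
    const uint64_t api_addr = 0x77D5058AULL;    /* assumed address of the API */
    patch_kind k = classify_patch(MEM_PROLOGUE, DISK_PROLOGUE);
    printf("entry changed: %d, kind: %d\n", code_was_changed(MEM_PROLOGUE, DISK_PROLOGUE), k);
    if (k == CODE_PATCHED_JMP_REL32)
        printf("jmp rel32 hook -> 0x%llx\n",
               (unsigned long long)jmp_rel32_target(api_addr, MEM_PROLOGUE));
    printf("thunk check on FF 25 bytes: %d\n", looks_like_import_thunk(THUNK_BYTES));
    printf("restore round trip ok: %d\n", restore_roundtrip_ok());
    return 0;
}
```

If the thunk check fires on the address you passed to RestoreCode, you are looking at the caller's import stub rather than the API entry, which is why the post recommends resolving the address with GetProcAddress() first.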