fix

MliKiowa · MliKiowa · commit e416a4d19218 · 2025-05-05T18:04:44.000+08:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+build/*
+.vscode
+build
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -0,0 +1,19 @@
+cmake_minimum_required (VERSION 3.8)
+
+if (POLICY CMP0141)
+  cmake_policy(SET CMP0141 NEW)
+  set(CMAKE_MSVC_DEBUG_INFORMATION_FORMAT "$<IF:$<AND:$<C_COMPILER_ID:MSVC>,$<CXX_COMPILER_ID:MSVC>>,$<$<CONFIG:Debug,RelWithDebInfo>:EditAndContinue>,$<$<CONFIG:Debug,RelWithDebInfo>:ProgramDatabase>>")
+endif()
+
+project ("NapCat")
+set(CMAKE_CXX_STANDARD 26)
+set(CMAKE_POLICY_DEFAULT_CMP0077 NEW)
+set(BIT7Z_AUTO_FORMAT true)
+
+if(MSVC)
+	add_compile_options("$<$<C_COMPILER_ID:MSVC>:/utf-8>")
+	add_compile_options("$<$<CXX_COMPILER_ID:MSVC>:/utf-8>")
+endif()
+add_subdirectory ("hook")
+add_subdirectory("main")
+# 移动NUCAT资源文件进主程序 Debug目录
diff --git a/README.md b/README.md
@@ -1,2 +1,10 @@
-# NTQQAntiRecall
-NTQQ反撤回
+# 基于NTQQ实现的防撤回
+
+原理可见 [ntrecall](https://napneko.github.io/other/ntrecall)
+
+## 适配对象
+Windows QQ 9.9.19 34740 已测试
+
+## 使用介绍
+
+下载压缩包将两个文件丢进QQ.exe所在目录 为NapCatBootMain.exe 建立桌面快捷即可
diff --git a/hook/CMakeLists.txt b/hook/CMakeLists.txt
@@ -0,0 +1,16 @@
+cmake_minimum_required(VERSION 3.12)
+
+if (POLICY CMP0141)
+  cmake_policy(SET CMP0141 NEW)
+  set(CMAKE_MSVC_DEBUG_INFORMATION_FORMAT "$<IF:$<AND:$<C_COMPILER_ID:MSVC>,$<CXX_COMPILER_ID:MSVC>>,$<$<CONFIG:Debug,RelWithDebInfo>:EditAndContinue>,$<$<CONFIG:Debug,RelWithDebInfo>:ProgramDatabase>>")
+endif()
+
+project(NapCatWinBootHook)
+set(CMAKE_CXX_STANDARD 26)
+
+if(MSVC)
+	add_compile_options("$<$<C_COMPILER_ID:MSVC>:/utf-8>")
+	add_compile_options("$<$<CXX_COMPILER_ID:MSVC>:/utf-8>")
+endif()
+file(GLOB SOURCES "*.cpp")
+add_library(NapCatWinBootHook SHARED ${SOURCES})
diff --git a/hook/ExecutableAnalyse.cpp b/hook/ExecutableAnalyse.cpp
@@ -0,0 +1,52 @@
+#include "ExecutableAnalyse.h"
+
+#if defined(_LINUX_PLATFORM_)
+uint64_t SearchRangeAddressInModule(std::shared_ptr<hak::proc_maps> module, const std::vector<uint8_t> &pattern, uint64_t searchStartRVA, uint64_t searchEndRVA)
+{
+    uint8_t *base = reinterpret_cast<uint8_t *>(module->start());
+    uint8_t *searchStart = base + searchStartRVA;
+    uint8_t *searchEnd;
+    if (searchEndRVA == 0)
+        searchEnd = reinterpret_cast<uint8_t *>(module->end());
+    else
+        searchEnd = base + searchEndRVA;
+
+    // 确保搜索范围有效
+    if (searchEnd > reinterpret_cast<uint8_t *>(module->end())){
+        printf("out of moudle end");
+        searchEnd = reinterpret_cast<uint8_t *>(module->end());
+    }
+    for (uint8_t *current = searchStart; current < searchEnd; ++current)
+        if (std::equal(pattern.begin(), pattern.end(), current))
+            return reinterpret_cast<int64_t>(current);
+
+    return 0;
+}
+#elif defined(_WIN_PLATFORM_)
+uint64_t SearchRangeAddressInModule(HMODULE module, const std::vector<uint8_t> &pattern, uint64_t searchStartRVA, uint64_t searchEndRVA)
+{
+    HANDLE processHandle = GetCurrentProcess();
+    MODULEINFO modInfo;
+    if (!GetModuleInformation(processHandle, module, &modInfo, sizeof(MODULEINFO)))
+    {
+        return 0;
+    }
+    // 在模块内存范围内搜索模式
+    uint8_t *base = static_cast<uint8_t *>(modInfo.lpBaseOfDll);
+    uint8_t *searchStart = base + searchStartRVA;
+    if (searchEndRVA == 0)
+    {
+        // 如果留空表示搜索到结束
+        searchEndRVA = modInfo.SizeOfImage;
+    }
+    uint8_t *searchEnd = base + searchEndRVA;
+
+    // 确保搜索范围有效
+    if (searchStart >= base && searchEnd <= base + modInfo.SizeOfImage)
+        for (uint8_t *current = searchStart; current < searchEnd; ++current)
+            if (std::equal(pattern.begin(), pattern.end(), current))
+                return reinterpret_cast<uint64_t>(current);
+
+    return 0;
+}
+#endif
diff --git a/hook/ExecutableAnalyse.h b/hook/ExecutableAnalyse.h
@@ -0,0 +1,24 @@
+#include <iostream>
+#include <fstream>
+#include <vector>
+#include <string>
+
+// #define _LINUX_PLATFORM_
+#define _WIN_PLATFORM_
+
+#define _X64_ARCH_
+
+#if defined(_WIN_PLATFORM_)
+#include <Windows.h>
+#include <psapi.h>
+#elif defined(_LINUX_PLATFORM_)
+#include <proc_maps.h>
+#endif
+
+// std::vector<char> ReadFileToMemory(const std::string &filePath);
+// size_t SearchHexPattern(const std::vector<char> &data, const std::string &hexPattern);
+#if defined(_LINUX_PLATFORM_)
+uint64_t SearchRangeAddressInModule(std::shared_ptr<hak::proc_maps> module, const std::vector<uint8_t> &pattern, uint64_t searchStartRVA = 0, uint64_t searchEndRVA = 0);
+#elif defined(_WIN_PLATFORM_)
+uint64_t SearchRangeAddressInModule(HMODULE module, const std::vector<uint8_t> &pattern, uint64_t searchStartRVA = 0, uint64_t searchEndRVA = 0);
+#endif
diff --git a/hook/HookHelper.h b/hook/HookHelper.h
@@ -0,0 +1,192 @@
+#include <string>
+// 跨平台兼容个灯
+#include <iostream>
+#define _WIN_PLATFORM_
+
+#if defined(_WIN_PLATFORM_)
+#include <Windows.h>
+#elif defined(_LINUX_PLATFORM_)
+#include <cstring>
+#include <unistd.h>
+#include <sys/mman.h>
+#endif
+
+void *GetCallAddress(uint8_t *ptr)
+{
+	// 读取操作码
+	if (ptr[0] != 0xE8)
+	{
+		printf("Not a call instruction!\n");
+		return 0;
+	}
+
+	// 读取相对偏移量
+	int32_t relativeOffset = *reinterpret_cast<int32_t *>(ptr + 1);
+
+	// 计算函数地址
+	uint8_t *callAddress = ptr + 5; // call 指令占 5 个字节
+	void *functionAddress = callAddress + relativeOffset;
+
+	return reinterpret_cast<void *>(functionAddress);
+}
+
+void *SearchAndFillJump(uint64_t baseAddress, void *targetAddress)
+{
+	uint8_t jumpInstruction[] = {
+		0x49, 0xBB,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x41, 0xFF, 0xE3};
+
+	memcpy(jumpInstruction + 2, &targetAddress, 8);
+
+	// Iterate through memory regions
+	uint64_t searchStart = baseAddress - 0x7fffffff;
+	uint64_t searchEnd = baseAddress + 0x7fffffff;
+
+#if defined(_WIN_PLATFORM_)
+	while (searchStart < searchEnd - sizeof(jumpInstruction))
+	{
+		MEMORY_BASIC_INFORMATION mbi;
+		if (VirtualQuery(reinterpret_cast<void *>(searchStart), &mbi, sizeof(mbi)) == 0)
+			break;
+		if (mbi.State == MEM_COMMIT)
+		{
+			for (char *addr = static_cast<char *>(mbi.BaseAddress); addr < static_cast<char *>(mbi.BaseAddress) + mbi.RegionSize - 1024 * 5; ++addr)
+			{
+
+				bool isFree = true;
+				for (int i = 0; i < 1024 * 5; ++i)
+				{
+					if (addr[i] != 0)
+					{
+						isFree = false;
+						break;
+					}
+				}
+				if (isFree)
+				{
+					DWORD oldProtect;
+					addr += 0x200;
+					// printf("addr: %p\n", addr);
+
+					if (!VirtualProtect(addr, sizeof(jumpInstruction), PAGE_EXECUTE_READWRITE, &oldProtect))
+						break;
+					memcpy(addr, jumpInstruction, sizeof(jumpInstruction));
+					if (!VirtualProtect(addr, sizeof(jumpInstruction), PAGE_EXECUTE_READ, &oldProtect))
+						break;
+
+					return addr;
+				}
+			}
+		}
+		searchStart += mbi.RegionSize;
+	}
+#elif defined(_LINUX_PLATFORM_)
+	// 保证地址对齐
+	searchStart &= 0xfffffffffffff000;
+	searchStart += 0x1000;
+	searchEnd &= 0xfffffffffffff000;
+
+	auto pmap = hak::get_maps();
+	do
+	{
+		auto fpmap = pmap;
+		pmap = fpmap->next();
+		if (std::min(pmap->start(), searchEnd) - std::max(fpmap->end(), searchStart) > 0x2000) // 搜索一片 0x2000 大小的空区域
+		{
+			void *addr = mmap(reinterpret_cast<void *>(std::max(fpmap->end(), searchStart)), 0x2000, PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+			// printf("addr: %p\n", addr);
+			if (addr == MAP_FAILED)
+			{
+				printf("mmap failed\n");
+				continue;
+			}
+			if (reinterpret_cast<uint64_t>(addr) > searchEnd - sizeof(jumpInstruction))
+			{
+				munmap(addr, 0x2000);
+				printf("addr > searchEnd\n");
+				continue;
+			}
+			memcpy(addr, jumpInstruction, sizeof(jumpInstruction));
+			if (mprotect(addr, 0x2000, PROT_READ | PROT_EXEC) == -1) // 设置内存 r-w
+			{
+				munmap(addr, 0x2000);
+				printf("mprotect failed\n");
+				continue;
+			}
+			return addr;
+		}
+	} while (pmap->next() != nullptr);
+
+#endif
+	return nullptr;
+}
+
+bool Hook(uint8_t *callAddr, void *lpFunction)
+{
+	uint64_t startAddr = reinterpret_cast<uint64_t>(callAddr) + 5;
+	int64_t distance = reinterpret_cast<uint64_t>(lpFunction) - startAddr;
+#if defined(_WIN_PLATFORM_)
+	// printf("Hooking %p to %p, distance: %lld\n", callAddr, lpFunction, distance);
+
+	DWORD oldProtect;
+	DWORD reProtect;
+	if (!VirtualProtect(callAddr, 10, PAGE_EXECUTE_READWRITE, &oldProtect))
+	{
+		printf("VirtualProtect failed\n");
+		return false;
+	}
+	if (distance < INT32_MIN || distance > INT32_MAX)
+	{
+		void *new_ret = SearchAndFillJump(startAddr, lpFunction);
+		if (new_ret == nullptr)
+		{
+			printf("Can't find a place to jump\n");
+			return false;
+		}
+		distance = reinterpret_cast<uint64_t>(new_ret) - startAddr;
+		// printf("new_ret: %p, new_distance: %lld\n", new_ret, distance);
+	}
+	// 直接进行小跳转
+	memcpy(callAddr + 1, reinterpret_cast<int32_t *>(&distance), 4); // 修改 call 地址
+	if (!VirtualProtect(callAddr, 10, oldProtect, &reProtect))		 // 恢复原来的内存保护属性
+	{
+		std::cout << GetLastError()<<"/"<<callAddr<<"/"<<oldProtect<<"/"<<reProtect;
+		printf("VirtualProtect failed\n");
+		return false;
+	}
+	return true;
+#elif defined(_LINUX_PLATFORM_)
+	// printf("Hooking %p to %p, distance: %ld\n", callAddr, lpFunction, distance);
+
+	auto get_page_addr = [](void *addr) -> void *
+	{
+		return (void *)((uintptr_t)addr & ~(getpagesize() - 1));
+	};
+
+	if (mprotect(get_page_addr(callAddr), 2 * getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC) == -1) // 设置内存可写 两倍 pagesize 防止处于页边界
+	{
+		printf("mprotect failed\n");
+		return false;
+	}
+	if (distance < INT32_MIN || distance > INT32_MAX)
+	{
+		void *new_ret = SearchAndFillJump(startAddr, lpFunction);
+		if (new_ret == nullptr)
+		{
+			printf("Can't find a place to jump\n");
+			return false;
+		}
+		distance = reinterpret_cast<uint64_t>(new_ret) - startAddr;
+		// printf("new_ret: %p, new_distance: %ld\n", new_ret, distance);
+	}
+
+	memcpy(callAddr + 1, reinterpret_cast<int32_t *>(&distance), 4);					   // 修改 call 地址
+	if (mprotect(get_page_addr(callAddr), 2 * getpagesize(), PROT_READ | PROT_EXEC) == -1) // 还原内存保护属性
+	{
+		printf("mprotect failed\n");
+		return false;
+	}
+	return true;
+#endif
+}
diff --git a/hook/NapCat.exe.manifest b/hook/NapCat.exe.manifest
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
+  <assemblyIdentity type="win32" name="cn.nanaeo.nucat" version="6.0.0.0"/>
+  <application>
+    <windowsSettings>
+      <activeCodePage xmlns="http://schemas.microsoft.com/SMI/2019/WindowsSettings">UTF-8</activeCodePage>
+    </windowsSettings>
+  </application>
+</assembly>
diff --git a/hook/hook.cpp b/hook/hook.cpp
diff --git a/main/CMakeLists.txt b/main/CMakeLists.txt
diff --git a/main/main.cpp b/main/main.cpp
