/* Desc: 一个可以运行时 Hook Mono 方法的工具,让你可以无需修改 UnityEditor.dll 等文件就可以重写其函数功能 Author: Misaka Mikoto Github: https://github.com/Misaka-Mikoto-Tech/MonoHook */ using DotNetDetour; using System; using System.Diagnostics; using System.Reflection; using System.Runtime.InteropServices; using Unity.Collections.LowLevel.Unsafe; #if UNITY_EDITOR using UnityEditor; #endif using UnityEngine; using System.Runtime.CompilerServices; /* >>>>>>> 原始 UnityEditor.LogEntries.Clear 一型(.net 4.x) 0000000000403A00 < | 55 | push rbp | 0000000000403A01 | 48 8B EC | mov rbp,rsp | 0000000000403A04 | 48 81 EC 80 00 00 00 | sub rsp,80 | 0000000000403A0B | 48 89 65 B0 | mov qword ptr ss:[rbp-50],rsp | 0000000000403A0F | 48 89 6D A8 | mov qword ptr ss:[rbp-58],rbp | 0000000000403A13 | 48 89 5D C8 | mov qword ptr ss:[rbp-38],rbx | << 0000000000403A17 | 48 89 75 D0 | mov qword ptr ss:[rbp-30],rsi | 0000000000403A1B | 48 89 7D D8 | mov qword ptr ss:[rbp-28],rdi | 0000000000403A1F | 4C 89 65 E0 | mov qword ptr ss:[rbp-20],r12 | 0000000000403A23 | 4C 89 6D E8 | mov qword ptr ss:[rbp-18],r13 | 0000000000403A27 | 4C 89 75 F0 | mov qword ptr ss:[rbp-10],r14 | 0000000000403A2B | 4C 89 7D F8 | mov qword ptr ss:[rbp-8],r15 | 0000000000403A2F | 49 BB 00 2D 1E 1A FE 7F 00 00 | mov r11,7FFE1A1E2D00 | 0000000000403A39 | 4C 89 5D B8 | mov qword ptr ss:[rbp-48],r11 | 0000000000403A3D | 49 BB 08 2D 1E 1A FE 7F 00 00 | mov r11,7FFE1A1E2D08 | >>>>>>> 二型(.net 2.x) 0000000000403E8F | 55 | push rbp | 0000000000403E90 | 48 8B EC | mov rbp,rsp | 0000000000403E93 | 48 83 EC 70 | sub rsp,70 | 0000000000403E97 | 48 89 65 C8 | mov qword ptr ss:[rbp-38],rsp | 0000000000403E9B | 48 89 5D B8 | mov qword ptr ss:[rbp-48],rbx | 0000000000403E9F | 48 89 6D C0 | mov qword ptr ss:[rbp-40],rbp | <<(16) 0000000000403EA3 | 48 89 75 F8 | mov qword ptr ss:[rbp-8],rsi | 0000000000403EA7 | 48 89 7D F0 | mov qword ptr ss:[rbp-10],rdi | 0000000000403EAB | 4C 89 65 D0 | mov qword ptr ss:[rbp-30],r12 | 0000000000403EAF | 4C 89 6D D8 | mov qword ptr ss:[rbp-28],r13 | 0000000000403EB3 | 4C 89 75 E0 | mov qword ptr ss:[rbp-20],r14 | 0000000000403EB7 | 4C 89 7D E8 | mov qword ptr ss:[rbp-18],r15 | 0000000000403EBB | 48 83 EC 20 | sub rsp,20 | 0000000000403EBF | 49 BB 18 3F 15 13 FE 7F 00 00 | mov r11,7FFE13153F18 | 0000000000403EC9 | 41 FF D3 | call r11 | 0000000000403ECC | 48 83 C4 20 | add rsp,20 | >>>>>>>>> arm64 il2cpp:00000000003DE714 F5 0F 1D F8 STR X21, [SP,#-0x10+var_20]! | << absolute safe il2cpp:00000000003DE718 F4 4F 01 A9 STP X20, X19, [SP,#0x20+var_10] | << may be safe il2cpp:00000000003DE71C FD 7B 02 A9 STP X29, X30, [SP,#0x20+var_s0] | il2cpp:00000000003DE720 FD 83 00 91 ADD X29, SP, #0x20 | il2cpp:00000000003DE724 B5 30 00 B0 ADRP X21, #_ZZ62GameObject_SetActive_mCF1EEF2A314F3AE | << dangerous: relative instruction, can not be overwritten il2cpp:00000000003DE728 A2 56 47 F9 LDR method, [X21,#_ZZ62GameObject_SetActive_mCF] ; | il2cpp:00000000003DE72C F3 03 01 2A MOV W19, W1 | */ namespace MonoHook { /// /// Hook 类,用来 Hook 某个 C# 方法 /// public unsafe class MethodHook { public string tag; public bool isHooked { get; private set; } public bool isPlayModeHook { get; private set; } public MethodBase targetMethod { get; private set; } // 需要被hook的目标方法 public MethodBase replacementMethod { get; private set; } // 被hook后的替代方法 public MethodBase proxyMethod { get; private set; } // 目标方法的代理方法(可以通过此方法调用被hook后的原方法) private IntPtr _targetPtr; // 目标方法被 jit 后的地址指针 private IntPtr _replacementPtr; private IntPtr _proxyPtr; private CodePatcher _codePatcher; #if UNITY_EDITOR /// /// call `MethodInfo.MethodHandle.GetFunctionPointer()` /// will visit static class `UnityEditor.IMGUI.Controls.TreeViewGUI.Styles` and invoke its static constructor, /// and init static filed `foldout`, but `GUISKin.current` is null now, /// so we should wait until `GUISKin.current` has a valid value /// private static FieldInfo s_fi_GUISkin_current; #endif static MethodHook() { #if UNITY_EDITOR s_fi_GUISkin_current = typeof(GUISkin).GetField("current", BindingFlags.Static | BindingFlags.NonPublic); #endif } /// /// 创建一个 Hook /// /// 需要替换的目标方法 /// 准备好的替换方法 /// 如果还需要调用原始目标方法,可以通过此参数的方法调用,如果不需要可以填 null public MethodHook(MethodBase targetMethod, MethodBase replacementMethod, MethodBase proxyMethod, string data = "") { this.targetMethod = targetMethod; this.replacementMethod = replacementMethod; this.proxyMethod = proxyMethod; this.tag = data; CheckMethod(); } public void Install() { if (LDasm.IsiOS()) // iOS 不支持修改 code 所在区域 page return; if (isHooked) return; #if UNITY_EDITOR if (s_fi_GUISkin_current.GetValue(null) != null) DoInstall(); else EditorApplication.update += OnEditorUpdate; #else DoInstall(); #endif isPlayModeHook = Application.isPlaying; } public void Uninstall() { if (!isHooked) return; _codePatcher.RemovePatch(); isHooked = false; HookPool.RemoveHooker(targetMethod); } #region private private void DoInstall() { if (targetMethod == null || replacementMethod == null) throw new Exception("none of methods targetMethod or replacementMethod can be null"); HookPool.AddHook(targetMethod, this); if (_codePatcher == null) { if (GetFunctionAddr()) { #if ENABLE_HOOK_DEBUG UnityEngine.Debug.Log($"Original [{targetMethod.DeclaringType.Name}.{targetMethod.Name}]: {HookUtils.HexToString(_targetPtr.ToPointer(), 64, -16)}"); UnityEngine.Debug.Log($"Original [{replacementMethod.DeclaringType.Name}.{replacementMethod.Name}]: {HookUtils.HexToString(_replacementPtr.ToPointer(), 64, -16)}"); if(proxyMethod != null) UnityEngine.Debug.Log($"Original [{proxyMethod.DeclaringType.Name}.{proxyMethod.Name}]: {HookUtils.HexToString(_proxyPtr.ToPointer(), 64, -16)}"); #endif CreateCodePatcher(); _codePatcher.ApplyPatch(); #if ENABLE_HOOK_DEBUG UnityEngine.Debug.Log($"New [{targetMethod.DeclaringType.Name}.{targetMethod.Name}]: {HookUtils.HexToString(_targetPtr.ToPointer(), 64, -16)}"); UnityEngine.Debug.Log($"New [{replacementMethod.DeclaringType.Name}.{replacementMethod.Name}]: {HookUtils.HexToString(_replacementPtr.ToPointer(), 64, -16)}"); if(proxyMethod != null) UnityEngine.Debug.Log($"New [{proxyMethod.DeclaringType.Name}.{proxyMethod.Name}]: {HookUtils.HexToString(_proxyPtr.ToPointer(), 64, -16)}"); #endif } } isHooked = true; } private void CheckMethod() { if (targetMethod == null || replacementMethod == null) throw new Exception("MethodHook:targetMethod and replacementMethod and proxyMethod can not be null"); string methodName = $"{targetMethod.DeclaringType.Name}.{targetMethod.Name}"; if (targetMethod.IsAbstract) throw new Exception($"WRANING: you can not hook abstract method [{methodName}]"); #if UNITY_EDITOR int minMethodBodySize = 10; { if ((targetMethod.MethodImplementationFlags & MethodImplAttributes.InternalCall) != MethodImplAttributes.InternalCall) { int codeSize = targetMethod.GetMethodBody().GetILAsByteArray().Length; // GetMethodBody can not call on il2cpp if (codeSize < minMethodBodySize) UnityEngine.Debug.LogWarning($"WRANING: you can not hook method [{methodName}], cause its method body is too short({codeSize}), will random crash on IL2CPP release mode"); } } if(proxyMethod != null) { methodName = $"{proxyMethod.DeclaringType.Name}.{proxyMethod.Name}"; int codeSize = proxyMethod.GetMethodBody().GetILAsByteArray().Length; if (codeSize < minMethodBodySize) UnityEngine.Debug.LogWarning($"WRANING: size of method body[{methodName}] is too short({codeSize}), will random crash on IL2CPP release mode, please fill some dummy code inside"); if ((proxyMethod.MethodImplementationFlags & MethodImplAttributes.NoOptimization) != MethodImplAttributes.NoOptimization) throw new Exception($"WRANING: method [{methodName}] must has a Attribute `MethodImpl(MethodImplOptions.NoOptimization)` to prevent code call to this optimized by compiler(pass args by shared stack)"); } #endif } private void CreateCodePatcher() { long addrOffset = Math.Abs(_targetPtr.ToInt64() - _proxyPtr.ToInt64()); if(_proxyPtr != IntPtr.Zero) addrOffset = Math.Max(addrOffset, Math.Abs(_targetPtr.ToInt64() - _proxyPtr.ToInt64())); if (LDasm.IsARM()) { if (IntPtr.Size == 8) _codePatcher = new CodePatcher_arm64_near(_targetPtr, _replacementPtr, _proxyPtr); else if (addrOffset < ((1 << 25) - 1)) _codePatcher = new CodePatcher_arm32_near(_targetPtr, _replacementPtr, _proxyPtr); else if (addrOffset < ((1 << 27) - 1)) _codePatcher = new CodePatcher_arm32_far(_targetPtr, _replacementPtr, _proxyPtr); else throw new Exception("address of target method and replacement method are too far, can not hook"); } else { if (IntPtr.Size == 8) { if(addrOffset < 0x7fffffff) // 2G _codePatcher = new CodePatcher_x64_near(_targetPtr, _replacementPtr, _proxyPtr); else _codePatcher = new CodePatcher_x64_far(_targetPtr, _replacementPtr, _proxyPtr); } else _codePatcher = new CodePatcher_x86(_targetPtr, _replacementPtr, _proxyPtr); } } /// /// 获取对应函数jit后的native code的地址 /// private bool GetFunctionAddr() { _targetPtr = GetFunctionAddr(targetMethod); _replacementPtr = GetFunctionAddr(replacementMethod); _proxyPtr = GetFunctionAddr(proxyMethod); if (_targetPtr == IntPtr.Zero || _replacementPtr == IntPtr.Zero) return false; if (proxyMethod != null && _proxyPtr == null) return false; if(_replacementPtr == _targetPtr) { throw new Exception($"the addresses of target method {targetMethod.Name} and replacement method {replacementMethod.Name} can not be same"); } if (LDasm.IsThumb(_targetPtr) || LDasm.IsThumb(_replacementPtr)) { throw new Exception("does not support thumb arch"); } return true; } [StructLayout(LayoutKind.Sequential, Pack = 1)] // 好像在 IL2CPP 里无效 private struct __ForCopy { public long __dummy; public MethodBase method; } /// /// 获取方法指令地址 /// /// /// private IntPtr GetFunctionAddr(MethodBase method) { if (method == null) return IntPtr.Zero; if (!LDasm.IsIL2CPP()) return method.MethodHandle.GetFunctionPointer(); else { /* // System.Reflection.MonoMethod typedef struct Il2CppReflectionMethod { Il2CppObject object; const MethodInfo *method; Il2CppString *name; Il2CppReflectionType *reftype; } Il2CppReflectionMethod; typedef Il2CppClass Il2CppVTable; typedef struct Il2CppObject { union { Il2CppClass *klass; Il2CppVTable *vtable; }; MonitorData *monitor; } Il2CppObject; typedef struct MethodInfo { Il2CppMethodPointer methodPointer; // this is the pointer to native code of method InvokerMethod invoker_method; const char* name; Il2CppClass *klass; const Il2CppType *return_type; const ParameterInfo* parameters; // ... } */ __ForCopy __forCopy = new __ForCopy() { method = method }; long* ptr = &__forCopy.__dummy; ptr++; // addr of _forCopy.method IntPtr methodAddr = IntPtr.Zero; if (sizeof(IntPtr) == 8) { long methodDataAddr = *(long*)ptr; byte* ptrData = (byte*)methodDataAddr + sizeof(IntPtr) * 2; // offset of Il2CppReflectionMethod::const MethodInfo *method; long methodPtr = 0; methodPtr = *(long*)ptrData; methodAddr = new IntPtr(*(long*)methodPtr); // MethodInfo::Il2CppMethodPointer methodPointer; } else { int methodDataAddr = *(int*)ptr; byte* ptrData = (byte*)methodDataAddr + sizeof(IntPtr) * 2; // offset of Il2CppReflectionMethod::const MethodInfo *method; int methodPtr = 0; methodPtr = *(int*)ptrData; methodAddr = new IntPtr(*(int*)methodPtr); } return methodAddr; } } #if UNITY_EDITOR private void OnEditorUpdate() { if (s_fi_GUISkin_current.GetValue(null) != null) { DoInstall(); EditorApplication.update -= OnEditorUpdate; } } #endif #endregion } }