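/* Pintool to detect API hooks in a process c0d3inj3cT */

/*
 * Heuristic used by this tool: every call to VirtualProtect that requests
 * protection value 0x40 (PAGE_EXECUTE_READWRITE) on an address that Pin can
 * attribute to a known routine is reported as a likely inline hook of that
 * routine.
 *
 * Limits a reader should keep in mind when interpreting the output:
 *   - Only calls that go through the routine named "VirtualProtect" are seen,
 *     and only the single protection value 0x40 is matched. Protection
 *     changes made any other way are not observed.
 *   - A match is an indicator, not proof: legitimate code (JITs, packers,
 *     some runtimes) also makes known code writable and executable.
 *   - The counter counts matching calls, so a routine that is re-protected
 *     twice is counted twice.
 */

/* The two system header names are missing from the original listing; these
 * are the standard headers the code below actually needs. */
#include <cstdio>
#include <string>

#include "pin.H"

/* PAGE_EXECUTE_READWRITE. Defined locally because <windows.h> is not
 * included by this tool. */
static const UINT32 kPageExecuteReadWrite = 0x40;

/* Number of VirtualProtect calls that matched the heuristic. Only modified
 * while the Pin client lock is held (see VirtualProtectHandler). */
static int hookEvents = 0;

/*
 * Analysis routine, run before every instrumented VirtualProtect call.
 *
 * address    - first argument of VirtualProtect (start of the region).
 * newProtect - third argument of VirtualProtect (requested protection),
 *              delivered by Pin as an ADDRINT.
 *
 * The protection argument is a 32-bit DWORD in the Windows API, so only the
 * low 32 bits are compared; the upper half of a 64-bit argument register is
 * not meaningful for it.
 */
void VirtualProtectHandler(void *address, ADDRINT newProtect)
{
    if (static_cast<UINT32>(newProtect) != kPageExecuteReadWrite) {
        return;
    }

    /* RTN_FindByAddress must be called with the client lock held when used
     * from an analysis routine. The lock also serialises the counter update
     * and the report line below. */
    PIN_LockClient();

    RTN target = RTN_FindByAddress((ADDRINT) address);
    if (RTN_Valid(target)) {
        ++hookEvents;

        std::string symbolName =
            PIN_UndecorateSymbolName(RTN_Name(target), UNDECORATION_COMPLETE);
        printf("VirtualProtect(%p) ==> %s\n", address, symbolName.c_str());
    }

    PIN_UnlockClient();
}

/*
 * Image-load callback: if the image being loaded contains a routine named
 * "VirtualProtect", insert a call to VirtualProtectHandler before it,
 * passing the routine's argument 0 (address) and argument 2 (new protection).
 */
void Image(IMG img, void *v)
{
    RTN rtn = RTN_FindByName(img, "VirtualProtect");
    if (!RTN_Valid(rtn)) {
        return;
    }

    RTN_Open(rtn);
    RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR) VirtualProtectHandler,
                   IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                   IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
                   IARG_END);
    RTN_Close(rtn);
}

/*
 * Exit callback: print the number of matching VirtualProtect calls.
 * The message says "functions hooked", but the value is a count of matching
 * calls, not of distinct routines.
 */
void Fini(INT32 code, void *v)
{
    printf("There are %d functions hooked\n", hookEvents);
}

/* Reports that Pin could not be initialised and returns the exit status. */
INT32 Usage()
{
    printf("There was an error\n");
    return -1;
}

int main(int argc, char *argv[])
{
    /* Symbols must be initialised before PIN_Init so that RTN_FindByName and
     * RTN_Name can resolve routine names. */
    PIN_InitSymbols();

    /* PIN_Init returns non-zero when the command line is invalid. */
    if (PIN_Init(argc, argv)) {
        return Usage();
    }

    IMG_AddInstrumentFunction(Image, 0);
    PIN_AddFiniFunction(Fini, 0);

    /* Hands control to the instrumented application; does not return. */
    PIN_StartProgram();

    return 0;
}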