; Installs a 5-byte inline hook (JMP rel32) inside the running AutoIt
; interpreter -- the script's own process -- so that a pointer loaded by the
; hooked instruction is also copied into a scratch slot ($dwLastPTR).
; Returns a 2-element array: [0] = process handle, [1] = address of that slot
; as a "0x"-prefixed 8-digit hex string.
; OpenProcess, FindPattern, VirtualAllocEx, WriteProcessMemory and Calculate are
; helpers defined outside this block; their failure conventions are not visible here.
; NOTE(review): x86-only as written (rel32 jump, 8-digit addresses, 32-bit opcodes) -- confirm the script is run with a 32-bit interpreter.
; NOTE(review): opening a PROCESS_ALL_ACCESS handle, allocating RWX memory and overwriting
; code with WriteProcessMemory is the API sequence endpoint monitoring associates with
; code injection, even when the target is the caller's own process.
Func HookByRef()
; @AutoItPID is the PID of the process running this script, so everything below targets the interpreter itself.
$pID = Int(@AutoItPID)
; NOTE(review): PROCESS_ALL_ACCESS is broader than the VM operation/read/write rights the calls below need,
; and the result is not checked before use. The handle is not closed here; it is handed to the caller.
$hHandle = OpenProcess($PROCESS_ALL_ACCESS,1,$pID)
; NOTE(review): _WinAPI_EnumProcessModules sets @error on failure; indexing [1][0] without checking it would abort the script.
$aModuleList = _WinAPI_EnumProcessModules($pID)
; Row 1, column 0 is the first module's base address (row 0 holds the count).
$dwBaseAddress = $aModuleList[1][0]
; 8B 40 14 89 11 EB E9 55 8B EC
; First five bytes decode as mov eax,[eax+14] / mov [ecx],edx -- exactly the bytes the hook's 5-byte JMP replaces.
; NOTE(review): the signature is presumably specific to one interpreter build. The scan result is not validated,
; so a miss would make the later write patch an unintended address -- check it before writing.
$dwHookAddress = FindPattern($hHandle,"8B 40 14 89 11 EB E9 55 8B EC",False,$dwBaseAddress)
; Execution resumes right after the 5 overwritten bytes.
$dwJMPBack = "0x" & Hex($dwHookAddress+0x5,8)
; 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (assuming the wrapper keeps the Win32 argument order -- confirm).
; 0x20 bytes hold the 15-byte trampoline. NOTE(review): allocation results are not checked for 0.
$dwPage = "0x" & Hex(VirtualAllocEx($hHandle,0,0x20,0x3000,0x40),8)
; 8-byte data slot that receives the captured pointer.
; NOTE(review): this slot is data only; PAGE_READWRITE (0x04) would be sufficient instead of an executable page.
$dwLastPTR = "0x" & Hex(VirtualAllocEx($hHandle,0,0x8,0x3000,0x40),8)
; Trampoline: replay the two displaced instructions, store EAX into the slot in between, then jump back.
; Presumably Calculate resolves "-addr-" to an absolute operand and "|addr|" to a rel32 displacement
; relative to its first argument -- verify against the helper.
$sBytes = Calculate($dwPage, _
"0x8B4014" _ ; mov eax,[eax+14]
& "A3-" & $dwLastPTR & "-" _ ; mov [dwLastPTR],eax (opcode A3 is mov moffs32,eax; the original note said edi)
& "8911" _ ; mov [ecx],edx
& "E9|" & $dwJMPBack & "|") ; jmp back
; The trampoline is written before the hook jump so the redirected code path is complete when it goes live.
WriteProcessMemory($hHandle,$dwPage,"0x" & $sBytes,"Byte[" & StringLen($sBytes)/2 & "]")
$sBytes = Calculate($dwHookAddress, _
"0xE9|" & $dwPage & "|") ; jmp dwPage
; NOTE(review): overwrites live code without checking the write result and without VirtualProtectEx being called
; in this block -- the write presumably fails silently if the code page is not writable.
WriteProcessMemory($hHandle,$dwHookAddress,"0x" & $sBytes,"Byte[" & StringLen($sBytes)/2 & "]")
Local $aReturn[2] = [$hHandle,$dwLastPTR]
Return $aReturn
EndFunc
; Reads back the pointer captured in the $dwLastPTR slot for the variable passed ByRef.
;   $hHandle   - process handle, as returned in element [0] by HookByRef
;   $dwLastPTR - address of the capture slot, as returned in element [1] by HookByRef
;   $vVar      - variable whose VarGetType() result selects how the slot is dereferenced
; Returns a "0x"-prefixed 8-digit hex string for "String", "Int32" and "Double";
; for any other type sets @error to -1 and returns without a value.
; NOTE(review): ReadProcessMemory is defined outside this block and its results are not
; validated here, so a failed read is formatted like any other value.
Func VarGetPtr($hHandle,$dwLastPTR, ByRef $vVar)
    Local $sKind = VarGetType($vVar)
    Local $dwSlot, $dwInner

    Switch $sKind
        Case "String"
            ; Three dword reads: the slot, then offset 0x8 of what it points to, then that target.
            $dwSlot = "0x" & Hex(ReadProcessMemory($hHandle,$dwLastPTR,"dword"),8)
            $dwInner = "0x" & Hex(ReadProcessMemory($hHandle,$dwSlot+0x8,"dword"),8)
            Return "0x" & Hex(ReadProcessMemory($hHandle,$dwInner,"dword"),8)
        Case "Int32", "Double"
            ; Numeric types: the dword stored in the slot is returned directly.
            Return "0x" & Hex(ReadProcessMemory($hHandle,$dwLastPTR,"dword"),8)
    EndSwitch

    ; Unsupported variable type.
    SetError(-1)
    Return
EndFunc