Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Copying instructions?

high6
high6
in Programming and Coding

Featured Replies

Posted

I want to make my own detours class. What reference should I use for the instructions and their sizes? Also is there anything more to it then just calculating their sizes and figuring out how much you need to copy?

NET or unmanaged code? You weren't really specific. If you look at the Detours package it will give you an idea of what is involved.

Basically the theme seems to be use a length disassembler to calculate minimum necessary instrutions to copy from the target function.

Allocating memory for a trampoline which can be called from within your hook procedure, copying the instructions there and assembling a jump back to the target function + length copied. Then a jump is assembled at the hooked function which jumps to your hook procedure.

This way, any call to that function will jump to your hook procedure and you can either pass it on to the target function by calling the trampoline or bypass it, as your needs dictate. Some people don't worry about the trampoline function, instead copying the code to their hook function and deciding in there where to continue execution.

There are other ways to hook also though, you can cycle through all loaded modules IAT's and replace pointers to the target function but then you need to monitor GetProcAddress and this is often bypassed by walking the export table instead of using GetProcAddress, as many packers will.

You can also hook via the export table of the module, replacing the RVA of the function with an RVA which will resolve to your hook function when the module base address is added to it. This can be bypassed by reading the file into memory and getting the addresses from the export table or using the buffered file to repair the export table of the already loaded module.

HR,

Ghandi

  • Author

unmanaged. And detours is the reason I want to write my own. It is a complete mess.

I guess by your response that you gained nothing from my reply? Glad i could be of assistance to you.

HR,

Ghandi

  • Author

Well I am looking for all the instructions operand sizes. I looked at http://ref.x86asm.net/geek32.html but it doesn't have the operand sizes.

Any specific reason you consider Detours a mess?

As for the operand question, check out HDE32:
/>http://patkov-site.narod.ru/

HDE32 is an upgraded version of ADE32 which you can find here:
/>http://www.projectvdc.com/public/Mobius/ADE32.h
/>http://www.projectvdc.com/public/Mobius/ADE32.cpp

(I dunno where the original author has these two files, so I used Google to get them. The original version that I saw had a full header with credits and such but it appears every version on Google has that removed or changed, so all credits to whomever the original author was.)

  • Author

Any specific reason you consider Detours a mess?

As for the operand question, check out HDE32:

http://patkov-site.narod.ru/

HDE32 is an upgraded version of ADE32 which you can find here:

http://www.projectvd.../Mobius/ADE32.h

http://www.projectvd...obius/ADE32.cpp

(I dunno where the original author has these two files, so I used Google to get them. The original version that I saw had a full header with credits and such but it appears every version on Google has that removed or changed, so all credits to whomever the original author was.)

It takes no advantages of C++. It might as well be written in C. Also when you remove a detour it "frees" the trampoline which causes problems. I looked through the code and it is a giant mess. It isn't even worth modifying to my needs. Might as well rewrite it entirely.

So there isn't something like that reference but with the sizes?

So there isn't something like that reference but with the sizes?
Basically the theme seems to be use a length disassembler to calculate minimum necessary instrutions to copy from the target function.

Seems like ghandi already answered your question? Just pass the pointer to an instruction to the LDE and it will simply return its size - just what you want. :)

As for Detours, didn't crash for me yet (didn't look in the code yet for exactly that reason). Used it in combination with several protections. The non-free version seems to support multiple threads and similar stuff as well.

  • Author

Seems like ghandi already answered your question? Just pass the pointer to an instruction to the LDE and it will simply return its size - just what you want. :)

As for Detours, didn't crash for me yet (didn't look in the code yet for exactly that reason). Used it in combination with several protections. The non-free version seems to support multiple threads and similar stuff as well.

I don't want to use an external library. I just want something like the reference I posted above but includes the operand sizes. That way I can write my own.

Detours is fine if you are using it statically. But once you start hooking/unhooking it gets messy real fast.

Edited by high6

If you want to code a LDE on your own, there's Art of Disassembly; boring and tedious task, if you ask me. ;) If you're searching for a table, take a look at deroko's LDE. decoder.h contains a table describing the opcode bytes (ModR/M, operand sizes etc) which can be used to calculate an instruction size.

I don't want to use an external library. I just want something like the reference I posted above but includes the operand sizes. That way I can write my own.

Detours is fine if you are using it statically. But once you start hooking/unhooking it gets messy real fast.

I use Detours in several different projects, hooking and unhooking in almost all of them and I have no problems or crashes with it unless the Detour is specifically wrong, which only occurs during debug processes and first writes of my stuff. If you continue to get crashes and/or have problems it could be due to invalid detours, wrong calling conventions, or you using the lib incorrectly.

As for "It takes no advantages of C++" why should it? There is no need for it to. The idea was to set it up like an API structure would be setup such as normal Win32 API. There is no reason to have a class based API for it. If you want it to, just code it yourself and wrap the Detours API to do it.

  • Author

I use Detours in several different projects, hooking and unhooking in almost all of them and I have no problems or crashes with it unless the Detour is specifically wrong, which only occurs during debug processes and first writes of my stuff. If you continue to get crashes and/or have problems it could be due to invalid detours, wrong calling conventions, or you using the lib incorrectly.

As for "It takes no advantages of C++" why should it? There is no need for it to. The idea was to set it up like an API structure would be setup such as normal Win32 API. There is no reason to have a class based API for it. If you want it to, just code it yourself and wrap the Detours API to do it.

Call DetourRemove from within the detour and it will crash. I just don't like the way Detours handles it. I rather more control.

If you want to code a LDE on your own, there's Art of Disassembly; boring and tedious task, if you ask me. ;) If you're searching for a table, take a look at deroko's LDE. decoder.h contains a table describing the opcode bytes (ModR/M, operand sizes etc) which can be used to calculate an instruction size.

So there isn't a table like above but with the sizes? :(

Edited by high6

Why would you attempt to remove the detour inside itself, of course it will crash. You are killing the code to be executed. If you need to remove the detour after something has occurred you need to think of a better method of handling it and not just trying to remove the detour inside itself. That's not the fault of the library, that's you using it incorrectly.

For example, you could use a boolean check to run something once like:

BOOL bRanOnce = FALSE;BOOL WINAPI Mine_SetFocus( HWND hWnd )
{
	if( ! bRanOnce )
	{
		bRanOnce = TRUE;
		return Real_SetFocus( NULL );
	}
	return Real_SetFocus( hWnd );
}

After the first call the API simply passes through your detour and handles normally.

  • Author

Why would you attempt to remove the detour inside itself, of course it will crash. You are killing the code to be executed. If you need to remove the detour after something has occurred you need to think of a better method of handling it and not just trying to remove the detour inside itself. That's not the fault of the library, that's you using it incorrectly.

For example, you could use a boolean check to run something once like:

BOOL bRanOnce = FALSE; BOOL WINAPI Mine_SetFocus( HWND hWnd ) { 	if( ! bRanOnce ) 	{ 		bRanOnce = TRUE; 		return Real_SetFocus( NULL ); 	} 	return Real_SetFocus( hWnd ); }

After the first call the API simply passes through your detour and handles normally.

That is why I want to write my own.

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.