Jump to content
Tuts 4 You

Copying instructions?


high6

Recommended Posts

I want to make my own detours class. What reference should I use for the instructions and their sizes? Also is there anything more to it then just calculating their sizes and figuring out how much you need to copy?

Link to comment

NET or unmanaged code? You weren't really specific. If you look at the Detours package it will give you an idea of what is involved.

Basically the theme seems to be use a length disassembler to calculate minimum necessary instrutions to copy from the target function.

Allocating memory for a trampoline which can be called from within your hook procedure, copying the instructions there and assembling a jump back to the target function + length copied. Then a jump is assembled at the hooked function which jumps to your hook procedure.

This way, any call to that function will jump to your hook procedure and you can either pass it on to the target function by calling the trampoline or bypass it, as your needs dictate. Some people don't worry about the trampoline function, instead copying the code to their hook function and deciding in there where to continue execution.

There are other ways to hook also though, you can cycle through all loaded modules IAT's and replace pointers to the target function but then you need to monitor GetProcAddress and this is often bypassed by walking the export table instead of using GetProcAddress, as many packers will.

You can also hook via the export table of the module, replacing the RVA of the function with an RVA which will resolve to your hook function when the module base address is added to it. This can be bypassed by reading the file into memory and getting the addresses from the export table or using the buffered file to repair the export table of the already loaded module.

HR,

Ghandi

Link to comment

Any specific reason you consider Detours a mess?

As for the operand question, check out HDE32:
/>http://patkov-site.narod.ru/

HDE32 is an upgraded version of ADE32 which you can find here:
/>http://www.projectvdc.com/public/Mobius/ADE32.h
/>http://www.projectvdc.com/public/Mobius/ADE32.cpp

(I dunno where the original author has these two files, so I used Google to get them. The original version that I saw had a full header with credits and such but it appears every version on Google has that removed or changed, so all credits to whomever the original author was.)

Link to comment

Any specific reason you consider Detours a mess?

As for the operand question, check out HDE32:

http://patkov-site.narod.ru/

HDE32 is an upgraded version of ADE32 which you can find here:

http://www.projectvd.../Mobius/ADE32.h

http://www.projectvd...obius/ADE32.cpp

(I dunno where the original author has these two files, so I used Google to get them. The original version that I saw had a full header with credits and such but it appears every version on Google has that removed or changed, so all credits to whomever the original author was.)

It takes no advantages of C++. It might as well be written in C. Also when you remove a detour it "frees" the trampoline which causes problems. I looked through the code and it is a giant mess. It isn't even worth modifying to my needs. Might as well rewrite it entirely.

So there isn't something like that reference but with the sizes?

Link to comment
So there isn't something like that reference but with the sizes?
Basically the theme seems to be use a length disassembler to calculate minimum necessary instrutions to copy from the target function.

Seems like ghandi already answered your question? Just pass the pointer to an instruction to the LDE and it will simply return its size - just what you want. :)

As for Detours, didn't crash for me yet (didn't look in the code yet for exactly that reason). Used it in combination with several protections. The non-free version seems to support multiple threads and similar stuff as well.

Link to comment

Seems like ghandi already answered your question? Just pass the pointer to an instruction to the LDE and it will simply return its size - just what you want. :)

As for Detours, didn't crash for me yet (didn't look in the code yet for exactly that reason). Used it in combination with several protections. The non-free version seems to support multiple threads and similar stuff as well.

I don't want to use an external library. I just want something like the reference I posted above but includes the operand sizes. That way I can write my own.

Detours is fine if you are using it statically. But once you start hooking/unhooking it gets messy real fast.

Edited by high6
Link to comment

If you want to code a LDE on your own, there's Art of Disassembly; boring and tedious task, if you ask me. ;) If you're searching for a table, take a look at deroko's LDE. decoder.h contains a table describing the opcode bytes (ModR/M, operand sizes etc) which can be used to calculate an instruction size.

Link to comment

I don't want to use an external library. I just want something like the reference I posted above but includes the operand sizes. That way I can write my own.

Detours is fine if you are using it statically. But once you start hooking/unhooking it gets messy real fast.

I use Detours in several different projects, hooking and unhooking in almost all of them and I have no problems or crashes with it unless the Detour is specifically wrong, which only occurs during debug processes and first writes of my stuff. If you continue to get crashes and/or have problems it could be due to invalid detours, wrong calling conventions, or you using the lib incorrectly.

As for "It takes no advantages of C++" why should it? There is no need for it to. The idea was to set it up like an API structure would be setup such as normal Win32 API. There is no reason to have a class based API for it. If you want it to, just code it yourself and wrap the Detours API to do it.

Link to comment

I use Detours in several different projects, hooking and unhooking in almost all of them and I have no problems or crashes with it unless the Detour is specifically wrong, which only occurs during debug processes and first writes of my stuff. If you continue to get crashes and/or have problems it could be due to invalid detours, wrong calling conventions, or you using the lib incorrectly.

As for "It takes no advantages of C++" why should it? There is no need for it to. The idea was to set it up like an API structure would be setup such as normal Win32 API. There is no reason to have a class based API for it. If you want it to, just code it yourself and wrap the Detours API to do it.

Call DetourRemove from within the detour and it will crash. I just don't like the way Detours handles it. I rather more control.

If you want to code a LDE on your own, there's Art of Disassembly; boring and tedious task, if you ask me. ;) If you're searching for a table, take a look at deroko's LDE. decoder.h contains a table describing the opcode bytes (ModR/M, operand sizes etc) which can be used to calculate an instruction size.

So there isn't a table like above but with the sizes? :(

Edited by high6
Link to comment

Why would you attempt to remove the detour inside itself, of course it will crash. You are killing the code to be executed. If you need to remove the detour after something has occurred you need to think of a better method of handling it and not just trying to remove the detour inside itself. That's not the fault of the library, that's you using it incorrectly.

For example, you could use a boolean check to run something once like:

BOOL bRanOnce = FALSE;BOOL WINAPI Mine_SetFocus( HWND hWnd )
{
if( ! bRanOnce )
{
bRanOnce = TRUE;
return Real_SetFocus( NULL );
}
return Real_SetFocus( hWnd );
}

After the first call the API simply passes through your detour and handles normally.

Link to comment

Why would you attempt to remove the detour inside itself, of course it will crash. You are killing the code to be executed. If you need to remove the detour after something has occurred you need to think of a better method of handling it and not just trying to remove the detour inside itself. That's not the fault of the library, that's you using it incorrectly.

For example, you could use a boolean check to run something once like:

BOOL bRanOnce = FALSE; BOOL WINAPI Mine_SetFocus( HWND hWnd ) { 	if( ! bRanOnce ) 	{ 		bRanOnce = TRUE; 		return Real_SetFocus( NULL ); 	} 	return Real_SetFocus( hWnd ); }

After the first call the API simply passes through your detour and handles normally.

That is why I want to write my own.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...