Re: Skybuck's API hooking idea (Replacing the hook, with a jump to injected function) (replacing: "jmp dword ptr [$0040f2fc]" with a "call [$0040f2fc]" possible ?)
- From: "robertwessel2@xxxxxxxxx" <robertwessel2@xxxxxxxxx>
- Date: 31 Jan 2007 12:27:07 -0800
On Jan 31, 9:37 am, "Skybuck Flying" <s...@xxxxxxxxxxx> wrote:
Hello,
Skybuck's API hooking idea is:
Replace the "hook" with "a jump to the injected function".
Delphi generates a "hook" for imported routines. (Maybe there is a common
term for this kind of "hook" ? Maybe "dynamic runtime loaded function link"
or something ?)
The "hook" seems to be a jump to the DLL function address (this address is
stored somewhere at a memory location and loaded and jumped to).
( Example: jmp dword ptr [$0040f2fc] )
This jump instruction should be changed/replaced into a "jump to injected
function".
The injected function should change/convert the "hook" into a "call" so that
the DLL function returns to the "call site" inside the injected function, so
that the injected function can spy on the results from the api
call/function.
However I am not sure if this idea is possible.
Below it's explained in more detail:
The Delphi compiler generates the following code when calling a DLL
interface/imported function:
...
...
Call SomeImportedAPIfunction:
...
...
Label/function/implementation SomeImportedAPIfunction:
jmp dword ptr [$0040f2fc] // jumps to DLLfunction
DLLfunction:
... code ...
RET // returns to call some api.
I want to change the implementation of the SomeImportedAPIfunction.
So I want to change the instructions above to:
...
...
Call SomeImportedAPIfunction:
...
...
Label/function/implementation SomeImportedAPIfunction:
jump to InjectedFunction // implementation changed.
Label/function/implementation InjectedFunction:
call [$0040f2fc] ? instead of jmp dword ptr [$0040f2fc] // call ?
instead of jump to DLLfunction
// DLL function should return here.
...
inspect/process/spy on api result.
...
ret // return to "Call SomeImportedAPIfunction" call site.
DLLfunction:
... code ...
RET // return to "Call [$0040f2fc] " call site.
So the question is:
Is it possible to turn "jmp dword ptr [$0040f2fc]" into a "call [$0040f2fc]"
or something like that ?
Notes:
$0040f2fc is probably a pointer pointing to the imported DLL function
address.
[$0040f2fc] is probably the memory cell containing the imported DLL function
address.
dword ptr is probably a typecast.
Also another question is:
Is it possible to turn "jmp dword ptr [$0040f2fc]" into a "jmp
InjectedFunction" or something like that ? ;) (probably :))
You can't directly convert the jmp into a call because the call will
push a return address onto the stack, messing up the parameters as
need by the called function. If you do that, you need to provide a
trampoline function which recopies the parameters on the stack.
That's actually a fairly common technique, although doing it
generically is tricky if you don't know how much parameter data is on
the stack.
An alternative is to alter the return address on the stack to point to
your intercept code. This requires some care because you have to save
the *real* return address somewhere and eventually jump to it. This
is not so simple in the face of possible callbacks from the OS and
threads, but not impossible.
A third option is to patch the code your going to return to (the usual
int 3), but that means you need to unpatch it when you get back.
Anyway, there's an Intel paper on the subject:
http://www.intel.com/cd/ids/developer/asmo-na/eng/downloads/95865.htm
Also, several MSJ articles you should read:
"Learn System-Level Win32 Coding Techniques by Writing an API Spy
Program" in the December 1994 issue of MSJ (unfortunately MS does no
have this online anymore, but you can find bits and pieces on non-MS
sites.
http://www.microsoft.com/msj/0298/bugslayer0298.aspx
http://www.microsoft.com/msj/0699/Bugslayer/Bugslayer0699.aspx
.
- Prev by Date: Re: i disagree
- Next by Date: Re: i disagree
- Previous by thread: urgent requirement for project leader/apm required
- Index(es):
Relevant Pages
|
