Re: Need a jump opcode generator.
- From: "Skybuck Flying" <spam@xxxxxxxxxxx>
- Date: Fri, 27 Jul 2007 11:57:36 +0200
Ah yes, I see what happens and I understand the doc now.
The E9 is a 32-bit relative jump instruction.
For the CPU to understand where to jump to it needs to read the next 4 bytes.
And apparently Intel increments the extended instruction pointer accordingly.
So the EIP always points completely to the next instruction.
So the jump instruction is interpreted by the CPU as a 5-byte instruction.
So here is the correct code which is tested and working! Really nice too:
Example:
// vSendTo points to original winsock 2 sendto.
// generate jump in original winsock 2 sendto to injected sendto:
// rel32 displacement = target - (address of the jump + 5), since EIP already points past the 5-byte instruction
byte( pointer(vSendTo)^ ) := $E9;
pointer( pointer( integer(vSendTo)+1 )^ ) := pointer( integer(@injected_sendto) - (integer(vSendTo)+5) );
// stub which contains the replaced 5 bytes:
// the jump sits at stub+5, so its displacement is relative to stub+10
byte( pointer(integer(vSendToStub) + 5)^ ) := $E9;
pointer( pointer(integer(vSendToStub) + 6)^ ) := pointer( integer(integer(vSendTo) + 5) - (integer(vSendToStub)+10) );
The stub hasn't been tested yet.
However, the injected functions have been tested... and they return to the
original winsock 2 sendto caller... which is real nice.
No problems so far.
So the injected functions currently behave like they could completely
replace the winsock 2 functions.
Now the idea is for the sendto and recvfrom injected functions to "call" or
"jump" to the stub... the stub executes the 5 original bytes from the
sendto/recvfrom functions... and then jumps to the location in the original
sendto/recvfrom functions and executes the original instructions... and
finally a return of course will be done... which would force the return to
the original caller.
Hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm this is now what I want...
What I want is to return to the one who called the stub....
So all that is necessary to achieve this is for the injected functions to
simply "call" the stubs. (So don't jump to the stubs;))
This will push the return address on the stack... which will force the
original sendto/recvfrom function to return to the injected functions... so
that the injected functions can do pre- and post-processing.
And then the injected functions will return and return to the original
sendto caller etc.
So the only thing which is probably needed is for the injected function to
call the stub like so:
TsendTo_Prototype(vSendToStub)( parameters );
This should work very nicely...
Gonna test it ;)
For a moment there I was worried I had to do a jump and that's of course not
really possible in Delphi... but calls are very nicely possible ;) heheh
I checked and yup, that's how I designed it and that's also how the API spy
tutorial on the internet describes it.
Calling a 5 byte stub is just weird LOL hehehehehehehehhe.
But it's gonna work.
(The stub has a jump at the end instead of a return ;))
Bye,
Skybuck ;)
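An added example (not Skybuck's code) that works the same rel32 arithmetic through in Python: it encodes the two E9 jumps from the post, decodes them back to confirm they land on injected_sendto and on sendto+5, and adds the check a defender would run to spot a function entry that jumps out of its own module. The addresses, module range and prologue bytes are constructed, not a real ws2_32 layout.

```python
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near relative jump
JMP_LEN = 5        # one opcode byte plus a 4-byte signed displacement


def encode_jmp_rel32(at: int, target: int) -> bytes:
    """Bytes of 'E9 rel32' written at address `at` so execution lands on `target`.
    The displacement is relative to the next instruction (at + 5), which is why
    the post subtracts vSendTo+5 rather than vSendTo."""
    rel = target - (at + JMP_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target not reachable with a rel32 displacement")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jmp_rel32(at: int, code: bytes):
    """Absolute 32-bit destination if `code` at address `at` starts with E9 rel32, else None."""
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        return None
    (rel,) = struct.unpack("<i", code[1:JMP_LEN])
    return (at + JMP_LEN + rel) & 0xFFFFFFFF


def build_hook(orig: int, prologue: bytes, injected: int, stub: int):
    """Return (patched_prologue, stub_bytes) in the post's layout: orig[0:5] becomes
    'jmp injected'; the stub holds the 5 displaced bytes followed by 'jmp orig+5'."""
    if len(prologue) != JMP_LEN:
        raise ValueError("exactly the 5 displaced bytes are expected")
    patched = encode_jmp_rel32(orig, injected)
    stub_bytes = prologue + encode_jmp_rel32(stub + JMP_LEN, orig + JMP_LEN)
    return patched, stub_bytes


def entry_jumps_outside(func: int, code: bytes, mod_lo: int, mod_hi: int) -> bool:
    """Detection check: does the function entry jump to an address outside its own
    module's [mod_lo, mod_hi) range? That is the trace an inline hook like the one
    above leaves at the export's first 5 bytes."""
    dest = decode_jmp_rel32(func, code)
    return dest is not None and not (mod_lo <= dest < mod_hi)


# Constructed sample values: 32-bit process, DLL mapped at 0x71A10000..0x71A50000,
# injected function and stub living in the EXE image.
SENDTO = 0x71A12B70
INJECTED = 0x00401000
STUB = 0x00402000
ORIG_PROLOGUE = bytes.fromhex("8BFF558BEC")  # constructed 'mov edi,edi; push ebp; mov ebp,esp'
```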