patching operation code known as opcodes
-
Hello, I searched on the web but didn't find any good info on how to do it. Could anyone post an example or refer me somewhere where I can read up on them? I would like to hook a function using opcodes. Thanks
NT-based API hooking is also good. Is it really necessary for you to hook the functions using opcodes? Otherwise my suggestion is NT-based: API hooking revealed; kernel-based: API Hooking (LoadLibrary)
The greatness of God cannot be underestimated.
-
In order to properly perform the type of hook operation you are describing, you will need to implement some type of code relocation functionality. This is typically done by relocating one opcode at a time until enough memory is available to insert the patched code (or hook). This requires that each opcode and any operands be decoded and then encoded at a new location. Simply copying the opcode may not be sufficient if it uses relative addressing. From a top-level view you would typically do the following:

1. Allocate enough memory for the original code to be copied to. See VirtualAllocEx() in the Windows SDK.
2. Decode a single opcode.
3. Encode/assemble the opcode at its new location.
4. Repeat steps 2 and 3 until there is enough memory available to insert the hook.
5. Insert a jmp operation at the end of the relocated opcodes. This typically points to the end of the decode stream (or pointer if you prefer).
6. Insert the hook code (typically a jmp to your code).

You end up with something like this:

Before code relocation

user code -> | LoadLibrary (movable) | LoadLibrary main code

After code relocation

user code -> * jmp to your code * LoadLibrary main code
                     |                   |
                     |                   |
your code -> LoadLibrary (moved)

Before you begin you will probably want to familiarize yourself with the target CPU. Assuming that you are targeting Intel platforms, visit "Intel® 64 and IA-32 Architectures Software Developer's Manuals" for a list of references. The reference manuals will tell you how each instruction is composed and what operands, if any, need to be processed. They will also tell you how each operand is composed, which addressing modes apply to each opcode, and give you a list of all opcode modifiers (prefix bytes) and what they mean. For an example of how to decode an opcode check out http://udis86.sourceforge.net/
1300 calories of pure beef goodness can't be wrong!
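An added worked example, not code from the original post or from any project it links: a minimal C model of steps 2 to 6 above, run on a constructed x86-64 function prologue. It decodes only a handful of opcodes (a real hook engine needs a complete length decoder such as udis86), and it operates on plain byte buffers with assumed virtual addresses rather than live process memory, so it runs anywhere. The VirtualAllocEx/VirtualProtect (or mprotect) calls, thread suspension and the sample addresses 0x401000, 0x500000 and 0x600000 are all assumptions for illustration. The point it makes concrete is the one the answer stresses: a `call rel32` that falls inside the first five bytes cannot be byte-copied, because its displacement is relative to the instruction's own address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: relocate the first instructions of an x86-64 function into a
   trampoline, fixing rel32 displacements, then overwrite the function entry with
   jmp rel32 to the hook. Works on byte buffers with assumed addresses only. */

#define HOOK_LEN 5           /* size of jmp rel32 (E9 xx xx xx xx) */

/* Length of the instruction at p for a tiny opcode subset; *rel_off receives the
   offset of a rel32 operand or -1. Returns -1 for anything unsupported: a real
   hook engine needs a complete decoder (see udis86 / the Intel SDM). */
static int decode_len(const uint8_t *p, int *rel_off)
{
    *rel_off = -1;
    switch (p[0]) {
    case 0x90: case 0x55: case 0xC3: return 1;       /* nop, push rbp, ret */
    case 0xE8: case 0xE9: *rel_off = 1; return 5;    /* call/jmp rel32 */
    case 0x48:                                       /* REX.W prefix */
        if (p[1] == 0x89 && p[2] == 0xE5) return 3;  /* mov rbp, rsp */
        if (p[1] == 0x83 && p[2] == 0xEC) return 4;  /* sub rsp, imm8 */
        return -1;
    default: return -1;
    }
}

/* Little-endian host assumed (true for any machine that runs x86 code). */
static int32_t read32(const uint8_t *p) { int32_t v; memcpy(&v, p, 4); return v; }
static void write32(uint8_t *p, int32_t v) { memcpy(p, &v, 4); }

/* Steps 2-5: copy whole instructions from src (mapped at src_va) into dst (at
   dst_va) until HOOK_LEN bytes are covered, re-encoding each rel32 so it still
   reaches its original target, then append a jmp back to the first untouched
   instruction. Returns bytes consumed from src, or -1 on an unsupported opcode
   or an out-of-range displacement. */
static int relocate(const uint8_t *src, uint64_t src_va,
                    uint8_t *dst, uint64_t dst_va, size_t dst_cap, int *dst_len)
{
    int consumed = 0, emitted = 0;
    while (consumed < HOOK_LEN) {
        int rel_off, len = decode_len(src + consumed, &rel_off);
        if (len < 0 || (size_t)(emitted + len + HOOK_LEN) > dst_cap) return -1;
        memcpy(dst + emitted, src + consumed, len);
        if (rel_off >= 0) {               /* rel32 is relative to the *next* instruction */
            uint64_t target = src_va + consumed + len + (int64_t)read32(src + consumed + rel_off);
            int64_t delta = (int64_t)(target - (dst_va + emitted + len));
            if (delta != (int32_t)delta) return -1;   /* trampoline too far from target */
            write32(dst + emitted + rel_off, (int32_t)delta);
        }
        consumed += len; emitted += len;
    }
    int64_t back = (int64_t)((src_va + consumed) - (dst_va + emitted + HOOK_LEN));
    if (back != (int32_t)back) return -1;
    dst[emitted] = 0xE9; write32(dst + emitted + 1, (int32_t)back);
    *dst_len = emitted + HOOK_LEN;
    return consumed;
}

/* Step 6: overwrite the entry with jmp hook_va and NOP the tail of the last
   relocated instruction so nothing decodes as half an instruction. In a real
   process this write needs the page made writable (VirtualProtect/mprotect)
   and other threads parked outside the patched range. */
static int install_hook(uint8_t *src, uint64_t src_va, int consumed, uint64_t hook_va)
{
    int64_t rel = (int64_t)(hook_va - (src_va + HOOK_LEN));
    if (consumed < HOOK_LEN || rel != (int32_t)rel) return -1;
    src[0] = 0xE9; write32(src + 1, (int32_t)rel);
    memset(src + HOOK_LEN, 0x90, (size_t)(consumed - HOOK_LEN));
    return 0;
}

/* Constructed sample: a prologue whose call lands inside the first five bytes,
   so the call must be relocated and its rel32 rewritten. Addresses are assumed. */
static const uint64_t SAMPLE_VA = 0x401000, TRAMP_VA = 0x500000, HOOK_VA = 0x600000;
static const uint8_t SAMPLE_PROLOGUE[16] = {
    0x55,                          /* push rbp */
    0x48, 0x89, 0xE5,              /* mov rbp, rsp */
    0xE8, 0xF7, 0x00, 0x00, 0x00,  /* call 0x401100  (0x401009 + 0xF7) */
    0x48, 0x83, 0xEC, 0x20,        /* sub rsp, 0x20 */
    0x90, 0x90, 0x90 };

struct demo_result { int consumed, tramp_len, hook_rc; int32_t call_rel, back_rel, hook_rel;
                     uint64_t call_target; uint8_t pad_byte; };

static struct demo_result run_demo(void)
{
    struct demo_result r; uint8_t src[16], tramp[32] = {0}; int tlen = 0;
    memcpy(src, SAMPLE_PROLOGUE, sizeof src);
    r.consumed = relocate(src, SAMPLE_VA, tramp, TRAMP_VA, sizeof tramp, &tlen);
    r.tramp_len = tlen;
    r.call_rel = read32(tramp + 5);                 /* relocated call sits at tramp+4 */
    r.call_target = TRAMP_VA + 9 + (int64_t)r.call_rel;
    r.back_rel = read32(tramp + 10);                /* jmp back sits at tramp+9 */
    r.hook_rc = install_hook(src, SAMPLE_VA, r.consumed, HOOK_VA);
    r.hook_rel = read32(src + 1); r.pad_byte = src[8];
    return r;
}

/* Negative case: an opcode the decoder does not know must fail closed, never be copied blindly. */
static int rejects_unknown_opcode(void)
{
    uint8_t src[8] = { 0x0F, 0x1F, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90 }, tramp[32]; int tlen = 0;
    return relocate(src, SAMPLE_VA, tramp, TRAMP_VA, sizeof tramp, &tlen) == -1;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("consumed %d bytes, trampoline %d bytes, call rel32 0x%08x -> target 0x%llx, hook rel32 0x%08x\n",
           r.consumed, r.tramp_len, (unsigned)r.call_rel, (unsigned long long)r.call_target, (unsigned)r.hook_rel);
    return r.hook_rc;
}
```

On the sample the first two instructions cover only four bytes, so the five-byte `call` is relocated as well and nine bytes are consumed. Its displacement changes from 0xF7 to a large negative value once it lives at 0x500004, yet it still resolves to 0x401100; a byte copy would have sent it to 0x500100. Two checks a practitioner should keep even in a fuller engine: refuse any instruction the decoder does not understand rather than guessing its length, and verify every rewritten displacement still fits in 32 bits (a trampoline allocated far from the target needs an absolute jump instead). The example does not handle code elsewhere that jumps into the relocated byte range, nor a function shorter than five bytes; both need a real disassembler pass before patching.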