show what happens when mhook hooks loop
86
README.md
@@ -95,29 +95,14 @@ instruction lengths & offsets.
|
|||||||
|
|
||||||
|
|
||||||
0026 | 48 83 E0 01 | and rax,1
|
0026 | 48 83 E0 01 | and rax,1
|
||||||
002A | 74 17 | je test_cases.0043 ----+
|
002A | 74 17 | je test_cases.0043 --+
|
||||||
002C | 48 31 C0 | xor rax,rax |
|
002C | 48 31 C0 | xor rax,rax |
|
||||||
002F | 90 | nop |
|
002F | 90 | nop |
|
||||||
0030 | 90 | nop |
|
0030 | 90 | nop |
|
||||||
0031 | 90 | nop |
|
... |
|
||||||
0032 | 90 | nop |
|
0041 | 90 | nop |
|
||||||
0033 | 90 | nop |
|
0042 | 90 | nop |
|
||||||
0034 | 90 | nop |
|
0043 | C3 | ret <----------------+
|
||||||
0035 | 90 | nop |
|
|
||||||
0036 | 90 | nop |
|
|
||||||
0037 | 90 | nop |
|
|
||||||
0038 | 90 | nop |
|
|
||||||
0039 | 90 | nop |
|
|
||||||
003A | 90 | nop |
|
|
||||||
003B | 90 | nop |
|
|
||||||
003C | 90 | nop |
|
|
||||||
003D | 90 | nop |
|
|
||||||
003E | 90 | nop |
|
|
||||||
003F | 90 | nop |
|
|
||||||
0040 | 90 | nop |
|
|
||||||
0041 | 90 | nop |
|
|
||||||
0042 | 90 | nop |
|
|
||||||
0043 | C3 | ret <-----------------+
|
|
||||||
|
|
||||||
|
|
||||||
This function has a branch in the first 5 bytes. Hooking it detour-style isn't
|
This function has a branch in the first 5 bytes. Hooking it detour-style isn't
|
||||||
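Review bot: the ASCII arrow in the condensed listing may no longer line up. On the `je test_cases.0043` line the connector changed from `----+` to `--+`, while on the `ret` line it changed from `<----------------+` to `<-----------------+` (one dash longer, not shorter). Now that the nop run 0032..0040 is replaced by a single `...` row, check in the rendered README that the vertical `|` column and both `+` ends of the arrow sit in the same column, otherwise the branch no longer reads as one arrow from the `je` to the `ret`.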
@@ -198,27 +183,46 @@ instructions that have been overwritten. Consider this:
|
|||||||
There's only 3 bytes that can be safely overwritten. Right after that is the
|
There's only 3 bytes that can be safely overwritten. Right after that is the
|
||||||
destination of the jump backwards. This is a very simple (and kinda pointless)
|
destination of the jump backwards. This is a very simple (and kinda pointless)
|
||||||
function so detecting that the loop might lead to problems shouldn't be a
|
function so detecting that the loop might lead to problems shouldn't be a
|
||||||
problem. Basically the same applies for the next example:
|
problem. But consider what happens with MHook (and all the others):
|
||||||
|
|
||||||
public _tail_recursion
|
_loop original:
|
||||||
_tail_recursion:
|
|
||||||
test ecx, ecx
|
|
||||||
je @is_0
|
|
||||||
mov eax, ecx
|
|
||||||
dec ecx
|
|
||||||
@loop:
|
|
||||||
test ecx, ecx
|
|
||||||
jz @tr_end
|
|
||||||
|
|
||||||
mul ecx
|
008C | 48 89 C8 | mov rax,rcx
|
||||||
dec ecx
|
008F | 48 F7 E1 | mul rcx
|
||||||
|
0092 | 90 | nop
|
||||||
|
0093 | 90 | nop
|
||||||
|
0094 | 90 | nop
|
||||||
|
0095 | E2 F8 | loop test_cases.008F
|
||||||
|
0097 | C3 | ret
|
||||||
|
|
||||||
jnz @loop
|
_loop hooked:
|
||||||
jmp @tr_end
|
|
||||||
@is_0:
|
008C | E9 0F 69 23 00 | jmp <MHook_Hooks::hookLoop>
|
||||||
mov eax, 1
|
0091 | E1 90 | loope test_cases.0023
|
||||||
@tr_end:
|
0093 | 90 | nop
|
||||||
ret
|
0094 | 90 | nop
|
||||||
|
0095 | E2 F8 | loop test_cases.008F
|
||||||
|
0097 | C3 | ret
|
||||||
|
|
||||||
|
trampoline:
|
||||||
|
|
||||||
|
00007FFF7CD200C0 | 48 89 C8 | mov rax,rcx
|
||||||
|
00007FFF7CD200C3 | 48 F7 E1 | mul rcx
|
||||||
|
00007FFF7CD200C6 | E9 C7 96 DC FF | jmp test_cases.0092
|
||||||
|
|
||||||
|
then executes:
|
||||||
|
|
||||||
|
0092 | 90 | nop
|
||||||
|
0093 | 90 | nop
|
||||||
|
0094 | 90 | nop
|
||||||
|
0095 | E2 F8 | loop test_cases.008F
|
||||||
|
|
||||||
|
But that jumps back into the middle of the jump and thus executes:
|
||||||
|
|
||||||
|
008F | 23 00 | and eax,dword ptr ds:[rax]
|
||||||
|
0091 | E1 90 | loope test_cases.0023
|
||||||
|
|
||||||
|
Which isn't right and will crash horribly.
|
||||||
|
|
||||||
(Preliminary) Results
|
(Preliminary) Results
|
||||||
=====================
|
=====================
|
||||||
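Review bot: the new sentence "But consider what happens with MHook (and all the others)" claims more than this hunk demonstrates; the listing only shows an MHook trampoline (`jmp <MHook_Hooks::hookLoop>`), so either name the other libraries that behave the same way or limit the statement to MHook. The closing line "Which isn't right and will crash horribly." would also benefit from one sentence stating why, since the listings already contain the evidence: the relocated `loop test_cases.008F` jumps back to offset 008F, which is now byte `23` inside the 5-byte `E9 0F 69 23 00` jmp, so the CPU decodes `23 00` as `and eax,dword ptr ds:[rax]` (a memory read through rax) followed by `E1 90` as `loope test_cases.0023`, instead of the original `mul rcx`.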