readme & issues
This commit is contained in:
21
issues.md
Normal file
21
issues.md
Normal file
@@ -0,0 +1,21 @@
|
||||
+ unimportant
|
||||
++ feature request
|
||||
+++ bug
|
||||
|
||||
+++ fix relative calls in build_trampoline()
|
||||
|
||||
++Detect loops to the start of the function to be hooked
|
||||
start:
|
||||
jmp hook_function
|
||||
bla
|
||||
jXX start+3
|
||||
How to fix that:
|
||||
Also fix that jump
|
||||
Copy more into the trampoline
|
||||
|
||||
++ search for code caves and use those
|
||||
|
||||
++ more jump types in is_jump()
|
||||
|
||||
+ fix disassemble_func()
|
||||
+ fix is_end_of_function()
|
||||
36
readme.md
Normal file
36
readme.md
Normal file
@@ -0,0 +1,36 @@
|
||||
x64hook is a hooking library for x64 code that aims to be able to patch everything!
|
||||
|
||||
The general problems with hooking general functions are:
|
||||
1) The code to be overwritten with the jump to your code has relative jumps (forward) or calls.
|
||||
Those need to be fixed in the trampoline. As the trampoline is probably out of reach for 32bit
|
||||
jumps all the fixed jumps need to be x64 RIP relative jumps.
|
||||
|
||||
Conditional jumps are also handled - there are no jcc rel64 instructions though.
|
||||
That means that the condition is inverted as to jump, over the fixup code, further
|
||||
in the trampoline. The fixup code then is a unconditional 64bit jump.
|
||||
|
||||
2) The functions loops back into the code that has to be overwritten - that happens for functions
|
||||
with a loop (duh!) but also in case of tail-recursion optimization.
|
||||
|
||||
Currently hooking such functions is not supported and in fact this is not even detected.
|
||||
Detection: Search for the end of the function (which has its own problems), keep track of all jumps into the
|
||||
first few bytes.
|
||||
|
||||
3) Other threads might try to execute the code as it is overwritten - if that happens shit hits the fan
|
||||
and the normal working of the application *will* be disrupted.
|
||||
There are two methods of overcoming that problem:
|
||||
a) "The stop-the-world approach" stops all threads to hinder them from executing.
|
||||
That makes the hooking time intensive and easily detectable.
|
||||
b) Writing all the problematic modifications atomically. That's not doable for > 8bytes.
|
||||
How is that write reflected in the instruction cache?
|
||||
Instruction fetches follow a different memory model (no lock/unlock & µOp Caches)
|
||||
c) The approach described in "Living on the edge: Rapid-toggline probes with cross modification on x86"
|
||||
Firstly writing a INT3 to the code which lets all other threads who execute that code jump into an newly
|
||||
installed execution handler with a spin loop until the hooking is done - i.e. execution can be safely
|
||||
resumed.
|
||||
Then the code is overwritten atomically with respect to cache lines.
|
||||
Lastly the exception handler is deactived.
|
||||
|
||||
|
||||
As this is a x64 hooking library running on x64 the overwritten code is fairly long, making the occurence of
|
||||
the problems detailed above very likely.
|
||||
Reference in New Issue
Block a user