Orkblutt
April 25th, 2008, 04:46
Hi,
i'm trying to hook a fastcall function... I'm patching to jmp into my hook and jumping back at the end to continue the normal execution flow...
here the function i'm trying to hook
<div style="margin:20px; margin-top:5px"><div class="smallfont" style="margin-bottom:2px">Code:</div><pre class="alt2" style="margin:0px; padding:6px; border:solid 1px; width:90%; height:80px; overflow:auto"><div dir="ltr" style="text-align:left;">
.text:010873F6 ; int __fastcall BlahBlahBlah(int,int,int,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
.text:010873F6 ?BlahBlahBlah@@YGHPAXPBXKPAKPAU_OVERLAPPED@@@Z proc near
.text:010873F6 ; CODE XREF: sub_10948BC+1Cp
.text:010873F6
.text:010873F6 arg_0 = dword ptr 8
.text:010873F6 lpBuffer = dword ptr 0Ch
.text:010873F6 nNumberOfBytesToWrite= dword ptr 10h
.text:010873F6 lpNumberOfBytesWritten= dword ptr 14h
.text:010873F6 lpOverlapped = dword ptr 18h
.text:010873F6
.text:010873F6 mov edi, edi
.text:010873F8 push ebp ; lpBuffer
.text:010873F9 mov ebp, esp
.text:010873FB push esi ; hFile
.text:010873FC push edi
.text:010873FD push [ebp+arg_0]
.text:01087400 call sub_10872FE
.text:01087405 xor esi, esi
....
....
.text:0108747A mov esi, ds:__imp__WriteFile@20 ; WriteFile(x,x,x,x,x)
.text:01087480 push ebx
.text:01087481 push [ebp+lpOverlapped] ; lpOverlapped
.text:01087484 mov ecx, eax
.text:01087486 and ecx, 1
.text:01087489 sub eax, ecx
.text:0108748B shl eax, 9
.text:0108748E push edi ; lpNumberOfBytesWritten
.text:0108748F mov ebx, eax
.text:01087491 push ebx ; nNumberOfBytesToWrite
.text:01087492 push [ebp+lpBuffer] ; lpBuffer
.text:01087495 push hFile ; hFile
.text:0108749B call esi ; WriteFile(x,x,x,x,x) ; WriteFile(x,x,x,x,x)
</div></pre></div>
here my hooking code
BOOL PATCH_InsertJump (DWORD Address,DWORD Destination, BYTE* origopcode, int len)
{
DWORD OldProtect;
if(!VirtualProtect((LPVOID)Address,5,PAGE_READWRITE,&OldProtect))
return false;
memcpy(origopcode, (const void*)Address, len);
*(BYTE*)(Address) = 0xE9;
*(DWORD*)(Address+1) = Destination - (Address + 5);
return (BOOL)VirtualProtect((LPVOID)Address,5,OldProtect,NULL);
}
BOOL RestoreOriginalOpcodes(DWORD Address, BYTE* origopcode, int len)
{
DWORD OldProtect;
if(!VirtualProtect((LPVOID)Address,len,PAGE_READWRITE,&OldProtect))
return false;
memcpy((void*)Address, (const void*)origopcode, len);
return (BOOL)VirtualProtect((LPVOID)Address,len,OldProtect,NULL);
}
#define HOOK_OFFSET 0x1087484
#define PATCH_LEN 5
BYTE origopcode[PATCH_LEN] = {0};
DWORD Hook2Return, sEAX;
PVOID pBuffer;
__declspec(naked) void BlahBlahBlahHook()
{
__asm
{
// storing eax value
mov sEAX, eax
// getting the buffer from the stack
mov eax, [esp + 8]
mov pBuffer, eax
// restoring eax...
mov eax, sEAX
// overwritten code...
mov ecx, eax
and ecx, 1
}
__asm pushad
debug.Write("%s", (char*)pBuffer);
__asm popad;
__asm jmp Hook2Return;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved

{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{
PATCH_InsertJump( HOOK_OFFSET ,(DWORD)&VTI_WriteFileHook, (BYTE*)origopcode, PATCH_LEN);
Hook2Return = HOOK_OFFSET + PATCH_LEN;
}
else if(ul_reason_for_call == DLL_PROCESS_DETACH)
{
RestoreOriginalOpcodes(HOOK_OFFSET, (BYTE*)origopcode, PATCH_LEN);
}
return TRUE;
}
now when i'm injecting that dll into my target, the target crash even before to call the Blahblahblah function...
<div style="margin:20px; margin-top:5px; "><div class="smallfont" style="margin-bottom:2px">Quote:</div><table cellpadding="6" cellspacing="0" border="1" width="90%"><tr><td class="alt2" style="border:1px inset"><i>Exception non gérée à 0x010871b1 dans target.exe : 0xC0000005: Access violation.</i></td></tr></table></div>
in debugger:
<div style="margin:20px; margin-top:5px"><div class="smallfont" style="margin-bottom:2px">Code:</div><pre class="alt2" style="margin:0px; padding:6px; border:solid 1px; width:90%; height:80px; overflow:auto"><div dir="ltr" style="text-align:left;">
OtherFunctionThanBlahblahblah:
010871B1 mov edi,edi ; edi = 0x000000FF
010871B3 push ebp
010871B4 mov ebp,esp
010871B6 push edi
...
BlahBlahBlah
010873F6 mov edi,edi
010873F8 push ebp
010873F9 mov ebp,esp
010873FB push esi
010873FC push edi
010873FD push dword ptr [ebp+8]
01087400 call VTI_Init+0AEh (10872FEh)
01087405 xor esi,esi
01087407 sub eax,esi
...
01087477 mov edi,dword ptr [ebp+14h]
0108747A mov esi,dword ptr [__imp__WriteFile@20 (1001250h)]
01087480 push ebx
01087481 push dword ptr [ebp+18h]
01087484 jmp BlahBlahBlahHook (12E1110h)
01087489 sub eax,ecx
0108748B shl eax,9
0108748E push edi
0108748F mov ebx,eax
01087491 push ebx
</div></pre></div>
Suggestions are welcome cause i can't find atm why this error....
I'm not sure i can write the real target name... can i?
regards,
orkblutt