BanMe
September 18th, 2009, 12:10
The idea is pretty simple, especially if you are doing an inline 'patching' approach.
Code:
push Parameter1
push Parameter2
Call API
In asm terms it essentially looks like this:
Code:
push DWORD
push DWORD
call DWORD
Now let's say you have the hooking code already done, something that is patched to some address in the 'target' permanently.
You should not modify the stack in the hooking code unless you are not returning to the called function (the Call DWORD), in which case you should clean the stack of the unused parameters yourself, but I won't go over that.
So, in order to avoid modifying the stack, code similar to this should be used:
Code:
pushad
..actual code that performs filtering of denial of service or bypass or w/e...
popad
jmp to_original_function
So now that you know what a trampoline hook 'should' look like, this does not mean that it has to look like this, but w/e. So where the first line of the hooking code starts is the address of the hook you want to jmp to,
so that after the hooking is done the example from above looks like this:
Code:
push DWORD
push DWORD
jmp hook
I hope this helps
It prolly doesn't..so..
Code:
wtf:
00401080 55 push ebp
00401081 8B EC mov ebp,esp
00401083 6A 01 push 1
00401085 6A FF push 0FFFFFFFFh
00401087 FF 15 F8 60 40 00 call dword ptr [__imp__SleepEx@8 (4060F8h)]
0040108D 5D pop ebp
0040108E C3 ret
--- No source file -------------------------------------------------------------
0040108F CC int 3
Say this is the target function we want to hook with our inline patch,
and say 004013040 is the address of the 'patch'. The code above should look like this after hooking:
Code:
wtf:
00401080 E9 BB1FC103 jmp 04013040
00401085 6A FF push 0FFFFFFFFh
00401087 FF 15 F8 60 40 00 call dword ptr [__imp__SleepEx@8 (4060F8h)]
0040108D 5D pop ebp
0040108E C3 ret
--- No source file -------------------------------------------------------------
0040108F CC int 3
regards BanMe
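As an added example (not BanMe's code), the arithmetic behind the patched listing above, carried through in C: it encodes the 5-byte jmp rel32 that replaces the start of wtf(), decodes it back, and checks a function entry for that kind of inline hook. The addresses are the post's own (wtf() at 0x00401080, the patch at 0x04013040); the byte arrays are constructed from the two listings.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not BanMe's code: encode/decode the 5-byte "jmp rel32" (E9 xx xx xx xx)
 * the inline patch writes over wtf(), and check a function entry for such a hook.
 * Addresses are the post's own: wtf() at 0x00401080, the patch at 0x04013040. */
#define JMP_REL32_LEN 5

/* Write E9 + rel32 into out[]; rel32 is measured from the END of the jmp instruction. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[JMP_REL32_LEN]) {
    uint32_t rel = to - (from + JMP_REL32_LEN); /* unsigned wraparound is intended */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian */
}

/* Recover the destination of a jmp rel32 located at address `at`. */
uint32_t decode_jmp_rel32(uint32_t at, const uint8_t code[JMP_REL32_LEN]) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)code[1 + i] << (8 * i);
    return at + JMP_REL32_LEN + rel;
}

/* Integrity check for a function entry against its expected prologue bytes.
 * Returns 0 if intact, 1 if a jmp rel32 hook is present (*target = where control
 * now goes), 2 if the prologue was modified in some other way. */
int detect_inline_hook(uint32_t func_addr, const uint8_t *bytes, size_t len,
                       const uint8_t *expected, size_t expected_len, uint32_t *target) {
    if (len < expected_len || len < JMP_REL32_LEN) return 2;
    if (memcmp(bytes, expected, expected_len) == 0) return 0;
    if (bytes[0] != 0xE9) return 2;
    *target = decode_jmp_rel32(func_addr, bytes);
    return 1;
}

/* Constructed from the two listings: the first 7 bytes of wtf() before and after
 * patching. The jmp overwrote push ebp / mov ebp,esp / push 1, so a trampoline
 * must replay those 5 bytes before jumping back to 0x00401085. */
static const uint8_t WTF_ORIGINAL[] = {0x55, 0x8B, 0xEC, 0x6A, 0x01, 0x6A, 0xFF};
static const uint8_t WTF_PATCHED[]  = {0xE9, 0xBB, 0x1F, 0xC1, 0x03, 0x6A, 0xFF};
/* Reproduces the post's numbers: returns the hook target detected in WTF_PATCHED,
 * or 0 if encode_jmp_rel32 does not produce the listing's bytes E9 BB 1F C1 03. */
uint32_t example_check(void) {
    uint8_t jmp[JMP_REL32_LEN];
    uint32_t target = 0;
    encode_jmp_rel32(0x00401080u, 0x04013040u, jmp);
    if (memcmp(jmp, WTF_PATCHED, JMP_REL32_LEN) != 0) return 0;
    if (detect_inline_hook(0x00401080u, WTF_PATCHED, sizeof WTF_PATCHED,
                           WTF_ORIGINAL, 5, &target) != 1) return 0;
    return target;
}
```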