End-to-end API hook not working

Intro info: Windows 7 64-bit. C++. 64-bit applications and DLLs. Hooking without MS Detours.

Question: I have been struggling with the problem of getting a working example that demonstrates hooking on Windows. Most of them seem to have been written in a time when 32-bit Windows XP was the only operating system... I have since overcome the 64-bit obstacles to understanding and successfully injected the DLL. My next step in this journey of knowledge is the hook itself. In keeping with the nostalgia of this topic, MS Detours does not support 64-bit (in the free version), and of course I am not paying $10,000 for it. Therefore, I followed the traditional method in this tutorial.

This tutorial is awesome, but I am a little lost trying to understand this segment:

    void BeginRedirect(LPVOID newFunction) {
        // E9 = JMP rel32; the four 0x90 bytes are placeholders for the
        // displacement, filled in below; C3 = RET.
        BYTE tempJMP[SIZE] = {0xE9, 0x90, 0x90, 0x90, 0x90, 0xC3};
        memcpy(JMP, tempJMP, SIZE);
        // rel32 is measured from the end of the 5-byte JMP instruction.
        // The DWORD casts truncate pointers to 32 bits, so this only works
        // for 32-bit processes.
        DWORD JMPSize = ((DWORD)newFunction - (DWORD)pOrigMBAddress - 5);
        // Make the page writable, saving its previous protection.
        VirtualProtect((LPVOID)pOrigMBAddress, SIZE, PAGE_EXECUTE_READWRITE, &oldProtect);
        // Save the original prologue bytes so the hook can be removed later.
        memcpy(oldBytes, pOrigMBAddress, SIZE);
        // Write the displacement right after the E9 opcode.
        memcpy(&JMP[1], &JMPSize, 4);
        // Overwrite the start of the target function with the JMP.
        memcpy(pOrigMBAddress, JMP, SIZE);
        // Restore the original protection. lpflOldProtect must not be NULL
        // (the tutorial passed NULL, which makes VirtualProtect fail).
        DWORD ignored;
        VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, &ignored);
    }

In particular, I am struggling with the tempJMP bytes and all the memcpy calls that follow. I have the address of Notepad's InsertDate() function that I want to hook, but I'm not sure where to point it... Would that be the address of the new function? Or is it relative, or not? Idk, I'm just looking for some pointers.

+6
2 answers

Hotpatchable functions begin with a mov edi, edi instruction and are preceded by 5 NOP instructions (a code cave, if I remember correctly).

When hotpatching, mov edi, edi is overwritten with a short jump into the code cave. The code cave in turn is overwritten with a jump to your hook handler (a function in which you intercept the API call and then redirect it to the real API function).

+2

The whole idea is to "overwrite" the original code at the start of MessageBox with:

    JuMP <CustomMessageBoxFunction>
    RETurn (back to program execution)

So,

First, he copies his shellcode into the JMP array:

  memcpy(JMP, tempJMP, SIZE); 

He then copies the original assembly code from the original address into his "oldBytes" temporary storage so that he can copy it back after executing his custom function:

 memcpy(oldBytes, pOrigMBAddress, SIZE); 

Then he copies the address offset he previously calculated into the JMP array, immediately after the jmp opcode:

 memcpy(&JMP[1], &JMPSize, 4); 

Finally, his JMP[] array contains the shellcode needed to call his function, e.g.

    JMP 1234
    RET

so now he copies this over the original bytes, where the program expects to find the original MessageBox function:

 memcpy(pOrigMBAddress, JMP, SIZE); 

Now, coming to your question: if you want to hook InsertDate(), instead of using pOrigMBAddress you can use the address of InsertDate.

But I'm not sure if this will work on 64-bit Windows.

+1
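To make the offset question concrete, here is an added example (not from the question, the answers, or the tutorial) that builds the same E9 rel32 / C3 patch from two absolute addresses and decodes it back. It also checks the one thing the 32-bit code above silently assumes, namely that the hook site and the handler are within ±2 GiB of each other, which is where this approach breaks on 64-bit Windows. Decoding a prologue's E9 displacement is also how you verify where an in-memory hook actually points when inspecting a process. All addresses are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define PATCH_SIZE 6   /* E9 rel32 (5 bytes) + C3 RET */

/* Build the 6-byte patch written over the hooked function.
 * The rel32 operand of E9 is relative to the END of the 5-byte JMP,
 * which is why the tutorial subtracts 5. Returns false if the target is
 * more than +/-2 GiB away; a 32-bit displacement cannot reach it, and on
 * 64-bit systems DLLs and hook code are routinely that far apart. */
bool build_jmp_patch(uint64_t hook_site, uint64_t target, uint8_t out[PATCH_SIZE])
{
    int64_t disp = (int64_t)(target - (hook_site + 5));
    if (disp > INT32_MAX || disp < INT32_MIN)
        return false;
    int32_t rel32 = (int32_t)disp;
    out[0] = 0xE9;                 /* JMP rel32 opcode */
    memcpy(&out[1], &rel32, 4);    /* little-endian displacement */
    out[5] = 0xC3;                 /* RET, as in the tutorial's tempJMP */
    return true;
}

/* Inverse: recover the absolute jump target from a patched prologue.
 * Useful when checking whether a function in a process has been hooked
 * and, if so, where control is being diverted to. */
uint64_t decode_jmp_target(uint64_t hook_site, const uint8_t patch[PATCH_SIZE])
{
    int32_t rel32;
    memcpy(&rel32, &patch[1], 4);
    return hook_site + 5 + (uint64_t)(int64_t)rel32;
}

int main(void)
{
    uint8_t patch[PATCH_SIZE];
    /* constructed 32-bit style addresses: hook at 0x401000, handler at 0x401234 */
    if (build_jmp_patch(0x401000ULL, 0x401234ULL, patch)) {
        for (int i = 0; i < PATCH_SIZE; i++) printf("%02X ", patch[i]);
        printf("-> target 0x%llX\n",
               (unsigned long long)decode_jmp_target(0x401000ULL, patch));
    }
    /* constructed 64-bit style addresses: a typical EXE/DLL gap, unreachable */
    printf("64-bit reachable: %d\n",
           build_jmp_patch(0x00007FF600001000ULL, 0x0000000140001000ULL, patch));
    return 0;
}
```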

Source: https://habr.com/ru/post/906790/