Code commonly encountered in memory:

    mov eax, 0xabcdef    ; (1)
    call addr
With code like this you can take a 5-byte instruction, replace it with a JMP to myfunc to jump to your own function, and then, after reading the relevant data, JMP back.
The problem is that the JMP code is 3 bytes plus the memory address, so 5 bytes or 6 bytes, while mov is generally 5 bytes.
Jumping to your own function is fine, but can the code that restores the scene be generated automatically?
For example, your own function is:
    VOID __declspec(naked) myfunc()
    {
        PUSH_DATA;                      // back up each register's value (poster's own macro)
        ProcessData((void *)dwESI);     // handle the relevant data using the contents of esi
        RESTORE_DATA;                   // restore the registers (poster's own macro)
        __asm {
            mov eax, 0xabcdef           // (2)
            jmp dword ptr [lpBackAddr]  // (3)
        }
    }
To solve the 5-byte CALL/JMP length problem, you can find a 5-byte instruction in front, change it to jump to myfunc, and then at the end of myfunc, at (3), jump back.
Of course, before (3) you write the content of (1) at (2); for a simple single call you can directly look at the disassembly and write the instruction in,
but if there are a number of such functions and addresses to intercept and you want to do it automatically, it should be:
another function, meaning sethook:
a. At (2), reserve the first 5 bytes.
b. Save the 5 bytes of data at (1), via ReadProcessMemory or direct memory access.
c. Find the offset of (2) and write the content obtained in b into the corresponding memory,
d. or at (2) set cs:IP to the content read out in b (this would be a data segment; can it be set executable?), and after the read-out content add a jump instruction, i.e. put (3) there too, so that after execution it automatically jumps back.
Questions:
1. How can I get the offset of (2) in C++? If there is no such offset, can the memory offset be computed automatically, i.e. the starting address of a line of code relative to the function after compilation?
2. Can the content at (2) be dynamic? How would that be implemented? That is to say, how does one function modify the specified content of another function, or how does this function dynamically adjust the content of its own code?
3. Could there be a function like the following, myfunc2, so that during initialization the instructions are put here and myfunc jumps in? The address of myfunc2 is known, so one would not need to know the address of the specific line of code.
    VOID __declspec(naked) myfunc2()
    {
        __asm {
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
        }
    }
This is a bit messy; I hope someone can see it and give directions. Thank you very much.
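The byte arithmetic behind questions 1 and 2 (how the 5-byte jump at (1) and the jump back at (3) are computed, and what "the content at (2)" has to be) can be shown without touching live code. The following is an added illustration, not the poster's code: it builds the E9 rel32 patch, builds the "saved original bytes + JMP back" block that the poster wants at (2)/(3), and decodes a JMP the way an integrity scanner does when it compares a function prologue in memory with the on-disk image. All addresses (0x00401000, 0x00402000, 0x00403000) and the assumption that (1) is "mov eax, 0xabcdef" (B8 EF CD AB 00) are constructed for the example. It also shows why the 8-NOP myfunc2 slot from question 3 is too small: 5 displaced bytes plus a 5-byte JMP back need 10 bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not the poster's code): the byte arithmetic of a
 * 5-byte inline hook on 32-bit x86. Addresses are constructed examples.
 * Nothing here writes to live code memory. */

#define JMP_LEN 5   /* near JMP: E9 rel32 */

/* Displacement for a near JMP/CALL placed at `site` that reaches `target`.
 * x86 measures rel32 from the END of the 5-byte instruction. */
int32_t jmp_rel32(uint32_t site, uint32_t target)
{
    return (int32_t)(target - (site + JMP_LEN));
}

/* Write "E9 rel32" into out; returns the number of bytes written. */
size_t build_jmp(uint8_t *out, uint32_t site, uint32_t target)
{
    int32_t rel = jmp_rel32(site, target);
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);   /* little-endian on x86 */
    return JMP_LEN;
}

/* If the bytes at `site` start with a near JMP, return its destination, else 0.
 * This is the same decode a scanner does to flag a patched prologue. */
uint32_t jmp_destination(const uint8_t *bytes, uint32_t site)
{
    int32_t rel;
    if (bytes[0] != 0xE9)
        return 0;
    memcpy(&rel, bytes + 1, sizeof rel);
    return site + JMP_LEN + (uint32_t)rel;
}

/* Fill `slot` (at address slot_addr) with the n displaced original bytes
 * followed by a JMP back to site+n, i.e. the poster's (2) and (3).
 * Only valid when the displaced instruction is position-independent, such as
 * "mov eax, imm32"; a displaced relative call/jmp would need its rel32 fixed up.
 * Returns the total length, or 0 if it does not fit in slot_len bytes. */
size_t build_trampoline(uint8_t *slot, size_t slot_len, uint32_t slot_addr,
                        const uint8_t *orig, size_t n, uint32_t site)
{
    if (n + JMP_LEN > slot_len)
        return 0;
    memcpy(slot, orig, n);
    build_jmp(slot + n, slot_addr + n, site + n);
    return n + JMP_LEN;
}

/* Constructed scenario mirroring the question: (1) "mov eax, 0xabcdef" at
 * 0x00401000, myfunc at 0x00402000, the NOP slot (myfunc2) at 0x00403000. */
#define SITE 0x00401000u
#define HOOK 0x00402000u
#define SLOT 0x00403000u

static const uint8_t orig_mov[5] = { 0xB8, 0xEF, 0xCD, 0xAB, 0x00 };

/* Returns 1 if the patch and the trampoline built into a slot of slot_len
 * bytes decode back to the intended addresses, 0 if the slot is too small
 * or the decode does not round-trip. */
int hook_roundtrip(size_t slot_len)
{
    uint8_t patch[JMP_LEN];
    uint8_t slot[32] = {0};
    size_t tlen;

    if (slot_len > sizeof slot)
        slot_len = sizeof slot;

    build_jmp(patch, SITE, HOOK);
    if (jmp_destination(patch, SITE) != HOOK)
        return 0;

    tlen = build_trampoline(slot, slot_len, SLOT, orig_mov, sizeof orig_mov, SITE);
    if (tlen == 0)
        return 0;   /* e.g. the 8-NOP myfunc2 cannot hold 5 + 5 bytes */
    if (memcmp(slot, orig_mov, sizeof orig_mov) != 0)
        return 0;
    return jmp_destination(slot + sizeof orig_mov, SLOT + sizeof orig_mov)
           == SITE + sizeof orig_mov;
}

int main(void)
{
    uint8_t patch[JMP_LEN];
    size_t i;
    build_jmp(patch, SITE, HOOK);
    printf("patch at %08x:", (unsigned)SITE);
    for (i = 0; i < JMP_LEN; i++)
        printf(" %02X", patch[i]);
    printf("\n8-byte slot fits: %d, 16-byte slot fits: %d\n",
           hook_roundtrip(8), hook_roundtrip(16));
    return 0;
}
```

Writing such bytes into a running function is a separate step that the example deliberately leaves out: the page's own remark about the target being a data segment is the relevant caveat, since the destination must be executable and writable at the moment of the patch, and any scanner comparing in-memory prologues against the image on disk will see the E9 that jmp_destination decodes.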
CodePudding user response:
1. The MS compiler can't use this feature, GCC can. 2. and 3. What you are describing is a hook.
CodePudding user response:
https://github.com/Jasey/hook
CodePudding user response:
WinAPIOverride http://jacquelin.potier.free.fr/winapioverride32/
CodePudding user response: