How to hook a C++ function with asm

Published 2024-12-01 14:13:45, 1442 characters, 0 views, 0 comments

I want to hook a C++ function. But I don't want to use the trampoline mechanism of MS Detours; instead I want to fully patch it. I can get the handle to the DLL where the function is located, and I have the right offset (imageBase stuff ...). So how do I hook it? And I don't know the data types of the arguments (var_4 and arg_0), or aren't they needed? In general I want to replace the following function with my own one (my function is nearly the same; only one line is changed):

sub_39001A40    proc near

    var_4       = dword ptr -4
    arg_0       = dword ptr  4
        push    ecx
        cmp     dword_392ADAB4, 0
        jnz     short loc_39001A4F
        call    loc_39024840

loc_39001A4F:
        push    esi
        mov     esi, [esp+8+arg_0]
        lea     eax, [esp+8+var_4]
        push    eax
        push    esi
        call    dword_392ADA98
        mov     ecx, [esp+10h+var_4]
        add     esp, 8
        add     dword_392ADA80, ecx
        adc     dword_392ADA84, 0
        add     dword_392ADA90, esi
        pop     esi
        adc     dword_392ADA94, 0
        add     dword_392ADA7C, 1
        pop     ecx
        retn
sub_39001A40    endp

It's bad that I can only hook functions whose names I know with MS Detours. I can't hook those asm functions with Detours, because I need the data types of the arguments passed in order to create the function structures!

EDIT:

"What's wrong with detours, exactly?"

I wrote: "I don't want to use the trampoline mechanism of MS Detours; instead I want to fully patch it." and "It's bad that I can only hook functions whose names I know with MS Detours. I can't hook those asm functions with Detours, because I need the data types of the arguments passed in order to create the function structures!" And I don't have the source code of the C++ files. I only have the hex dump.

"Trampoline is an actual technical term :) I'm just wondering why @lua can't use it."

I write: Read my sentences again; if you still don't understand why, my English is bad.

"Overriding just the named function should work; of course you may need to re-implement the whole DLL (depending on whether it is of any further use to you). Given your grasp of assembler, you might get away with using a hex editor to edit (a copy of) the original DLL you are seeking to subvert."

I want to hook the function because I don't want to edit the file. I can't overwrite my function, because I don't know the data types of the arguments or the function's name.

@asveikau: Thanks for your real help, but I don't want to use a trampoline mechanism; I want to overwrite the function.


Comments (2)

好菇凉咱不稀罕他 2024-12-08 14:13:45

A good trick is to replace the first few instructions with this:

push dword xxxx ; where xxxx = new code location
ret

This is sort of like an obfuscated jmp. I write it this way because in the assembled version it is very easy to replace the push operand with your pointer at runtime. It assembles to:

68 XX XX XX XX C3

where "XX XX XX XX" is your address in little-endian.

Then you can make a "call the old version of the function" code location, where the first few instructions are the ones you replaced with the sequence above, followed by a jump to the next valid instruction in the original code.


一梦等七年七年为一梦 2024-12-08 14:13:45

Overriding just the named function should work; of course you may need to re-implement the whole DLL (depending on whether it is of any further use to you). Given your grasp of assembler, you might get away with using a hex editor to edit (a copy of) the original DLL you are seeking to subvert.

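Editing a copy of the DLL with a hex editor, as this answer suggests, needs the file offset of the function rather than the address the disassembler shows. The following is an added example in C, not code from the original post or from this answer: it maps a virtual address to a file offset through the PE32 section table (RVA = VA - ImageBase; file offset = PointerToRawData + (RVA - VirtualAddress)). The image it runs against is a constructed header-only stand-in, not the real DLL, and its ImageBase of 0x39000000 and section layout are assumptions chosen to match the listing's addresses.

```c
/* Added example, not from the original post or either answer: locate a
 * function in the DLL file on disk from the VA shown by the disassembler,
 * using the PE32 section table. The sample image below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Offset of the "PE\0\0" signature, or 0 if the headers are not usable. */
static uint32_t pe_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || memcmp(img, "MZ", 2) != 0) return 0;
    uint32_t pe = rd32(img + 0x3C);                    /* e_lfanew */
    if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    if (len - pe - 24 < rd16(img + pe + 20)) return 0; /* optional header truncated */
    return pe;
}

/* File offset backing 'rva', or -1: gaps between sections and the zero-filled
 * tail of a section (beyond SizeOfRawData) do not exist in the file. The
 * caller still has to check the result against the real file size. */
static long rva_to_file_offset(const uint8_t *img, size_t len, uint32_t rva)
{
    uint32_t pe = pe_offset(img, len);
    if (!pe) return -1;
    uint16_t nsec = rd16(img + pe + 6);                /* NumberOfSections */
    const uint8_t *sec = img + pe + 24 + rd16(img + pe + 20);
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return -1;
        uint32_t vsize = rd32(sec + 8),  va  = rd32(sec + 12);
        uint32_t rawsz = rd32(sec + 16), raw = rd32(sec + 20);
        uint32_t span = vsize > rawsz ? vsize : rawsz; /* in-memory footprint */
        if (rva - va < span)                           /* rva in [va, va+span) */
            return rva - va < rawsz ? (long)(raw + (rva - va)) : -1;
    }
    return -1;
}

/* VA as shown by the disassembler -> file offset, using ImageBase from the
 * PE32 optional header (PE32+ keeps a 64-bit ImageBase at +24 instead). */
static long va_to_file_offset(const uint8_t *img, size_t len, uint32_t va)
{
    uint32_t pe = pe_offset(img, len);
    if (!pe || rd16(img + pe + 20) < 32) return -1;
    const uint8_t *opt = img + pe + 24;
    if (rd16(opt) != 0x10B) return -1;                 /* not PE32 */
    uint32_t base = rd32(opt + 28);
    return va < base ? -1 : rva_to_file_offset(img, len, va - base);
}

/* Constructed stand-in for the DLL's headers (not the real file): PE32, two
 * sections, ImageBase 0x39000000 assumed from the listing's addresses. */
#define SAMPLE_LEN 0x400
static uint8_t g_sample[SAMPLE_LEN];

static void build_sample_image(void)
{
    uint8_t *pe, *opt, *sec;
    memset(g_sample, 0, SAMPLE_LEN);
    memcpy(g_sample, "MZ", 2);
    wr32(g_sample + 0x3C, 0x80);                       /* e_lfanew */
    pe = g_sample + 0x80;
    memcpy(pe, "PE\0\0", 4);
    wr16(pe + 4, 0x14C);                               /* i386 */
    wr16(pe + 6, 2);                                   /* NumberOfSections */
    wr16(pe + 20, 0xE0);                               /* SizeOfOptionalHeader */
    opt = pe + 24;
    wr16(opt, 0x10B);                                  /* PE32 magic */
    wr32(opt + 28, 0x39000000u);                       /* ImageBase */
    sec = opt + 0xE0;
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x2A000);  wr32(sec + 12, 0x1000);   /* VirtualSize, VirtualAddress */
    wr32(sec + 16, 0x2A000); wr32(sec + 20, 0x400);    /* SizeOfRawData, PointerToRawData */
    sec += 40;
    memcpy(sec, ".data", 5);
    wr32(sec + 8, 0x5000);   wr32(sec + 12, 0x2AD000);
    wr32(sec + 16, 0x1000);  wr32(sec + 20, 0x2A400);  /* only 0x1000 bytes on disk */
}

/* Map a VA through the sample headers. */
static long sample_va_to_offset(uint32_t va)
{
    build_sample_image();
    return va_to_file_offset(g_sample, SAMPLE_LEN, va);
}

int main(void)
{
    printf("sub_39001A40   -> file offset 0x%lX\n", sample_va_to_offset(0x39001A40u));
    printf("dword_392ADAB4 -> file offset 0x%lX\n", sample_va_to_offset(0x392ADAB4u));
    printf("uninitialised .data tail -> %ld\n", sample_va_to_offset(0x392AE500u));
    return 0;
}
```

The -1 cases matter in practice: a global that lives in the uninitialised tail of .data, or anything past SizeOfRawData, has no bytes in the file to edit, and a relocated module (ImageBase differing from the preferred base) must have its runtime base subtracted instead of the header value.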
