InlineHook under x64

x64 manual HOOK methods

There are many ways to inline-HOOK a 64-bit program. They are recorded here as well, to understand the truth and the nature of HOOKing across platforms.

Part 1: Several methods of far-jump HOOK

1. Far jump that does not affect registers, 15-byte method

There are several 64-bit HOOK methods. One kind affects the value of a register; the other kind does not. Each has advantages and disadvantages.

The first kind: it does not affect register values, and its hardcode occupies 15 bytes.

Principle: use push + ret to jump to the HOOK address.

push LowAddress                          ; low address of the function (8 bytes)
mov qword ptr ss:[rsp + 4],HighAddress   ; high address of the function (8 bytes; the upper 4 bytes are usually 0, so they need not be given)
ret

hardcode:

68 XX XX XX XX                          push LowAddress
48 C7 44 24 04 XX XX XX XX              mov qword ptr ss:[rsp + 4],HighAddress
C3                                      ret

The XX bytes are replaced with our address.

2. Far jump that affects a register, 12-byte method

This method will affect the value of a register.

Principle: use mov rax + jmp rax.

mov rax,Address
jmp rax

hardcode:

48 B8 XX XX XX XX XX XX XX XX FF E0 


Note the byte order (little-endian) of the address; it must not be filled in wrong.

3. Affects a register, then restores the register and jumps.

This approach is actually an evolution of the second one. In the second approach we modify rax directly to our address; instead, we can use the stack to save it.

Principle: push + mov reg + jmp, and pop to restore.

push reg
mov reg,address
jmp reg
pop reg

reg stands for any register. This method can effectively preserve the register across the HOOK; it is restored when jumping back.

The hardcode is not fixed here, because the encodings of push reg and pop reg depend on which register you use.

4. The common jump mode, jmp + rip, 6 bytes

In a 64-bit program the rip register can be used. Under 32-bit, changing the value of eip is nothing more than jmp + call; under 64-bit it can be used to change the

Principle: a rip-relative addressed jmp.

jmp qword ptr ds:[rip]
data address (8 bytes)

This method takes rip + (instruction length) as the address of the data and reads the contents there as the jump address, so when using this method the eight bytes of data must follow right after the instruction. That data is the address you want to jump to.

As the screenshot shows, the next eight bytes of data are used as the jump address.

At this point you might say: isn't this just a 6-byte jump that must be followed by 8 bytes of data? Not necessarily.
With this approach, the data does not have to follow rip directly; we can modify the jump offset.
What does that mean? Right now we write jmp qword ptr ds:[rip], which takes the 8 bytes just below the current rip as the jump address; so we can instead write jmp qword ptr ds:[rip + X],
where X is any offset, and the 8 bytes at that offset are taken as the jump address.

The offset is still calculated the same way: destination address - source address - instruction length.

For example, as in the screenshot, we compute the offset from the first jump instruction, and the 8 bytes of data underlined in red in the figure are used as the jump address.

It can be written as follows:

Destination address (the red box address, 0x7FFF12A51228) - source address (0x7FFF12A511DD) - instruction length (6)

Why is the instruction length 6? Because our first instruction is jmp qword ptr ds:[rip]; we just have not written the offset yet, and we will write the offset into that first row in a moment ...

The calculated offset is 0x45, so we can fill 45 in as the offset.

Then at 0x7FFF12A51228, the red box address, we write our eight bytes of address data.

As can be seen in the figure, the first red line reads FF 25 45 00 00 00; the 45 is the offset we computed.
It means: read the 8 bytes at rip + 45 as the jump address. Then at the address ending in 228 we write eight bytes of data, an address ending in 1EC; as the figure shows, the RIP we jump to is that address.

Note that because rip-relative addressing only reaches 2GB above and below, your offset must not exceed 2GB.

Part 2: Two ways of Call

1. CALL in PUSH + RET mode

This way is similar in principle to the push + ret above.

call Next
Next:
push lowAddress
mov [rsp + 4],highAddress
ret

This way first uses call to push the address of the next instruction onto the stack, then continues with a push + ret jump.

2. Normal call

This kind of call has not been tried. The principle is the same as above: hardcode E8 plus an offset to make the call.


call YourAddress

Hardcoded as: E8 XX XX XX XX, where XX represents the offset. The offset formula is still destination - source - 5 (instruction length).

But it is limited to 2GB above and below.
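As an added example (not code from the original post), the following Python decoder recognizes the far-jump stubs from Part 1 and the E8 call from Part 2 at a function entry and resolves their target, using the post's offset formula; the sample bytes are constructed to reproduce the post's figures (jmp at 0x7FFF12A511DD, 8-byte slot at 0x7FFF12A51228, offset 0x45). Running it over exported function prologues is a simple way to spot inline hooks; the push reg / pop reg variant (method 3) is not decoded because, as the post notes, its encoding depends on the register.

```python
import struct

def rip_rel_offset(dest, src, insn_len):
    """Offset formula from the post: destination - source - instruction length.
    Returns rel32 as an unsigned 32-bit value; raises if beyond +/-2GB."""
    off = dest - src - insn_len
    if not -2**31 <= off < 2**31:
        raise ValueError("target not reachable with rip-relative addressing")
    return off & 0xFFFFFFFF

def decode_hook(image, base):
    """Classify the stub at the start of `image` (bytes mapped at `base`).
    Returns (kind, target) or None. For jmp [rip+X] the 8-byte slot must lie in `image`."""
    # 1. push low / mov [rsp+4],high / ret: the post's 15-byte REX.W form,
    #    plus the 14-byte dword form (C7 44 24 04) that is also common in practice.
    if image[:1] == b"\x68":
        if image[5:10] == b"\x48\xc7\x44\x24\x04" and image[14:15] == b"\xc3":
            hi_at = 10
        elif image[5:9] == b"\xc7\x44\x24\x04" and image[13:14] == b"\xc3":
            hi_at = 9
        else:
            return None
        lo = struct.unpack_from("<I", image, 1)[0]
        hi = struct.unpack_from("<I", image, hi_at)[0]
        return "push+ret", (hi << 32) | lo
    # 2. mov rax, imm64 / jmp rax (12 bytes)
    if image[:2] == b"\x48\xb8" and image[10:12] == b"\xff\xe0":
        return "mov rax+jmp rax", struct.unpack_from("<Q", image, 2)[0]
    # 4. jmp qword ptr [rip+X]: slot sits at rip after the 6-byte instruction, plus X
    if image[:2] == b"\xff\x25":
        slot = 6 + struct.unpack_from("<i", image, 2)[0]
        if slot < 0 or slot + 8 > len(image):
            raise ValueError("jump slot lies outside the captured image")
        return "jmp [rip+X]", struct.unpack_from("<Q", image, slot)[0]
    # call rel32: return address is the next instruction, target = rip + rel32
    if image[:1] == b"\xe8":
        return "call rel32", base + 5 + struct.unpack_from("<i", image, 1)[0]
    return None

# Constructed sample reproducing the post's worked example (target address is assumed).
SRC = 0x7FFF12A511DD      # address of the jmp qword ptr [rip+X]
SLOT = 0x7FFF12A51228     # red box: where the 8-byte jump address is written
TARGET = 0x7FFF12A511EC   # the address ending in 1EC that the post jumps to
X = rip_rel_offset(SLOT, SRC, 6)   # 0x45, as computed in the post
SAMPLE = (b"\xff\x25" + struct.pack("<I", X)
          + b"\xcc" * (SLOT - SRC - 6) + struct.pack("<Q", TARGET))

if __name__ == "__main__":
    print(hex(X), decode_hook(SAMPLE, SRC))
```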

Others still to be organized.


Source: www.cnblogs.com/iBinary/p/11334793.html