I got a simple code and it gives me a compiler error for no reason
inline assembler syntax error in 'opcode'; found 'constant'
DWORD connectFunctionAddressReturn = 0x775368F7;
int __cdecl ws2_32_connect_hook_output(SOCKET s, const struct sockaddr *name, int namelen) {
struct sockaddr_in *in = (struct sockaddr_in *)connect_name;
printf("Attempting connect %d.%d.%d.%d : %d\n", in->sin_addr.S_un.S_un_b.s_b1, in->sin_addr.S_un.S_un_b.s_b2, in->sin_addr.S_un.S_un_b.s_b3, in->sin_addr.S_un.S_un_b.s_b4, htons(in->sin_port));
}
void __declspec(naked) ws2_32_connect_hook(void) { //ws2_32.connect = 775368F5
__asm {
PUSHAD //To be in safe environment
PUSHFD //To be safe environment
PUSH 0x10
PUSH DWORD PTR SS:[EBP+0x8]
PUSH DWORD PTR DS:[ESI+0x14]
CALL DWORD PTR ws2_32_connect_hook_output //<-- ERROR HERE
ADD ESP, 0xC //clean __cdecl,4,8,C
POPFD //Finish being in safe environment
POPAD //Finish being in safe environment
JMP connectFunctionAddressReturn // <-- ERROR HERE
}
}
solved it, I had CALL AND JMP defined so it errored in ASM code.
#define CALL 0xE8
#define JMP 0xE9
Related
I have the following code:
#include <windows.h>
#include <minidumpapiset.h>
#include <strsafe.h>
#include <fileapi.h>
#include <iostream>
#include <signal.h>
#include <minwinbase.h>
#include <new.h>
#include "StackWalker.h"
int minidumpId = 0;
#ifndef _AddressOfReturnAddress
// Taken from: http://msdn.microsoft.com/en-us/library/s975zw7k(VS.71).aspx
#ifdef __cplusplus
#define EXTERNC extern "C"
#else
#define EXTERNC
#endif
// _ReturnAddress and _AddressOfReturnAddress should be prototyped before use
EXTERNC void* _AddressOfReturnAddress(void);
EXTERNC void* _ReturnAddress(void);
EXTERNC int __cdecl _purecall();
#endif
EXCEPTION_POINTERS ExceptionPointers;
EXCEPTION_RECORD ExceptionRecord;
CONTEXT ContextRecord;
void GetExceptionPointers(DWORD exceptionCode, EXCEPTION_POINTERS** exceptionPointers)
{
// The following code was taken from VC++ 8.0 CRT (invarg.c: line 104)
ZeroMemory(&ExceptionPointers, sizeof(EXCEPTION_POINTERS));
ZeroMemory(&ExceptionRecord, sizeof(EXCEPTION_RECORD));
ZeroMemory(&ContextRecord, sizeof(CONTEXT));
// Looks like a workaround for some bug in RtlCaptureContext. But no description.
#ifdef _X86_
__asm {
mov dword ptr[ContextRecord.Eax], eax
mov dword ptr[ContextRecord.Ecx], ecx
mov dword ptr[ContextRecord.Edx], edx
mov dword ptr[ContextRecord.Ebx], ebx
mov dword ptr[ContextRecord.Esi], esi
mov dword ptr[ContextRecord.Edi], edi
mov word ptr[ContextRecord.SegSs], ss
mov word ptr[ContextRecord.SegCs], cs
mov word ptr[ContextRecord.SegDs], ds
mov word ptr[ContextRecord.SegEs], es
mov word ptr[ContextRecord.SegFs], fs
mov word ptr[ContextRecord.SegGs], gs
pushfd
pop[ContextRecord.EFlags]
}
ContextRecord.ContextFlags = CONTEXT_CONTROL;
#pragma warning(push)
#pragma warning(disable : 4311)
ContextRecord.Eip = (ULONG)_ReturnAddress();
ContextRecord.Esp = (ULONG)_AddressOfReturnAddress();
#pragma warning(pop)
ContextRecord.Ebp = *(static_cast<ULONG*>(_AddressOfReturnAddress()) - 1);
#elif defined(_IA64_) || defined(_AMD64_) || defined(_ARM_) || defined(_ARM64_)
CaptureContext(&ContextRecord);
#else /* defined (_IA64_) || defined (_AMD64_) || defined(_ARM_) || defined(_ARM64_) */
ZeroMemory(&ContextRecord, sizeof(ContextRecord));
#endif /* defined (_IA64_) || defined (_AMD64_) || defined(_ARM_) || defined(_ARM64_) */
ExceptionRecord.ExceptionCode = exceptionCode;
ExceptionRecord.ExceptionAddress = _ReturnAddress();
ExceptionRecord.ExceptionFlags = EXCEPTION_NONCONTINUABLE;
*exceptionPointers = &ExceptionPointers;
(*exceptionPointers)->ExceptionRecord = &ExceptionRecord;
(*exceptionPointers)->ContextRecord = &ContextRecord;
}
class DbgLibrary final
{
public:
DbgLibrary()
{
dbgLibrary = LoadLibraryW(L"dbghelp.dll");
}
~DbgLibrary()
{
FreeLibrary(dbgLibrary);
}
explicit operator bool() const
{
return dbgLibrary != NULL;
}
bool WriteMinidump(HANDLE file, EXCEPTION_POINTERS* exceptionPointers) const
{
MINIDUMP_EXCEPTION_INFORMATION exceptionInformation;
exceptionInformation.ThreadId = GetCurrentThreadId();
exceptionInformation.ExceptionPointers = exceptionPointers;
exceptionInformation.ClientPointers = FALSE;
MINIDUMP_CALLBACK_INFORMATION callbackInformation;
callbackInformation.CallbackRoutine = NULL;
callbackInformation.CallbackParam = NULL;
typedef BOOL(WINAPI* LPMINIDUMPWRITEDUMP)(HANDLE processHandle, DWORD ProcessId, HANDLE fileHandle,
MINIDUMP_TYPE DumpType, CONST PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
CONST PMINIDUMP_USER_STREAM_INFORMATION UserEncoderParam,
CONST PMINIDUMP_CALLBACK_INFORMATION CallbackParam);
LPMINIDUMPWRITEDUMP pfnMiniDumpWriteDump =
(LPMINIDUMPWRITEDUMP)GetProcAddress(dbgLibrary, "MiniDumpWriteDump");
if (NULL == pfnMiniDumpWriteDump)
{
return false;
}
BOOL isWriteSucceed = pfnMiniDumpWriteDump(GetCurrentProcess(), GetCurrentProcessId(), file, MiniDumpNormal,
&exceptionInformation, NULL, &callbackInformation);
return isWriteSucceed;
}
private:
HMODULE dbgLibrary;
};
inline HANDLE CreateNativeFile(const wchar_t* filePath)
{
HANDLE file = NULL;
file = CreateFileW(filePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
return file;
}
void CreateMiniDump(PEXCEPTION_POINTERS exceptionPointers)
{
const DbgLibrary dbgLibrary;
if (dbgLibrary)
{
wchar_t FILE_PATH[4096];
// Write `exceptionPointers` to the minidump file
StringCbPrintfW(FILE_PATH, sizeof(FILE_PATH), L"%ls\\%ls_%ld.dmp", ".",
L"minidump", minidumpId++);
HANDLE hMinidump = CreateNativeFile(FILE_PATH);
if (hMinidump != INVALID_HANDLE_VALUE)
{
dbgLibrary.WriteMinidump(hMinidump, exceptionPointers);
CloseHandle(hMinidump);
}
}
}
LONG WINAPI SehHandler(PEXCEPTION_POINTERS exceptionPointers)
{
std::cerr << "SehHandler\n";
CreateMiniDump(exceptionPointers);
return EXCEPTION_EXECUTE_HANDLER;
}
void SigsegvHandler(int)
{
std::cerr << "SigsegvHandler\n";
PEXCEPTION_POINTERS exceptionPointers = static_cast<PEXCEPTION_POINTERS>(_pxcptinfoptrs);
// Write minidump file
CreateMiniDump(exceptionPointers);
}
int __cdecl NewHandler(size_t size)
{
std::cerr << "NewHandler\n";
// 'new' operator memory allocation exception
PEXCEPTION_POINTERS exceptionPointers;
GetExceptionPointers(STATUS_NO_MEMORY, &exceptionPointers);
CreateMiniDump(exceptionPointers);
return 0;
}
struct A5 {
void F()
{
while (true)
{
int* a = new int[50000000];
}
}
};
struct A4 {
A5 a;
void F()
{
a.F();
}
};
struct A3 {
A4 a;
void F()
{
a.F();
}
};
struct A2 {
A3 a;
void F()
{
a.F();
}
};
struct A1 {
A2 a;
void F()
{
a.F();
}
};
int main()
{
SetUnhandledExceptionFilter(SehHandler);
signal(SIGSEGV, SigsegvHandler);
_set_new_handler(NewHandler);
A1().F();
return 0;
}
Here two handlers would be invoked: NewHandler and SehHandler. The first one because of bad_alloc in operator new[], the second one because of unhandled exception. In both handlers I create minidump with information about crash.
NewHandler:
Thread 0 (crashed)
0 StackWalker_VC2017.exe!_callnewh [new_handler.cpp : 79 + 0x2]
eip = 0x0040a636 esp = 0x0019fefc ebp = 0x0019ff08 ebx = 0x00311000
esi = 0x00401d10 edi = 0x00655368 eax = 0x0042eed0 ecx = 0x00000000
edx = 0x00655368 efl = 0x00000202
Found by: given as instruction pointer in context
1 StackWalker_VC2017.exe!operator new(unsigned int) [new_scalar.cpp : 40 + 0x8]
eip = 0x00404a05 esp = 0x0019ff10 ebp = 0x0019ff14
Found by: call frame info
2 StackWalker_VC2017.exe!A5::F() [main.cpp : 197 + 0xa]
eip = 0x00401d0a esp = 0x0019ff1c ebp = 0x0019ff28
Found by: call frame info
3 StackWalker_VC2017.exe!main [main.cpp : 239 + 0x8]
eip = 0x00402500 esp = 0x0019ff24 ebp = 0x0019ff28
Found by: call frame info
4 StackWalker_VC2017.exe!static int __scrt_common_main_seh() [exe_common.inl : 288 + 0x1c]
eip = 0x00404c5d esp = 0x0019ff30 ebp = 0x0019ff70
Found by: call frame info
5 kernel32.dll + 0x1fa29
eip = 0x7712fa29 esp = 0x0019ff78 ebp = 0x0019ff80
Found by: call frame info
6 ntdll.dll + 0x67a9e
eip = 0x77c97a9e esp = 0x0019ff88 ebp = 0x0019ffdc
Found by: previous frame's frame pointer
7 ntdll.dll + 0x67a6e
eip = 0x77c97a6e esp = 0x0019ffe4 ebp = 0x0019ffec
Found by: previous frame's frame pointer
SehHandler:
Thread 0 (crashed)
0 KERNELBASE.dll + 0x12b812
eip = 0x76ddb812 esp = 0x0019fe68 ebp = 0x0019fec4 ebx = 0x19930520
esi = 0x00645a90 edi = 0x0042c754 eax = 0x0019fe68 ecx = 0x00000003
edx = 0x00000000 efl = 0x00000212
Found by: given as instruction pointer in context
1 StackWalker_VC2017.exe!_CxxThrowException [throw.cpp : 74 + 0x19]
eip = 0x00405a98 esp = 0x0019fecc ebp = 0x0019fef4
Found by: previous frame's frame pointer
2 StackWalker_VC2017.exe!__scrt_throw_std_bad_alloc() [throw_bad_alloc.cpp : 35 + 0x16]
eip = 0x0040509c esp = 0x0019fefc ebp = 0x0019ff10
Found by: call frame info
3 StackWalker_VC2017.exe!main [main.cpp : 239 + 0x8]
eip = 0x00402500 esp = 0x0019ff24 ebp = 0x0019ff14
Found by: call frame info with scanning
Extracted stacks using breakpad minidump_stackwalk:
The question is why SehHandler stacktrace does not have all function calls?
The main problem is that in project I use crash handlers for logging information in dumps. But creating minidump on each NewHandler call is not inappropriate solution, because sometimes bad_alloc could be fixed and exception thrown in try/catch block, that means that it is expected behaviour. So I want to handle bad_alloc in unhandled exception handler, so that it would definitely be crash. Also problem occurs only in release builds.
As mentioned in https://developercommunity.visualstudio.com/t/stdbad-alloc-failures-are-undebuggable/542559?viewtype=solutions it is bug in msvc. Unfortunately there is no good solution for release builds.
I'm trying to use MS detours, and I don't know if I am doing something wrong; I cannot seem to find an answer to my issue.
I have tried detouring several functions in a process using my injected DLL, but each attempt causes the process to crash.
One of the functions I try to hook is winapi DirectDrawCreate:
DetourTransactionBegin();
DetourUpdateThread( GetCurrentThread() );
DetourAttach( (PVOID *)DirectDrawCreate, hkDirectDrawCreate );
DetourTransactionCommit();
hkDirectDrawCreate is defined as:
HRESULT __stdcall hkDirectDrawCreate( GUID *p1, LPDIRECTDRAW *p2, IUnknown *p3 )
{
if( !pDDC )
return 0x00;
printf( "A call to hkDirectDrawCreate was made\n" );
return DirectDrawCreate( p1, p2, p3 );
}
On the call to DetourAttach the process crashes; the stack trace is:
myProj.dll!detour_skip_jmp(unsigned char * pbCode, void * * ppGlobals) Line 135 C++
myProj.dll!DetourCodeFromPointer(void * pPointer, void * * ppGlobals) Line 984 C++
myProj.dll!DetourAttachEx(void * * ppPointer, void * pDetour, _DETOUR_TRAMPOLINE * * ppRealTrampoline, void * * ppRealTarget, void * * ppRealDetour) Line 1456 C++
myProj.dll!DetourAttach(void * * ppPointer, void * pDetour) Line 1395 C++
The code breaks in 'detour_skip_jmp' at '0x68B028BD':
// First, skip over the import vector if there is one.
if (pbCode[0] == 0xff && pbCode[1] == 0x25) { // jmp [imm32]
68B028B2 mov ecx,1
68B028B7 imul edx,ecx,0
68B028BA mov eax,dword ptr [pbCode]
68B028BD movzx ecx,byte ptr [eax+edx]
68B028C1 cmp ecx,0FFh
68B028C7 jne detour_skip_jmp+82h (68B02912h)
68B028C9 mov edx,1
68B028CE shl edx,0
68B028D1 mov eax,dword ptr [pbCode]
68B028D4 movzx ecx,byte ptr [eax+edx]
68B028D8 cmp ecx,25h
68B028DB jne detour_skip_jmp+82h (68B02912h)
Edit: ppGlobals is NULL, and pbCode gives the error 'Error reading characters of string'
Going back to DetourCodeFromPointer ppGlobals is also NULL there, but I guess it is supposed to be; here is the call:
pDetour = DetourCodeFromPointer(pDetour, NULL);
No doubt the import table has been moved or scrubbed as an anti-hooking technique. Just add a jump at the start of DirectDrawCreate to your hkDirectDrawCreate, then when calling the original jump back to DirectDrawCreate, but be sure it is after your jump to your hook otherwise you're stuck in an endless recursive loop.
I found this call sub_10636F0 in 5 different places trying to figure out how to call it from C++ DLL which is injected into the target application so It has full access to all the calls in that application.
I had a chart of all the places where it's called most of these call's are cut right after another call above it, to ensure it's completeness.
I read tons of questions on stackoverflow about this subject found a few good answers from Necrolis, saying if its a EDX then you could use __fastcall.
I googled to find out about ECX and it seems to also be used to __fastcall so either ECX or EDX mean __fastcall.
But the function it calls uses the wrapper
sub esp, 5F4h
add esp, 5F4h
retn 8
I have no idea what this is about again doing tons of research I think SUB ESP, XXX at beginning and ADD ESP, XXX at end are used only for _cdecl conversions
My current code looks like this
typedef void(__fastcall *TThreeParamter)(int, int, int);
typedef void(__fastcall *TTwoParamter)(int, int);
typedef void(__fastcall *TOneParamter)(int);
typedef void(__fastcall *TZeroParamter)();
TTwoParamter sub_10636F0 = (TTwoParamter)(DWORD)GetModuleHandle(NULL) + 0xC636EF;
//the call
sub_10636F0(0x11223344, 0x55667788);
Don't ask me why the 0xC636EF is different from 10636F0 in the sub, I can tell you it's going into the correct sub upon inspection in a debugger, the sub's keep moving around everytime the program is re-launched it seems to be either a protection method, or possibly because this program loads over 50 dll's and the addresses need to move around.
I tried all different configurations, 2 int's, 3 int's nothing works..
IDA detects this method as being 3 parameters, but the last parameter isn't used anywhere in the decompiled pesudo-code, which I cannot figure out,
Pseudo-code looks like this ( I did heavy modifications to it, like change it to _fastcall from __thiscall )
Pseudo-code from IDA
//probably wrong.. packet is a variable not a parameter which will crash
void __fastcall sub_10636F0(int var1)
{
__int128 v1; // xmm0#0
int v2; // esi#1
int v3; // ebx#1
SOCKET v4; // ebp#1
int v5; // eax#2
int v6; // ecx#3
int v7; // [sp+8h] [bp-5FCh]#7
char a2a[1492]; // [sp+10h] [bp-5F4h]#2
int v9; // [sp+5E4h] [bp-20h]#2
int v10; // [sp+5E8h] [bp-1Ch]#2
struct _FILETIME SystemTimeAsFileTime; // [sp+5F0h] [bp-14h]#2
__int16 v12; // [sp+5F8h] [bp-Ch]#2
int packet; // [sp+608h] [bp+4h]#0
int to; // [sp+60Ch] [bp+8h]#0
v2 = to;
v3 = var1;
v4 = *(_DWORD *)(packet + 220);
if ( v4 != -1 )
{
//snipped lots of code
}
}
//probably wrong.. packet is a variable not a paramter which will crash
void __fastcall sub_10636F0(int var1, int var2)
{
__int128 v2; // xmm0#0
int v3; // esi#1
int v4; // ebx#1
SOCKET v5; // ebp#1
int v6; // eax#2
int v7; // ecx#3
int v8; // [sp+8h] [bp-5FCh]#7
char a2a[1492]; // [sp+10h] [bp-5F4h]#2
int v10; // [sp+5E4h] [bp-20h]#2
int v11; // [sp+5E8h] [bp-1Ch]#2
struct _FILETIME SystemTimeAsFileTime; // [sp+5F0h] [bp-14h]#2
__int16 v13; // [sp+5F8h] [bp-Ch]#2
int packet; // [sp+608h] [bp+4h]#0
int to; // [sp+60Ch] [bp+8h]#0
v3 = to;
v4 = var1;
v5 = *(_DWORD *)(packet + 220);
if ( v5 != -1 )
{
//snipped lots of code
}
}
//this looks the best, but still `to` isn't detected as paramter
void __fastcall sub_10636F0(int var1, int var2, int var3)
{
__int128 v3; // xmm0#0
int v4; // esi#1
int v5; // ebx#1
SOCKET v6; // ebp#1
int v7; // eax#2
int v8; // ecx#3
int v9; // [sp+8h] [bp-5FCh]#7
char a2a[1492]; // [sp+10h] [bp-5F4h]#2
int v11; // [sp+5E4h] [bp-20h]#2
int v12; // [sp+5E8h] [bp-1Ch]#2
struct _FILETIME SystemTimeAsFileTime; // [sp+5F0h] [bp-14h]#2
__int16 v14; // [sp+5F8h] [bp-Ch]#2
int to; // [sp+60Ch] [bp+8h]#0
v4 = to; //still doesn't detect this..
v5 = var1; //okay this isn't bad another parameter
v6 = *(_DWORD *)(var3 + 220); //like this detects this as parameter class atleast
if ( v6 != -1 )
{
//snipped lots of code
}
}
This is the code IDA recommends by default
char __userpurge sub_10636F0#<al>(int a1#<ecx>, __int128 a2#<xmm0>, int a3, int a4)
{
int v4; // esi#1
int v5; // ebx#1
SOCKET v6; // ebp#1
int v7; // eax#2
int v8; // ecx#3
int v9; // eax#8
char v11; // [sp+8h] [bp-5FCh]#7
int v12; // [sp+10h] [bp-5F4h]#4
int v13; // [sp+24h] [bp-5E0h]#2
int v14; // [sp+28h] [bp-5DCh]#2
int v15; // [sp+2Ch] [bp-5D8h]#2
int v16; // [sp+30h] [bp-5D4h]#2
char v17; // [sp+34h] [bp-5D0h]#2
signed int v18; // [sp+5E4h] [bp-20h]#2
int v19; // [sp+5E8h] [bp-1Ch]#2
int v20; // [sp+5F0h] [bp-14h]#2
__int16 v21; // [sp+5F8h] [bp-Ch]#2
v4 = a4;
v5 = a1;
v6 = *(_DWORD *)(a3 + 220);
if ( v6 == -1 )
return 0;
//Snipped code
if ( v9 >= 0 && v9 == *(_DWORD *)(v4 + 1492) )
return 1;
return 0;
}
Function in ASM
.text:010636F0 ; void __fastcall sub_10636F0(int var1, int var2, int var3)
.text:010636F0 sub_10636F0 proc near ; CODE XREF: sub_1062960+E0p
.text:010636F0 ; sub_10637E0+D4p ...
.text:010636F0
.text:010636F0 a2 = byte ptr -5F4h
.text:010636F0 var_20 = dword ptr -20h
.text:010636F0 var_1C = dword ptr -1Ch
.text:010636F0 SystemTimeAsFileTime= _FILETIME ptr -14h
.text:010636F0 var_C = word ptr -0Ch
.text:010636F0 var_4 = dword ptr -4
.text:010636F0 packet = dword ptr 4
.text:010636F0 to = dword ptr 8
.text:010636F0 test = dword ptr 0Ch
.text:010636F0
.text:010636F0 sub esp, 5F4h
.text:010636F6 mov eax, ___security_cookie
.text:010636FB xor eax, esp
.text:010636FD mov [esp+5F4h+var_4], eax
.text:01063704 push ebx
.text:01063705 push ebp ; a5
.text:01063706 push esi ; a4
.text:01063707 mov esi, [esp+600h+to]
.text:0106370E push edi ; a3
.text:0106370F mov edi, [esp+604h+packet]
.text:01063716 mov ebx, ecx
.text:01063718 mov ebp, [edi+0DCh]
.text:0106371E cmp ebp, 0FFFFFFFFh
.text:01063721 jz loc_10637BB
SNIP TONS OF CODE HERE
.text:010637BB
.text:010637BB loc_10637BB: ; CODE XREF: sub_10636F0+31j
.text:010637BB ; sub_10636F0+BDj ...
.text:010637BB xor al, al
.text:010637BD
.text:010637BD loc_10637BD: ; CODE XREF: sub_10636F0+C9j
.text:010637BD mov ecx, [esp+604h+var_4]
.text:010637C4 pop edi
.text:010637C5 pop esi
.text:010637C6 pop ebp
.text:010637C7 pop ebx
.text:010637C8 xor ecx, esp
.text:010637CA call #__security_check_cookie#4 ; __security_check_cookie(x)
.text:010637CF add esp, 5F4h
.text:010637D5 retn 8
.text:010637D5 sub_10636F0 endp ; sp-analysis failed
Calls to this function in ASM
.text:010638B0 push esi ; packet
.text:010638B1 push ebx ; this
.text:010638B2 mov ecx, ebp ; this
.text:010638B4 call sub_10636F0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:01062A2E mov byte ptr [esi+5E9h], 1
.text:01062A35
.text:01062A35 loc_1062A35: ; CODE XREF: sub_1062960+C1j
.text:01062A35 add dword ptr [esi+5D4h], 2
.text:01062A3C push esi ; packet
.text:01062A3D push edi ; this
.text:01062A3E mov ecx, ebx ; this
.text:01062A40 call sub_10636F0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:01063AF4 mov eax, [ebx+1128h]
.text:01063AFA mov [esp+1A4h+var_AC], eax
.text:01063B01 push esi ; packet
.text:01063B02 lea eax, [esp+1A8h+to]
.text:01063B06 push eax ; this
.text:01063B07 mov ecx, ebx ; this
.text:01063B09 mov [esp+1ACh+var_4], 1
.text:01063B14 call sub_10636F0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:01089145 loc_1089145: ; CODE XREF: sub_10890B0+4Fj
.text:01089145 ; sub_10890B0+67j
.text:01089145 mov ecx, [edi+110h] ; this
.text:0108914B push esi ; packet
.text:0108914C push edi ; this
.text:0108914D call sub_10636F0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:01089CBA mov ecx, [esi+110h] ; this
.text:01089CC0 push edi ; packet
.text:01089CC1 push esi ; this
.text:01089CC2 call sub_10636F0
I have no idea what this is about again doing tons of research I think
SUB ESP, XXX at beginning and ADD ESP, XXX at end are used only for
_cdecl conversions
No, it's used for ALL functions that use local variables (with minor variations as to exactly how it's done, but stack space needs to be allocated by subtracting from ESP, and "freed" by adding the same amount to the stack pointer.
However, the RET 8 does indeed indicate that the calling convention is NOT _cdecl, but one where the stack is cleaned up by the callee. There are a few different calling conventions that match this, but I have a feeling it's C++ code and a member function, which would make it thiscall - that does make it a little hard to simulate, since you want this in ECX.
The ret 8 says that the function has 8 bytes worth of arguments, so two int or void * variables.
I'm far from convinced there is a simple way to do this. You may be able to do something like this. Create a class X with a virtual function that takes two arguments:
class X
{
virtual void Func(int x, int y) { }
};
Then figure out where the compiler put the vtable, and modify the vtable for func to point at your target function, rather than the empty implementation of the class.
Now you can use X to create an instance:
X* p = new X;
and then call func.
p->func(1, 2);
However, if you are unlucky, the compiler doesn't realize that you have messed with the vtable, and end up calling the function directly. So you may need to do some trickery with separate compilation and other stuff.
In other words, you have your work cut out. But then reverse engineering wouldn't be any fun at all if you didn't have to trick around a bit.
Of course, the cheaters method is to just write a few lines of inline assembler, like such:
void CallMyFunc(void *func, int a, int b, int c)
{
__asm(mov ecx, a
push b
push c
call *func);
}
[It's about 10 years since I last wrote Windows inline assembly code, so apologies if the syntax isn't quite right - consider it a "rough sketch" and do modify it until it actually compiles...]
I am trying to rebuild the import table of a windows pe now i have successfully enumerated through all the modules but as soon as i use loadlibrary api the application crashes could anyone point me where i am wrong??
DWORD OEP, IAT, ImageBase, LoadLib;
char *module;
// Fetch Placeholders
__asm {
mov[OEP], 0xCCCCCCCC // Orignal Entry Point
mov[IAT], 0xCCCCCCCC // Import Table Address
mov[ImageBase], 0xCCCCCCCC // Image Base
mov[LoadLib], 0xCCCCCCCC // kernel32.LoadLibraryA
}
// Fix IAT
__asm {
_it_fixup:
mov ebx, [IAT]
mov esi, [ImageBase]
add ebx, esi // image_import_descriptor
_it_loadlibrary_loop :
mov eax, [ebx + 0x0C] // eax = image_import_descriptor.Name
test eax, eax
jz _it_fixup_end
add eax, esi // ecx = module = image_import_descriptor.Name + dwImageBase
push eax
call [LoadLib] // Here when i check with ollydbg eax has advapi32.dll and says error_insufficient_buffer
inc ebx // image_import_descriptor++
test eax, eax
jnz _it_loadlibrary_loop
_it_fixup_end :
}
// Jump back
__asm {
jmp[OEP]
}
but when i use
push eax
mov ecx, [LoadLib]
call ecx
instead of
push eax
call[LoadLib]
the debugger says ecx hold dvapi32.dll i am kinda confused please tell me what is wrong here
and yes this 0xCCCCCCCC is first replace with proper information like kernel32.LoadLibraryA and all
-------------------- EDIT -------------------
updated the codes into c/c++
DWORD OEP, IAT, ImageBase, GetProc;
DWORD dwThunk, dwHintName;
typedef HMODULE(WINAPI *_LoadLibrary)(LPCSTR lpFileName);
_LoadLibrary __LoadLibrary;
// Fetch Placeholders
__asm {
mov[OEP], 0xCCCCCCCC
mov[IAT], 0xCCCCCCCC
mov[ImageBase], 0xCCCCCCCC
mov[__LoadLibrary], 0xCCCCCCCC
mov[GetProc], 0xCCCCCCCC
}
// Fix IAT
PIMAGE_DOS_HEADER pDos;
PIMAGE_IMPORT_DESCRIPTOR pDesc;
pDos = (PIMAGE_DOS_HEADER)ImageBase;
pDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ImageBase + IAT);
char *module;
while (pDesc->Name) {
module = (char *)((DWORD)ImageBase + pDesc->Name);
__LoadLibrary(module);
pDesc++;
}
// Jump back
__asm {
jmp[OEP]
}
I'm trying to call a function in my dll.
the DLL is injected into ANOTHER PROCESS so i need to be able to call the exported function after it's been injected into a target process.
my exported function looks like this:
#define EXTERN_DLL_EXPORT extern "C" __declspec(dllexport)
EXTERN_DLL_EXPORT void InjectPacketToServer(unsigned char *packet, int length)
{
int value;
int senderoffset = 0x0075F8D8;
__asm
{
mov eax, senderoffset
mov value, eax
}
memcpy((void*)SEND_CODE_CAVE, (void*)packet, length);
int SenderID = *(int*)value;
int PacketLength = length;
int Send = 0x00577A90;
__asm
{
mov edx, PacketLength
push edx
mov eax, SEND_CODE_CAVE
push eax
mov ecx, [SenderID]
call Send
}
}
I am trying to call it like this:
#include <Windows.h>
typedef int (*InjectPacketToServer)(unsigned char *packet, int length);
InjectPacketToServer Inject;
BYTE packet[3] = { 0x13, 0x01, 0x01};
int length = 3;
int main()
{
HRESULT ret;
HMODULE pModule;
pModule = LoadLibrary("baram.dll");
ret = GetLastError();
Inject = (InjectPacketToServer)GetProcAddress(pModule, "InjectPacketToServer");
ret = GetLastError();
Inject(packet, length);
return ret;
}
I'm getting errors:
ret 0x000003e6 : Invalid access to memory location. HRESULT
on this line:
pModule = LoadLibrary("baram.dll");
can somebody Please tell me what I'm doing wrong here?
help appreciated!
Did you google?
MS support says the cause is:
The Windows NT status code STATUS_ACCESS_VIOLATION is mapped to the Win32 error code ERROR_NOACCESS. As a result, if the operating system loader encounters an access violation (exception C0000005) while mapping the specified DLL file image or executing the startup code, the loader will set the last error to 998 (ERROR_NOACCESS) and the LoadLibrary() function will fail with a return value of NULL.
and you should
To troubleshoot the LoadLibrary() failure, run the application under a debugger and enable first chance exception handling for the C0000005 Access Violation exception. If an access violation occurs when the LoadLibrary() function is called, the application will break into the debugger. The debugger's call stack can then be used to trace where the exception occurred. The stack trace should help you narrow down the actual problem related to the exception being encountered.