I'm trying to use MS detours, and I don't know if I am doing something wrong; I cannot seem to find an answer to my issue.
I have tried detouring several functions in a process using my injected DLL, but each attempt causes the process to crash.
One of the functions I try to hook is winapi DirectDrawCreate:
DetourTransactionBegin();
DetourUpdateThread( GetCurrentThread() );
DetourAttach( (PVOID *)DirectDrawCreate, hkDirectDrawCreate );
DetourTransactionCommit();
hkDirectDrawCreate is defined as:
HRESULT __stdcall hkDirectDrawCreate( GUID *p1, LPDIRECTDRAW *p2, IUnknown *p3 )
{
if( !pDDC )
return 0x00;
printf( "A call to hkDirectDrawCreate was made\n" );
return DirectDrawCreate( p1, p2, p3 );
}
On the call to DetourAttach the process crashes; the stack trace is:
myProj.dll!detour_skip_jmp(unsigned char * pbCode, void * * ppGlobals) Line 135 C++
myProj.dll!DetourCodeFromPointer(void * pPointer, void * * ppGlobals) Line 984 C++
myProj.dll!DetourAttachEx(void * * ppPointer, void * pDetour, _DETOUR_TRAMPOLINE * * ppRealTrampoline, void * * ppRealTarget, void * * ppRealDetour) Line 1456 C++
myProj.dll!DetourAttach(void * * ppPointer, void * pDetour) Line 1395 C++
The code breaks in 'detour_skip_jmp' at '0x68B028BD':
// First, skip over the import vector if there is one.
if (pbCode[0] == 0xff && pbCode[1] == 0x25) { // jmp [imm32]
68B028B2 mov ecx,1
68B028B7 imul edx,ecx,0
68B028BA mov eax,dword ptr [pbCode]
68B028BD movzx ecx,byte ptr [eax+edx]
68B028C1 cmp ecx,0FFh
68B028C7 jne detour_skip_jmp+82h (68B02912h)
68B028C9 mov edx,1
68B028CE shl edx,0
68B028D1 mov eax,dword ptr [pbCode]
68B028D4 movzx ecx,byte ptr [eax+edx]
68B028D8 cmp ecx,25h
68B028DB jne detour_skip_jmp+82h (68B02912h)
Edit: ppGlobals is NULL, and pbCode gives the error 'Error reading characters of string'
Going back to DetourCodeFromPointer ppGlobals is also NULL there, but I guess it is supposed to be; here is the call:
pDetour = DetourCodeFromPointer(pDetour, NULL);
No doubt the import table has been moved or scrubbed as an anti-hooking technique. Just add a jump at the start of DirectDrawCreate to your hkDirectDrawCreate, then when calling the original jump back to DirectDrawCreate, but be sure it is after your jump to your hook otherwise you're stuck in an endless recursive loop.
Related
I have a simple class with one private member that is accessible via get() and set() in a multithreaded environment (multi readers/multi writers). how do I lock a Get() as it only has a return statement?
class MyValue
{
private:
System::CriticalSection lock;
int val { 0 };
public:
int SetValue(int arg)
{
lock.Enter();
val = arg;
lock.Leave();
}
int GetValue()
{
lock.Enter();
return val;
//Where should I do lock.Leave()?
}
}
Don't lock anything. In your example, it is enough if you make your member an std::atomic integer.
You do not need anything else here. As a matter of fact, due to Intel architecture (strong memory ordering model), this std::atomic is not even likely to cause any performance issues.
I'm not a multithreading expert, but I think following should work.
int GetValue()
{
lock.Enter();
int ret = val;
lock.Leave();
return ret;
}
This is a demonstration of the synchronization object from hauron's answer -- I wanted to show that object construction and destruction overhead simply does not exist with an optomized build.
In the code below, CCsGrabber is an RAII-like class which enters a critical section (wrapped by a CCritical object) when constructed, then leaves it when destroyed:
class CCsGrabber {
class CCritical& m_Cs;
CCsGrabber();
public:
CCsGrabber(CCritical& cs);
~CCsGrabber();
};
class CCritical {
CRITICAL_SECTION cs;
public:
CCritical() {
InitializeCriticalSection(&cs);
}
~CCritical() { DeleteCriticalSection(&cs); }
void Enter() { EnterCriticalSection(&cs); }
void Leave() { LeaveCriticalSection(&cs); }
void Lock() { Enter(); }
void Unlock() { Leave(); }
};
inline CCsGrabber::CCsGrabber(CCritical& cs) : m_Cs(cs) { m_Cs.Enter(); }
inline CCsGrabber::CCsGrabber(CCritical *pcs) : m_Cs(*pcs) { m_Cs.Enter(); }
inline CCsGrabber::~CCsGrabber() { m_Cs.Leave(); }
Now, a global CCritical object is created (cs), which is used in SerialFunc(), along with a local CCsGrabber instance (csg) to take care of locking and unlocking:
CCritical cs;
DWORD last_tick = 0;
void SerialFunc() {
CCsGrabber csg(cs);
last_tick = GetTickCount();
}
int main() {
SerialFunc();
std::cout << last_tick << std::endl;
}
And below is the dissasembly of main() from an optimized 32-bit build. (I apologize for pasting in the whole thing -- I wanted to show that I wasn't hiding anything:
int main() {
00401C80 push ebp
00401C81 mov ebp,esp
00401C83 and esp,0FFFFFFF8h
00401C86 push 0FFFFFFFFh
00401C88 push 41B038h
00401C8D mov eax,dword ptr fs:[00000000h]
00401C93 push eax
00401C94 mov dword ptr fs:[0],esp
00401C9B sub esp,0Ch
00401C9E push esi
00401C9F push edi
SerialFunc();
00401CA0 push 427B78h ; pointer to CS object
00401CA5 call dword ptr ds:[41C00Ch] ; _RtlEnterCriticalSection#4:
00401CAB call dword ptr ds:[41C000h] ; _GetTickCountStub#0:
00401CB1 push 427B78h ; pointer to CS object
00401CB6 mov dword ptr ds:[00427B74h],eax ; return value => last_tick
00401CBB call dword ptr ds:[41C008h] ; _RtlLeaveCriticalSection#4:
std::cout << last_tick << std::endl;
00401CC1 push ecx
00401CC2 call std::basic_ostream<char,std::char_traits<char> >::operator<< (0401D90h)
00401CC7 mov esi,eax
00401CC9 lea eax,[esp+0Ch]
00401CCD push eax
00401CCE mov ecx,dword ptr [esi]
00401CD0 mov ecx,dword ptr [ecx+4]
00401CD3 add ecx,esi
00401CD5 call std::ios_base::getloc (0401BD0h)
00401CDA push eax
00401CDB mov dword ptr [esp+20h],0
00401CE3 call std::use_facet<std::ctype<char> > (0403E40h)
00401CE8 mov dword ptr [esp+20h],0FFFFFFFFh
00401CF0 add esp,4
00401CF3 mov ecx,dword ptr [esp+0Ch]
00401CF7 mov edi,eax
00401CF9 test ecx,ecx
00401CFB je main+8Eh (0401D0Eh)
00401CFD mov edx,dword ptr [ecx]
00401CFF call dword ptr [edx+8]
00401D02 test eax,eax
00401D04 je main+8Eh (0401D0Eh)
00401D06 mov edx,dword ptr [eax]
00401D08 mov ecx,eax
00401D0A push 1
00401D0C call dword ptr [edx]
00401D0E mov eax,dword ptr [edi]
00401D10 mov ecx,edi
00401D12 push 0Ah
00401D14 mov eax,dword ptr [eax+20h]
00401D17 call eax
00401D19 movzx eax,al
00401D1C mov ecx,esi
00401D1E push eax
00401D1F call std::basic_ostream<char,std::char_traits<char> >::put (0404220h)
00401D24 mov ecx,esi
00401D26 call std::basic_ostream<char,std::char_traits<char> >::flush (0402EB0h)
}
00401D2B mov ecx,dword ptr [esp+14h]
00401D2F xor eax,eax
00401D31 pop edi
00401D32 mov dword ptr fs:[0],ecx
00401D39 pop esi
00401D3A mov esp,ebp
00401D3C pop ebp
00401D3D ret
So we can see that SerialFunc() was inlined directly into main, after prologue at the beginning and before the cout code -- and nowhere to be found is any superflouous object creation, memory allocation or anything -- it just looks like the minimum amount of assembly code required to enter the critical section, get the tick count in a variable, and then leave the critical section.
Then I changed SerialFunc() to:
void SerialFunc() {
cs.Enter();
last_tick = GetTickCount();
cs.Leave();
}
With explicitly-placed cs.Enter() and cs.Leave(), just to compare with the RAII version. The generated code turned out to be identical:
int main() {
00401C80 push ebp
00401C81 mov ebp,esp
00401C83 and esp,0FFFFFFF8h
00401C86 push 0FFFFFFFFh
00401C88 push 41B038h
00401C8D mov eax,dword ptr fs:[00000000h]
00401C93 push eax
00401C94 mov dword ptr fs:[0],esp
00401C9B sub esp,0Ch
00401C9E push esi
00401C9F push edi
SerialFunc();
00401CA0 push 427B78h
00401CA5 call dword ptr ds:[41C00Ch]
00401CAB call dword ptr ds:[41C000h]
00401CB1 push 427B78h
00401CB6 mov dword ptr ds:[00427B74h],eax
00401CBB call dword ptr ds:[41C008h]
std::cout << last_tick << std::endl;
00401CC1 push ecx
00401CC2 call std::basic_ostream<char,std::char_traits<char> >::operator<< (0401D90h)
...
In my opinion, SergeyA's answer is best for the given situation -- a critical section for synchronizing reads and writes from/to 32-bit variables is excessive. However, if something comes up which calls for a critical section or mutex, using an RAII-like object to simplify your code is probably not going to incur significant (or even any) object creation overhead.
(I used Visual C++ 2013 to compile the code above)
Consider using a class wrapper locking in ctor, and unlocking in dtor. See standard implementation: http://en.cppreference.com/w/cpp/thread/unique_lock
This way you don't need to remember about unlocking in case of complex code or exceptions thrown within your code, altering the normal execution.
I found this call sub_10636F0 in 5 different places trying to figure out how to call it from C++ DLL which is injected into the target application so It has full access to all the calls in that application.
I had a chart of all the places where it's called most of these call's are cut right after another call above it, to ensure it's completeness.
I read tons of questions on stackoverflow about this subject found a few good answers from Necrolis, saying if its a EDX then you could use __fastcall.
I googled to find out about ECX and it seems to also be used to __fastcall so either ECX or EDX mean __fastcall.
But the function it calls uses the wrapper
sub esp, 5F4h
add esp, 5F4h
retn 8
I have no idea what this is about again doing tons of research I think SUB ESP, XXX at beginning and ADD ESP, XXX at end are used only for _cdecl conversions
My current code looks like this
typedef void(__fastcall *TThreeParamter)(int, int, int);
typedef void(__fastcall *TTwoParamter)(int, int);
typedef void(__fastcall *TOneParamter)(int);
typedef void(__fastcall *TZeroParamter)();
TTwoParamter sub_10636F0 = (TTwoParamter)(DWORD)GetModuleHandle(NULL) + 0xC636EF;
//the call
sub_10636F0(0x11223344, 0x55667788);
Don't ask me why the 0xC636EF is different from 10636F0 in the sub, I can tell you it's going into the correct sub upon inspection in a debugger, the sub's keep moving around everytime the program is re-launched it seems to be either a protection method, or possibly because this program loads over 50 dll's and the addresses need to move around.
I tried all different configurations, 2 int's, 3 int's nothing works..
IDA detects this method as being 3 parameters, but the last parameter isn't used anywhere in the decompiled pesudo-code, which I cannot figure out,
Pseudo-code looks like this ( I did heavy modifications to it, like change it to _fastcall from __thiscall )
Pseudo-code from IDA
//probably wrong.. packet is a variable not a parameter which will crash
void __fastcall sub_10636F0(int var1)
{
__int128 v1; // xmm0#0
int v2; // esi#1
int v3; // ebx#1
SOCKET v4; // ebp#1
int v5; // eax#2
int v6; // ecx#3
int v7; // [sp+8h] [bp-5FCh]#7
char a2a[1492]; // [sp+10h] [bp-5F4h]#2
int v9; // [sp+5E4h] [bp-20h]#2
int v10; // [sp+5E8h] [bp-1Ch]#2
struct _FILETIME SystemTimeAsFileTime; // [sp+5F0h] [bp-14h]#2
__int16 v12; // [sp+5F8h] [bp-Ch]#2
int packet; // [sp+608h] [bp+4h]#0
int to; // [sp+60Ch] [bp+8h]#0
v2 = to;
v3 = var1;
v4 = *(_DWORD *)(packet + 220);
if ( v4 != -1 )
{
//snipped lots of code
}
}
//probably wrong.. packet is a variable not a paramter which will crash
void __fastcall sub_10636F0(int var1, int var2)
{
__int128 v2; // xmm0#0
int v3; // esi#1
int v4; // ebx#1
SOCKET v5; // ebp#1
int v6; // eax#2
int v7; // ecx#3
int v8; // [sp+8h] [bp-5FCh]#7
char a2a[1492]; // [sp+10h] [bp-5F4h]#2
int v10; // [sp+5E4h] [bp-20h]#2
int v11; // [sp+5E8h] [bp-1Ch]#2
struct _FILETIME SystemTimeAsFileTime; // [sp+5F0h] [bp-14h]#2
__int16 v13; // [sp+5F8h] [bp-Ch]#2
int packet; // [sp+608h] [bp+4h]#0
int to; // [sp+60Ch] [bp+8h]#0
v3 = to;
v4 = var1;
v5 = *(_DWORD *)(packet + 220);
if ( v5 != -1 )
{
//snipped lots of code
}
}
//this looks the best, but still `to` isn't detected as paramter
void __fastcall sub_10636F0(int var1, int var2, int var3)
{
__int128 v3; // xmm0#0
int v4; // esi#1
int v5; // ebx#1
SOCKET v6; // ebp#1
int v7; // eax#2
int v8; // ecx#3
int v9; // [sp+8h] [bp-5FCh]#7
char a2a[1492]; // [sp+10h] [bp-5F4h]#2
int v11; // [sp+5E4h] [bp-20h]#2
int v12; // [sp+5E8h] [bp-1Ch]#2
struct _FILETIME SystemTimeAsFileTime; // [sp+5F0h] [bp-14h]#2
__int16 v14; // [sp+5F8h] [bp-Ch]#2
int to; // [sp+60Ch] [bp+8h]#0
v4 = to; //still doesn't detect this..
v5 = var1; //okay this isn't bad another parameter
v6 = *(_DWORD *)(var3 + 220); //like this detects this as parameter class atleast
if ( v6 != -1 )
{
//snipped lots of code
}
}
This is the code IDA recommends by default
char __userpurge sub_10636F0#<al>(int a1#<ecx>, __int128 a2#<xmm0>, int a3, int a4)
{
int v4; // esi#1
int v5; // ebx#1
SOCKET v6; // ebp#1
int v7; // eax#2
int v8; // ecx#3
int v9; // eax#8
char v11; // [sp+8h] [bp-5FCh]#7
int v12; // [sp+10h] [bp-5F4h]#4
int v13; // [sp+24h] [bp-5E0h]#2
int v14; // [sp+28h] [bp-5DCh]#2
int v15; // [sp+2Ch] [bp-5D8h]#2
int v16; // [sp+30h] [bp-5D4h]#2
char v17; // [sp+34h] [bp-5D0h]#2
signed int v18; // [sp+5E4h] [bp-20h]#2
int v19; // [sp+5E8h] [bp-1Ch]#2
int v20; // [sp+5F0h] [bp-14h]#2
__int16 v21; // [sp+5F8h] [bp-Ch]#2
v4 = a4;
v5 = a1;
v6 = *(_DWORD *)(a3 + 220);
if ( v6 == -1 )
return 0;
//Snipped code
if ( v9 >= 0 && v9 == *(_DWORD *)(v4 + 1492) )
return 1;
return 0;
}
Function in ASM
.text:010636F0 ; void __fastcall sub_10636F0(int var1, int var2, int var3)
.text:010636F0 sub_10636F0 proc near ; CODE XREF: sub_1062960+E0p
.text:010636F0 ; sub_10637E0+D4p ...
.text:010636F0
.text:010636F0 a2 = byte ptr -5F4h
.text:010636F0 var_20 = dword ptr -20h
.text:010636F0 var_1C = dword ptr -1Ch
.text:010636F0 SystemTimeAsFileTime= _FILETIME ptr -14h
.text:010636F0 var_C = word ptr -0Ch
.text:010636F0 var_4 = dword ptr -4
.text:010636F0 packet = dword ptr 4
.text:010636F0 to = dword ptr 8
.text:010636F0 test = dword ptr 0Ch
.text:010636F0
.text:010636F0 sub esp, 5F4h
.text:010636F6 mov eax, ___security_cookie
.text:010636FB xor eax, esp
.text:010636FD mov [esp+5F4h+var_4], eax
.text:01063704 push ebx
.text:01063705 push ebp ; a5
.text:01063706 push esi ; a4
.text:01063707 mov esi, [esp+600h+to]
.text:0106370E push edi ; a3
.text:0106370F mov edi, [esp+604h+packet]
.text:01063716 mov ebx, ecx
.text:01063718 mov ebp, [edi+0DCh]
.text:0106371E cmp ebp, 0FFFFFFFFh
.text:01063721 jz loc_10637BB
SNIP TONS OF CODE HERE
.text:010637BB
.text:010637BB loc_10637BB: ; CODE XREF: sub_10636F0+31j
.text:010637BB ; sub_10636F0+BDj ...
.text:010637BB xor al, al
.text:010637BD
.text:010637BD loc_10637BD: ; CODE XREF: sub_10636F0+C9j
.text:010637BD mov ecx, [esp+604h+var_4]
.text:010637C4 pop edi
.text:010637C5 pop esi
.text:010637C6 pop ebp
.text:010637C7 pop ebx
.text:010637C8 xor ecx, esp
.text:010637CA call #__security_check_cookie#4 ; __security_check_cookie(x)
.text:010637CF add esp, 5F4h
.text:010637D5 retn 8
.text:010637D5 sub_10636F0 endp ; sp-analysis failed
Calls to this function in ASM
.text:010638B0 push esi ; packet
.text:010638B1 push ebx ; this
.text:010638B2 mov ecx, ebp ; this
.text:010638B4 call sub_10636F0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:01062A2E mov byte ptr [esi+5E9h], 1
.text:01062A35
.text:01062A35 loc_1062A35: ; CODE XREF: sub_1062960+C1j
.text:01062A35 add dword ptr [esi+5D4h], 2
.text:01062A3C push esi ; packet
.text:01062A3D push edi ; this
.text:01062A3E mov ecx, ebx ; this
.text:01062A40 call sub_10636F0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:01063AF4 mov eax, [ebx+1128h]
.text:01063AFA mov [esp+1A4h+var_AC], eax
.text:01063B01 push esi ; packet
.text:01063B02 lea eax, [esp+1A8h+to]
.text:01063B06 push eax ; this
.text:01063B07 mov ecx, ebx ; this
.text:01063B09 mov [esp+1ACh+var_4], 1
.text:01063B14 call sub_10636F0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:01089145 loc_1089145: ; CODE XREF: sub_10890B0+4Fj
.text:01089145 ; sub_10890B0+67j
.text:01089145 mov ecx, [edi+110h] ; this
.text:0108914B push esi ; packet
.text:0108914C push edi ; this
.text:0108914D call sub_10636F0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:01089CBA mov ecx, [esi+110h] ; this
.text:01089CC0 push edi ; packet
.text:01089CC1 push esi ; this
.text:01089CC2 call sub_10636F0
I have no idea what this is about again doing tons of research I think
SUB ESP, XXX at beginning and ADD ESP, XXX at end are used only for
_cdecl conversions
No, it's used for ALL functions that use local variables (with minor variations as to exactly how it's done, but stack space needs to be allocated by subtracting from ESP, and "freed" by adding the same amount to the stack pointer.
However, the RET 8 does indeed indicate that the calling convention is NOT _cdecl, but one where the stack is cleaned up by the callee. There are a few different calling conventions that match this, but I have a feeling it's C++ code and a member function, which would make it thiscall - that does make it a little hard to simulate, since you want this in ECX.
The ret 8 says that the function has 8 bytes worth of arguments, so two int or void * variables.
I'm far from convinced there is a simple way to do this. You may be able to do something like this. Create a class X with a virtual function that takes two arguments:
class X
{
virtual void Func(int x, int y) { }
};
Then figure out where the compiler put the vtable, and modify the vtable for func to point at your target function, rather than the empty implementation of the class.
Now you can use X to create an instance:
X* p = new X;
and then call func.
p->func(1, 2);
However, if you are unlucky, the compiler doesn't realize that you have messed with the vtable, and end up calling the function directly. So you may need to do some trickery with separate compilation and other stuff.
In other words, you have your work cut out. But then reverse engineering wouldn't be any fun at all if you didn't have to trick around a bit.
Of course, the cheaters method is to just write a few lines of inline assembler, like such:
void CallMyFunc(void *func, int a, int b, int c)
{
__asm(mov ecx, a
push b
push c
call *func);
}
[It's about 10 years since I last wrote Windows inline assembly code, so apologies if the syntax isn't quite right - consider it a "rough sketch" and do modify it until it actually compiles...]
Say, I can use Wow64DisableWow64FsRedirection API to disable file system redirection, but is there a way to know if the thread is currently being redirected? In other words, is there an API like GetWow64FsRedirection?
There is no API function that reports this state. You are expected to remember that you disabled redirection.
Sorry, forgot to post a follow-up. As the accepted answer suggests, there's no API to detect that. Too bad, because the information is stored right there in the undocumented section of the thread's TEB struct. (See my comments in the code.)
The code below will retrieve it.
I have to preface it though by saying that it was obtained by reversing the aforementioned API. So it's a highly undocumented stuff that will probably break in the future versions of the OS. So make sure to put version safeguards before using it. It should be OK for all released versions of Windows though, including Windows 10 build 17134:
enum YESNOERR{
ERR = -1,
NO = 0,
YES = 1,
};
struct PROC_STATS{
BOOL b32BitProcessOn64BitOS;
DWORD dwOS_Major;
DWORD dwOS_Minor;
DWORD dwOS_Build;
PROC_STATS()
{
BOOL (WINAPI *pfnIsWow64Process)(HANDLE, PBOOL);
(FARPROC&)pfnIsWow64Process = ::GetProcAddress(::GetModuleHandle(_T("kernel32.dll")), "IsWow64Process");
BOOL bWow64 = FALSE;
b32BitProcessOn64BitOS = pfnIsWow64Process && pfnIsWow64Process(::GetCurrentProcess(), &bWow64) && bWow64;
LONG (WINAPI *pfnRtlGetVersion)(RTL_OSVERSIONINFOEXW*);
(FARPROC&)pfnRtlGetVersion = ::GetProcAddress(::GetModuleHandle(_T("ntdll.dll")), "RtlGetVersion");
OSVERSIONINFOEX osvi = {0};
osvi.dwOSVersionInfoSize = sizeof(osvi);
pfnRtlGetVersion(&osvi);
dwOS_Major = osvi.dwMajorVersion;
dwOS_Minor = osvi.dwMinorVersion;
dwOS_Build = osvi.dwBuildNumber;
}
};
PROC_STATS procStats;
YESNOERR __cdecl GetWow64FsRedirection()
{
//Checks if Wow64 file system redirection is on for the current thread
YESNOERR res = ERR;
__try
{
if(procStats.b32BitProcessOn64BitOS)
{
//Really easy pre-Win10 v.10.0.10041.0
if(procStats.dwOS_Major < 10 ||
(procStats.dwOS_Major == 10 && procStats.dwOS_Build <= 10041))
{
//Win XP, 7, 8.1 & earlier builds of Win10
__asm
{
mov eax, fs:18h ; TEB
mov eax, [eax + 0F70h]
mov eax, [eax + 14C0h]
xor ecx, ecx
test eax, eax ; 0=Wow64FsRedir is on, 1=Off
setz cl
mov [res], ecx
}
}
else
{
//Latest builds of Win10 have a separate WoW TEB block
__asm
{
mov eax, fs:18h ; TEB
mov ecx, [eax + 0FDCh] ; WowTebOffset
test ecx, ecx
jns lbl_no_offset ; it must precede TEB
add eax, ecx
lbl_no_offset:
cmp eax, [eax + 18h] ; pick version of the struct
jz lbl_alt
mov eax, [eax + 14C0h]
jmp lbl_check
lbl_alt:
mov eax, [eax + 0E30h]
lbl_check:
xor ecx, ecx
test eax, eax ; 0=Wow64FsRedir is on, 1=Off
setz cl
mov [res], ecx
}
}
}
else
{
//It's off by default
res = NO;
}
}
__except(1)
{
//Oops, too far in the future -- this no longer works
res = ERR;
}
return res;
}
This is how you can test it:
resWow64FsOn = GetWow64FsRedirection();
_tprintf(L"Wow64FsRedirection=%d\n", resWow64FsOn);
void* pOldV;
if(::Wow64DisableWow64FsRedirection(&pOldV))
{
resWow64FsOn = GetWow64FsRedirection();
_tprintf(L"Wow64FsRedirection=%d\n", resWow64FsOn);
::Wow64RevertWow64FsRedirection(pOldV);
resWow64FsOn = GetWow64FsRedirection();
_tprintf(L"Wow64FsRedirection=%d\n", resWow64FsOn);
}
else
{
_tprintf(L"ERROR: (%d) API Failed\n", ::GetLastError());
}
Another approach is to check for the existence of the wow32.dll in the Windows System32 directory (typically C:\Windows\System32).
On 64-bit systems, this file should reside in the SysWOW64 directory, thus if file redirection is enabled, it will be found.
Similarly, one can check for the nonexistence of wow64.dll, that resides in the System32 directory on 64-bit systems, and if it's not to be found the redirection is enabled.
The pseudo-code for that would be:
bool IsWow64FileSystemRedirectionEnabled()
{
if (!Is64BitOS()) return false;
if (FileExists(GetSystem32Directory() + "\\wow32.dll")) return true;
return false;
}
Where:
Is64BitOS can be implemented as shown here
FileExists can be implemented as shown here
GetSystem32Directory - can be implemented as shown here
I am trying to rebuild the import table of a windows pe now i have successfully enumerated through all the modules but as soon as i use loadlibrary api the application crashes could anyone point me where i am wrong??
DWORD OEP, IAT, ImageBase, LoadLib;
char *module;
// Fetch Placeholders
__asm {
mov[OEP], 0xCCCCCCCC // Orignal Entry Point
mov[IAT], 0xCCCCCCCC // Import Table Address
mov[ImageBase], 0xCCCCCCCC // Image Base
mov[LoadLib], 0xCCCCCCCC // kernel32.LoadLibraryA
}
// Fix IAT
__asm {
_it_fixup:
mov ebx, [IAT]
mov esi, [ImageBase]
add ebx, esi // image_import_descriptor
_it_loadlibrary_loop :
mov eax, [ebx + 0x0C] // eax = image_import_descriptor.Name
test eax, eax
jz _it_fixup_end
add eax, esi // ecx = module = image_import_descriptor.Name + dwImageBase
push eax
call [LoadLib] // Here when i check with ollydbg eax has advapi32.dll and says error_insufficient_buffer
inc ebx // image_import_descriptor++
test eax, eax
jnz _it_loadlibrary_loop
_it_fixup_end :
}
// Jump back
__asm {
jmp[OEP]
}
but when i use
push eax
mov ecx, [LoadLib]
call ecx
instead of
push eax
call[LoadLib]
the debugger says ecx hold dvapi32.dll i am kinda confused please tell me what is wrong here
and yes this 0xCCCCCCCC is first replace with proper information like kernel32.LoadLibraryA and all
-------------------- EDIT -------------------
updated the codes into c/c++
DWORD OEP, IAT, ImageBase, GetProc;
DWORD dwThunk, dwHintName;
typedef HMODULE(WINAPI *_LoadLibrary)(LPCSTR lpFileName);
_LoadLibrary __LoadLibrary;
// Fetch Placeholders
__asm {
mov[OEP], 0xCCCCCCCC
mov[IAT], 0xCCCCCCCC
mov[ImageBase], 0xCCCCCCCC
mov[__LoadLibrary], 0xCCCCCCCC
mov[GetProc], 0xCCCCCCCC
}
// Fix IAT
PIMAGE_DOS_HEADER pDos;
PIMAGE_IMPORT_DESCRIPTOR pDesc;
pDos = (PIMAGE_DOS_HEADER)ImageBase;
pDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ImageBase + IAT);
char *module;
while (pDesc->Name) {
module = (char *)((DWORD)ImageBase + pDesc->Name);
__LoadLibrary(module);
pDesc++;
}
// Jump back
__asm {
jmp[OEP]
}
Im trying to get the starting address of buf. So I compile the following program and load it up in gdb.
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
char buf[128];
if(argc < 2) return 1;
strcpy(buf, argv[1]);
printf("%s\n", buf);
return 0;
}
On disassembling main we get:-
(gdb) disassemble main
Dump of assembler code for function main:
0x080483b4 <main+0>: push ebp
0x080483b5 <main+1>: mov ebp,esp
0x080483b7 <main+3>: sub esp,0xa8
0x080483bd <main+9>: and esp,0xfffffff0
0x080483c0 <main+12>: mov eax,0x0
0x080483c5 <main+17>: sub esp,eax
0x080483c7 <main+19>: cmp DWORD PTR [ebp+0x8],0x1
0x080483cb <main+23>: jg 0x80483d9 <main+37>
0x080483cd <main+25>: mov DWORD PTR [ebp-0x8c],0x1
0x080483d7 <main+35>: jmp 0x8048413 <main+95>
0x080483d9 <main+37>: mov eax,DWORD PTR [ebp+0xc]
0x080483dc <main+40>: add eax,0x4
0x080483df <main+43>: mov eax,DWORD PTR [eax]
0x080483e1 <main+45>: mov DWORD PTR [esp+0x4],eax
0x080483e5 <main+49>: lea eax,[ebp-0x88]
0x080483eb <main+55>: mov DWORD PTR [esp],eax
0x080483ee <main+58>: call 0x80482d4 <strcpy#plt>
0x080483f3 <main+63>: lea eax,[ebp-0x88]
0x080483f9 <main+69>: mov DWORD PTR [esp+0x4],eax
0x080483fd <main+73>: mov DWORD PTR [esp],0x8048524
0x08048404 <main+80>: call 0x80482b4 <printf#plt>
0x08048409 <main+85>: mov DWORD PTR [ebp-0x8c],0x0
0x08048413 <main+95>: mov eax,DWORD PTR [ebp-0x8c]
0x08048419 <main+101>: leave
0x0804841a <main+102>: ret
End of assembler dump.
In order to find the starting address of buf, I need to see the address which is being loaded into eax. When I set a breakpoint at 0x080483e5 or 0x080483ee I get the following.
(gdb) b 0x080483eb
Function "0x080483eb" not defined.
Make breakpoint pending on future shared library load? (y or [n])
(gdb) run test
Starting program: /levels/level05 test
test
Program exited normally.
What am I doing wrong? Why doesn't the program execution pause at that address?
If you want to set a break point at an address, you have to say b *0x080483eb
See here for more info.
You should also compile your program with -g , and without optimization. You can just break main to stop when you get to main, step a few lines with n and print buf with p buf