• Welcome to Valhalla Legends Archive.
 
Messages - Meeks

#1
Advanced Programming / Re: Hooking Winsock
September 15, 2008, 06:59 PM
Wow, how'd I overlook that one, lol.  Oops.
#2
Advanced Programming / Re: Hooking Winsock
February 13, 2008, 05:14 PM
Yea IMO, the most appropriate solution here is called several things, one of which is Extended Code Overwriting, another is Detouring; there are a few more but it's all the same thing.  This is by no means exact, it is just a brief synopsis:

* This is a 32 bit implementation.

* Always pay respect to memory.  Use VirtualProtect to obtain the correct access rights before writing to memory.

* A trampoline function is a function that you allocate space for and it matches the parameters of your target function you want to hook.  Its intention is to preserve the bytes you will have to overwrite in order to perform the hook.

1. Copy the first 5 bytes to the trampoline function.
2. Write an unconditional JMP instruction to the trampoline function.
3. Write the 32 bit address of the 6th byte of the target function to the trampoline function.

* Pay very careful attention not to cut an assembly instruction off.  If you do, you will cause uncontrolled behavior.  The number of bytes you will copy from the target function to the trampoline function depends upon the assembly instructions, so open up OllyDbg.

* A Detour function is one that is called in place of the target function.

* Be sure the target function and your Detour function have identical parameters and are of the same calling convention.

4. Overwrite the first byte of the target function with an unconditional JMP instruction.
5. Overwrite the next 4 bytes with the 32 bit address of your Detour function.

Now when the target function is called, it is rerouted to your Detour function.  Add the changes needed or simply log the activity; now you may call the trampoline function to execute the original target function's contents.  It really is as simple as that.  There are several examples including source code.  Hope this helps.
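
An added example, not part of the original post: seen from the detection side, the 5-byte overwrite described above leaves a recognisable prologue, an `E9` opcode followed by a 4-byte little-endian displacement measured from the end of the instruction. The sketch below works on plain byte buffers, encodes and decodes that JMP, and flags a prologue whose destination falls outside the owning module. The function names, addresses and module range are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define JMP_REL32 0xE9u  /* x86 near JMP: 1 opcode byte + 4-byte displacement */
#define JMP_LEN   5u

/* Encode a JMP placed at address `from` that lands on `to`. The operand is a
   displacement measured from the end of the 5-byte instruction. */
static void encode_jmp(uint8_t out[5], uint32_t from, uint32_t to) {
    uint32_t disp = to - (from + JMP_LEN);  /* wraps modulo 2^32 */
    out[0] = JMP_REL32;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(disp >> (8 * i)); /* little-endian */
}

/* If the bytes found at `addr` begin with JMP rel32, store its destination, return 1. */
static int decode_jmp(const uint8_t *code, size_t len, uint32_t addr, uint32_t *dest) {
    uint32_t disp = 0;
    if (len < JMP_LEN || code[0] != JMP_REL32) return 0;
    for (int i = 0; i < 4; i++) disp |= (uint32_t)code[1 + i] << (8 * i);
    *dest = addr + JMP_LEN + disp;
    return 1;
}

/* Return 1 when the prologue jumps outside [mod_base, mod_base + mod_size). */
static int prologue_detoured(const uint8_t *code, size_t len, uint32_t addr,
                             uint32_t mod_base, uint32_t mod_size, uint32_t *dest) {
    if (!decode_jmp(code, len, addr, dest)) return 0;
    return (uint32_t)(*dest - mod_base) >= mod_size;  /* one unsigned compare checks both bounds */
}

int main(void) {
    /* Constructed sample values, not taken from a real module. */
    const uint32_t base = 0x71A00000u, size = 0x00020000u;
    const uint32_t target = 0x71A04C27u, detour = 0x10001230u;
    const uint8_t clean[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
    uint8_t hooked[5];
    uint32_t dest = 0;
    int r;

    encode_jmp(hooked, target, detour);
    r = prologue_detoured(clean, sizeof clean, target, base, size, &dest);
    printf("clean  prologue: detoured=%d\n", r);
    r = prologue_detoured(hooked, sizeof hooked, target, base, size, &dest);
    printf("hooked prologue: detoured=%d dest=0x%08lX\n", r, (unsigned long)dest);
    return 0;
}
```

The check only recognises the `E9` form at the very first byte, and a jump that stays inside the module is reported as not detoured, so treat a negative result as "no 5-byte external JMP here" rather than "unmodified".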