micro hook


Author: David Zimmer
Date: 09.11.12 - 9:41pm



Had one more idea for a new hook type to experiment with that would give a "2 byte" hook.

The trick lies in scanning back from the API's start address to figure out how many alignment bytes (0x90 and 0xCC) precede it.

For the 25 APIs I tested in sclog, this was usually 5 bytes, which is enough for a relative E9 jump. That means you only have to overwrite 2 bytes of the actual API opcodes.

here:
  E9 xxxxxxxx   jmp 0x11111111   <-- in the alignment padding before the function (5 bytes)
  EB F9         jmp short here   <-- at the API entry point (2 bytes)


I will run this test on x64 and see how many pre-alignment bytes the APIs usually have; maybe it will help there. If not, I will just remove it and revert to the previous commit. Supporting this idea made the hooking code more complex than it is probably worth, unless the preamble trick really makes a difference on the x64 side.
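The padding scan and the two-jump patch described above, as an added example that is not code from the post or from sclog: it works on a constructed byte buffer, and the prologue bytes, the base address (0x77E00000) and the handler address (0x11111111) are made-up values.

```c
#include <stdint.h>
#include <stddef.h>
/* Count 0x90 (NOP) / 0xCC (INT3) alignment bytes just before code[entry]. */
size_t count_pad_bytes(const uint8_t *code, size_t entry) {
    size_t n = 0;
    while (n < entry) {
        uint8_t b = code[entry - n - 1];
        if (b != 0x90 && b != 0xCC) break;
        n++;
    }
    return n;
}

/* Write the two-part hook from the post: E9 rel32 into the last 5 padding
 * bytes, EB F9 at the API entry. base is the virtual address the buffer
 * stands for, target the handler address (both constructed in the demo).
 * Returns 1 on success, 0 if fewer than 5 padding bytes exist. */
int install_micro_hook(uint8_t *code, size_t entry, uint32_t base, uint32_t target) {
    if (count_pad_bytes(code, entry) < 5) return 0;
    size_t tramp = entry - 5;
    uint32_t rel = target - (base + (uint32_t)tramp + 5); /* relative to next insn */
    code[tramp] = 0xE9;
    for (int i = 0; i < 4; i++)                            /* little-endian rel32 */
        code[tramp + 1 + i] = (uint8_t)(rel >> (8 * i));
    code[entry] = 0xEB;
    code[entry + 1] = (uint8_t)(int8_t)-7;                 /* entry + 2 - 7 == tramp */
    return 1;
}

/* Follow EB then E9 from the entry and return where execution lands; the same
 * walk verifies the patch or spots one. Returns 0 if the EB/E9 pair is absent. */
uint32_t follow_micro_hook(const uint8_t *code, size_t entry, uint32_t base) {
    if (code[entry] != 0xEB) return 0;
    long tramp = (long)entry + 2 + (int8_t)code[entry + 1];
    if (tramp < 0 || code[tramp] != 0xE9) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)code[tramp + 1 + i] << (8 * i);
    return base + (uint32_t)tramp + 5 + rel;
}

/* Constructed sample: 8 bytes of INT3 padding, then a typical hot-patchable
 * x86 prologue (mov edi,edi; push ebp; mov ebp,esp). */
uint32_t micro_hook_demo(void) {
    uint8_t code[16] = {0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
                        0x8B,0xFF,0x55,0x8B,0xEC,0x90,0x90,0x90};
    const uint32_t base = 0x77E00000u, handler = 0x11111111u;
    if (!install_micro_hook(code, 8, base, handler)) return 0;
    return follow_micro_hook(code, 8, base);  /* 0x11111111 */
}
```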



