x64 Hooks

Author: David Zimmer
Date: 09.19.12 - 1:22pm

Still playing around with hook engine implementations.

on x64 Its a little messy.

jmp data deref - 14 bytes
ff 25 00 00 00 00        jmp [rip+addr0]  
80 70 8e 77 00 00 00 00  data: 00000000778E7080

jmp eax - 12 bytes
48 b8 80 70 8e 77 00 00 00 00   mov rax, 0x00000000778E7080  
ff e0                           jmp rax
A safe 14 bytes at a function start without any jxx or calls feels like a a lot to ask. I had some failures just in my small hooking needs. 12 bytes is better, but really i want to get it down more.

I had my code spit out the prealignment bytes count i used in the x86 "micro" hooks, seems like 8-10 is average for x64 functions. This is enough for an 8 byte address. to utilize the prealignment bytes we could do a "6 byte" jmp[rip-14] style hook such as:
0000000011000000 8 data bytes in function prealignment paddding...
0000000011000008 FF 25 F2 FF FF FF jmp qword ptr [11000000h]  <-- 6 byte hook in API prolog 
You can actually also pull off a 6 byte push ret hook IF the address you are transferring execution to can be represented by a 32bit number.
C3               RETN    

bool is32BitSafe(ULONG_PTR value){
	ULONG_PTR b = value & 0x00000000FFFFFFFF;
	return value == b ? true : false;
On x64 push can only hold a 32bit constant, however when it is pushed to teh stack, a 64bit number is written with the high 8 bytes set to 0. TO make this work, you can use the following pragma directive to force your applications base address to be 32 bit addressable so this hook type could work.
#pragma comment( linker, "/BASE:0x8000000")
Thats a pretty easy thing to forget though, and might not always work out for dlls, so I guess I need to keep looking for smaller x64 hooks still. Trying to utilize the prealignment bytes comes next I guess.

Actually generating some statistics on common dlls should come next...

btw you can test these with a stub such as:
 unsigned char data[15] = {
	0x0E, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x25, 0xF2, 0xFF, 0xFF, 0xFF, 0xCC
 char* buf = (char*)VirtualAlloc((void*)0x11000000 , 10, MEM_RESERVE | MEM_COMMIT , 0x40);
 int (*sc)();
 sc = (int (*)())&buf[8]; 
Experimentation is messy stuff...

Comments: (0)

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 60 + 18 = ? followed by the letter: F 

About Me
More Blogs
Main Site
Yara WorkBench
vbdec dbg updates
vb6 PCode NOP
vb6 API and call backs
how pcode works Pt1
Reversing PCode Args
VB6 PCode Disassembly
VB6 PCode Debugger
UConnect Disable Cell Modem
IDA python over IPC
dns wildcard blocking
64bit IDA Plugins
anterior lines
misc news/updates
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation