
Dynamic detouring library

recon0
Veteran Member
Join Date: Sep 2007
Location: US
Old 05-25-2010 , 22:53   Re: Dynamic detouring library
#22

Quote:
Originally Posted by pRED*
Recon: When copy_bytes is passed 0 as the second parameter it will return a count of how many bytes need to be copied.

The third parameter (6) is how many bytes of space we are going to be overwriting, and copy_bytes will find the next instruction boundary at or beyond 6, so that we only copy whole instructions. (Leaving half an instruction at the source wouldn't be pretty).

You are absolutely correct with the fixing jump/call code!

Keeper: Yes, he's using the 6 byte version of jump.
That's what I read in the function.

That makes sense.

Cool.

That's what threw me off. I thought the most a jump could be was 1 (op) + 4 (address). In case anyone's looking for it, I found a page of Intel's on jumps (also, Intel's 64 and IA-32 manual has a page on the jump instruction's variations).

How could a jump be six bytes though? Sun's IA-32 manual has some interesting information on the subject:
Quote:
Description

The jmp instruction transfers execution control to a different point in the instruction stream; records no return information.
Jumps with destinations of disp[8|16|32] or r/m[16|32] are near jumps and do not require changes to the segment register value.
jmp rel{16|32} adds a signed offset to the address of the instruction following the jmp instruction to determine the destination; that is, the displacement is relative to the next instruction. The displacement value is stored in the EIP register. For rel16, the upper 16 bits of EIP are cleared to zero resulting in an offset value not to exceed 16 bits.
ljmp ImmPtr or *mem48 use a four- or six-byte operand as a long pointer to the destination. In Real Address Mode or Virtual 8086 mode, the long pointer provides 16 bits for the CS register and 16 or 32 bits for the EIP register. In Protected mode, both long pointer forms consult the AR (Access Rights) byte of the descriptor indexed by the selector part of the long pointer. The jmp performs one of the following control transfers depending on the value of the AR byte:
  • A jump to a code segment at the same privilege level
  • A task switch
Shouldn't the instruction use seven bytes (1 op code + 6 operand)?

EDIT: After some time with the disassembler, I think I figured it out.
Code:
jmp dword ptr [cs:11BB22EEh]
00B71010 2E FF 25 EE 22 BB 11    jmp         dword ptr cs:[11BB22EEh]

jmp dword ptr [ds:11BB22EEh]
00B71017 FF 25 EE 22 BB 11       jmp         dword ptr ds:[11BB22EEh]
A jump that loads cs has a three byte op code, 2E FF 25, and a jump that loads ds has a two byte op code, FF 25. The length of the operand doesn't change (4 bytes), so the sizes for the jumps are 7 and 6 bytes respectively.


Thanks for the clarification everyone.
Last edited by recon0; 05-26-2010 at 16:37.
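As an added example (not code from this thread or from the detouring library it discusses), a small C sketch of the two points raised above: the `FF 25 disp32` indirect jump, with and without the `2E` cs: override, decoded to its length and pointer slot, the 6-byte form re-emitted, and the copy_bytes boundary rule pRED* describes (copy whole instructions until at least 6 bytes are covered). The instruction lengths handed to `bytes_to_relocate` are constructed input; a real library would obtain them from a length disassembler, and only the cs:/ds: prefixes shown in the listing are recognised.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded `jmp dword ptr [disp32]` (opcode FF /4, ModRM 0x25), with an
 * optional leading segment override such as 2E (cs:) or 3E (ds:). */
typedef struct {
    size_t   length;  /* 6 bytes, or 7 when a segment prefix is present */
    uint8_t  prefix;  /* the override byte, 0 when absent */
    uint32_t slot;    /* address of the 4-byte cell that holds the target */
} jmp_ind32;

/* Returns 1 and fills *out if buf starts with that jump form, else 0. */
static int decode_jmp_ind32(const uint8_t *buf, size_t len, jmp_ind32 *out) {
    size_t i = 0;
    uint8_t prefix = 0;
    if (len > 0 && (buf[0] == 0x2E || buf[0] == 0x3E)) /* cs: / ds: override */
        prefix = buf[i++];
    if (len < i + 6 || buf[i] != 0xFF || buf[i + 1] != 0x25)
        return 0;
    /* disp32 is little-endian: EE 22 BB 11 decodes to 0x11BB22EE */
    out->slot = (uint32_t)buf[i + 2] | (uint32_t)buf[i + 3] << 8 |
                (uint32_t)buf[i + 4] << 16 | (uint32_t)buf[i + 5] << 24;
    out->prefix = prefix;
    out->length = i + 6;
    return 1;
}

/* Emits the 6-byte form FF 25 disp32 into out[6]; returns the bytes written. */
static size_t encode_jmp_ind32(uint8_t out[6], uint32_t slot) {
    out[0] = 0xFF;
    out[1] = 0x25;
    for (int k = 0; k < 4; k++)
        out[2 + k] = (uint8_t)(slot >> (8 * k));
    return 6;
}

/* copy_bytes-style boundary search over constructed instruction lengths:
 * returns how many bytes must be relocated so at least `need` bytes are
 * freed at the hook site without splitting an instruction; 0 if the
 * listing runs out before that. */
static size_t bytes_to_relocate(const size_t *insn_len, size_t n, size_t need) {
    size_t total = 0;
    for (size_t k = 0; k < n; k++) {
        total += insn_len[k];
        if (total >= need)
            return total;
    }
    return 0;
}
```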