Idea to find functions in memory


joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
03-05-2010, 19:35   Re: Idea to find functions in memory   (post #11)

Quote:
Originally Posted by Fyren
As pred said, there may not be a call at all in the binary for one OS while it may be there in the other, likely due to inlining.
Yes, I know. I considered that in the example I gave.

Quote:
Originally Posted by Fyren
This is an interesting idea, and I've pondered it myself, but I'm way too lazy.
I hope that you or someone implement it. I would like to see it in action and see its pros and cons in practice.

Edit:

Another thing: I just thought that by having this tree one could do another kind of hooking. Hooking calls to functions instead of functions being called. Like, instead of hooking every time X is called, just hooking when Y calls X. This can be nice for some kinds of functions. It would only take the effort of patching the calls so they call a hook function instead, and then calling forwards and calling the original back. (Not an original idea, but this tree would make it easier.)

Last edited by joaquimandrade; 03-05-2010 at 22:20.
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
03-24-2010, 21:39   Re: Idea to find functions in memory   (post #12)

Hello again. I'm interested in seeing the "CFG parser" that Pred talked about. If you, Pred, or someone that works with him can give me a link to it, I will appreciate it. Thanks.
pRED*
Join Date: Dec 2006
03-25-2010, 01:27   Re: Idea to find functions in memory   (post #13)

http://pred.ampaste.net/m751dedc4
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
04-20-2010, 13:31   Re: Idea to find functions in memory   (post #14)

Hello again. I'm kind of experimenting on this with libdisasm and there is something I would like to ask you.

In the linux libraries many functions call first some unnamed function that seems to me like a helper function or something like that. Like:

Code:
    push    ebp
    mov     ebp, esp
    sub     esp, 3Ch
    push    edi
    push    esi
    push    ebx
    call    sub_111638

Code:
    sub_111638 proc near
    mov     ebx, [esp+0]
    retn
    sub_111638 endp
And there is one different per function despite doing the same.

I guess I just have to discard them but what is the explanation for this?
atom0s
Senior Member
Join Date: Jul 2009
04-20-2010, 18:11   Re: Idea to find functions in memory   (post #15)

The function they are using could be compiled as an inline function and is forced to be reused anywhere it's called.
pRED*
Join Date: Dec 2006
04-20-2010, 19:11   Re: Idea to find functions in memory   (post #16)

joaquimandrade: This is part of the -fPIC compile flag Valve uses on its Linux builds.

Don't get me started on this.

Anyway, that function uses a sneaky assembly hack to retrieve the current program counter value and stores it into the EBX register (calls the dummy function and reads the return address off the stack).

The code then adds a fixed offset to EBP (the distance from the current location to the global offset table) and then uses this register for all global value lookups.

It's an alternative to using load time relocation. Why you'd want to occupy a general purpose register and impose a runtime overhead is beyond me.
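The check joaquimandrade is after in post #14, written against pRED*'s explanation in post #16, as an added example that is not code from the thread or from libdisasm: given the offset of an E8 call, decide whether its target is one of these get_pc thunks (so the call-tree builder can discard it) and, when it is, pull the GOT distance out of the `add ebx, imm32` that follows the call. The byte buffer is a constructed sample, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
/* Register a get_pc thunk (mov reg,[esp]; ret) writes, or -1 if the bytes at
 * `target` are not one.  Encodings: 8B 1C 24 C3 (ebx), 8B 0C 24 C3 (ecx),
 * 8B 14 24 C3 (edx); gcc picks the register per call site. */
int pc_thunk_reg(const uint8_t *buf, size_t len, size_t target)
{
    if (target + 4 > len || buf[target] != 0x8B || buf[target + 2] != 0x24 || buf[target + 3] != 0xC3)
        return -1;
    switch (buf[target + 1]) {
    case 0x1C: return 3; /* ebx */
    case 0x0C: return 1; /* ecx */
    case 0x14: return 2; /* edx */
    default:   return -1;
    }
}

/* Classify the E8 rel32 call at `call_off`: -1 = not a call, 0 = call to a real
 * function (keep it in the call tree), 1 = call to a get_pc thunk (discard).
 * For a thunk, if the instruction after the call is `81 C3 imm32`
 * (add ebx, imm32), *got_delta receives imm32: the fixed distance from the
 * call's return address to the GOT that the post above describes. */
int classify_call(const uint8_t *buf, size_t len, size_t call_off, uint32_t *got_delta)
{
    if (call_off + 5 > len || buf[call_off] != 0xE8) return -1;
    int32_t rel = (int32_t)((uint32_t)buf[call_off + 1] | (uint32_t)buf[call_off + 2] << 8 |
                            (uint32_t)buf[call_off + 3] << 16 | (uint32_t)buf[call_off + 4] << 24);
    size_t ret_addr = call_off + 5;            /* the value the thunk reads from [esp] */
    int64_t target = (int64_t)ret_addr + rel;
    if (target < 0 || pc_thunk_reg(buf, len, (size_t)target) < 0) return 0;
    if (got_delta) {
        *got_delta = 0;
        if (ret_addr + 6 <= len && buf[ret_addr] == 0x81 && buf[ret_addr + 1] == 0xC3)
            *got_delta = (uint32_t)buf[ret_addr + 2] | (uint32_t)buf[ret_addr + 3] << 8 |
                         (uint32_t)buf[ret_addr + 4] << 16 | (uint32_t)buf[ret_addr + 5] << 24;
    }
    return 1;
}

/* Constructed sample (not bytes from any real binary): a -fPIC prologue like the
 * dump in the thread, the thunk it calls, and a call to an ordinary function. */
const uint8_t SAMPLE[] = {
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x3C, 0x57, /* 0x00: push ebp; mov ebp,esp; sub esp,3Ch; push edi */
    0xE8, 0x06, 0x00, 0x00, 0x00,             /* 0x07: call 0x12 (the thunk) */
    0x81, 0xC3, 0x34, 0x12, 0x00, 0x00,       /* 0x0C: add ebx, 0x1234 (GOT delta) */
    0x8B, 0x1C, 0x24, 0xC3,                   /* 0x12: mov ebx,[esp]; ret */
    0xE8, 0x00, 0x00, 0x00, 0x00,             /* 0x16: call 0x1B (a normal function) */
    0x55, 0x89, 0xE5, 0xC3                    /* 0x1B: push ebp; mov ebp,esp; ret */
};
```

With the image base added to `ret_addr + got_delta` you get the absolute GOT address the function will index through ebx, which is why a plain caller/callee tree should not treat the thunk as a callee.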