
[EXTENSION] Midhooks


Dragokas
Veteran Member
Join Date: Nov 2017
Location: Ukraine on fire
Old 11-23-2024 , 09:33   Re: [EXTENSION] Midhooks

Scag, cool!
I did the same midhook without an extension, using SM Memory Extended, example.
However, I didn't put in the effort to provide a usage example with the new opcode length disassembler to make it as convenient as your API. Technically, it does the same thing.
Nice work!

Quote:
Originally Posted by blueblur
Hi, just one more question I've been wondering about these days: can I detour and midhook the same function at the same time? (I guess probably not?)

Unless you (for some reason?) try to detour/midhook the same range of addresses (a detour uses E9, the first 5 bytes from the function EP) and then unhook them NOT in reverse order, everything will be OK.
__________________
Expert of CMD/VBS/VB6. Malware analyst. L4D fun (Bloody Witch & FreeZone)

Last edited by Dragokas; 11-23-2024 at 09:34.
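
The unhook-order point in the post above, modelled on a plain byte buffer. This is an added example, not code from the thread or from the Midhooks extension; it assumes each hook saves the 5 bytes it overwrites at install time and writes them back on removal, and `patch_t`, `patch_install`, `patch_remove` and the function bytes are hypothetical/constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATCH_LEN 5   /* E9 + rel32, the detour size mentioned in the post */

/* Hypothetical patch record: where it was written and what it overwrote. */
typedef struct { uint8_t *at; uint8_t saved[PATCH_LEN]; } patch_t;

/* Save the bytes currently at `at`, then write a jmp rel32 placeholder. */
static void patch_install(patch_t *p, uint8_t *at, uint8_t tag)
{
    p->at = at;
    memcpy(p->saved, at, PATCH_LEN);
    at[0] = 0xE9;
    memset(at + 1, tag, PATCH_LEN - 1);   /* tag stands in for the rel32 */
}

/* Put back whatever this patch saved at install time. */
static void patch_remove(const patch_t *p)
{
    memcpy(p->at, p->saved, PATCH_LEN);
}

/* Constructed bytes: push ebp; mov ebp,esp; sub esp,18h; push ebx; push esi */
static const uint8_t ORIGINAL[8] = {0x55, 0x89, 0xE5, 0x83, 0xEC, 0x18, 0x53, 0x56};

/* Install a detour at +0 and a midhook at +3 (overlapping ranges), remove
 * them in the given order, and report whether the original bytes are back. */
static int restored_after(int reverse_order)
{
    uint8_t code[8];
    patch_t detour, midhook;
    memcpy(code, ORIGINAL, sizeof code);
    patch_install(&detour,  code,     0xAA);
    patch_install(&midhook, code + 3, 0xBB);  /* saves 2 bytes of the detour's jmp */

    if (reverse_order) { patch_remove(&midhook); patch_remove(&detour); }
    else               { patch_remove(&detour);  patch_remove(&midhook); }
    return memcmp(code, ORIGINAL, sizeof code) == 0;
}

int main(void)
{
    printf("reverse order restored: %d\n", restored_after(1));
    printf("install order restored: %d\n", restored_after(0));
    return 0;
}
```

Removing the detour first leaves the midhook's saved copy of the detour's jump bytes to be written back over the restored prologue, so offsets +3 and +4 end up stale.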
Vit_amin
Senior Member
Join Date: Dec 2015
Location: Russian Federation
Old 12-01-2024 , 17:38   Re: [EXTENSION] Midhooks

MidHookRegisters.Store doesn't work. I have this code:

Code:
				mprotect(pBase, iSize);
				fill_nop(pBase, iSize);
				new MidHook(pBase, MidHookCB_IsVisible);
...
static stock void MidHookCB_IsVisible(MidHookRegisters hRegs)
{
	hRegs.Store(DHookRegister_ESP, MASK_VISIBLE_AND_NPCS, 0x08);
}
NOPing this part of the code:
Code:
C7 44 24 08 81 60 00 02                       mov     dword ptr [esp+8], 2006081h
So, the detour now:
Code:
   0xf26013c6 <+694>:   e9 09 48 8f fb          jmp    0xedef5bd4
   0xf26013cb <+699>:   90                      nop
   0xf26013cc <+700>:   90                      nop
   0xf26013cd <+701>:   90                      nop
But when I try to check esp+0x08 (using GDB):
Code:
x/wx $esp + 0x08
0xffff9198:     0x00000000
Via push ****
And setting the register value is in good working order, example:
Code:
...
				mprotect(pBase, iSize);
				fill_nop(pBase, iSize);
				StoreToAddress(pBase, 0x57, NumberType_Int8);	// push edi

				new MidHook(pBase, MidHookCB_IsVisible);
			}
		}
	}
}

static stock void MidHookCB_IsVisible(MidHookRegisters hRegs)
{
	hRegs.Set(DHookRegister_EDI, MASK_VISIBLE_AND_NPCS);
}

Last edited by Vit_amin; 12-01-2024 at 17:40.