dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Tue Jan 06, 2009 6:40 pm Post subject: [Help] How do you get the ret address from a function?
When you call a function you use "call address", and it pushes EIP onto the stack or something, so when you use ret it pops that off the stack and jumps back there.
Am I right...?
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Tue Jan 06, 2009 7:36 pm Post subject:
Yes.
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Tue Jan 06, 2009 7:39 pm Post subject:
What part of the stack is that EIP in? Because I see a push ebp and mov ebp,esp, I think that the EIP is stored in ebp, but when I try it, it doesn't return to the function that called it.
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Tue Jan 06, 2009 7:40 pm Post subject:
It's in [ESP] before the stack preservation header.
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Tue Jan 06, 2009 7:44 pm Post subject:
_void_ wrote:
http://msdn.microsoft.com/en-us/library/64ez38eh(VS.71).aspx

... I'm using Delphi...
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Wed Jan 07, 2009 7:44 pm Post subject:
The EIP is not pushed onto the stack when CALL is done; it is the address of the next instruction. So, assuming the function has an epilogue/preamble, that means [ebp] will have the old ebp because of the 'push ebp', and so the return address is at [ebp+4]. Just hook the function and do the preamble in your hook function, then read off [ebp+4] into eax, for example, and move that into a buffer. Inline asm for that.
It is possible to do it in a higher-level language as well, but it's a bit trickier.
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
Posted: Wed Jan 07, 2009 8:20 pm Post subject:
dnsi0 wrote:
_void_ wrote:
http://msdn.microsoft.com/en-us/library/64ez38eh(VS.71).aspx
... I'm using Delphi...

Lol, how am I supposed to know?
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Thu Jan 08, 2009 5:25 pm Post subject:
Slugsnack wrote:
The EIP is not pushed onto the stack when CALL is done; it is the address of the next instruction. So, assuming the function has an epilogue/preamble, that means [ebp] will have the old ebp because of the 'push ebp', and so the return address is at [ebp+4]. Just hook the function and do the preamble in your hook function, then read off [ebp+4] into eax, for example, and move that into a buffer. Inline asm for that.
It is possible to do it in a higher-level language as well, but it's a bit trickier.

I thought that all push did was push the value onto the stack, not destroy the value after it on the stack.
So do I really have to get the address before the push ebp / mov ebp,esp?
Wouldn't right after, where ebp is still intact, work too?
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Thu Jan 08, 2009 6:02 pm Post subject:
dnsi0 wrote:
Slugsnack wrote:
The EIP is not pushed onto the stack when CALL is done; it is the address of the next instruction. So, assuming the function has an epilogue/preamble, that means [ebp] will have the old ebp because of the 'push ebp', and so the return address is at [ebp+4]. Just hook the function and do the preamble in your hook function, then read off [ebp+4] into eax, for example, and move that into a buffer. Inline asm for that.
It is possible to do it in a higher-level language as well, but it's a bit trickier.

I thought that all push did was push the value onto the stack, not destroy the value after it on the stack.
So do I really have to get the address before the push ebp / mov ebp,esp?
Wouldn't right after, where ebp is still intact, work too?

You can get it anywhere. The retrieval offset will be different, however.
rapion124 Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Mar 2007 Posts: 1095
Posted: Thu Jan 08, 2009 6:22 pm Post subject:
It depends where you are hooking. If it's before the prologue, then it's [esp]. If it's after the prologue, then it's [ebp+4]. After that, it's function specific.
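The post-prologue case above ([ebp+4], one pointer-sized slot above the saved frame pointer) can be checked in a few lines of C. The block below is an added example written for this page, not code from any poster; it assumes GCC or Clang on x86, x86-64 or AArch64 (all three lay out the frame record as saved frame pointer followed by return address) and relies on the fact that using __builtin_frame_address(0) makes both compilers keep a frame pointer in that function. The names hooked_target, g_ret_via_frame and the two call-site functions are made up for the example. The pre-prologue [esp] read needs assembly at the hook entry and is not shown here.

```c
/* Added example: read a function's return address from its own stack frame
 * and compare it with the compiler's answer. Not code from the thread.
 * Assumes GCC/Clang; __builtin_frame_address(0) forces a frame pointer. */
#include <stdio.h>

/* Recorded on each call so the caller can inspect what the callee saw. */
static void *g_ret_via_frame;    /* read by hand from the frame: [ebp+4] / [rbp+8] */
static void *g_ret_via_builtin;  /* what the compiler reports as the return address */
static int g_result_a, g_result_b;

/* Stand-in for the hooked function (hypothetical name). noinline, otherwise
 * there is no CALL and therefore no return address of its own to read. */
__attribute__((noinline))
int hooked_target(int x)
{
    /* After push ebp / mov ebp,esp:  frame[0] = saved ebp, frame[1] = return
     * address. Indexing by pointer size makes the same line correct for
     * 32-bit ([ebp+4]) and 64-bit ([rbp+8]) frames. */
    void **frame = (void **)__builtin_frame_address(0);
    g_ret_via_frame   = frame[1];
    g_ret_via_builtin = __builtin_return_address(0);
    return x * 2;
}

/* Does the manual [ebp+4] read agree with __builtin_return_address(0)? */
int frame_slot_matches_builtin(void)
{
    (void)hooked_target(21);
    return g_ret_via_frame == g_ret_via_builtin;
}

/* Two different call sites, which is what a hook cares about: the return
 * address identifies the caller, so the two values must differ. Each site
 * writes a different global so the compiler cannot fold them into one. */
__attribute__((noinline))
void *return_address_from_site_a(void)
{
    g_result_a = hooked_target(1);
    return g_ret_via_frame;
}

__attribute__((noinline))
void *return_address_from_site_b(void)
{
    g_result_b = hooked_target(2);
    return g_ret_via_frame;
}

int main(void)
{
    printf("[ebp+4] matches __builtin_return_address(0): %s\n",
           frame_slot_matches_builtin() ? "yes" : "no");
    printf("return address seen from site A: %p\n", return_address_from_site_a());
    printf("return address seen from site B: %p\n", return_address_from_site_b());
    return 0;
}
```

Two caveats a hook author should keep in mind. If the target was built with frame-pointer omission (gcc -fomit-frame-pointer, MSVC /Oy), ebp is just another general-purpose register inside the function and [ebp+4] is whatever happens to be there; in that case only the entry-point [esp] read is reliable. And the return address is data on the caller's stack: on a corrupted or deliberately crafted stack it can point anywhere, so a hook that makes decisions based on it should at least check that it falls inside a loaded module's code before trusting it.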
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Thu Jan 08, 2009 6:47 pm Post subject:
rapion124 wrote:
It depends where you are hooking. If it's before the prologue, then it's [esp]. If it's after the prologue, then it's [ebp+4]. After that, it's function specific.

Thanks.
And yeah, it's right after the function.
So it's:
push ebp
mov ebp,esp
*code here*
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Fri Jan 09, 2009 9:53 am Post subject:
And if you hook at the return (so if you replaced the RETN with a JMP), then it's also [esp].
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Fri Jan 09, 2009 2:41 pm Post subject:
tombana wrote:
And if you hook at the return (so if you replaced the RETN with a JMP), then it's also [esp].

I don't think that works... You still have to pop all those values from the stack.
BanMe Master Cheater
Reputation: 0
Joined: 29 Nov 2005 Posts: 375 Location: Farmington NH, USA
Posted: Fri Jan 09, 2009 8:59 pm Post subject:
In a sense tombana is actually correct, for the most usual function flow goes like this:
Code:
mov edi,edi  \
push ebp      |-= Enter
mov ebp,esp  /
; here come the pushes to save certain regs
xyzrealcode
; here are the pops that restore registers
mov esp,ebp  \
              |-= Leave
pop ebp      /
ret/retn

By placing a hook in this classical-style function, the ret address should be [esp].

Also, hooking the preamble (designated by Enter up top), one could formulate code similar to hook hopping. Take OpenThreadToken as a somewhat conformant example...
Code:
MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
PUSH DWORD PTR SS:[EBP+14]
PUSH DWORD PTR SS:[EBP+10]
PUSH DWORD PTR SS:[EBP+0C]
PUSH DWORD PTR SS:[EBP+8]
CALL DWORD PTR DS:[<&ntdll.NtOpenThreadToken>]
TEST EAX,EAX
JGE SHORT ADVAPI32.77DD7B9F
PUSH EAX
CALL ADVAPI32.77DD6D24
XOR EAX,EAX
POP EBP
RETN 10
By writing a jmp hook over the first 5 bytes, one could have hook code that looks like this:
Code:
// Filled in by the code that installs the hook: original OpenThreadToken + 5,
// i.e. the first byte after the 5 bytes the JMP overwrote.
static void *g_OpenThreadTokenContinue;
static DWORD g_RetAddress;   // caller's return address captured by the hook

__declspec(naked) void Hk_OpenThreadToken()
{
    __asm
    {
        // Nothing has been pushed yet, so [esp] holds the return address.
        // x86 has no memory-to-memory mov and a naked function has no frame
        // for locals, so stage it through eax into a global instead.
        push eax
        mov eax, [esp + 4]          // the original [esp], now one slot up
        mov g_RetAddress, eax
        pop eax
        // Replay the 5 bytes the JMP overwrote, then resume the original.
        mov edi, edi
        push ebp
        mov ebp, esp
        jmp dword ptr [g_OpenThreadTokenContinue]
    }
}
Now, getting this working in all cases shouldn't be too hard.. If anyone sees any mistakes in my code, I implore you to point them out..
As always, regards, BanMe