661089799107 Expert Cheater
Reputation: 3
Joined: 25 Jan 2009 Posts: 186
Posted: Thu Sep 22, 2011 3:43 am Post subject: [C++] 64 bit winapi hooking |
I'm trying to hook connect in WS2_32.dll.
I can't really try much, because I don't have x64.
On x64 the function looks like this:
Code: |
connect - FF F3 - push ebx
connect+2 - 56 - push rsi
connect+3 - 41 54 - push r12
connect+5 - 41 55 - push r13
connect+7 - 48 83 EC 58 - sub rsp,58
|
I'm trying to replace the first 5 bytes of the function, as I do on x86, which works fine.
Here is my hook function (the JMP to my function is wrong for some reason):
Code: |
// src = 7FEFDA64F60 (WS2_32.connect)
// dst = 7FEEC164D00 (My function)
// len = 5
// dst-src-5 = -0x11900265
void* set64Hook(BYTE *src, const BYTE *dst, int len) {
BYTE *jmp = (BYTE*)malloc(len+5);
DWORD oldProtect;
VirtualProtect(src, len, PAGE_READWRITE, &oldProtect);
memcpy(jmp, src, len);
jmp += len;
jmp[0] = 0xE9;
*(DWORD64*)(jmp+1) = (DWORD64)(src+len - jmp) - 5;
src[0] = 0xE9;
*(DWORD64*)(src+1) = (DWORD64)(dst - src) - 5;
VirtualProtect(src, len, oldProtect, &oldProtect);
return (jmp-len);
}
|
After the opcodes are replaced it looks like:
Code: |
connect - E9 95FD6FEE - jmp 7FEEC164D00
connect+5 - FF - db FF
connect+6 - FF - db FF
connect+7 - FF - db FF
connect+8 - FF EC - jmp far esp
connect+A - 58 - pop rax
|
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25802 Location: The netherlands
Posted: Thu Sep 22, 2011 6:40 am Post subject: |
An E9 jmp can only jump 32 bits.
Use an FF 25 jmp (relative to eip) and point it to an address to jump to (the address might even be directly after the jmp; just remember to store at least 14 bytes of the original function).
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Last edited by Dark Byte on Thu Sep 22, 2011 8:43 am; edited 1 time in total |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25802 Location: The netherlands
Posted: Thu Sep 22, 2011 8:43 am Post subject: |
If the jump isn't bigger than 32-bit (signed), then yes.
Allocate the jump target using VirtualAllocEx (with the preferred base address), but if you do generic DLL injection, you can't be sure. You can of course write a jump table using VirtualAllocEx which in turn jumps to your DLL.
Just make sure you use DWORD instead of DWORD64.
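A worked encoder for the two jump forms discussed in both replies above, added here as an example; it is not code from either poster. It takes the addresses from the first post (src 0x7FEFDA64F60, dst 0x7FEEC164D00) and the instruction lengths of the listed connect prologue, and shows three things: the E9 displacement is a signed 32-bit value that must be written as 4 bytes (not a DWORD64), the FF 25 00000000 + 8-byte-address form reaches any address in 14 bytes, and the bytes you save for the trampoline must end on an instruction boundary, so the 11 prologue bytes shown in the listing are not enough for a 14-byte patch. The Windows parts (VirtualProtect, VirtualAllocEx, writing into the target process) are left out so the encoding logic runs anywhere; the `stolen_length` helper and the assumption that the copied prologue holds no rip-relative operands or relative branches are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REL_JMP_LEN 5   /* E9 rel32 */
#define ABS_JMP_LEN 14  /* FF 25 00000000 followed by an 8-byte target */

/* An E9 displacement is a signed 32-bit value measured from the end of the
 * 5-byte instruction, so the target must lie within +/-2 GiB of src+5. */
static bool rel32_reachable(uint64_t src, uint64_t dst)
{
    int64_t disp = (int64_t)(dst - (src + REL_JMP_LEN));
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* E9 rel32: the displacement is written as 4 bytes. Writing it as a
 * DWORD64 would sign-extend into the 4 bytes that follow the jmp. */
static size_t encode_rel_jmp(uint8_t *out, uint64_t src, uint64_t dst)
{
    int32_t rel = (int32_t)(dst - (src + REL_JMP_LEN));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);   /* little-endian on x86-64 */
    return REL_JMP_LEN;
}

/* FF 25 disp32 is "jmp qword ptr [rip+disp32]". With disp32 = 0 the CPU
 * reads the 8-byte target from directly after the instruction, so the
 * 14 bytes are position-independent and reach any 64-bit address. */
static size_t encode_abs_jmp(uint8_t *out, uint64_t dst)
{
    static const uint8_t opcode[6] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
    memcpy(out, opcode, sizeof opcode);
    memcpy(out + sizeof opcode, &dst, sizeof dst);
    return ABS_JMP_LEN;
}

/* Use the 5-byte form when it reaches, otherwise the 14-byte form. */
static size_t encode_jmp(uint8_t *out, uint64_t src, uint64_t dst)
{
    return rel32_reachable(src, dst) ? encode_rel_jmp(out, src, dst)
                                     : encode_abs_jmp(out, dst);
}

/* The patch must end on an instruction boundary: the number of bytes to
 * save is the smallest run of whole instructions that is at least `need`
 * bytes long. Returns 0 when the known instructions do not cover `need`,
 * meaning more of the function must be disassembled before hooking. */
static size_t stolen_length(const size_t *insn_len, size_t n, size_t need)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += insn_len[i];
        if (total >= need)
            return total;
    }
    return 0;
}

/* Trampoline = saved prologue bytes + absolute jump back to src+stolen.
 * Assumption (not from the thread): the saved bytes contain no rip-relative
 * operands or relative branches; those would have to be re-encoded. */
static size_t build_trampoline(uint8_t *tramp, const uint8_t *prologue,
                               size_t stolen, uint64_t src)
{
    memcpy(tramp, prologue, stolen);
    return stolen + encode_abs_jmp(tramp + stolen, src + stolen);
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%-11s", label);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", p[i]);
    putchar('\n');
}

int main(void)
{
    const uint64_t src = 0x7FEFDA64F60ULL;   /* WS2_32.connect, from the post */
    const uint64_t dst = 0x7FEEC164D00ULL;   /* hook function, from the post */

    /* Lengths of the listed prologue: push rbx(2) push rsi(1) push r12(2)
     * push r13(2) sub rsp,58h(4); bytes copied from the listing. */
    const size_t insn_len[] = { 2, 1, 2, 2, 4 };
    const uint8_t prologue[] = { 0xFF, 0xF3, 0x56, 0x41, 0x54, 0x41, 0x55,
                                 0x48, 0x83, 0xEC, 0x58 };
    uint8_t patch[ABS_JMP_LEN], tramp[32];

    size_t plen = encode_jmp(patch, src, dst);
    hexdump("patch:", patch, plen);

    size_t stolen = stolen_length(insn_len, 5, plen);
    printf("bytes to save for a %zu-byte patch: %zu\n", plen, stolen);
    printf("bytes to save for a %d-byte patch: %zu (0 = listing too short)\n",
           ABS_JMP_LEN, stolen_length(insn_len, 5, ABS_JMP_LEN));

    if (stolen)
        hexdump("trampoline:", tramp, build_trampoline(tramp, prologue, stolen, src));
    return 0;
}
```

With the posted addresses the hook and its target are 0x11900260 bytes apart, so the E9 form reaches and the patch is exactly `E9 9B FD 6F EE`; the trampoline then saves the first three pushes (5 bytes) and jumps back to connect+5 with the 14-byte form, which is what makes the return path safe regardless of where the trampoline was allocated.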