Posted: Sun Jun 21, 2020 6:17 pm Post subject: Dynamic function argument counting
Hey everyone,
I'm working on a project at the moment and I'm trying to figure out the best way to dynamically learn the number of arguments that a particular function takes with respect to x86 32-bit processes.
This project attaches to a process and hooks a particular set of functions so it can run some code before jumping back to the original function. As a note these functions are all thiscalls.
I've had a few ideas so far, but none of these are particularly reliable without a slew of hard-coded conditions. My ideas so far:
-Read the stack for pointers to executable code. Doesn't really help to guess the argument count though because of local variables on the stack in the calling function.
-Scan the original function for ret instructions (c2 / c3).
---If C2, check the following byte to grab the argument count and ensure the following byte is 00 (no functions I've seen should have more than 63 arguments so that 2nd following byte should be 00).
---If C3, check for a preceding pop ebp, or an 0xCC after the instruction so that the scan doesn't return incorrect results if C3 constitutes an operand of some unrelated instruction. Wouldn't catch inlined functions though, or functions that don't have unused memory between themselves and the next.
Does anyone know of any nice tricks to get the argument count of a function?
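The two ret-scanning heuristics from the post, written out as a small linear byte scanner over constructed x86-32 function bytes. This is an added example, not code from the poster or from any project; the sample byte strings, the `RetHit` type and the function names are my own. It also shows the caveat the post raises: a plain byte scan has no instruction boundaries, so a `C2 xx 00` pattern that sits inside an immediate operand is accepted just like a real `ret imm16`, which is why `guess_stack_args` refuses to answer when the accepted rets disagree.

```python
"""Heuristic ret scanner for x86-32 callee-cleanup functions (added example).

Heuristics, as described in the post:
  * C2 imm16 (ret imm16): the callee pops imm16 bytes of arguments; on
    x86-32 that is imm16 // 4 stack arguments.  The high byte must be 00.
  * C3 (ret): trusted only when preceded by 'pop ebp' (5D) or followed by
    an int3 pad byte (CC), to reject a C3 that is really part of an operand.
Assumption: thiscall/stdcall, so a plain ret means zero stack arguments
('this' travels in ecx and is not counted).  For cdecl a plain ret says nothing.
"""
from dataclasses import dataclass
from typing import List, Optional

RET_IMM16 = 0xC2
RET = 0xC3
POP_EBP = 0x5D
INT3 = 0xCC


@dataclass
class RetHit:
    offset: int        # byte offset of the ret opcode inside the scanned bytes
    kind: str          # "ret_imm16" or "ret"
    stack_bytes: int   # bytes the callee pops on return
    stack_args: int    # stack_bytes // 4 (x86-32 slots)


def scan_rets(code: bytes) -> List[RetHit]:
    """Linear byte scan (no disassembly) applying the two heuristics."""
    hits: List[RetHit] = []
    for i, b in enumerate(code):
        if b == RET_IMM16 and i + 2 < len(code):
            lo, hi = code[i + 1], code[i + 2]
            # high byte must be 00 and the count must be whole 4-byte slots
            if hi == 0x00 and lo % 4 == 0:
                hits.append(RetHit(i, "ret_imm16", lo, lo // 4))
        elif b == RET:
            prev_is_pop_ebp = i > 0 and code[i - 1] == POP_EBP
            next_is_int3 = i + 1 < len(code) and code[i + 1] == INT3
            if prev_is_pop_ebp or next_is_int3:
                hits.append(RetHit(i, "ret", 0, 0))
    return hits


def guess_stack_args(code: bytes) -> Optional[int]:
    """Stack-argument count if every accepted ret agrees, otherwise None."""
    counts = {h.stack_args for h in scan_rets(code)}
    return counts.pop() if len(counts) == 1 else None


# --- constructed sample functions (hand-assembled, not from a real binary) ---

# push ebp / mov ebp,esp / mov eax,[ebp+8] / add eax,[ebp+0Ch] / pop ebp /
# ret 8 / int3 int3   -> a thiscall with two stack arguments
SAMPLE_THISCALL_TWO_ARGS = bytes.fromhex("55 8B EC 8B 45 08 03 45 0C 5D C2 08 00 CC CC")

# push ebp / mov ebp,esp / mov eax,0C3h / pop ebp / ret / int3
# The C3 inside the immediate is neither after 5D nor before CC, so it is rejected.
SAMPLE_RET_IN_IMMEDIATE = bytes.fromhex("55 8B EC B8 C3 00 00 00 5D C3 CC")

# push ebp / mov ebp,esp / mov eax,8C2h / pop ebp / ret / int3
# The immediate contains "C2 08 00", which the scan cannot tell from 'ret 8'.
SAMPLE_AMBIGUOUS = bytes.fromhex("55 8B EC B8 C2 08 00 00 5D C3 CC")


if __name__ == "__main__":
    for name, code in [("thiscall(2 args)", SAMPLE_THISCALL_TWO_ARGS),
                       ("ret in immediate", SAMPLE_RET_IN_IMMEDIATE),
                       ("ambiguous", SAMPLE_AMBIGUOUS)]:
        print(name, scan_rets(code), "->", guess_stack_args(code))
```

The third sample is the failure mode the post worries about: one byte sequence inside an operand satisfies the `C2 xx 00` test, so two "rets" report different counts and the guess is withdrawn rather than returned wrong. A real decoder that walks instruction boundaries (or a disassembler plus a human, as the follow-up post settles on) is what removes that ambiguity.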
Thanks for your reply. I didn't consider that option. It does look like it's going to be a matter of trial and error and would never be 100% reliable if I were to try and implement it.
I think what I'll do instead is use a 3rd party disassembler to display the function, so its argument count can be determined with a human set of eyes, rather than trying to code it for automatic discovery.