
mhook can't hook _loop ;)

master
aaaaaa aaaaaaa 6 年前
父节点
当前提交
bce85be82e
共有 2 个文件被更改,包括 33 次插入2 次删除
  1. +31
    -0
      mhook.txt
  2. +2
    -2
      tester/mhook.cpp

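--- a/mhook.txt
+++ b/mhook.txt
@@ -0,0 +1,31 @@
+_loop original:
+00007FFF7CAE978C | 48 89 C8 | mov rax,rcx |
+00007FFF7CAE978F | 48 F7 E1 | mul rcx |
+00007FFF7CAE9792 | 90 | nop |
+00007FFF7CAE9793 | 90 | nop |
+00007FFF7CAE9794 | 90 | nop |
+00007FFF7CAE9795 | E2 F8 | loop test_cases.7FFF7CAE978F |
+00007FFF7CAE9797 | C3 | ret |
+
+_loop hooked:
+00007FFF7CAE978C | E9 0F 69 23 00 | jmp <MHook_Hooks::hookLoop> |
+00007FFF7CAE9791 | E1 90 | loope test_cases.7FFF7CAE9723 |
+00007FFF7CAE9793 | 90 | nop |
+00007FFF7CAE9794 | 90 | nop |
+00007FFF7CAE9795 | E2 F8 | loop test_cases.7FFF7CAE978F |
+00007FFF7CAE9797 | C3 | ret |
+
+trampoline:
+00007FFF7CD200C0 | 48 89 C8 | mov rax,rcx |
+00007FFF7CD200C3 | 48 F7 E1 | mul rcx |
+00007FFF7CD200C6 | E9 C7 96 DC FF | jmp test_cases.7FFF7CAE9792 |
+
+then executes:
+00007FFF7CAE9792 | 90 | nop |
+00007FFF7CAE9793 | 90 | nop |
+00007FFF7CAE9794 | 90 | nop |
+00007FFF7CAE9795 | E2 F8 | loop test_cases.7FFF7CAE978F |
+
+But that jumps back into the middle of the jump and thus executes:
+00007FFF7CAE978F | 23 00 | and eax,dword ptr ds:[rax] |
+00007FFF7CAE9791 | E1 90 | loope test_cases.7FFF7CAE9723 |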

+ 2
- 2
tester/mhook.cpp 查看文件

@@ -69,7 +69,7 @@ bool MHook::hook_all(void) {
ret |= Mhook_SetHook((PVOID*)&trueAVX, &MHook_Hooks::hookAVX);
ret |= Mhook_SetHook((PVOID*)&trueRDRAND, &MHook_Hooks::hookRDRAND);

ret |= Mhook_SetHook((PVOID*)&trueLoop, &MHook_Hooks::hookLoop);
//ret |= Mhook_SetHook((PVOID*)&trueLoop, &MHook_Hooks::hookLoop);
ret |= Mhook_SetHook((PVOID*)&trueTailRecursion, &MHook_Hooks::hookTail_recursion);

return ret;
@@ -80,6 +80,6 @@ bool MHook::unhook_all() {
Mhook_Unhook((PVOID*)&trueBranch) &&
Mhook_Unhook((PVOID*)&trueAVX) &&
Mhook_Unhook((PVOID*)&trueRDRAND) &&
Mhook_Unhook((PVOID*)&trueLoop) &&
//Mhook_Unhook((PVOID*)&trueLoop) &&
Mhook_Unhook((PVOID*)&trueTailRecursion);
}
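Review bot: The commented-out `Mhook_SetHook` call for `trueLoop` in hook_all carries no reason for being disabled, so a later reader can simply uncomment it and reintroduce the mid-instruction landing documented in mhook.txt; replace the dead line with a comment that states the cause, e.g. `// _loop deliberately not hooked: the 5-byte jmp written at its entry overlaps the target of the function's own 'loop' back-branch (see mhook.txt)`. The same applies to the matching commented-out `Mhook_Unhook` line in unhook_all. Both enclosing functions begin before their hunks (the `hook_all` and `unhook_all` signatures appear only in the @@ context), so the accumulation of `ret` and the return of unhook_all's `&&` chain cannot be checked here. Keeping the hook and unhook lists in step by hand is also fragile; a single table of (target, hook) pairs iterated by both functions would prevent the two from drifting apart, though that is outside this change.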
