wacked
/
x64hook
Segui 1
Vota 0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 0 Wiki Attività
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commit
1 Ramo (Branch)
Albero (Tree): 37db06f918
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '37db06f918'
${ noResults }
x64hook/readme.md

readme.md 2.2KB
Originale Normal View Cronologia

readme & issues
5 anni fa
 123456789101112131415161718192021222324252627282930313233343536 
  1. x64hook is a hooking library for x64 code that aims to be able to patch everything!

  2. 

  3. The general problems with hooking general functions are:

  4. 1) The code to be overwritten with the jump to your code has relative jumps (forward) or calls.

  5.    Those need to be fixed in the trampoline. As the trampoline is probably out of reach for 32bit

  6.    jumps all the fixed jumps need to be x64 RIP relative jumps.

  7. 

  8.    Conditional jumps are also handled - there are no jcc rel64 instructions though.

  9.    That means that the condition is inverted as to jump, over the fixup code, further

  10.    in the trampoline. The fixup code then is a unconditional 64bit jump.

  11. 

  12. 2) The functions loops back into the code that has to be overwritten - that happens for functions

  13.    with a loop (duh!) but also in case of tail-recursion optimization.

  14. 

  15.    Currently hooking such functions is not supported and in fact this is not even detected.

  16.    Detection: Search for the end of the function (which has its own problems), keep track of all jumps into the

  17.    first few bytes.

  18. 

  19. 3) Other threads might try to execute the code as it is overwritten - if that happens shit hits the fan

  20.    and the normal working of the application *will* be disrupted.

  21.    There are two methods of overcoming that problem:

  22.    a) "The stop-the-world approach" stops all threads to hinder them from executing.

  23.       That makes the hooking time intensive and easily detectable.

  24.    b) Writing all the problematic modifications atomically. That's not doable for > 8bytes.

  25.       How is that write reflected in the instruction cache?

  26.       Instruction fetches follow a different memory model (no lock/unlock & µOp Caches)

  27.    c) The approach described in "Living on the edge: Rapid-toggline probes with cross modification on x86"

  28.       Firstly writing a INT3 to the code which lets all other threads who execute that code jump into an newly

  29.       installed execution handler with a spin loop until the hooking is done - i.e. execution can be safely

  30.       resumed.

  31.       Then the code is overwritten atomically with respect to cache lines.

  32.       Lastly the exception handler is deactived.

  33. 

  34. 

  35. As this is a x64 hooking library running on x64 the overwritten code is fairly long, making the occurence of

  36. the problems detailed above very likely.