It so happens that from time to time I amuse myself by analyzing MMO game clients, either to write various utilities or to find out how certain game mechanics work. Most of the information comes from analyzing the client in IDA Pro or OllyDbg.
Since I don't have much experience with this, I usually pick a well-known function, write a DLL that hooks it, and analyze the function arguments captured during the hook.
Unfortunately, even IDA is not perfect: recovering function arguments that match reality is often a problem (the simplest example is Lua functions, where IDA types lua_State as an int). And as the analysis of the client progresses, the DLL becomes cluttered with an indecent number of functions, their declarations and definitions, and other such things. The result is kilometres of code.
But the desire for beauty lives in most of us, so there is an urge to somehow "compact" this code and make it more readable. For example, when writing a DLL I like to use macros and regions, and to reduce the number of functions of the same type where possible.
Not long ago I had the idea of squeezing the code even further by compressing the declaration and definition of the function, the variables and the rest into one macro. Ideally, it should dump the argument list of the hooked function to a file. So far I have written a relatively universal hook for __cdecl functions (since my knowledge in this area is not deep, I can only assume it works properly on Windows x86; there may be other restrictions). For hooking I usually use Detours x86, sometimes a simple analogue.
Here is the code:
/* debug_msg(file, flag, fmt, ...) is the author's own logging helper, declared elsewhere in the DLL; here it appends to Advanced.txt. */
#define cdecl_hook(name1)\
void name1##_hook(int a1, ...)\
{\
    int check_s = 0;\
    __asm{mov check_s, esp}                 /* remember esp so the re-pushed args can be dropped afterwards */\
    int *ptr = &a1;                         /* __cdecl: the caller's args lie contiguously on the stack starting at a1 */\
    debug_msg("Advanced", true, "--%s arg list started--", __FUNCTION__);\
    for(int i = 0; i*4 < name1##_arg_amount; i++)\
    {\
        debug_msg("Advanced", true, " |---Element %d: %d", i, ptr[i]);\
    }\
    /* Arg list -> file (Advanced.txt) */\
    debug_msg("Advanced", true, "--arg list finished--\n");\
    __asm{lea ecx, a1}                      /* ecx = address of a1 */\
    __asm{mov eax, name1##_arg_amount}      /* eax = size of the args on the stack (can be taken from IDA, for example) */\
    __asm{label_loop: }                     /* start loop: re-push the args in reverse order */\
    __asm{mov ebx, dword ptr[ecx+eax-4]}    /* copy one arg from the stack into ebx and push it */\
    __asm{push ebx}\
    __asm{sub eax, 4}\
    __asm{cmp eax, 0}\
    __asm{jg label_loop}\
    __asm{call dword ptr[name1##_Detour]}   /* call the original function */\
    __asm{mov esp, check_s}                 /* restore the stack, same as __asm{add esp, name1##_arg_amount} */\
}

#define RF_O_UP_FUNC(name1, address, args)\
typedef void (*t##name1)();                     /* pointer type for the original function */\
t##name1 name1##_Detour = (t##name1)(address);  /* DetourAttach later redirects this pointer to the trampoline */\
void name1##_hook(int a1, ...);\
int name1##_arg_amount = args;                  /* size of the arguments on the stack, in bytes */\
cdecl_hook(name1)
And here is an example of declaring all of this:
RF_O_UP_FUNC(resources, 0x687054, 0x4C);
RF_O_UP_FUNC(hooker, 0x17E4D18, 7);
RF_O_UP_FUNC(begin, 0x689BA0, 5);
So with one line we declare the hook function, specify which function (by address) we want to hook, and on every call we get a list of its arguments (in this example all arguments are written to the file as int; you can add the format to the macro).
Then everything is simple: if we use Detours, attaching looks something like this:
DetourAttach(&(PVOID&)resources_Detour, resources_hook);
The rest, in principle, does not need explanation.
Example output of the argument dump:
--resources_hook arg list started--
 |---Element 0: 204181
 |---Element 1: 204181
 |---Element 2: 1277574
 |---Element 3: 1363294854
 |---Element 4: 1
 |---Element 5: 0
 |---Element 6: 0
 |---Element 7: 0
 |---Element 8: 0
 |---Element 9: 0
 |---Element 10: 0
 |---Element 11: 0
 |---Element 12: 0
 |---Element 13: 0
 |---Element 14: 0
 |---Element 15: 0
 |---Element 16: 1
 |---Element 17: 100
 |---Element 18: 1
--arg list finished--
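As an added example (not part of the original post), a small Python post-processor for the Advanced.txt dump above: it checks that a value meant for the args parameter of RF_O_UP_FUNC is a multiple of 4 before it is used (the asm loop re-pushes 4 bytes per step), groups the dumped lines into per-hook records, and shows each %d-printed slot as unsigned, hex and float, since the macro logs every slot as a plain int. The log sample is constructed.

```python
import re
import struct

# Constructed sample in the format the page's cdecl_hook macro writes to
# Advanced.txt (the page shows a real record run together on one line).
SAMPLE_DUMP = """\
--resources_hook arg list started--
 |---Element 0: 204181
 |---Element 1: 1277574
 |---Element 2: 1363294854
 |---Element 3: -1
--arg list finished--
"""
START = re.compile(r"^--(\w+) arg list started--$")
ELEM = re.compile(r"^\s*\|---Element (\d+): (-?\d+)$")
END = re.compile(r"^--arg list finished--$")

def slot_count(arg_bytes):
    """4-byte slots the macro prints and re-pushes for name##_arg_amount.
    The asm loop steps by 4, so a size that is not a multiple of 4 would
    re-push misaligned stack bytes: reject such a value before hooking."""
    if arg_bytes <= 0 or arg_bytes % 4:
        raise ValueError(f"arg_amount {arg_bytes} is not a multiple of 4")
    return arg_bytes // 4

def parse_dump(text):
    """Group the log lines into (hook_name, [signed ints]) records."""
    records, name, values = [], None, None
    for line in text.splitlines():
        if m := START.match(line):
            name, values = m.group(1), []
        elif m := ELEM.match(line):
            if values is None:
                raise ValueError("Element line outside a record")
            values.append(int(m.group(2)))  # %d output: signed 32-bit
        elif END.match(line) and values is not None:
            records.append((name, values))
            name, values = None, None
    return records

def describe_arg(value):
    """One %d-printed slot as the views an analyst needs: unsigned,
    hex (pointer/flag spotting) and the float encoded by the same bytes."""
    raw = struct.pack("<i", value)  # the 4 stack bytes the macro printed
    u32, = struct.unpack("<I", raw)
    f32, = struct.unpack("<f", raw)
    return {"signed": value, "unsigned": u32, "hex": f"0x{u32:08X}", "float": f32}
```

Feed the real Advanced.txt to parse_dump and run describe_arg over each record; slots that show up as module-range addresses in hex or as plausible floats are the ones worth typing by hand in IDA.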
So, with the help of a couple of small macros, we managed to compact the code considerably.
Disadvantages:
1) It currently does not work with __stdcall, __thiscall and other calling conventions. I would welcome help or advice on this.
2) As I already mentioned, I have little experience in this area, so there may well be pitfalls I did not take into account; please don't judge too harshly.
3) I did not find any analogues, but that does not mean there are no better approaches or that the current one cannot be optimized. Comments on this are also welcome.
Thank you for your attention!