detouring

Started by RedGhost, April 21, 2005, 12:45:58 PM


RedGhost

would anyone here happen to have any function detouring (hijacking, redirecting, patching, whatever you wanna call it) code in masm? i searched the forums and came up with nothing! in c++ i use matt pietreks code with getprocaddress, or i use microsoft detours.lib/.h or i use one of the many other detouring sources i have, but i have none for masm and am not at a stage where i could convert anything from c++ to masm! (one day hopefully  :eek)

my intent is not at all malicious, if anyone is thinking this  :naughty:

and i would not release any projects, be it in source or bin, without the original code author's consent so you dont have to worry about that
(well i cant say i had consent from matt pietrek but its pretty free/shared code)

naturally if you have a tutorial on this matter i would appreciate it even more  :clap:

pbrennick

RedGhost,
I think you better explain to me what your intent is because 'hijacking' is not something that is supported on this forum.  If I am not satisfied, this thread will be removed.

Paul

RedGhost

sure np, i want to take the function glEnable from a game, to enable drawing of custom text
and in fact i will need glViewport as well to draw on the 5th viewport, and to do some Key stuff (GetAsyncKeyState)

i think the hardest part is going to be sending messages to winamp to control it from in game, because the sdk is only a c++ header

pbrennick

Okay, if you have the SDK, anyhow, I guess this type of activity is allowed by that software.  Just be careful of your terms, please.  There are a lot of smart people here and if you generate some interest, you will get a lot of help.

Paul

RedGhost

Quote from: pbrennick on April 21, 2005, 03:30:10 PM
Okay, if you have the SDK, anyhow, I guess this type of activity is allowed by that software.  Just be careful of your terms, please.  There are a lot of smart people here and if you generate some interest, you will get a lot of help.

Paul


thanks a lot paul i appreciate it

Ghirai

If you want to "patch" some function, just inject a dll into that app's process space.

If you need to hook an API, IAT patching is fairly easy.
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

RedGhost

Quote from: Ghirai on April 21, 2005, 04:23:17 PM
If you want to "patch" some function, just inject a dll into that app's process space.

If you need to hook an API, IAT patching is fairly easy.

injecting into the process is already taken care of
i just writeprocessmemory/createremotethread with loadlibrary

but im no advanced programmer so detouring from scratch is a bit beyond me

thomasantony

hi,
   Find some empty space or add a new section into the file. Note the first 5 bytes of the API (or the first 3 or 4 instructions) and use VirtualProtect on that function address with PAGE_READWRITE. Use MOVs to put a jmp in place at the beginning of the function to your code. At the end of your code put in the first 5 bytes, or up to the next instruction boundary, and jump to the remaining part of the API.

Thomas :U
There are 10 types of people in the world. Those who understand binary and those who don't.



sluggy

Quote from: thomasantony on April 22, 2005, 01:36:11 AM
At the end of your code put in the first 5 bytes, or up to the next instruction boundary, and jump to the remaining part of the API.
And how do you tell reliably where the instruction boundaries are?

I am going to admit to a little ignorance here.... i downloaded Detours just after it got released, but have never taken the time to look it over thoroughly or have a play with it. My guess is that all the Win APIs start with the same sequence of instructions (maybe saving registers?), and that would be why Detours works so well. Can anyone confirm or correct this?

thomasantony

Hi,
   Open up your program in ollydebug or something. Go to the address of the API function you want to change. You need to modify at least 5 bytes, as a jump to your code will be 5 bytes. If the first 2 or three instructions don't end in 5 bytes, add a few NOPs after the JMP till the start of the next instruction, so that the rest of the code remains the same. So jump to your code. Do whatever you want. In the end put in the instructions you replaced and jmp to the rest of the API. You will have to use hex opcodes to code in these JMPs and NOPs programmatically. Use VirtualProtect with the no. of bytes you modified and modify the bytes with MOV. I don't know if you have to do this, but try to replace the original code of the API at the end of your code instead of imitating the replaced instructions. Hope I have made myself clear!

Thomas :U

sluggy

I don't know if you were replying to me then or just giving a general "how to"; in any case i already knew *how* to do it, i just had questions on some of the finer details.
For instance, to determine where instruction boundaries are, do you pack a table into your data section that has a list of opcodes and their length? Or is there some clever way of doing it that i am not aware of?
And i could organise my lazy ass (:clap:) to answer the other question, which was do all/most of the Win Apis start with the same sequence of instructions.

P1

Quote from: RedGhost on April 21, 2005, 12:45:58 PM
my intent is not at all malicious, if anyone is thinking this  :naughty:
Then name the game.   Because I detest when you say it's OK, and we find out later, by reading the EULA ourselves, that you took some liberties that were not permitted by DMCA ( Canada did sign that treaty!! ).

I am going to lock the thread, if I don't get an appropriate answer.

Some EULA do not permit modifications of any kind.  BTW, you may have meant detour=hooking.

Regards,  P1  :8)

RedGhost

Quote from: P1 on April 22, 2005, 02:02:17 PM
Quote from: RedGhost on April 21, 2005, 12:45:58 PM
my intent is not at all malicious, if anyone is thinking this  :naughty:
Then name the game.   Because I detest when you say it's OK, and we find out later, by reading the EULA ourselves, that you took some liberties that were not permitted by DMCA ( Canada did sign that treaty!! ).

I am going to lock the thread, if I don't get an appropriate answer.

Some EULA do not permit modifications of any kind.  BTW, you may have meant detour=hooking.

Regards,  P1  :8)

it's not really game specific, for the many opengl games i play, cs, cod, dod, etc
primarily the quake3 and half-life engines (im scared of change ><)

and i am sorry but i do not know what the DMCA is

also if you want i can take an ingame screenshot, as stated before i have done this in c++

you take glEnable and glViewport

draw your text in glEnable, a simple menu, or just the winamp track title
then you use GetAsyncKeyState in glViewport and have certain key presses send certain commands to winamp, for play, pause, next track, etc

thomasantony

Hi,
  I think almost all API calls start with:

push ebp          ; 1 byte
mov ebp,esp       ; 2 bytes
add esp,XXXXXXXX  ; some 6 bytes?

The last one can also be a sub instruction but no change in size.

Thomas :U
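A defender's-eye check of the 5-byte JMP patch Thomas describes above (E9 rel32 written over the prologue, NOPs up to the next instruction boundary), as an added example that is not code from this thread: given a function's live first bytes and a known-good copy, it reports whether they were replaced by a detour and where that detour lands. The function address, module range and all byte samples are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Verdict for the first bytes of a 32-bit x86 function. */
enum prologue_state {
    PROLOGUE_TOO_SHORT = -1,   /* fewer than 5 bytes supplied */
    PROLOGUE_CLEAN = 0,        /* live bytes match the known-good copy */
    PROLOGUE_JMP_INTERNAL = 1, /* E9 rel32 whose target is inside the module */
    PROLOGUE_JMP_EXTERNAL = 2, /* E9 rel32 whose target is outside the module */
    PROLOGUE_MODIFIED = 3      /* altered some other way (INT3, other opcode) */
};

/* Compare `len` live bytes at func_addr with a known-good copy (e.g. taken
 * from the on-disk image). If the function now starts with a 5-byte JMP,
 * resolve its target: rel32 is relative to the next instruction, func_addr+5. */
enum prologue_state classify_prologue(uint32_t func_addr, const uint8_t *live,
                                      const uint8_t *clean, size_t len,
                                      uint32_t mod_base, uint32_t mod_size,
                                      uint32_t *target_out)
{
    if (len < 5)
        return PROLOGUE_TOO_SHORT;
    if (memcmp(live, clean, len) == 0)
        return PROLOGUE_CLEAN;
    if (live[0] != 0xE9)
        return PROLOGUE_MODIFIED;
    int32_t rel;
    memcpy(&rel, live + 1, sizeof rel);                /* little-endian rel32 */
    uint32_t target = func_addr + 5u + (uint32_t)rel;
    if (target_out)
        *target_out = target;
    /* unsigned subtraction wraps, so one comparison also covers "below base" */
    return (target - mod_base) < mod_size ? PROLOGUE_JMP_INTERNAL
                                          : PROLOGUE_JMP_EXTERNAL;
}

/* Constructed samples. Assumed layout: function at 0x7C801234 inside a module
 * spanning [0x7C800000, 0x7C900000). The clean prologue is the 1+2+6 byte
 * shape from the thread: push ebp / mov ebp,esp / sub esp,40h. */
#define FUNC_ADDR 0x7C801234u
#define MOD_BASE  0x7C800000u
#define MOD_SIZE  0x00100000u
const uint8_t SAMPLE_CLEAN[9]    = {0x55,0x8B,0xEC,0x81,0xEC,0x40,0x00,0x00,0x00};
/* E9 rel32 to 0x10001000 over the first 5 bytes, NOPs up to the next boundary */
const uint8_t SAMPLE_EXTERNAL[9] = {0xE9,0xC7,0xFD,0x7F,0x93,0x90,0x90,0x90,0x90};
/* E9 rel32 to 0x7C805000, which is still inside the module */
const uint8_t SAMPLE_INTERNAL[9] = {0xE9,0xC7,0x3D,0x00,0x00,0x90,0x90,0x90,0x90};
/* first byte overwritten with INT3 (0xCC), as a software breakpoint does */
const uint8_t SAMPLE_INT3[9]     = {0xCC,0x8B,0xEC,0x81,0xEC,0x40,0x00,0x00,0x00};
```

A real scanner would read the live bytes from the process and the clean bytes from the mapped file, and would also look for the other common patch shapes (push/ret, FF 25 indirect jumps) rather than only E9.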

P1

Quote from: RedGhost on April 22, 2005, 03:16:58 PM
and i am sorry but i do not know what the DMCA is
It is your responsibility to know, as a responsible programmer, the legal limits of what you can and can not do.  Seeing that this message board is based in North America and Canada did sign the DMCA treaty, I am locking this topic until you can come back with an answer other than "I don't know."

Regards,  P1  :8)