Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inline hook handling of relative jumps not proper? #86

Closed
gibbed opened this issue Dec 29, 2024 · 3 comments · Fixed by #87
Closed

Inline hook handling of relative jumps not proper? #86

gibbed opened this issue Dec 29, 2024 · 3 comments · Fixed by #87

Comments

@gibbed
Copy link

gibbed commented Dec 29, 2024
edited
Loading

safetyhook/src/inline_hook.cpp

Lines 260 to 284 in de83823

} else if (ix.meta.category == ZYDIS_CATEGORY_COND_BR && ix.meta.branch_type == ZYDIS_BRANCH_TYPE_SHORT) {
const auto target_address = ip + ix.length + ix.raw.imm[0].value.s;
auto new_disp = target_address - (tramp_ip + 6);
// Handle the case where the target is now in the trampoline.
if (target_address < m_target + m_original_bytes.size()) {
new_disp = static_cast<ptrdiff_t>(ix.raw.imm[0].value.s);
}
*tramp_ip = 0x0F;
*(tramp_ip + 1) = 0x10 + ix.opcode;
store(tramp_ip + 2, static_cast<int32_t>(new_disp));
tramp_ip += 6;
} else if (ix.meta.category == ZYDIS_CATEGORY_UNCOND_BR && ix.meta.branch_type == ZYDIS_BRANCH_TYPE_SHORT) {
const auto target_address = ip + ix.length + ix.raw.imm[0].value.s;
auto new_disp = target_address - (tramp_ip + 5);
// Handle the case where the target is now in the trampoline.
if (target_address < m_target + m_original_bytes.size()) {
new_disp = static_cast<ptrdiff_t>(ix.raw.imm[0].value.s);
}
*tramp_ip = 0xE9;
store(tramp_ip + 1, static_cast<int32_t>(new_disp));
tramp_ip += 5;

I'm creating a MidHook at the address 00000001004751AC, which has the following instructions:

00000001004751AC  72 AE              jb  short 10047515C
00000001004751AE  48 8D BD E0F8FFFF  lea rdi, [rbp-720h]

this ends up emitting the trampoline:

00000000FFFF0327  0F82 AEFFFFFF      jb  FFFF02DB
00000000FFFF032D  48 8D BD E0F8FFFF  lea rdi, [rbp-720h]
00000000FFFF0334  E9 7C4E4800        jmp 1004751B5

The jb here did not get resolved properly (it should be a relative jmp to 000000010047515C).

target_address < m_target + m_original_bytes.size()

ends up being

000000010047515C < 00000001004751B5

So I'm guessing that check should actually be:

target_address >= m_target && target_address < m_target + m_original_bytes.size()
@gibbed gibbed changed the title Inline jumps handling of relative jumps not working properly? Inline hook handling of relative jumps not proper? Dec 29, 2024
@praydog
Copy link
Collaborator

praydog commented Dec 29, 2024

Sounds like a reasonable fix to me.

@cursey cursey mentioned this issue Jan 1, 2025
Merged
@cursey
Copy link
Owner

cursey commented Jan 1, 2025

@gibbed can you try #87 and let me know if it actually fixes the issue you've described?

@gibbed
Copy link
Author

gibbed commented Jan 1, 2025

Yeah, it does. Though you've missed the check for unconditional jumps.

https://github.com/cursey/safetyhook/pull/87/files#diff-b109456f39b67560bebff92603a5d7152ce3a5188182bc84c231e6c3e7019f7cL278

@cursey cursey closed this as completed in #87 Jan 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix/Trampoline rel jmp check cursey/safetyhook
3 participants
@gibbed @praydog @cursey