Plugin Hooks: fix original bytes on %rip accesses

vaxerski 2023-02-27 19:17:58 +00:00
parent c5d741fb39
commit 03d7651916
2 changed files with 9 additions and 1 deletions


@ -99,6 +99,9 @@ bool CFunctionHook::hook() {
const auto TRAMPOLINE_SIZE = sizeof(ABSOLUTE_JMP_ADDRESS) + HOOKSIZE + sizeof(PUSH_RAX) + m_vTrampolineRIPUses.size() * (sizeof(CALL_WITH_RAX) - 6); const auto TRAMPOLINE_SIZE = sizeof(ABSOLUTE_JMP_ADDRESS) + HOOKSIZE + sizeof(PUSH_RAX) + m_vTrampolineRIPUses.size() * (sizeof(CALL_WITH_RAX) - 6);
m_pTrampolineAddr = mmap(NULL, TRAMPOLINE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); m_pTrampolineAddr = mmap(NULL, TRAMPOLINE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
m_pOriginalBytes = malloc(HOOKSIZE);
memcpy(m_pOriginalBytes, m_pSource, HOOKSIZE);
// populate trampoline // populate trampoline
memcpy(m_pTrampolineAddr, m_pSource, HOOKSIZE); // first, original func bytes memcpy(m_pTrampolineAddr, m_pSource, HOOKSIZE); // first, original func bytes
memcpy(m_pTrampolineAddr + HOOKSIZE, PUSH_RAX, sizeof(PUSH_RAX)); // then, pushq %rax memcpy(m_pTrampolineAddr + HOOKSIZE, PUSH_RAX, sizeof(PUSH_RAX)); // then, pushq %rax
@ -156,7 +159,7 @@ bool CFunctionHook::unhook() {
mprotect(m_pSource - ((uint64_t)m_pSource) % sysconf(_SC_PAGE_SIZE), sysconf(_SC_PAGE_SIZE), PROT_READ | PROT_WRITE | PROT_EXEC); mprotect(m_pSource - ((uint64_t)m_pSource) % sysconf(_SC_PAGE_SIZE), sysconf(_SC_PAGE_SIZE), PROT_READ | PROT_WRITE | PROT_EXEC);
// write back original bytes // write back original bytes
memcpy(m_pSource, m_pTrampolineAddr, m_iHookLen); memcpy(m_pSource, m_pOriginalBytes, m_iHookLen);
// revert mprot // revert mprot
mprotect(m_pSource - ((uint64_t)m_pSource) % sysconf(_SC_PAGE_SIZE), sysconf(_SC_PAGE_SIZE), PROT_READ | PROT_EXEC); mprotect(m_pSource - ((uint64_t)m_pSource) % sysconf(_SC_PAGE_SIZE), sysconf(_SC_PAGE_SIZE), PROT_READ | PROT_EXEC);
@ -169,6 +172,9 @@ bool CFunctionHook::unhook() {
m_iHookLen = 0; m_iHookLen = 0;
m_iTrampoLen = 0; m_iTrampoLen = 0;
m_pTrampolineAddr = nullptr; m_pTrampolineAddr = nullptr;
m_pOriginalBytes = nullptr;
free(m_pOriginalBytes);
return true; return true;
} }
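Review bot: In the unhook() hunk at -169,6 +172,9, `m_pOriginalBytes = nullptr;` is printed before `free(m_pOriginalBytes);`, so as ordered the free receives a null pointer and the buffer allocated in hook() is never released; the two lines should be swapped to `free(m_pOriginalBytes);` followed by `m_pOriginalBytes = nullptr;`. In the hook() hunk at -99,6 +99,9 the `malloc(HOOKSIZE)` result is written to by `memcpy` without a null check, and if hook() fails somewhere after this point (its body continues outside the hunk) the buffer presumably leaks unless a failure path frees it, which is worth confirming. The write-back in unhook() copies `m_iHookLen` bytes out of a buffer of `HOOKSIZE` bytes, so it is only in bounds while `m_iHookLen <= HOOKSIZE`; if that is the intended invariant, a comment beside the malloc such as `// HOOKSIZE bytes; unhook() restores m_iHookLen of them, which must not exceed HOOKSIZE` would make the coupling visible.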


@ -33,6 +33,8 @@ class CFunctionHook {
std::vector<std::pair<size_t, std::string>> m_vTrampolineRIPUses; std::vector<std::pair<size_t, std::string>> m_vTrampolineRIPUses;
void* m_pOriginalBytes = nullptr;
size_t probeMinimumJumpSize(void* start, size_t min); size_t probeMinimumJumpSize(void* start, size_t min);
size_t getInstructionLenAt(void* start); size_t getInstructionLenAt(void* start);
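Review bot: `void* m_pOriginalBytes = nullptr;` makes CFunctionHook own a heap buffer through a raw pointer, so unless the class already deletes or defines its copy and move operations (not visible here; the class body continues outside the hunk), copying a hook object would end in a double free once both copies unhook. A `std::vector<uint8_t>` member would give the saved bytes RAII ownership and remove the manual free in unhook(), with no change to what the hook does. If the raw pointer is kept, the member deserves a comment naming its lifetime, e.g. `// HOOKSIZE bytes of the original function: malloc'd in hook(), freed in unhook()`.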