Add x86HotpatchDetour #204

Open

wongsyrone wants to merge 5 commits into master

Conversation

wongsyrone (Contributor)

This implements #202

This is a two-level trampoline: the first level is a short jump to the alignment area between functions, then the next level
puts a 5-byte jump to the user-provided callback.

This method requires that we recognize consecutive no-op instructions and the end point of the previous function correctly.

It is especially useful to hook empty functions with just 'rep ret'.
You cannot hook them using x86Detour, and EATHook doesn't work well on direct calls from the lib itself.

- use normal variable for non-options
- apply force param to cache entry
- separate zydis and zycore options
- disable doxygen by default
Signed-off-by: Syrone Wong <[email protected]>
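The two-level layout described above, as an added example that is not part of this PR or of the PolyHook code base: it lays the two jumps out in a simulated 32-bit code image (nothing in the running process is patched), checks that the alignment area before the function consists only of recognised no-op bytes (90, CC and the multi-byte 0F 1F /0 NOP are assumed to be the padding forms worth recognising), and then follows the jump chain the way an inspector would to confirm where the function now lands. The image base, callback address and padding bytes are constructed values.

```c
#include <stddef.h>
#include <stdint.h>

/* Length of the run of recognised padding at p: NOP (90), INT3 (CC) and the
 * multi-byte NOP 0F 1F /0, whose ModRM byte decides its length. */
size_t nop_run_length(const uint8_t *p, size_t max) {
    size_t i = 0;
    while (i < max) {
        if (p[i] == 0x90 || p[i] == 0xCC) { i++; continue; }
        if (i + 2 >= max || p[i] != 0x0F || p[i + 1] != 0x1F) break;
        uint8_t mod = p[i + 2] >> 6, rm = p[i + 2] & 7;
        size_t len = 3 + (mod == 1 ? 1 : mod == 2 ? 4 : 0) + (mod != 3 && rm == 4);
        if (i + len > max) break; i += len;
    }
    return i;
}

/* Two-level layout in a simulated image: level 1 is a 2-byte short jump (EB rel8)
 * at the function start, level 2 a 5-byte jmp rel32 (E9) in the padding right
 * before it. Empty-function case only: the two overwritten bytes are not relocated. */
int plan_hotpatch(uint8_t *img, size_t pad_off, size_t func_off, uint32_t base, uint32_t callback) {
    size_t pad_len = func_off - pad_off;
    if (pad_off >= func_off || pad_len < 5 || nop_run_length(img + pad_off, pad_len) != pad_len)
        return 0;                                /* no padding, too short, or not all no-ops */
    size_t jmp_off = func_off - 5;
    uint32_t rel32 = callback - (base + (uint32_t)func_off);   /* ip after the E9 is func start */
    img[jmp_off] = 0xE9;
    for (int k = 0; k < 4; k++) img[jmp_off + 1 + k] = (uint8_t)(rel32 >> (8 * k));
    img[func_off] = 0xEB;
    img[func_off + 1] = (uint8_t)(int8_t)((int)jmp_off - (int)(func_off + 2));   /* -7 */
    return 1;
}

/* Follow EB/E9 jumps from a function start until control leaves the image (the
 * callback) or hits a non-jump (unhooked code); returns the final ip. */
uint32_t follow_jumps(const uint8_t *img, size_t size, size_t off, uint32_t base) {
    uint32_t ip = base + (uint32_t)off;
    for (int hops = 0; hops < 8; hops++) {
        size_t o = ip - base; if (o >= size) break;
        if (img[o] == 0xEB && o + 2 <= size) ip += 2 + (uint32_t)(int8_t)img[o + 1];
        else if (img[o] == 0xE9 && o + 5 <= size)
            ip += 5 + (img[o+1] | img[o+2] << 8 | img[o+3] << 16 | (uint32_t)img[o+4] << 24);
        else break;
    }
    return ip;
}

uint32_t demo(void) {   /* constructed image: one 8-byte NOP of padding, then 'rep ret' */
    uint8_t img[] = { 0x0F,0x1F,0x84,0,0,0,0,0,  0xF3,0xC3,  0xCC,0xCC,0xCC };
    return plan_hotpatch(img, 0, 8, 0x10001000u, 0x20005000u) ? follow_jumps(img, sizeof img, 8, 0x10001000u) : 0;
}
```

Before `plan_hotpatch` runs, `follow_jumps` returns the function's own address; afterwards it resolves to the callback, which is the same check that reveals an installed hot patch when run over real code.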
stevemk14ebr (Owner) commented Jul 11, 2024

I like adding support for hot patch, and this implementation would be compatible with Microsoft's official hot patch https://devblogs.microsoft.com/oldnewthing/20110921-00/?p=9583 both when there is a mov edi, edi and when just a two-byte instruction is used, like for x64. Your original issue is a good example motivator.

Having hot patch as a third type of class is not ideal. Ideally this would be a hooking scheme implemented by both x86 detour and x64 detour. You can see how x64 detour already constrains trampoline allocation and rewriting schemes as an example.

Can you consider taking what you have and implementing it like that, so that there is no third class? Additional unused class fields are acceptable if the class supports multiple hooking schemes, but should be kept as minimal as possible of course.

wongsyrone (Contributor, Author)

Sorry, but my intention in implementing the new method is to hook empty functions, like I stated in #202; I'm not very interested in implementing the Microsoft way.

stevemk14ebr (Owner)

Your implementation already is compatible with Microsoft's way. What I mean is putting the logic of x86detourhotpatch into the x86detour class directly. If a small/empty function is detected, your logic would execute; otherwise it would hook as normal with the existing logic.

wongsyrone (Contributor, Author)

Will try to merge these two classes when having free time.

greenozon

Any updates here, guys...?

wongsyrone (Contributor, Author)

Sorry. I'm pretty busy on projects...

stevemk14ebr (Owner)

@greenozon would love help if you can contribute.
