&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
Posted: Wed Dec 17, 2008 8:40 am Post subject: Get original call addr?

I have hooked both send and recv APIs and I'm wondering how I can get the original caller's address. Thanks.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Wed Dec 17, 2008 9:06 am

move the return address into a variable. when a function is called, the return address (address of instruction directly after the call) is pushed onto the stack. then the stack frame is set up (push ebp). therefore at the new ebp, there will be the old ebp and at ebp+4 will be the return address. so at your hook function, after setting up stack frame yourself, just do something like mov eax, dword ptr ss:[ebp+4].
Zand Master Cheater
Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Wed Dec 17, 2008 9:32 pm

Slugsnack wrote:
    move the return address into a variable. when a function is called, the return address (address of instruction directly after the call) is pushed onto the stack. then the stack frame is set up (push ebp). therefore at the new ebp, there will be the old ebp and at ebp+4 will be the return address. so at your hook function, after setting up stack frame yourself, just do something like mov eax, dword ptr ss:[ebp+4].

That will be the return address. For the address of the call, subtract 4 (or 5, not sure).
Bizarro I post too much
Reputation: 0
Joined: 01 May 2007 Posts: 2648
Posted: Wed Dec 17, 2008 9:39 pm

original call = esp - 4
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
Posted: Wed Dec 17, 2008 10:47 pm

Bizarro wrote:
    original call = esp - 4

so..

    DWORD addr;
    mov eax, dword ptr ss:[esp-4]
    mov [addr], eax

To get the address right?
Bizarro I post too much
Reputation: 0
Joined: 01 May 2007 Posts: 2648
Posted: Wed Dec 17, 2008 10:52 pm

    mov calladdr, esp
    calladdr = calladdr - 4;
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
Posted: Wed Dec 17, 2008 10:54 pm

Bizarro wrote:
    mov calladdr, esp
    calladdr = calladdr - 4;

Thanks
Can't I do

Code:
    mov calladdr, [ebp-4]
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Thu Dec 18, 2008 12:35 am

no. ebp != esp. this is assuming you hook before stack preserving header.

Code:
    push ebp
    mov ebp, esp
nog_lorp Grandmaster Cheater
Reputation: 0
Joined: 26 Feb 2006 Posts: 743
Posted: Thu Dec 18, 2008 1:55 am

If you do it before the function prologue, then it is [esp].
Trucido Moderator
Reputation: 6
Joined: 08 Sep 2007 Posts: 2792
Posted: Thu Dec 18, 2008 2:17 am

You can't explicitly get the caller address due to you not knowing exactly what kind of call is made (SHORT/FAR/PTR/etc), you're better off just using the _ReturnAddress() intrinsic function to get the return address, then work your way from there.
nog_lorp Grandmaster Cheater
Reputation: 0
Joined: 26 Feb 2006 Posts: 743
Posted: Thu Dec 18, 2008 3:27 am

If the function gets far calls it will have to use RETF, otherwise it will ignore the segment selector on the stack. [esp] is perfectly reliable - if you are actually dealing with a function designed for far calls, you can get the segment selector too if you want, [esp-4].
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Thu Dec 18, 2008 4:29 am

just use the method i suggested.. it will get the return address which is pretty much just as good. subtract the size of the call instruction from that address and you have the caller address.
Zand Master Cheater
Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Thu Dec 18, 2008 5:18 am

Slugsnack wrote:
    just use the method i suggested.. it will get the return address which is pretty much just as good. subtract the size of the call instruction from that address and you have the caller address.

Well yeah, if only you could know for certain the size of the call instruction.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Thu Dec 18, 2008 5:25 am

Quote:
    E8 cw   CALL rel16      Call near, relative, displacement relative to next instruction
    E8 cd   CALL rel32      Call near, relative, displacement relative to next instruction
    FF /2   CALL r/m16      Call near, absolute indirect, address given in r/m16
    FF /2   CALL r/m32      Call near, absolute indirect, address given in r/m32
    9A cd   CALL ptr16:16   Call far, absolute, address given in operand
    9A cp   CALL ptr16:32   Call far, absolute, address given in operand
    FF /3   CALL m16:16     Call far, absolute indirect, address given in m16:16
    FF /3   CALL m16:32     Call far, absolute indirect, address given in m16:32

a scan function could be used to find the type of call to determine size of it. you'd have to be a bit careful about how you go about doing it though. i guess the alternative is to write a bit of debugging code to do that.
Trucido Moderator
Reputation: 6
Joined: 08 Sep 2007 Posts: 2792
Posted: Thu Dec 18, 2008 7:47 am

nog_lorp wrote:
    If the function gets far calls it will have to use RETF, otherwise it will ignore the segment selector on the stack. [esp] is perfectly reliable - if you are actually dealing with a function designed for far calls, you can get the segment selector too if you want, [esp-4].

Now you're fucking annoying me, directly accessing ESP in this case is not only volatile but it is not supported and is now technically a hack due to Microsoft's new inline assembler policy (assumption that he is coding this in C because everything else he has posted has been in C). Furthermore, in the context specified, there are many manners in which those APIs could be called (e.g. a direct 'CALL EAX/RAX' after a GetProcAddress call) in the 'wild'. There is simply no sure or safe way to assume how the call has been made.

Slugsnack wrote:
    Code:
        E8 cw   CALL rel16      Call near, relative, displacement relative to next instruction
        E8 cd   CALL rel32      Call near, relative, displacement relative to next instruction
        FF /2   CALL r/m16      Call near, absolute indirect, address given in r/m16
        FF /2   CALL r/m32      Call near, absolute indirect, address given in r/m32
        9A cd   CALL ptr16:16   Call far, absolute, address given in operand
        9A cp   CALL ptr16:32   Call far, absolute, address given in operand
        FF /3   CALL m16:16     Call far, absolute indirect, address given in m16:16
        FF /3   CALL m16:32     Call far, absolute indirect, address given in m16:32

    a scan function could be used to find the type of call to determine size of it. you'd have to be a bit careful about how you go about doing it though. i guess the alternative is to write a bit of debugging code to do that.

A scan function could easily fail and get a false trigger, let me show you a few examples:

Code:
    ; checking for a call to a relative address would return true
    00400000 | 81F1 00E80000 | xor eax, 0x0E800
    00400006 | FFD1          | call ecx
    00400008 | C3            | retn
    ; checking for a call to an immediate register would return true
    00400000 | E8 0000FFD1   | call 0xD32F0005
    00400005 | C3            | retn

Mind you, you could decrease the chance of getting a false trigger but the amount of code required for such a frivolous function would only indicate that the programmer is probably brain-dead.
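As an added illustration of the ambiguity Trucido describes (this is not code from the thread), the C below lists which CALL encodings from the quoted opcode table could end exactly at a given return address; run over the bytes of his first listing it finds two, so "return address minus the size of the call" has no single answer. The byte buffer is his listing, embedded here as constructed sample input, and only a subset of the FF /2 ModRM forms is decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Does code[at .. at+len) decode as a CALL of exactly that length?  Covers the
 * forms from the opcode table quoted above (a subset of ModRM variants only). */
static int is_call_of_len(const uint8_t *code, size_t at, size_t len)
{
    uint8_t op = code[at], modrm = code[at + 1];   /* every len here is >= 2 */
    uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    switch (len) {
    case 5:  return op == 0xE8;                                   /* E8 cd  CALL rel32 */
    case 7:  return op == 0x9A;                                   /* 9A cp  CALL ptr16:32 */
    case 2:  return op == 0xFF && reg == 2 && mod == 3;            /* FF /2  CALL reg */
    case 3:  return op == 0xFF && reg == 2 && mod == 1 && rm != 4; /* FF /2  CALL [reg+disp8] */
    case 6:  return op == 0xFF && reg == 2 && mod == 0 && rm == 5; /* FF 15  CALL [disp32] */
    default: return 0;
    }
}

/* Collect every candidate CALL length whose instruction would end exactly at
 * ret_off (the return address a hook sees on the stack).  Returns the count;
 * more than one means the return address alone does not identify the call. */
size_t call_candidates(const uint8_t *code, size_t ret_off, size_t *sizes, size_t max)
{
    static const size_t lens[] = {2, 3, 5, 6, 7};
    size_t n = 0, i;
    for (i = 0; i < sizeof lens / sizeof lens[0] && n < max; i++)
        if (lens[i] <= ret_off && is_call_of_len(code, ret_off - lens[i], lens[i]))
            sizes[n++] = lens[i];
    return n;
}

/* Constructed sample: the bytes of Trucido's first listing (xor / call ecx /
 * retn).  The "call ecx" at offset 6 pushes offset 8 as its return address. */
static const uint8_t trucido_listing[] = {0x81, 0xF1, 0x00, 0xE8, 0x00, 0x00,
                                          0xFF, 0xD1, 0xC3};

int main(void)
{
    size_t sizes[8], n = call_candidates(trucido_listing, 8, sizes, 8), i;
    printf("%zu candidate CALL encoding(s) end at offset 8:", n);
    for (i = 0; i < n; i++)
        printf(" %zu-byte", sizes[i]);
    putchar('\n');   /* prints: 2 candidate CALL encoding(s) end at offset 8: 2-byte 5-byte */
    return 0;
}
```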