View previous topic :: View next topic |
Author |
Message |
DaviFN Cheater Reputation: 0
Joined: 23 Oct 2016 Posts: 32
|
Posted: Fri Jun 08, 2018 7:18 pm Post subject: Find all assembly "call" instructions in memory |
|
|
Hello!
I'm going to develop a dll that, once injected in a process, exhibits all the assembly "call" instructions (E9XXXXXX, if I'm not wrong) of the executable memory of that process, and also allow (via a window created by a thread) the removal of such instructions (noping). It will be written in C.
I know how to scan the memory already, but I can't just assume every E9 byte is referring to a "call" instruction, because that's simply not right. So I had the idea of asking here if any of you guys know a way of tell E9's apart. I presume I'd have to find the entry point and, from there, verify every opcode of the memory, listing the calls. Is that the way? And, if so, any tips of how that could be accomplished?
TL;DR: How to differentiate between E9 bytes that refer to the opcode "call" and E9 bytes that are in the middle of an opcode, or refer to data (or anything else)?
Thanks!
|
|
Back to top |
|
|
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
|
Posted: Fri Jun 08, 2018 7:40 pm Post subject: |
|
|
Code: | E8 cw CALL rel16 Call near, relative, displacement relative to next instruction
E8 cd CALL rel32 Call near, relative, displacement relative to next instruction
FF /2 CALL r/m16 Call near, absolute indirect, address given in r/m16
FF /2 CALL r/m32 Call near, absolute indirect, address given in r/m32
9A cd CALL ptr16:16 Call far, absolute, address given in operand
9A cp CALL ptr16:32 Call far, absolute, address given in operand
FF /3 CALL m16:16 Call far, absolute indirect, address given in m16:16
FF /3 CALL m16:32 Call far, absolute indirect, address given in m16:32 |
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: | i am a sweetheart. |
|
|
Back to top |
|
|
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
|
Posted: Fri Jun 08, 2018 7:48 pm Post subject: |
|
|
E9 is the operand of a jmp instruction. You're looking for E8 and/or FF.
Starting at the entry point and analyzing everything might be a little overkill. Use heuristics to make a good guess as to whether or not a byte is actually the start of an instruction. Try disassembling them and see if the operand makes sense (e.g. valid register or address). The callee shouldn't modify the return address, so continue disassembling instructions after the call to see if they make sense. You could also look at instructions before the call (could be useful for dynamic calls or >2GB displacements in x64), but that could give false negatives.
I would highly recommend you read documentation about x86 / x86-64 (e.g. Intel documentation).
Look at CE's source for examples.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
Back to top |
|
|
DaviFN Cheater Reputation: 0
Joined: 23 Oct 2016 Posts: 32
|
Posted: Fri Jun 08, 2018 7:57 pm Post subject: |
|
|
I don't mind thar kind of overkill... It'll perform the search only once.
Would it work if I did it that way? Start from the entry point and then verify every opcode until a memory region that is not executable anymore?
|
|
Back to top |
|
|
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
|
Posted: Fri Jun 08, 2018 9:43 pm Post subject: |
|
|
No. If you did it correctly, you should never reach a memory region that isn't executable. You start disassembling at the entry point, recursively disassemble every call and branch destination you can, and stop when you get to certain instructions or API calls (e.g. ExitProcess). I think you're severely underestimating how much work that entails. You won't even get everything in many circumstances, as there are plenty of paradigms that will screw this up (e.g. dynamic binding; JIT compilation).
If you want to get every call, searching for the opcode would be the most straightforward option.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
Back to top |
|
|
DaviFN Cheater Reputation: 0
Joined: 23 Oct 2016 Posts: 32
|
Posted: Sat Jun 09, 2018 10:03 am Post subject: |
|
|
Would it be enough verifying if the address to which the (possible) "call" instruction jumps is valid, and then verifying the starting bytes of that region (i.e. the starting bytes of the function) correspond to "push ebp , mov ebp,esp"?
If not, what would be enough? In what Cheat Engine source file can I find heuristic examples (could be another program, too)?
|
|
Back to top |
|
|
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
|
Posted: Sat Jun 09, 2018 4:47 pm Post subject: |
|
|
No. Callees don't have to establish a stack frame. If it does start with those instructions, it's almost certainly a valid call instruction, but the inverse isn't necessarily true.
The file disassembler.pas has some examples. There are plenty of other open source disassemblers you can find.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
Back to top |
|
|
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
|
Posted: Sun Jun 10, 2018 1:46 pm Post subject: |
|
|
There are a lot of various disassembler engines available for C/C++ that you can use to walk the assembly of the program and find the call instructions as you go.
There are things such as:
- ADE32/64
- HDE32/64
- OllyDbg's engine is open source : http://www.ollydbg.de/disasm.zip
- x64dbg is open source, you can see what they use (I think it was Capstone last I looked.)
and so on. These will help you walk the instructions to properly find the 'call' opcodes.
Is there a reason you are trying to kill every call though? That seems a bit strange.
Also keep in mind, nop'ing a call does not account for what it pushes on the stack as arguments. You will need to properly clean those as well.
_________________
- Retired. |
|
Back to top |
|
|
|