hellolittlepan 2017-08-17 02:24 采纳率: 0%

x64 平台下怎么使用汇编修改函数地址 替换为自己的函数地址

      之前做了在32位平台下的hook,替换dll中的函数为自己的函数,现在因为要对
    64位的软件做hook,所以现在需要将 “使用汇编替换函数地址代码 ”改为 64位平台下的代码,请大神指点指点


  • hellolittlepan 2017-08-17 09:49

    // Fragment of a 32-bit inline-hook installer (the enclosing function's
    // signature and tail are not part of this paste). It relocates the first
    // >= 5 bytes of the function at TargetAddr into pDstStub->ReassembledInstr,
    // builds a "push id; jmp PrologueHandler" stub, and overwrites the function
    // entry with a 5-byte rel32 JMP (E9). On failure it sets ErrCode and
    // returns FALSE; on success it leaves ErrCode == ERR_NO_ERR.
    //
    // NOTE(review): every displacement below is a 32-bit rel32 (E9 rel32, 68
    // imm32), so on x64 the stub and both handlers must lie within +/-2GB of
    // TargetAddr or a different patch has to be used -- see per-line notes.
    if( IsBadReadPtr( TargetAddr, sizeof( KJmpToStub ) ) ){//Code not readable
    // NOTE(review): IsBadReadPtr is documented by Microsoft as unreliable (it
    // can trip guard pages and races with other threads); VirtualQuery on the
    // range, checking MEM_COMMIT and an executable protection, is the usual
    // replacement. Also note three different sizes are in play: the probed
    // sizeof(KJmpToStub) here, the 32 bytes made writable below, and the
    // code_len actually relocated/patched -- they should be derived from one
    // constant.
    ErrCode = ERR_PAGE_ACCESS;
    return FALSE;
    }

    // Refuse functions too short to hold the entry patch (helper not shown).
    if( IsShortFunc( TargetAddr ) ){
        ErrCode = ERR_SMALL_FUNC;
        return FALSE;
    }
    
    
    // Make the entry writable+executable in the current process ((HANDLE)(-1)
    // is the current-process pseudo-handle). 32 bytes is enough for the 5-byte
    // patch: the loop below stops at code_len >= 5 and an x86 instruction is at
    // most 15 bytes, so it copies at most 4 + 15 = 19 bytes.
    // NOTE(review): dwOldProt is never written back anywhere in this fragment,
    // so the page is left PAGE_EXECUTE_READWRITE after the patch. Restore the
    // old protection (and call FlushInstructionCache) once the JMP is written.
    DWORD dwOldProt = 0;
    if( ! ::VirtualProtectEx( (HANDLE)(-1), (LPVOID)TargetAddr, 32, PAGE_EXECUTE_READWRITE, &dwOldProt ) )
    {
        g_pLog->Write(L"\n\n VirtualProtectEx  失败\n\n");
        ErrCode = ERR_VIRT_PROT;
        return FALSE;
    }
    
    
    // Record the hook parameters on the object (FuncId_ is the parameter; the
    // member FuncId is what the rest of this code reads).
    this->TargetAddr      = TargetAddr;
    this->PrologueHandler = PrologueHandler;
    this->FuncId          = FuncId_;
    this->MainHandler     = MainHandler;
    
    code_len = 0;                  // bytes of the original entry being relocated
    DWORD ReassembledCodeLen = 0;  // bytes emitted into the trampoline
    
    BYTE* pDst  = (BYTE*)pDstStub->ReassembledInstr;// trampoline: relocated prologue
    BYTE *pcode = (BYTE*)TargetAddr;                // read cursor over the original code
    
    // Copy whole instructions until at least 5 bytes (the size of the E9 rel32
    // JMP written at the end) are consumed, so the patch never splits an
    // instruction. hde_disasm/hde64s is already the 64-bit length decoder.
    // ReAssembleInstr receives TargetAddr, so it presumably relocates relative
    // operands in the copy; on x64 that must also cover RIP-relative memory
    // operands -- verify.
    // NOTE(review): on x64 a rel32 JMP only reaches +/-2GB. Either allocate
    // pDstStub within that distance of TargetAddr (VirtualAlloc near the
    // target) and check the difference fits in int32, or patch a 14-byte
    // absolute jump (FF 25 00 00 00 00 + 8-byte address), in which case this
    // threshold and the JmpTo layout grow from 5 to 14.
    while( code_len < 5 ){
        hde64s hdestr = {0};
        DWORD instr_len = hde_disasm(pcode, &hdestr);
    
        //reassemble instruction and copy
        DWORD NewInstrLen = ReAssembleInstr( (BYTE*)TargetAddr, pcode, pDst, instr_len );
    
        code_len += instr_len;
        ReassembledCodeLen += NewInstrLen;
        pcode += instr_len;
        pDst  += NewInstrLen;
    }
    
    //Save original bytes for restore hook
    // NOTE(review): orig_bytes must hold at least code_len bytes (up to 19 with
    // the 5-byte patch, up to 28 with a 14-byte one); its size is not visible.
    memcpy( orig_bytes, TargetAddr, code_len);
    
    
    //Prepare stub code: "push id; jmp PrologueHandler" inside pDstStub.
    //push id   0x68 xx xx xx xx
    //jmp Stub  0xE9 yy yy yy yy
    // NOTE(review): on x64 "68 imm32" pushes an 8-byte, sign-extended value, so
    // the id occupies 8 stack bytes and ids >= 0x80000000 arrive sign-extended;
    // the stack layout PrologueHandler expects from the 32-bit build does not
    // carry over.
    pDstStub->PushIdOpcode = 0x68;    //PUSH opcode
    pDstStub->FuncId = FuncId;
    
    pDstStub->JmpOpcode = 0xE9;    //JMP opcode
    // rel32 = target - (address of the byte after the 5-byte JMP); the
    // subtraction is done on full-width pointers, then truncated to DWORD.
    pDstStub->JmpOperand = (DWORD)( (BYTE*)PrologueHandler - ( (BYTE*)&pDstStub->JmpOpcode + 5 ) );
    
    Unhooked = pDstStub->ReassembledInstr;    // callable copy of the original entry
    
     //Add JMP to continue code in Reassembled instructions end
    BYTE *dst = pDstStub->ReassembledInstr + ReassembledCodeLen;
    *(BYTE*)dst = 0xE9;//JMP opcode
    // Unlike the other three displacement computations in this fragment, this
    // one casts both pointers to DWORD before subtracting. Modulo 2^32 the
    // result equals the low 32 bits of the true difference, so the rel32 is
    // still right when the target is within +/-2GB, but it trips pointer-
    // truncation warnings on x64 and hides the out-of-range case. Prefer
    // (DWORD)( ((BYTE*)TargetAddr + code_len) - (dst + 5) ) with a range check.
    *(DWORD*)(dst+1) = (DWORD) ( (DWORD)((BYTE*)TargetAddr + code_len) - ( (DWORD)dst + 5 ) );
    
    
    //!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    //Set hook
    //Write jmp stub to function start address
    

    JmpTo.Opcode = 0xE9;
    if( FuncId == 0xFFFFFFFF ){//sentinel id: no "push id" stub, jump straight to MainHandler
    JmpTo.Operand=(DWORD)((BYTE*)MainHandler - ( (BYTE*)TargetAddr + 5) );
    }
    else{// jump to push id
    JmpTo.Operand=(DWORD)( &pDstStub->PushIdOpcode - ( (BYTE*)TargetAddr + 5 ) );
    }

    //Patch function
    // NOTE(review): a plain memcpy over live code is not atomic; a thread
    // executing inside the first code_len bytes of TargetAddr at this moment
    // can run a half-written instruction. The usual mitigations are suspending
    // the other threads or writing the patch with a single aligned interlocked
    // store that preserves the surrounding bytes. Restore dwOldProt and call
    // FlushInstructionCache after this write.
    memcpy( TargetAddr, &JmpTo, sizeof( JmpTo ) );
    ErrCode = ERR_NO_ERR;
    
