News:

How did you even find this place?

Main Menu

[ASM/C++] Function redirection

Started by Windowlicker, September 26, 2005, 04:51:29 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Windowlicker

(gcc, nasm, Linux 2.6)

I'm in need of hijacking a non-virtual function in the Half Life 2 SDK. It is non-virtual, because obviously valve doesn't want to give developers access to it.
I've written a server plugin for the hl2 daemon, and this library contains the function which I want to use as a replacement for a standard function in one of the hl2 daemon shared libraries.

This is what I'm doing so far:
My plugin is loaded into the daemon's address space. The plugin finds the address of the function I want to replace using dlopen and dlsym.
The plugin creates a function pointer to the function which I want to use as a replacement.

How would I proceed in redirecting all calls to my function instead of the standard one? I'm not too keen on editing the .GOT or .PLT. I need the stack frame from the original function to stay in tact, because I will be using the parameters.

Any suggestions, with maybe some sample code?

Thanks in advance.

iago

How low are you willing to go? The easeist thing is to overwrite the first 5 bytes of the function with "jmp yourfunction".  In assembly, I think (not 100% positive) that a jmp is E8 xx xx xx xx, where xx is the offset.  That is, xx is the distance from the code you're patching to the code you want to run, in bytes.  Once it's replaced, a call to that function will immediately jump to yours, and when you return your function will return to the normal spot, since the stack is intact. 

(The opcode might also be EB xx xx xx xx, I haven't used machine code for awhile)

If you need more help with this, let me know. 

Newby

E8, EB, or E9 (not sure about the last one) depending on how far you're jumping.
- Newby
http://www.x86labs.org

Quote[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

iago


MyndFyre

That's okay as long as you don't need to call the SDK function.  If you do, or you need to keep it to be called some other time, you'll need to 1.) allocate memory for the function's duplicate (at the very least 10 bytes for the 5 you're overwriting and another 5 for a long jump back into the regular code), 2.) duplicate the code back out, 3.) determine the location of your function in memory (if this is C, that's easy enough -- a void* to your function can be cast), 4.) overwrite the original code, 5.) create a way to jump to the copied function.

By the way, the 5 bytes thing is risky if you need to call it -- you might overwrite an operand, which would make the rest of your bits nonsense (unless you got REALLY lucky).
Quote from: Joe on January 23, 2011, 11:47:54 PM
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Quote from: Rule on May 26, 2009, 02:02:12 PMOur species really annoys me.

iago

Quote from: MyndFyrex86] link=topic=3083.msg30013#msg30013 date=1127774927]
That's okay as long as you don't need to call the SDK function.  If you do, or you need to keep it to be called some other time, you'll need to 1.) allocate memory for the function's duplicate (at the very least 10 bytes for the 5 you're overwriting and another 5 for a long jump back into the regular code), 2.) duplicate the code back out, 3.) determine the location of your function in memory (if this is C, that's easy enough -- a void* to your function can be cast), 4.) overwrite the original code, 5.) create a way to jump to the copied function.

By the way, the 5 bytes thing is risky if you need to call it -- you might overwrite an operand, which would make the rest of your bits nonsense (unless you got REALLY lucky).

You're right.  i'm gonig on the assumption that he wants his function called 100% of the time. 

If you're planning on calling the real function ever, it'll be a little more work. 

Windowlicker

I don't plan on reverting to the original function.

Now to write to memory, would ptrace be the way to go?

MyndFyre

Depending on your permissions and how you're loading the process, you might be able to write to the process memory directly.
Quote from: Joe on January 23, 2011, 11:47:54 PM
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Quote from: Rule on May 26, 2009, 02:02:12 PMOur species really annoys me.

iago

Are you doing this as a one-shot deal, or are you writing a program to do it? 

If you're writing a program, you can probably use WriteProcessMemory(). 

Windowlicker

Quote from: iago on September 26, 2005, 08:36:19 PM
Are you doing this as a one-shot deal, or are you writing a program to do it? 

If you're writing a program, you can probably use WriteProcessMemory(). 


Program.... WriteProcessMemory isn't available on linux.

iago

Ah, I didn't know you were doing this on Linux.  I don't know how I missed that. 

I'm actually not sure how to overwrite the code segment in Linux from a program.  Sorry! :/

Windowlicker

man ptrace

Looks like what I'll have to be using... bummer.

rabbit