[ASM/C++] Function redirection

Windowlicker · September 26, 2005, 04:51:29 PM

(gcc, nasm, Linux 2.6)

I'm in need of hijacking a non-virtual function in the Half Life 2 SDK. It is non-virtual, because obviously valve doesn't want to give developers access to it.
I've written a server plugin for the hl2 daemon, and this library contains the function which I want to use as a replacement for a standard function in one of the hl2 daemon shared libraries.

This is what I'm doing so far:
My plugin is loaded into the daemon's address space. The plugin finds the address of the function I want to replace using dlopen and dlsym.
The plugin creates a function pointer to the function which I want to use as a replacement.

How would I proceed in redirecting all calls to my function instead of the standard one? I'm not too keen on editing the .GOT or .PLT. I need the stack frame from the original function to stay in tact, because I will be using the parameters.

Any suggestions, with maybe some sample code?

Thanks in advance.

iago · September 26, 2005, 05:36:35 PM

How low are you willing to go? The easeist thing is to overwrite the first 5 bytes of the function with "jmp yourfunction". In assembly, I think (not 100% positive) that a jmp is E8 xx xx xx xx, where xx is the offset. That is, xx is the distance from the code you're patching to the code you want to run, in bytes. Once it's replaced, a call to that function will immediately jump to yours, and when you return your function will return to the normal spot, since the stack is intact.

(The opcode might also be EB xx xx xx xx, I haven't used machine code for awhile)

If you need more help with this, let me know.

Newby · September 26, 2005, 05:39:43 PM

E8, EB, or E9 (not sure about the last one) depending on how far you're jumping.

iago · September 26, 2005, 06:16:16 PM

It would be a long jmp.

MyndFyre · September 26, 2005, 06:48:47 PM

That's okay as long as you don't need to call the SDK function. If you do, or you need to keep it to be called some other time, you'll need to 1.) allocate memory for the function's duplicate (at the very least 10 bytes for the 5 you're overwriting and another 5 for a long jump back into the regular code), 2.) duplicate the code back out, 3.) determine the location of your function in memory (if this is C, that's easy enough -- a void* to your function can be cast), 4.) overwrite the original code, 5.) create a way to jump to the copied function.

By the way, the 5 bytes thing is risky if you need to call it -- you might overwrite an operand, which would make the rest of your bits nonsense (unless you got REALLY lucky).

iago · September 26, 2005, 06:55:33 PM

Quote from: MyndFyrex86] link=topic=3083.msg30013#msg30013 date=1127774927]
That's okay as long as you don't need to call the SDK function. If you do, or you need to keep it to be called some other time, you'll need to 1.) allocate memory for the function's duplicate (at the very least 10 bytes for the 5 you're overwriting and another 5 for a long jump back into the regular code), 2.) duplicate the code back out, 3.) determine the location of your function in memory (if this is C, that's easy enough -- a void* to your function can be cast), 4.) overwrite the original code, 5.) create a way to jump to the copied function.

By the way, the 5 bytes thing is risky if you need to call it -- you might overwrite an operand, which would make the rest of your bits nonsense (unless you got REALLY lucky).

You're right. i'm gonig on the assumption that he wants his function called 100% of the time.

If you're planning on calling the real function ever, it'll be a little more work.

Windowlicker · September 26, 2005, 07:27:12 PM

I don't plan on reverting to the original function.

Now to write to memory, would ptrace be the way to go?

MyndFyre · September 26, 2005, 08:08:17 PM

Depending on your permissions and how you're loading the process, you might be able to write to the process memory directly.

iago · September 26, 2005, 08:36:19 PM

Are you doing this as a one-shot deal, or are you writing a program to do it?

If you're writing a program, you can probably use WriteProcessMemory().

Windowlicker · September 26, 2005, 08:49:24 PM

Quote from: iago on September 26, 2005, 08:36:19 PM
Are you doing this as a one-shot deal, or are you writing a program to do it?

If you're writing a program, you can probably use WriteProcessMemory().

Program.... WriteProcessMemory isn't available on linux.

iago · September 26, 2005, 09:15:42 PM

Ah, I didn't know you were doing this on Linux. I don't know how I missed that.

I'm actually not sure how to overwrite the code segment in Linux from a program. Sorry! :/

Windowlicker · September 26, 2005, 10:03:11 PM

man ptrace

Looks like what I'll have to be using... bummer.

rabbit · September 29, 2005, 06:55:41 PM

Quote from: iago on September 26, 2005, 09:15:42 PMI'm actually not sure how to ... code ... in Linux

AWwwwwww...Lago...

Clan x86

News:

[ASM/C++] Function redirection

Windowlicker

iago

Newby

iago

MyndFyre

iago

Windowlicker

MyndFyre

iago

Windowlicker

iago

Windowlicker

rabbit