Menooker / PFishHook

An x64 inline hook library
Apache License 2.0

PFishHook is unable to patch this instruction with RIP: lea rax, [0x00007FFFF7BD08F8] #3

Closed ghost closed 5 years ago

ghost commented 5 years ago

PFishHook is unable to patch this instruction with RIP: lea rax, [0x00007FFFF7BD08F8] Please report an issue at github.com/Menooker/PFishHook. addr 0x7ffff78f0070

```
   0x00007ffff78f0070 <+0>:  lea    rax,[rip+0x2e0881]        # 0x7ffff7bd08f8 <__libc_multiple_threads>
   0x00007ffff78f0077 <+7>:  mov    eax,DWORD PTR [rax]
```

Menooker commented 5 years ago

Every RIP-relative instruction needs to be patched; this one hasn't been implemented yet. I'll implement it tomorrow...

ghost commented 5 years ago

Thanks

ghost commented 5 years ago

Happy National Day

ghost commented 5 years ago

A question: if an instruction located after the first 14 bytes jmps back to the beginning, but the bytes at the beginning have already been replaced, how is that case handled?

Menooker commented 5 years ago

> A question: if an instruction located after the first 14 bytes jmps back to the beginning, but the bytes at the beginning have already been replaced, how is that case handled?

Happy National Day~

It seems this problem hasn't been considered. How do other hook frameworks solve it?

Menooker commented 5 years ago

The commit fixes this issue.

ghost commented 5 years ago

It seems callq is also a RIP-relative instruction, but it isn't patched?

ghost commented 5 years ago

```
(gdb) disas testfunc3
Dump of assembler code for function _Z9testfunc3v:
   0x000000000000b942 <+0>:  push   %rbp
   0x000000000000b943 <+1>:  mov    %rsp,%rbp
   0x000000000000b946 <+4>:  callq  0xb740 <rand@plt>
   0x000000000000b94b <+9>:  mov    %eax,%edi
   0x000000000000b94d <+11>: callq  0xb620 <putchar@plt>
   0x000000000000b952 <+16>: jmp    0xb946 <_Z9testfunc3v+4>
End of assembler dump.
```

after patch

```
(gdb) disas testfunc3
Dump of assembler code for function _Z9testfunc3v:
   0x000055555555f942 <+0>:  jmpq   0x55555555f964 <_Z13test_replace3v>
   0x000055555555f947 <+5>:  int3
   0x000055555555f948 <+6>:  int3
   0x000055555555f949 <+7>:  int3
   0x000055555555f94a <+8>:  int3
   0x000055555555f94b <+9>:  mov    %eax,%edi
   0x000055555555f94d <+11>: callq  0x55555555f620 <putchar@plt>
   0x000055555555f952 <+16>: jmp    0x55555555f946 <_Z9testfunc3v+4>
End of assembler dump.
(gdb) disas /r 0x7fffd79e4063,0x7fffd79e4063+24
Dump of assembler code from 0x7fffd79e4063 to 0x7fffd79e407b:
   0x00007fffd79e4063:  55                       push   %rbp
   0x00007fffd79e4064:  48 89 e5                 mov    %rsp,%rbp
   0x00007fffd79e4067:  e8 f5 fd ff ff           callq  0x7fffd79e3e61
   0x00007fffd79e406c:  68 4b f9 55 55           pushq  $0x5555f94b
   0x00007fffd79e4071:  c7 44 24 04 55 55 00 00  movl   $0x5555,0x4(%rsp)
```

(poldfunc)
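The two relocation problems raised in this thread, worked through as an added C example (this is not PFishHook's code): recomputing a RIP-relative displacement when an instruction is copied into the trampoline, and detecting a branch from later in the function back into the bytes the hook overwrote. The addresses come from the disassembly above; the trampoline's `callq` still carries the original bytes `e8 f5 fd ff ff` (disp -0x20b), which is why it lands on 0x7fffd79e3e61 instead of rand@plt. The callq displacement and the 9-byte patched length are reconstructed from the listed addresses, and pairing the `lea` with the trampoline at 0x7fffd79e4063 is a constructed combination.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A rel32 (or rel8) operand encodes target = address_of_next_instruction + disp.
 * When the instruction is copied from old_ip to new_ip its next-instruction
 * address changes, so disp must be recomputed to keep the same target.
 * Returns false when the new displacement does not fit in 32 bits, which
 * happens when the trampoline lies more than 2 GiB from the target (e.g. a
 * callq in a PIE binary at 0x5555... copied to a trampoline at 0x7fff...). */
bool relocate_rel32(uint64_t old_ip, uint64_t new_ip, unsigned len,
                    int32_t old_disp, int32_t *new_disp)
{
    uint64_t target = old_ip + len + (int64_t)old_disp;
    int64_t d = (int64_t)(target - (new_ip + len));  /* two's-complement wrap intended */
    if (d < INT32_MIN || d > INT32_MAX)
        return false;
    *new_disp = (int32_t)d;
    return true;
}

/* Does a relative branch at ip land inside the first patched_len bytes of func,
 * i.e. the bytes now overwritten by the hook's jmp/int3?  Such a branch has to
 * be redirected to the relocated copy of its target instruction. */
bool branch_into_patched(uint64_t ip, unsigned len, int32_t disp,
                         uint64_t func, unsigned patched_len)
{
    uint64_t target = ip + len + (int64_t)disp;
    return target >= func && target < func + patched_len;
}

int main(void)
{
    int32_t d;
    /* lea rax,[rip+0x2e0881] at 0x7ffff78f0070 (7 bytes) moved to the trampoline */
    if (relocate_rel32(0x7ffff78f0070ULL, 0x7fffd79e4063ULL, 7, 0x2e0881, &d))
        printf("lea: new disp 0x%x\n", d);
    /* callq rand@plt: 0x55555555f946 -> 0x55555555f740 (disp -0x20b), trampoline at 0x7fffd79e4067 */
    if (!relocate_rel32(0x55555555f946ULL, 0x7fffd79e4067ULL, 5, -0x20b, &d))
        puts("callq: target out of rel32 range, needs an absolute-address thunk");
    /* jmp at +16 (eb f2) targets +4, inside the 9 patched bytes push/mov/callq */
    printf("jmp into patched region: %d\n",
           branch_into_patched(0x55555555f952ULL, 2, -14, 0x55555555f942ULL, 9));
    return 0;
}
```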

Menooker commented 5 years ago

I'll take another look at callq

ghost commented 5 years ago

I plan to just replace every relative-address callq inside it, and then hack the virtual function table

Menooker commented 5 years ago

I just need to write another patch for callq

On October 1, 2018 at 19:16, CreeperGo <notifications@github.com> wrote:

> I plan to just replace every relative-address callq inside it, and then hack the virtual function table


Menooker commented 5 years ago

The commit fixes callq. Sorry, back then I didn't have the energy to go through the instruction manual and patch every RIP-relative instruction one by one; for now I can only fix them as they are found.

ghost commented 5 years ago

Thanks!