Currently we do not disassemble the original function. We hard-code a "safe" length of code to save ("safe" meaning we do not copy half an instruction), copy those bytes elsewhere, and execute them before jumping to the rest of the original implementation whenever a hook calls back into the original function.
This will fail if the function changes in the future and the hard-coded length is no longer safe. It will also fail if a relative jmp ends up in the first few bytes, since the copied displacement would point to the wrong place once those bytes execute from a different address.
The likelihood of either case is slim, but it is still a possibility. Ideally we would use something like libsubstitute: disassemble the instructions and, where needed, rewrite relative jumps into absolute jumps.
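One way to turn the hard-coded length into a checked assumption, as an added example that is neither this project's code nor libsubstitute: a tiny x86-64 length decoder covering common function-entry sequences, which verifies that the saved length ends on an instruction boundary, flags relative branches among the saved bytes, and shows the absolute-jump rewrite for a saved `jmp rel32`. The sample prologue bytes are constructed, and the decoder deliberately refuses any opcode it does not know rather than guessing.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Insn:
    offset: int                # byte offset of the instruction within the function
    length: int                # encoded length in bytes
    rel_target: Optional[int]  # branch target as a function offset, if the branch is relative

def decode_one(code: bytes, off: int) -> Insn:
    """Decode one instruction from a small x86-64 entry-sequence subset; raise on anything else."""
    if code[off:off + 4] == b"\xf3\x0f\x1e\xfa":          # endbr64
        return Insn(off, 4, None)
    i = off + 1 if 0x40 <= code[off] <= 0x4F else off     # skip a REX prefix
    op = code[i]
    if op in (0x90, 0xC3) or 0x50 <= op <= 0x5F:           # nop, ret, push/pop r64
        return Insn(off, i + 1 - off, None)
    if op in (0x89, 0x8B) and code[i + 1] >> 6 == 3:       # mov reg, reg (register-direct only)
        return Insn(off, i + 2 - off, None)
    if op in (0x81, 0x83) and code[i + 1] >> 6 == 3:       # add/sub/and reg, imm32 / imm8
        return Insn(off, i + (6 if op == 0x81 else 3) - off, None)
    if op in (0xE8, 0xE9, 0xEB):                           # call/jmp rel32, jmp rel8
        end = i + 1 + (1 if op == 0xEB else 4)
        return Insn(off, end - off, end + int.from_bytes(code[i + 1:end], "little", signed=True))
    raise ValueError(f"unsupported opcode {op:#04x} at offset {off}: refusing to guess a length")

def check_prologue(code: bytes, saved_len: int) -> dict:
    """Report whether a hard-coded saved_len ends on an instruction boundary, and which
    relative branches fall inside the saved bytes (they break once the bytes are relocated)."""
    insns, off = [], 0
    while off < saved_len:
        insn = decode_one(code, off)
        insns.append(insn)
        off += insn.length
    return {
        "boundary_ok": off == saved_len,
        "decoded_len": off,                 # first instruction boundary at or past saved_len
        "rel_branches": [(x.offset, x.rel_target) for x in insns if x.rel_target is not None],
    }

def rel32_jmp_to_absolute(func_addr: int, target_off: int) -> bytes:
    """Relocatable replacement for a saved `jmp rel32`: `jmp [rip+0]` plus the 8-byte absolute target."""
    return b"\xff\x25\x00\x00\x00\x00" + (func_addr + target_off).to_bytes(8, "little")

# Constructed sample prologues (not taken from the project):
PROLOGUE = bytes.fromhex("554889e54883ec10")      # push rbp; mov rbp,rsp; sub rsp,0x10
PROLOGUE_JMP = bytes.fromhex("55e91000000090")    # push rbp; jmp rel32 +0x10; nop
```

Running `check_prologue(PROLOGUE, 6)` reports that 6 is not a boundary (the next one is 8), and `check_prologue(PROLOGUE_JMP, 6)` reports the relative jmp at offset 1, which is exactly the case the hard-coded length cannot detect on its own.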