stevemk14ebr / PolyHook_2_0

C++20, x86/x64 Hooking Library v2.0
MIT License

various fixes #178

Closed wongsyrone closed 1 year ago

wongsyrone commented 1 year ago

The most important one is fixing the overwritten prolog size calculation when using an x64 FF25 jump.

I'm doing mid-function hook, I want to hook just before the 'CALL' instruction.

before my fix:

runtime_log_pos addr 7ff926d6516f
runtime_log_user_tramp addr 7ff923622250
[+] Info: setting: Do NOT follow CALL on fnAddress
[+] Info: First assembly instruction is CALL
[+] Info: Original function:
7ff926d6516f [5]: e8 fc 59 48 01                          call 0x00007FF9281EAB70 -> 7ff9281eab70
7ff926d65174 [1]: 90                                      nop nop
7ff926d65175 [4]: 48 8d 45 f0                             lea rax, ss:[rbp-0x10]
7ff926d65179 [4]: 48 8b 4d e0                             mov rcx, qword ptr ss:[rbp-0x20]
7ff926d6517d [3]: 48 3b c8                                cmp rcx, rax
7ff926d65180 [2]: 74 05                                   jz 0x00007FF926D65187 -> 7ff926d65187
7ff926d65182 [5]: e8 2d 39 93 01                          call 0x00007FF928698AB4 -> 7ff928698ab4
7ff926d65187 [7]: 48 8b 8d 00 12 00 00                    mov rcx, qword ptr ss:[rbp+0x1200]
7ff926d6518e [3]: 48 33 cc                                xor rcx, rsp
7ff926d65191 [5]: e8 2a b8 91 01                          call 0x00007FF9286809C0 -> 7ff9286809c0
7ff926d65196 [7]: 48 81 c4 18 13 00 00                    add rsp, 0x1318
7ff926d6519d [2]: 41 5f                                   pop r15
7ff926d6519f [2]: 41 5e                                   pop r14
7ff926d651a1 [2]: 41 5d                                   pop r13
7ff926d651a3 [2]: 41 5c                                   pop r12
7ff926d651a5 [1]: 5f                                      pop rdi
7ff926d651a6 [1]: 5e                                      pop rsi
7ff926d651a7 [1]: 5b                                      pop rbx
7ff926d651a8 [1]: 5d                                      pop rbp
7ff926d651a9 [1]: c3                                      ret ret

[+] Info: Prologue to overwrite:
7ff926d6516f [5]: e8 fc 59 48 01                          call 0x00007FF9281EAB70 -> 7ff9281eab70
7ff926d65174 [1]: 90                                      nop nop

[+] Info: Instructions needing entry:
7ff926d6516f [5]: e8 fc 59 48 01                          call 0x00007FF9281EAB70 -> 7ff9281eab70

[+] Info: Trampoline address: 0x0000019b87dce170
[+] Info: Jmp To Prol:
19b87dce176 [6]: ff 25 4c 00 00 00                       jmp [19b87dce1c8] ->7ff926d65175
19b87dce1c8 [8]: 75 51 d6 26 f9 7f 00 00                 dest holder

[+] Info: m_trampoline: 0x0000019b87dce170

[+] Info: m_trampolineSz: 0x0061

[+] Info: Trampoline:
19b87dce170 [5]: e8 07 00 00 00                          call 0x0000019B87DCE17C -> 19b87dce17c
19b87dce175 [1]: 90                                      nop nop
19b87dce176 [6]: ff 25 4c 00 00 00                       jmp qword ptr ds:[0x0000019B87DCE1C8] -> 7ff926d65175

[+] Info: Trampoline Jmp Tbl:
19b87dce17c [6]: ff 25 3e 00 00 00                       jmp [19b87dce1c0] ->7ff9281eab70
19b87dce1c0 [8]: 70 ab 1e 28 f9 7f 00 00                 dest holder

[+] Info: Hook instructions:
7ff926d6516f [6]: ff 25 8b ae 08 80                       jmp [7ff8a6df0000] ->19b89bc0000
7ff8a6df0000 [8]: 00 00 bc 89 9b 01 00 00                 dest holder

[+] Info: Hook size: 6

[+] Info: Prologue offset: 6

after my fix:

runtime_log_pos addr 7ff926d6516f
runtime_log_user_tramp addr 7ff923622250
[+] Info: setting: Do NOT follow CALL on fnAddress
[+] Info: First assembly instruction is CALL
[+] Info: Original function:
7ff926d6516f [5]: e8 fc 59 48 01                          call 0x00007FF9281EAB70 -> 7ff9281eab70
7ff926d65174 [1]: 90                                      nop nop
7ff926d65175 [4]: 48 8d 45 f0                             lea rax, ss:[rbp-0x10]
7ff926d65179 [4]: 48 8b 4d e0                             mov rcx, qword ptr ss:[rbp-0x20]
7ff926d6517d [3]: 48 3b c8                                cmp rcx, rax
7ff926d65180 [2]: 74 05                                   jz 0x00007FF926D65187 -> 7ff926d65187
7ff926d65182 [5]: e8 2d 39 93 01                          call 0x00007FF928698AB4 -> 7ff928698ab4
7ff926d65187 [7]: 48 8b 8d 00 12 00 00                    mov rcx, qword ptr ss:[rbp+0x1200]
7ff926d6518e [3]: 48 33 cc                                xor rcx, rsp
7ff926d65191 [5]: e8 2a b8 91 01                          call 0x00007FF9286809C0 -> 7ff9286809c0
7ff926d65196 [7]: 48 81 c4 18 13 00 00                    add rsp, 0x1318
7ff926d6519d [2]: 41 5f                                   pop r15
7ff926d6519f [2]: 41 5e                                   pop r14
7ff926d651a1 [2]: 41 5d                                   pop r13
7ff926d651a3 [2]: 41 5c                                   pop r12
7ff926d651a5 [1]: 5f                                      pop rdi
7ff926d651a6 [1]: 5e                                      pop rsi
7ff926d651a7 [1]: 5b                                      pop rbx
7ff926d651a8 [1]: 5d                                      pop rbp
7ff926d651a9 [1]: c3                                      ret ret

[+] Info: Prologue to overwrite:
7ff926d6516f [5]: e8 fc 59 48 01                          call 0x00007FF9281EAB70 -> 7ff9281eab70
7ff926d65174 [1]: 90                                      nop nop
7ff926d65175 [4]: 48 8d 45 f0                             lea rax, ss:[rbp-0x10]
7ff926d65179 [4]: 48 8b 4d e0                             mov rcx, qword ptr ss:[rbp-0x20]

[+] Info: Instructions needing entry:
7ff926d6516f [5]: e8 fc 59 48 01                          call 0x00007FF9281EAB70 -> 7ff9281eab70

[+] Info: Trampoline address: 0x0000019403cd5f10
[+] Info: Jmp To Prol:
19403cd5f1e [6]: ff 25 4c 00 00 00                       jmp [19403cd5f70] ->7ff926d6517d
19403cd5f70 [8]: 7d 51 d6 26 f9 7f 00 00                 dest holder

[+] Info: m_trampoline: 0x0000019403cd5f10

[+] Info: m_trampolineSz: 0x0069

[+] Info: Trampoline:
19403cd5f10 [5]: e8 0f 00 00 00                          call 0x0000019403CD5F24 -> 19403cd5f24
19403cd5f15 [1]: 90                                      nop nop
19403cd5f16 [4]: 48 8d 45 f0                             lea rax, ss:[rbp-0x10]
19403cd5f1a [4]: 48 8b 4d e0                             mov rcx, qword ptr ss:[rbp-0x20]
19403cd5f1e [6]: ff 25 4c 00 00 00                       jmp qword ptr ds:[0x0000019403CD5F70] -> 7ff926d6517d

[+] Info: Trampoline Jmp Tbl:
19403cd5f24 [6]: ff 25 3e 00 00 00                       jmp [19403cd5f68] ->7ff9281eab70
19403cd5f68 [8]: 70 ab 1e 28 f9 7f 00 00                 dest holder

[+] Info: Hook instructions:
7ff926d6516f [6]: ff 25 8b ae 08 80                       jmp [7ff8a6df0000] ->19405970000
7ff8a6df0000 [8]: 00 00 97 05 94 01 00 00                 dest holder

[+] Info: Hook size: 14

[+] Info: Prologue offset: 14

wongsyrone commented 1 year ago

To summarize, I fixed two important issues.

  1. I intended to hook before a 'CALL' instruction is executed, while the current version follows jumps and hooks at the beginning of the called function.
  2. x64 FF25 jump takes 14 bytes in total, 6 for the jmp, 8 for the actual destination. The instructions overwritten by the 8 bytes are not taken into account.

Please feel free to partially merge or cherry-pick.

stevemk14ebr commented 1 year ago

Interesting problems, I like the fix here. It makes sense the ff 25 length wouldn't include the data chunk as that can be far away, but we should be fine to always pretend it's adjacent. I will test out the linking changes on master to see if they're ok

stevemk14ebr commented 1 year ago

I was looking back over this, why is "x64 FF25 jump takes 14 bytes in total, 6 for the jmp, 8 for the actual destination. The instructions overwritten by the 8 bytes are not taken into account" required? The destination holder for the ff 25 jump is not adjacent to the jmp and is intentionally placed into scratch space or a near heap allocation - was it corrupting something adjacent or?

wongsyrone commented 1 year ago

I will retest without ff25 changes.