So when you detour normal functions you just have to write the JMP opcode (1 byte) and the relative offset (4 bytes) at the specified location, and it works as long as those 5 bytes are available. Another option is hooking Windows API functions which have hotpatching enabled (I'm not sure if it's all of them). Functions that have hotpatching enabled look like this:
This was initially created by Microsoft in order to make quick changes when source isn't available and, as the name implies, quickly patch shit up. So basically what you want to do when hooking these functions is place a short JMP at the MOV EDI,EDI, since when the function is called that's where it starts from. The short JMP should redirect to the start of the NOP/INT3 instructions, and since the size of all the NOP/INT3 instructions added up is 5 you can place an unconditional jump there to the code you want.
In the end it will look something like this:
Note that you can still use a normal detour. I just wrote this up since I never knew about hotpatching and made a function for it. If you find it fun then cool.
If you're wondering about the #define bytes: I just went into OllyDbg, typed in the instructions, and checked what the raw bytes are.
Now go make an unhook function; it just has to rewrite the NOP/INT3 instructions and the MOV EDI,EDI, so it's not hard at all.
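As an added example (not the author's function), here is a small C checker that recognizes both layouts described above from a copy of a function's bytes: the hotpatch form (EB F9 over MOV EDI,EDI plus E9 rel32 in the 5-byte padding) and the plain 5-byte detour, and recovers where the jump goes. The byte arrays, the base address and the entry offsets are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAD 5   /* NOP/INT3 bytes placed before a hotpatchable function */

enum { ENTRY_CLEAN = 0, ENTRY_HOTPATCHED = 1, ENTRY_DETOURED = 2, ENTRY_UNKNOWN = 3 };

/* Decode the rel32 of a 5-byte E9 JMP at p; next_va is the VA of the instruction after it. */
static uint32_t jmp_rel32_target(const uint8_t *p, uint32_t next_va)
{
    uint32_t rel = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                   ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return next_va + rel;   /* unsigned wraparound handles negative displacements */
}

/* Classify the bytes at a function entry. img is a copy of the code, entry the offset of the
 * first instruction inside img, base the VA of img[0]; *target receives the hook destination. */
int classify_entry(const uint8_t *img, size_t len, size_t entry, uint32_t base, uint32_t *target)
{
    *target = 0;
    if (entry < PAD || entry + 5 > len) return ENTRY_UNKNOWN;
    const uint8_t *fn = img + entry, *pad = img + entry - PAD;
    uint32_t entry_va = base + (uint32_t)entry;
    /* EB F9: short JMP with displacement -7, taken from entry+2 back to the first padding byte */
    if (fn[0] == 0xEB && fn[1] == 0xF9 && pad[0] == 0xE9) {
        *target = jmp_rel32_target(pad, entry_va);  /* the padding JMP ends exactly at the entry */
        return ENTRY_HOTPATCHED;
    }
    if (fn[0] == 0xE9) {                            /* classic 5-byte detour over the prologue */
        *target = jmp_rel32_target(fn, entry_va + 5);
        return ENTRY_DETOURED;
    }
    if (fn[0] == 0x8B && fn[1] == 0xFF) return ENTRY_CLEAN;   /* MOV EDI,EDI still in place */
    return ENTRY_UNKNOWN;
}

/* Constructed samples: 5 padding bytes, then MOV EDI,EDI / PUSH EBP / MOV EBP,ESP (or a hook). */
static const uint8_t clean_fn[]   = {0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF, 0x55, 0x8B,0xEC};
static const uint8_t hotpatched[] = {0xE9,0x00,0x01,0x00,0x00, 0xEB,0xF9, 0x55, 0x8B,0xEC};
static const uint8_t detoured[]   = {0xCC,0xCC,0xCC,0xCC,0xCC, 0xE9,0x20,0x00,0x00,0x00};

int main(void)
{
    uint32_t t;
    int k = classify_entry(clean_fn, sizeof clean_fn, 5, 0x1000, &t);
    printf("clean sample:      kind=%d\n", k);
    k = classify_entry(hotpatched, sizeof hotpatched, 5, 0x1000, &t);
    printf("hotpatched sample: kind=%d target=0x%08X\n", k, t);
    k = classify_entry(detoured, sizeof detoured, 5, 0x1000, &t);
    printf("detoured sample:   kind=%d target=0x%08X\n", k, t);
    return 0;
}
```

Run it against a byte copy taken from a live process and compare the reported target with the module's own address range; a jump leaving the module is what an installed hook looks like from the outside.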