
How to hook the end of a function #27

Open
MillionSky opened this issue Nov 27, 2018 · 7 comments

Comments

@MillionSky

MillionSky commented Nov 27, 2018

Currently, we can hook the beginning of a function. How can we hook the end of a function, so that we can check the return value of the function or execute some code after the function ends?

@lunixbochs
Owner

lunixbochs commented Nov 27, 2018 via email

@MillionSky
Author

> You can hook any address.

Oh, thanks very much!

@MillionSky
Author

So, if the function has multiple return points, we must hook every address.

@MillionSky
Author

MillionSky commented Nov 28, 2018

I encountered a problem when hooking the end of a function. The hook seems to have side effects.
The original instructions before the hook:

```
.text:08049A18 5B pop ebx
.text:08049A19 5E pop esi
.text:08049A1A 5F pop edi
.text:08049A1B 5D pop ebp
.text:08049A1C C3 retn
.text:08049A1C TargetFunc endp
.text:08049A1C
.text:08049A1D
.text:08049A1D ; =============== S U B R O U T I N E ============
.text:08049A1D
.text:08049A1D ; Attributes: bp-based frame
.text:08049A1D
.text:08049A1D ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:08049A1D public main
.text:08049A1D main proc near ; DATA XREF: _start+17
.text:08049A1D 8D 4C 24 04 lea ecx, [esp+4]
.text:08049A21 83 E4 F0 and esp, 0FFFFFFF0h
.text:08049A24 FF 71 FC push dword ptr [ecx-4]
.text:08049A27 55 push ebp
.text:08049A28 89 E5 mov ebp, esp
```

After the hook, the beginning of the main function was modified:

```
.text:08049A18 5B pop ebx
.text:08049A19 5E pop esi
.text:08049A1A 5F pop edi
.text:08049A1B 5D pop ebp
.text:08049A1B TargetFunc endp ; sp-analysis failed
.text:08049A1C E9 db 0E9h
.text:08049A1D
.text:08049A1D ; =============== S U B R O U T I N E ==============
.text:08049A1D
.text:08049A1D
.text:08049A1D ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:08049A1D public main
.text:08049A1D main proc near ; DATA XREF: _start+17
.text:08049A1D 72 B6 jb short loc_80499D5
.text:08049A1F 02 00 add al, [eax]
.text:08049A21 83 E4 F0 and esp, 0FFFFFFF0h
.text:08049A24 FF 71 FC push dword ptr [ecx-4]
.text:08049A27 55 push ebp
.text:08049A28 89 E5 mov ebp, esp
```

We can see that the ret instruction (C3) and the following 4 bytes in main were modified to "E9 72 B6 02 00". As a result, the program failed to start.
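The clobbering described above, as an added example that is not part of this issue or the project's own code: a Python pre-check that parses the IDA listing quoted in this thread, reports which instructions a 5-byte E9 jmp written at a given address overwrites, flags the hook site when the patch spills into the next function, and decodes where the written jmp points. The function names (parse_listing, clobbered, patch_stays_in_function, jmp_rel32_target) and the trimmed listing are assumptions constructed for this example.

```python
import re

# Constructed sample: the IDA listing quoted in the issue, trimmed to the TargetFunc/main boundary.
LISTING = """
.text:08049A18 5B pop ebx
.text:08049A19 5E pop esi
.text:08049A1A 5F pop edi
.text:08049A1B 5D pop ebp
.text:08049A1C C3 retn
.text:08049A1C TargetFunc endp
.text:08049A1D main proc near
.text:08049A1D 8D 4C 24 04 lea ecx, [esp+4]
.text:08049A21 83 E4 F0 and esp, 0FFFFFFF0h
"""

JMP_REL32_LEN = 5  # E9 <rel32>: the bytes an x86 inline hook overwrites at the hook site
# IDA prints opcode bytes in upper-case hex and mnemonics in lower case, so the byte group cannot swallow "db".
INSN_RE = re.compile(r"^\.text:([0-9A-F]{8})\s+((?:[0-9A-F]{2}\s+)+)(.*)$")
PROC_RE = re.compile(r"^\.text:[0-9A-F]{8}\s+(\w+)\s+proc\b")
ENDP_RE = re.compile(r"^\.text:[0-9A-F]{8}\s+(\w+)\s+endp\b")

def parse_listing(listing):
    """Return a list of {addr, size, text, func} dicts; func is the owning function name."""
    insns, current = [], None
    for line in listing.strip().splitlines():
        if m := PROC_RE.match(line):
            current = m.group(1)
        elif m := ENDP_RE.match(line):
            for i in insns:  # endp names the function the preceding instructions belong to
                i["func"] = i["func"] or m.group(1)
            current = None
        elif m := INSN_RE.match(line):
            insns.append({"addr": int(m.group(1), 16), "size": len(m.group(2).split()),
                          "text": m.group(3).strip(), "func": current})
    return insns

def clobbered(insns, patch_addr, patch_len=JMP_REL32_LEN):
    """Instructions whose bytes overlap the patched range [patch_addr, patch_addr + patch_len)."""
    end = patch_addr + patch_len
    return [i for i in insns if i["addr"] < end and i["addr"] + i["size"] > patch_addr]

def patch_stays_in_function(insns, patch_addr, patch_len=JMP_REL32_LEN):
    """True only if every overwritten byte belongs to the function that owns patch_addr."""
    owner = next(i["func"] for i in insns if i["addr"] == patch_addr)
    return all(i["func"] == owner for i in clobbered(insns, patch_addr, patch_len))

def jmp_rel32_target(patch_addr, patch_bytes):
    """Decode an E9 rel32 jmp; the displacement is relative to the end of the 5-byte instruction."""
    assert patch_bytes[0] == 0xE9, "not an E9 jmp"
    return patch_addr + 5 + int.from_bytes(patch_bytes[1:5], "little", signed=True)
```

Run against the listing, the check reports that a patch at 08049A1C overwrites both `retn` (TargetFunc) and `lea ecx, [esp+4]` (main), while the same 5-byte patch starting at 08049A18 stays inside TargetFunc.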

@lunixbochs
Owner

lunixbochs commented Nov 28, 2018 via email

@lunixbochs
Owner

lunixbochs commented Nov 28, 2018 via email

@MillionSky
Author

OK, I understand. Thanks very much!
