Relocate strange 32bit EIP relative addressing about polyhook_2_0 HOT 4 CLOSED

To handle stuff like this I'd have to implement a side effect tracker and/or some emulation engine. Unfortunately it's not supported even in 2.0, I'd recommend a dumb ole byte patch for now 😔

from polyhook_2_0.

Yeah... I thought so. Thanks for the input, cheers from UC ;)

from polyhook_2_0.

I've been working on asmjit integration to make callback code generatable at runtime, https://github.com/stevemk14ebr/PolyHook_2_0/blob/inlineNOtypedef/sources/ILCallback.cpp#L14. This may help you, your specific use case is a little more lower level than the abstraction im introducing, but you can gut this where i linked and just emit your callback to do your mov into ebx as first line. This isn't done at all yet and only works on x64 for now, but it might help.

The asm jit stub completely replaces the C callback you usually write, and holds the allocated trampoline pointer in the ILCallback object.

If you get polyhook working on linux i'd like to see that 😄

from polyhook_2_0.

I actually made a small hack which would detect functions which simply place EIP into a register after which I could update relocations for that register -- I don't really see any further emulation being necessary because this is just a ghetto 32bit workaround for inability to do direct RIP relative addressing.

static bool __detect_ip_retrieval(cs_insn *curins, uintptr_t from, uintptr_t to, x86_reg *fixup_reg)
{
    cs_insn *instructioninfo;
    if (!curins) {
        return false;
    }
    cs_x86 *x86 = &(curins->detail->x86);
    cs_x86_op *op = &(x86->operands[0]);
    off_t offset = (to - from);
    size_t instructioncount = cs_disasm(capstone_handle, op->imm - offset, 16, (uintptr_t)op->imm - offset, 0, &instructioninfo);
    size_t i = 0;
    size_t j = 0;

    if (instructioncount < 2) {
        return false;
    }

#ifdef _X64
#define SP_REG X86_REG_RSP
#else
#define SP_REG X86_REG_ESP
#endif

    cs_x86 *op1 = &(instructioninfo[0].detail->x86);
    cs_x86 *op2 = &(instructioninfo[1].detail->x86);

    if (op1->op_count != 2) {
        return false;
    }
    if (op1->operands[0].type != X86_OP_REG) {
        return false;
    }
    if (op1->operands[1].type != X86_OP_MEM) {
        return false;
    }
    if (op1->operands[1].mem.base != SP_REG) {
        return false;
    }
    if (op1->operands[1].mem.scale != 1) {
        return false;
    }
    if (op1->operands[1].mem.disp != 0) {
        return false;
    }

    // the register that is the destination of esp/rsp
    if (fixup_reg) {
        *fixup_reg = op1->operands[0].reg;
    }

    return true;
}

If you get polyhook working on linux i'd like to see that smile

I really just re-wrote the code you used to generate relocations to fit with my hooking code. I used the polyhool1 code, not polyhook2.

from polyhook_2_0.