Adam

Reputation: 11

Detour function under Linux Ubuntu

I used Detours (http://research.microsoft.com/en-us/projects/detours/) under Windows, but now I am using Linux Ubuntu and I want to detour / hook a function. I want to detour the function to mine, and after that I want to call the original function. (I can hook the function, but I can't use the original after that.)

So, I decided to write a detour function. First of all, I copied the function to another place, but I couldn't execute it. Can you help me: why couldn't I execute it? I got a segmentation fault.

My code:

#include <stdlib.h>
#include <string.h>

int (* h_Com_Printf)(const char *fmt, ...); // same prototype as the original Com_Printf
...
void *memBuffer;
int size = 0x4F; // size of the function

memBuffer = (void*)malloc(size);
memcpy(memBuffer, (void*)0x08060DEA, size); // copy the function (address of Com_Printf taken from IDA)

h_Com_Printf = (int (*)(const char *fmt, ...))memBuffer; // treat the copied bytes as the function
h_Com_Printf("print function: %d\n", 1); // segmentation fault HERE

Thanks!

Com_Printf in the "executable file" (IDA Pro): Image: http://kepfeltoltes.hu/150818/ida_printf_www.kepfeltoltes.hu_.png

Linux is running in VirtualBox. (Could that be the problem?)

Upvotes: 0

Views: 1459

Answers (1)

David Elkind

Reputation: 169

Just copying the function bytes is not enough, even provided you know the exact size of it (which is not always the case), because there are lots of instructions that are relative to the EIP (call _vsnprintf in your sample, for instance). Therefore, what is usually done (and, as a matter of fact, what Detours is doing) is to copy just the bytes that get overwritten by the hook code (JMP or CALL) and recalculate the EIP-relative offsets. For this, you need a disassembler that is capable of decoding the instructions and recalculating the relative offsets if necessary. Detours actually includes one. I suggest you look at the Detours sources to get a better understanding of what is done in order to place a hook.

Hope this helps

Upvotes: 1
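As an added example (not code from the question, the answer, or the Detours sources), here is the offset fix-up the answer describes for the 32-bit x86 case in the question: the instructions that the 5-byte hook JMP overwrites are copied into a trampoline, E8 CALL rel32 / E9 JMP rel32 displacements are recomputed for their new address, and a JMP back to the rest of the original function is appended. It assumes the caller has already split the bytes into instructions (the length disassembler the answer mentions), that the trampoline lives in executable memory (mmap with PROT_EXEC, not a malloc buffer), and the sample bytes and the addresses 0x08100000 and 0x08050000 are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian 32-bit displacement read / write. */
static int32_t rd32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(u >> (8 * i));
}

/* Copy one instruction (`len` bytes) from address `src` to address `dst`.
 * E8 CALL rel32 / E9 JMP rel32 are relative to the instruction's end, so the
 * displacement is recomputed: target = src+5+disp_old; disp_new = target-(dst+5).
 * Everything else is copied as-is (assumption: the caller already found the
 * instruction boundaries with a length disassembler). Returns 1 if fixed up. */
int relocate_insn(uintptr_t src, uintptr_t dst,
                  const uint8_t *in, size_t len, uint8_t *out) {
    memcpy(out, in, len);
    if (len == 5 && (in[0] == 0xE8 || in[0] == 0xE9)) {
        uintptr_t target = src + 5 + (uintptr_t)(intptr_t)rd32(in + 1);
        wr32(out + 1, (int32_t)(target - (dst + 5)));
        return 1;
    }
    return 0;
}

/* Trampoline = the `n` instructions the 5-byte hook JMP overwrites, relocated
 * to `dst`, plus a JMP back to the untouched remainder of the original. */
size_t build_trampoline(uintptr_t src, uintptr_t dst, const uint8_t *code,
                        const size_t *inst_len, size_t n, uint8_t *out) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        relocate_insn(src + off, dst + off, code + off, inst_len[i], out + off);
        off += inst_len[i];
    }
    out[off] = 0xE9;                                   /* JMP rel32 */
    wr32(out + off + 1, (int32_t)((src + off) - (dst + off + 5)));
    return off + 5;
}

/* Constructed sample: push ebp; mov ebp,esp; call 0x08050000, placed at the
 * question's Com_Printf address; trampoline assumed to live at 0x08100000. */
uint8_t demo_out[32];
size_t demo_build(void) {
    static const uint8_t code[] = {0x55, 0x89, 0xE5, 0xE8, 0x0E, 0xF2, 0xFE, 0xFF};
    static const size_t lens[] = {1, 2, 5};
    return build_trampoline(0x08060DEAu, 0x08100000u, code, lens, 3, demo_out);
}
```

Calling the hook's trampoline then runs the displaced prologue with the CALL still reaching 0x08050000 and continues at the original function's 9th byte, which is what the question's whole-function copy could not do.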
