Living With Detours
Why Use Detours?
• You want to replace some target binary code with new detour code.
• Detours will:
  • Replace the first instructions of a target function with a JMP to the detour function.
  • Preserve the original function, callable through a trampoline function.
Detours Conference
Inserting A Detour:

Before:
    Caller()         { Target(args); }
    Target(args)     { /* Target Stuff */ }
    Trampoline(args) { goto Target; }

After DetourFunctionWithTrampoline(Trampoline, Detour):
    Caller()         { Target(args); }
    Target(args)     { goto Detour; }
    Detour(args)     { /* your code here */ }
    Trampoline(args) { /* Target Stuff */ }
In Detail:

Before:
    Target:      push ebp        [1 byte]
                 mov ebp,esp     [2 bytes]
                 push ebx        [1 byte]
                 push esi        [1 byte]
                 push edi
                 ....
    Trampoline:  jmp Target

After:
    Target:      jmp Detour      [5 bytes]
                 push edi
                 ....
    Detour:      ...Your Code...
    Trampoline:  push ebp
                 mov ebp,esp
                 push ebx
                 push esi
                 jmp Target+5
Detours Are Cheap:
• Runtime library adds <18KB to binary.
• << 1 microsecond per detoured call:
  • 6 cycles for Empty Function
  • 71 cycles for CoCreateInstance (5 Args.)
  • NB: Added cost is in call from Detour to Trampoline.
• 1 Cache line per detour.
When can’t I use Detours?
• Don’t know the address of the target code.
• The target code is < 5 bytes (sizeof(JMP)).
• First bytes of the target code contain the destination of a branch instruction:
    Target: ;;; code
            JNE Target + 2
• The target is not x86 code (no Alpha or IA64 support).
• Using .NET CLR (MSIL) code.
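As an added example (not code from the slides or from the Detours library), the two checks that the In Detail slide and the "< 5 bytes" rule above imply, written in C: how many whole instructions a trampoline must copy before the 5-byte JMP can be written, failing when the function is too short, and a hook check that decodes a JMP rel32 at a function entry and reports where it lands. The instruction decoder covers only the opcodes shown on the slide, and all sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define JMP_REL32_LEN 5   /* sizeof(JMP rel32): opcode E9 + 4-byte displacement */

/* Length of one x86-32 instruction for the opcodes on the slide's prologue; 0 = unknown (fail closed). */
static size_t insn_len(const uint8_t *p)
{
    if (p[0] >= 0x50 && p[0] <= 0x57) return 1;                            /* push r32    */
    if ((p[0] == 0x89 || p[0] == 0x8B) && (p[1] & 0xC0) == 0xC0) return 2; /* mov r32,r32 */
    if (p[0] == 0xC3) return 1;                                             /* ret         */
    if (p[0] == 0xE9) return JMP_REL32_LEN;                                 /* jmp rel32   */
    return 0;
}

/* Bytes the trampoline must copy so the 5-byte JMP overwrites only whole instructions
 * ("jmp Target+N" on the slide). Returns 0 if RET comes first (function < 5 bytes) or an opcode is unknown. */
size_t prologue_bytes_to_copy(const uint8_t *code, size_t avail)
{
    size_t n = 0;
    while (n < JMP_REL32_LEN) {
        if (n >= avail || code[n] == 0xC3) return 0;
        size_t len = insn_len(code + n);
        if (len == 0) return 0;
        n += len;
    }
    return n;
}

/* Hook check: where a JMP rel32 at the entry lands (entry + 5 + signed rel32), or 0 if there is no JMP. */
uint32_t jmp_rel32_dest(const uint8_t *code, uint32_t code_addr)
{
    if (code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 | (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    return code_addr + JMP_REL32_LEN + rel;   /* unsigned wrap-around gives the signed displacement */
}

/* Constructed samples: the slide's "before" prologue, the same entry after a JMP to a
 * detour placed 0x1000 bytes above it, and a 2-byte function (push ebp; ret). */
static const uint8_t before[] = { 0x55, 0x8B, 0xEC, 0x53, 0x56, 0x57 };
static const uint8_t after[]  = { 0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x57 };
static const uint8_t tiny[]   = { 0x55, 0xC3 };

int main(void)
{
    printf("before: copy %zu bytes to trampoline\n", prologue_bytes_to_copy(before, sizeof before));
    printf("after : entry jumps to %08x\n", jmp_rel32_dest(after, 0x00401000u));
    printf("tiny  : copy %zu bytes (0 = cannot detour)\n", prologue_bytes_to_copy(tiny, sizeof tiny));
    return 0;
}
```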
How do I detour a member function?

    #include <windows.h>
    #include <detours.h>

    class CTarget {
    public:
        void Target();
    };

    class CDetour   // add ": CTarget" to access class vars.
    {
    public:
        void Detour() { Trampoline(); }
        void Trampoline();   // No member variables or virtual funcs.!
    };

    DETOUR_TRAMPOLINE_EMPTY(void CDetour::Trampoline());

    int main()
    {
        void (CTarget::*pfTarget)()     = &CTarget::Target;
        void (CDetour::*pfDetour)()     = &CDetour::Detour;
        void (CDetour::*pfTrampoline)() = &CDetour::Trampoline;

        DetourFunctionWithEmptyTrampoline(*(PBYTE*)&pfTrampoline,
                                          *(PBYTE*)&pfTarget,
                                          *(PBYTE*)&pfDetour);

        CTarget target;
        target.Target();                      // Call CTarget (w/ Detour)
        ((CDetour*)&target)->Trampoline();    // Call CTarget (w/o Detour)
        return 0;
    }
How do I detour a COM function?

    #include <windows.h>
    #include <detours.h>

    // STDCALL is the slide's name for the COM method calling convention (__stdcall).
    HRESULT (STDCALL *pfSeekTrampoline)(IStream *This,
                                        LARGE_INTEGER dlibMove,
                                        DWORD dwOrigin,
                                        ULARGE_INTEGER *plibNewPos);

    HRESULT STDCALL SeekDetour(IStream *This,
                               LARGE_INTEGER dlibMove,
                               DWORD dwOrigin,
                               ULARGE_INTEGER *plibNewPos)
    {
        return pfSeekTrampoline(This, dlibMove, dwOrigin, plibNewPos);
    }

    void detour_member_function(IStream *pi)
    {
        // Read the Seek slot from the object's vtable and detour it;
        // DetourFunction returns the allocated trampoline.
        *(PBYTE*)&pfSeekTrampoline = DetourFunction((PBYTE)pi->lpVtbl->Seek,
                                                    (PBYTE)SeekDetour);
    }
Which APIs manipulate code?

Static Trampolines:
  DETOUR_TRAMPOLINE - Create a trampoline w/ known target.
  DETOUR_TRAMPOLINE_EMPTY - Create a trampoline w/o target.
Detouring Functions:
  DetourFunction - Detour function and alloc trampoline.
  DetourFunctionWithTrampoline(Ex) - Detour function named in trampoline.
  DetourFunctionWithEmptyTrampoline(Ex) - Detour function & set trampoline.
  DetourRemove - Remove detour.
Code Functions:
  DetourFindFunction - Find function in exports or symbols.
  DetourGetFinalCode - Skip over indirection JMP statements.
  DetourCopyInstruction(Ex) - Disassemble instruction (can copy).
Which APIs help use Detours?

PE Image (Module) Enumeration Functions:
  DetourEnumerateModules - Find all PE images loaded into a process.
  DetourGetEntryPoint - Find the entry-point for an image.
  DetourEnumerateExportsForModule - Find all exports from an image.
Payload Functions:
  DetourFindPayload - Find a specific payload.
  DetourGetSizeOfPayloads - Get size of all payloads in image.
DLL Injection Functions:
  DetourCreateProcessWithDll - Create a new process and inject a DLL.
  DetourContinueProcessWithDll - Inject a DLL into an existing process.
Exception Filter Functions:
  DetourFirstChanceExceptionFilter - Detour Win32 exception filtering.
Which APIs change PE binary files?

Persistent Binary Manipulation Functions:
  DetourBinaryOpen - Open a PE binary.
  DetourBinaryEnumeratePayloads - Enumerate the payloads in the binary.
  DetourBinaryFindPayload - Find a specific payload.
  DetourBinarySetPayload - Set/replace a specific payload.
  DetourBinaryDeletePayload - Delete a specific payload.
  DetourBinaryPurgePayloads - Delete all payloads from the binary.
  DetourBinaryEditImports - Modify the PE binary import table.
  DetourBinaryResetImports - Reset the PE binary import table.
  DetourBinaryWrite - Write the PE binary to a file.
  DetourBinaryClose - Close the PE binary.
  DetourBinaryBind - Bind a PE binary with BindImage().