pDevice (06-06-2012)
Well, I'm bored so I decided to lay down a little challenge to anyone that's interested.
The challenge: Spoof a caller address to a function, and make sure the program continues executing afterwards.
Dafuq?
Okay basically whenever you call a function, the address where the program needs to return to is stored on the stack (so it knows how to get back to your code after it calls the function). Typically the address is stored at the top of the stack (so [esp] holds the return address at the start of the function). In assembly, a CALL instruction does this automatically and it's not overtly apparent that it happens (i.e there's no "push" before the call that puts the return address on the stack, but the address ends up there nevertheless.
Now, some functions that do not wish to be called from people's hacks might decide to check where the return address is (i.e, where was the function called from), to make sure the call didn't originate from some unknown address range (i.e, your DLL). To get around this, you can put your own "return address" on the stack, which is within a "valid" address range and the function will never know that the actual call originated from your hack. However, this introduces a new problem: once the function finishes, the code jumps back to the return address (which should be the first instruction after the function call).
Consider this:
When the "call SomeFunction" instruction is executed, the return address is put on the top of the stack. In this case, the return address is 0x100F, which is the first instruction after the call. When the function finishes, the code will resume executing at 0x100F. In our case though, we've put a fake address as the return address in order to fool the function, now when the function jumps back into execution, it will be in the middle of nowhere and most likely cause the whole process to crash.Code:... 0x1000 push param1 0x1005 push param2 0x100A call SomeFunction 0x100F add esp, 8 ...
You mission, should you choose to accept it, is to implement this "caller-spoofing" and ensure that the programs execution resumes where you would expect it to (i.e right after your call).
Hint #1
To fake the caller address, don't use the "CALL" instruction to call the function. Use a push and a jmp.
Hint #2
To get the execution back where you expect it, you'll need to put an assembly stub at wherever you defined the "fake" return address. At most this stub should be about 10 bytes. Ideally, less.
Hint #3
You'll need to know the EIP value to accurately return.
Now, what function you "spoof" the caller to is really up to you. You can do any function you want to really.
I'm not expecting many entries, but maybe someone will give it a crack :3. I'm not expecting a generic solution (i.e your provided code can work for only 1 specific function)
Have at it.
You can win the rat race,Originally Posted by Jeremy S. Anderson
But you're still nothing but a fucking RAT.
++Latest Projects++
[Open Source] Injection Library
Simple PE Cipher
FilthyHooker - Simple Hooking Class
CLR Injector - Inject .NET dlls with ease
Simple Injection - An in-depth look
MPGH's .NET SDK
eJect - Simple Injector
Basic PE Explorer (BETA)
pDevice (06-06-2012)
simple.. just patch the called function and calculate the offset of the function you want the call to return to by subtracting or adding to esp..
You can win the rat race,Originally Posted by Jeremy S. Anderson
But you're still nothing but a fucking RAT.
++Latest Projects++
[Open Source] Injection Library
Simple PE Cipher
FilthyHooker - Simple Hooking Class
CLR Injector - Inject .NET dlls with ease
Simple Injection - An in-depth look
MPGH's .NET SDK
eJect - Simple Injector
Basic PE Explorer (BETA)
then you need to change the caller address to your own function once in your own function preserve the registers including pushad...popad.... then once jumping back to original caller function the next execution would be to call the called as per normal by reducing esp by x amount it will call it self twice but inbeteen you have already replace the original call by its original arddress
for example...
caller function:
balhh blahhh
call callee <--- replace callee with your address to custom function..
Custom function:
pushad
replace "call callee" with original adrress
do some shit
popad
minus esp amount of byte which return you back to "call callee" address but this time it now holds original address
ret
You can win the rat race,Originally Posted by Jeremy S. Anderson
But you're still nothing but a fucking RAT.
++Latest Projects++
[Open Source] Injection Library
Simple PE Cipher
FilthyHooker - Simple Hooking Class
CLR Injector - Inject .NET dlls with ease
Simple Injection - An in-depth look
MPGH's .NET SDK
eJect - Simple Injector
Basic PE Explorer (BETA)
I am not saying you don't know how... I am just giving ideas to for solution to your challenge, you could also spoof the import table with your own dll
Except for most cases the functions aren't actually publicly exported, so reversing the PE isn't viable, plus that just becomes IAT hooking :3.
I have a generic method in mind, but it involves some asshattery because the stack frame for the function is already set prior to the spoof, which is a pain in the ass. Unfortunately I have an exam tomorrow so I can't put it down into code
You can win the rat race,Originally Posted by Jeremy S. Anderson
But you're still nothing but a fucking RAT.
++Latest Projects++
[Open Source] Injection Library
Simple PE Cipher
FilthyHooker - Simple Hooking Class
CLR Injector - Inject .NET dlls with ease
Simple Injection - An in-depth look
MPGH's .NET SDK
eJect - Simple Injector
Basic PE Explorer (BETA)