    #1 radnomguywfq3

    Reliable method for getting the size of a naked function.

    Anyone know of any compile-time macros that could be used? I've been searching for a while and got some crap solutions that were very unpredictable and unreliable.

    Anyway, I was writing an injector and I wrote my own solution. I'm not sure how applicable it is, but it should be reliable; does anyone want to give it a shot?

    NOTE: The epilog (the part that determines the size of the function at runtime) is not supposed to be factored into the function's size.

    Also: If you have variables local to the function you need to make sure the compiler isn't using eax for those local variables.

    *edit* Made it more neat, I just quickly hacked this up.

    Code:
    #include "stdafx.h"

    #include <stdio.h>
    #include <windows.h>

    // Marker argument: when inject() receives this value it returns its own size instead of loading a library.
    const unsigned long SIGOFSIZE = 'SGSZ';

    const void* LOADLIBA = (void*)LoadLibraryA; //Should be constant for every application...

    void __declspec(naked) inject()
    {
    start:
        __asm
        {
            push ebp;
            mov ebp, esp;

            mov eax, dword ptr [ebp + 0x8];   // the single stack argument
            cmp eax, SIGOFSIZE;
            jz getSize;                       // size query: jump to the epilog

            push eax;                         // otherwise the argument is the library name
            call LOADLIBA;
            pop ebp;
            ret 0x4;
        }

    // Epilog: measures the code above from the two labels; not counted as part of the function.
    getSize:
        __asm
        {
            mov eax, getSize;
            sub eax, start;                   // eax = getSize - start = bytes before the epilog
            pop ebp;
            ret 0x4;
        }
    }

    int _tmain(int argc, _TCHAR* argv[])
    {
        unsigned long cb;

        printf("Alterations Injector\n");

        __asm
        {
            push SIGOFSIZE;                   // ask inject() for its size
            call inject;
            mov cb, eax;
        }

        printf("Injectee is of %u bytes in length..\n", cb);

        return 0;
    }
    Last edited by radnomguywfq3; 03-28-2011 at 04:11 PM.



    There are two types of tragedies in life. One is not getting what you want, the other is getting it.

    If you wake up at a different time in a different place, could you wake up as a different person?



    #2 Hell_Demon
    Add another empty naked right behind it e.g.
    Code:
    void __declspec(naked) myFunction(void)
    {
      //code  
    }
    void __declspec(naked) myFunctionEnd(void) { }
    Hasn't fucked up yet for me :3
    Ah we-a blaze the fyah, make it bun dem!

    #3 radnomguywfq3
    Quote Originally Posted by Hell_Demon:
    Add another empty naked right behind it e.g.
    Code:
    void __declspec(naked) myFunction(void)
    {
      //code  
    }
    void __declspec(naked) myFunctionEnd(void) { }
    Hasn't fucked up yet for me :3
    That's incredibly unreliable though because the compiler might align the routines for optimization purposes or add padding. Mine does :/

    Plus, what's forcing the compiler to put one function after the other?
    Last edited by radnomguywfq3; 03-28-2011 at 08:50 AM.





    #4 Hell_Demon
    INT3 and an exception handler then? :P

    #5 radnomguywfq3
    Quote Originally Posted by Hell_Demon:
    INT3 and an exception handler then? :P
    xd That's waaay overkill and probably nearly as unreliable. I think I'll just stick to my method but if anyone has any ideas :O





    #6 why06
    What is this supposed to do? const unsigned long SIGOFSIZE = 'SGSZ';

    I guess it is pretty complicated to get the size of a naked function at runtime. I've never seen a simple solution, but I never looked much either.

    Here's maybe one other solution:

    Code:
    GetSize(int beg,int end)
    {
    int size = end - beg;
    return size;
    }
    
    int Function(void)
    {
    _asm push EIP;
    //function code here...
    _asm
    {
        push EIP;
        push [ESP + C];
        ret;
    }
    
    int size = GetSize(esp, esp+4);
    //rebalance stack... I think, my math may be wrong stack confuses me...
    _asm
    {
       pop ebx;
       pop ebx;
    }
    return size;
    }
    Last edited by why06; 03-28-2011 at 10:04 AM.

    "Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and are not clothed. This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children. The cost of one modern heavy bomber is this: a modern brick school in more than 30 cities. It is two electric power plants, each serving a town of 60,000 population. It is two fine, fully equipped hospitals. It is some fifty miles of concrete pavement. We pay for a single fighter plane with a half million bushels of wheat. We pay for a single destroyer with new homes that could have housed more than 8,000 people. This is, I repeat, the best way of life to be found on the road the world has been taking. This is not a way of life at all, in any true sense. Under the cloud of threatening war, it is humanity hanging from a cross of iron."
    - Dwight D. Eisenhower


    #7 radnomguywfq3
    Quote Originally Posted by why06:
    What is this supposed to do? const unsigned long SIGOFSIZE = 'SGSZ';

    I guess it is pretty complicated to get the size of a naked function at runtime. I've never seen a simple solution, but I never looked much either.

    Here's maybe one other solution:

    Code:
    GetSize(int beg,int end)
    {
    int size = end - beg;
    return size;
    }
    
    int Function(void)
    {
    _asm push EIP;
    //function code here...
    _asm
    {
        push EIP;
        push [ESP + C];
        ret;
    }
    
    int size = GetSize(esp, esp+4);
    //rebalance stack... I think, my math may be wrong stack confuses me...
    _asm
    {
       pop ebx;
       pop ebx;
    }
    return size;
    }
    Look at the code snippet again. I pasted the wrong version in there.

    Your solution is confusing :/ GetSize should in theory be handling the data incorrectly (though most compilers see int as 4 bytes, it should still be of type DWORD (unsigned long)).

    Also, your code misses the prolog/epilog evident in (I assume) the cdecl calling convention, which would normally be the default. This wouldn't be an issue if your calling convention was void of any prolog or epilog, but assuming the cdecl calling convention you're going to get a clip of the routine if you use the size returned.

    mmz then you push the instruction pointer twice (at the start and end of the function body), which makes sense, but then you push the third parameter, which is then being called (indirectly via the ret instruction). You should be finding the difference of these two by making a call to GetSize.

    I see where you were going with this though, and it's not a bad idea.

    I'm going to inject this block of executable code into a remotely allocated memory region via VirtualAllocEx and then initiate a remote thread at its base. At which point it will load a library via the LoadLibraryA API inside of the target's address space - DLL injection.

    *edit*

    Here, this is my final solution:

    Code:
    #include "stdafx.h"

    #include <stdio.h>
    #include <windows.h>

    // Marker argument: when inject() receives this value it returns its own size instead of loading a library.
    const unsigned long SIGOFSIZE = 'SGSZ';

    const void* LOADLIBA = (void*)LoadLibraryA; //Should be constant for every application...

    void __declspec(naked) inject()
    {
    start:
        __asm
        {
            push ebp;
            mov ebp, esp;

            mov eax, dword ptr [ebp + 0x8];   // the single stack argument
            cmp eax, SIGOFSIZE;
            jz getSize;                       // size query: jump to the epilog

            push eax;                         // otherwise the argument is the library name
            call LOADLIBA;
            pop ebp;
            ret 0x4;
        }

    // Epilog: measures the code above from the two labels; not counted as part of the function.
    getSize:
        __asm
        {
            mov eax, getSize;
            sub eax, start;                   // eax = getSize - start = bytes before the epilog
            pop ebp;
            ret 0x4;
        }
    }

    int _tmain(int argc, _TCHAR* argv[])
    {
        unsigned long cb;

        printf("Alterations Injector\n");

        __asm
        {
            push SIGOFSIZE;                   // ask inject() for its size
            call inject;
            mov cb, eax;
        }

        printf("Injectee is of %u bytes in length..\n", cb);

        return 0;
    }
    Last edited by radnomguywfq3; 03-28-2011 at 04:13 PM.





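Detection logic for the remote-thread LoadLibraryA injection described in the last post, as an added example that is not part of the thread: it triages Sysmon Event ID 8 (CreateRemoteThread) records and flags threads that start at a loader export or at an address outside every loaded module (the base of a VirtualAllocEx'd region). The sample records are constructed in the shape of Sysmon's rendered message text; the field names are Sysmon's own.

```python
# Added example, not code from the thread: triage Sysmon Event ID 8
# (CreateRemoteThread) records for the remote-thread DLL-injection pattern
# discussed above. SAMPLE_EVENTS are constructed records, not real telemetry.
LOADER_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

SAMPLE_EVENTS = [
    # thread started at the base of a private allocation: no module resolves
    """TargetImage: C:\\Windows\\System32\\notepad.exe
    NewThreadId: 4120
    StartAddress: 0x00120000
    StartModule: -
    StartFunction: -""",
    # thread started directly on the loader export
    """TargetImage: C:\\Windows\\System32\\notepad.exe
    NewThreadId: 4124
    StartAddress: 0x76E21B20
    StartModule: C:\\Windows\\System32\\kernel32.dll
    StartFunction: LoadLibraryA""",
    # benign: start resolves inside a loaded module and is not a loader export
    """TargetImage: C:\\Windows\\System32\\notepad.exe
    NewThreadId: 4130
    StartAddress: 0x77C0A3D0
    StartModule: C:\\Windows\\System32\\ntdll.dll
    StartFunction: -""",
]

def parse_event(text):
    """Turn a 'Key: value' per line Sysmon message into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields

def classify(ev):
    """Reason string when the record matches the injection pattern, else None."""
    if ev.get("StartFunction", "-") in LOADER_FUNCS:
        return "thread started at %s in %s" % (ev["StartFunction"], ev["TargetImage"])
    if ev.get("StartModule", "-") in ("", "-"):
        return "thread start %s is outside every module in %s" % (ev["StartAddress"], ev["TargetImage"])
    return None

def scan(events):
    """Return [(NewThreadId, reason)] for every record worth an analyst's look."""
    parsed = [parse_event(t) for t in events]
    return [(int(ev["NewThreadId"]), classify(ev)) for ev in parsed if classify(ev)]
```

Running `scan(SAMPLE_EVENTS)` reports threads 4120 and 4124 and leaves the ntdll-backed thread alone; a real deployment would also whitelist known cross-process thread creators such as debuggers.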