Page 1 of 2 12 LastLast
Results 1 to 15 of 19
  #1 Void

    Detouring a single instruction?

    Ohai guise.

    So... I have this single instruction.

    Code:
    mov [esi+0x154],edi
    I need to change what is written to ESI+0x154; the problem is that ESI is dynamic. Now, I had a couple of ideas, but obviously they didn't get me far, otherwise I wouldn't be making this thread.

    Any suggestions on how to retrieve the contents of ESI without having to set a breakpoint on it? As the title says, I was thinking about a detour, but it isn't a function so I wouldn't get how that would work. I was also thinking of just having an instruction to call my own function but I have no idea where to begin.

    Bear with me, I'm terrible at memory hacking and just getting the basics. I didn't put this in the assembly/reversing section 'cause I want to code this in C++ and I'm hoping some of you could lend me a hand.

    So guise, any suggestions?

  #2 radnomguywfq3
    Allocate some memory, relocate a couple of instructions near where you're placing the detour and place them in the allocated memory to make room for a long jump or for a push and ret instruction (assuming you're performing an absolute jump to the allocated memory). After the relocated instructions place a call to a naked routine (no prologue/epilogue) in your injected code. Have this code log whatever ESI is, then do an absolute jump to return. Also, make sure this memory region has executable flags set for it.

    You could also do calls instead of jumps, which would be much easier.

    IMHO, that's way overkill, just use a hardware breakpoint and install a vectored exception handler (make sure yours is first in the chain..)
    Last edited by radnomguywfq3; 06-11-2010 at 06:14 PM.

  #3 Obama
    Quote Originally Posted by Jetamay:
    Allocate some memory, relocate a couple of instructions near where you're placing the detour and place them in the allocated memory to make room for a long jump or for a push and ret instruction (assuming you're performing an absolute jump to the allocated memory). After the relocated instructions place a call to a naked routine (no prologue/epilogue) in your injected code. Have this code log whatever ESI is, then do an absolute jump to return. Also, make sure this memory region has executable flags set for it.

    You could also do calls instead of jumps, which would be much easier.

    IMHO, that's way overkill, just use a hardware breakpoint and install a vectored exception handler (make sure yours is first in the chain..)
    The master returns D:

  #4 scimmyboy
    omg jetamay can speak binary xD

  #5 Hell_Demon
    Hit me on msn I have hw breakpoint shizzle for u ^^
    Ah we-a blaze the fyah, make it bun dem!

  #6 why06
    I tried that vectored exception handling, shit.... as soon as it gets to my handler, shit starts failing epically for unknown reasons. All I know is if I return Continue Search I only get two iterations, but if I call Continue Execution I get more, but the exception I wanted to handle is still never handled. I'm injecting my exception handler, so I don't know if that's having issues or what... I also heard there are only certain functions you can call in an exception handler.
    Code:
    #include <windows.h>

    // Context_t, oCHandler and GContextHook are the poster's own types/objects,
    // defined elsewhere in their project: Context_t holds the Hook1..Hook4
    // addresses, oCHandler is the user callback, GContextHook supplies both.
    LONG CALLBACK ExceptionHandler( EXCEPTION_POINTERS* e )
    {
        // A hardware breakpoint fires as EXCEPTION_SINGLE_STEP; anything else is not ours.
        if( e->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP )
        {
            return EXCEPTION_CONTINUE_SEARCH;
        }

        Context_t *Context = GContextHook.GetContextInfo();

        //this code is never entered.
        if( Context )
        {
            if( e->ExceptionRecord->ExceptionAddress == ( PVOID )Context->Hook1 ||
                e->ExceptionRecord->ExceptionAddress == ( PVOID )Context->Hook2 ||
                e->ExceptionRecord->ExceptionAddress == ( PVOID )Context->Hook3 ||
                e->ExceptionRecord->ExceptionAddress == ( PVOID )Context->Hook4 )
            {
                oCHandler Handler = GContextHook.GetHandlerInfo(); //whatever your personal handler is gonna be

                if( Handler )
                {
                    Handler( Context, e ); // will call your handler now using the Context_t class
                }

                // Set the Resume Flag (bit 16 of EFlags) before continuing, so the
                // instruction at the execute breakpoint runs once without re-faulting.
                e->ContextRecord->EFlags |= (1 << 16);
                return EXCEPTION_CONTINUE_EXECUTION;
            }
        }
        return EXCEPTION_CONTINUE_SEARCH;
    }

    "Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and are not clothed. This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children. The cost of one modern heavy bomber is this: a modern brick school in more than 30 cities. It is two electric power plants, each serving a town of 60,000 population. It is two fine, fully equipped hospitals. It is some fifty miles of concrete pavement. We pay for a single fighter plane with a half million bushels of wheat. We pay for a single destroyer with new homes that could have housed more than 8,000 people. This is, I repeat, the best way of life to be found on the road the world has been taking. This is not a way of life at all, in any true sense. Under the cloud of threatening war, it is humanity hanging from a cross of iron."
    - Dwight D. Eisenhower

  #7 Void
    Thanks guys.

    Jetamay, I believe I've tried your method but I just keep getting errors (not compile errors). Hardcoding has always been really hard for me.

    I've tried allocating memory, jumping to it, placing the original instruction there and returning back, just to test if the jump would work, and it wouldn't work at all. Mind giving me a small example of how you would go about it?

  #8 radnomguywfq3
    Void, what's the problem? Do you have any description of the exception being thrown, and is your target protected?

    Make sure after you've inserted your call and nops that all the instructions are aligned and that none have been overwritten (other than the ones you've relocated, ofc).

    Can you show me what you've got in your naked routine?
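The allocate/relocate/jump-back layout that Jetamay describes in posts #2 and #8 (and that Void asks for an example of in #7), worked out at the byte level as an added example; this is not code from the thread or from any poster. It builds the 5-byte jmp plus nop padding that goes over `mov [esi+0x154],edi` (89 BE 54 01 00 00 on 32-bit x86) and the trampoline that re-runs the stolen bytes, calls a logging routine and returns with push/ret. The hook, trampoline and logger addresses are constructed sample values; the code only fills buffers and writes nothing into a live process.

```c
/* Added example: byte layout for the single-instruction detour from this thread (32-bit x86).
   Target instruction "mov [esi+0x154],edi" = 89 BE 54 01 00 00. Addresses are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define JMP_LEN 5  /* E9 rel32 jmp / E8 rel32 call */

/* Store v little-endian at p. */
static void put32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* rel32 for a 5-byte E8/E9 starting at 'at' that must reach 'target'. */
static uint32_t rel32(uint32_t at, uint32_t target) {
    return target - (at + JMP_LEN);
}
/* Whole instructions (lengths in ilen[]) to steal so the 5-byte jmp fits; 0 = not enough room. */
static size_t bytes_to_steal(const uint8_t *ilen, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n && total < JMP_LEN; i++) total += ilen[i];
    return total >= JMP_LEN ? total : 0;
}
/* Patch written over the hook site: jmp trampoline, then nops so the next
   original instruction still starts on its boundary. Returns patch length. */
static size_t build_patch(uint32_t hook_addr, uint32_t tramp_addr, size_t steal, uint8_t *patch) {
    patch[0] = 0xE9;
    put32(patch + 1, rel32(hook_addr, tramp_addr));
    memset(patch + JMP_LEN, 0x90, steal - JMP_LEN);
    return steal;
}
/* Trampoline placed in the allocated executable memory: relocated instruction(s), a call to the
   naked logging routine (it reads ESI and must preserve every register and flag), then an
   absolute jump back with push/ret. Copying is only safe for position-independent instructions
   like this mov; a relative jmp/call among the stolen bytes would need its rel32 re-based. */
static size_t build_trampoline(uint32_t hook_addr, uint32_t tramp_addr, uint32_t logger_addr,
                               const uint8_t *orig, size_t steal, uint8_t *tramp) {
    size_t n = 0;
    memcpy(tramp, orig, steal);
    n += steal;
    tramp[n++] = 0xE8;                                        /* call logger */
    put32(tramp + n, rel32(tramp_addr + n - 1, logger_addr));
    n += 4;
    tramp[n++] = 0x68;                                        /* push return address */
    put32(tramp + n, hook_addr + (uint32_t)steal);
    n += 4;
    tramp[n++] = 0xC3;                                        /* ret: absolute jump back */
    return n;
}
```

With the constructed addresses 0x00401000 (hook), 0x10000000 (trampoline) and 0x10001000 (logger), the patch is E9 FB EF BF 0F 90 and the trampoline is 17 bytes ending in 68 06 10 40 00 C3.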

  #9 Hell_Demon
    Quote Originally Posted by Jetamay:
    Can you show me what you've got in your naked routine?
    David, with that he means code, not you doing scary stuff without clothes in front of your PC.

  #10 Void
    I haven't got anything coded yet, I was busy all day and yesterday I was failing horribly. Seeing as I'm not able to do this even with your guys' guidance, I guess I should look more into this subject before attempting this.

    And yes Wesley, I know that..

  #11 shad0w'
    Find the pointer to ESI, everything mentioned above is beyond overkill.
    Last edited by shad0w'; 06-15-2010 at 05:17 AM.

  #12 Void
    ESI is a register not an address..

  #13 shad0w'
    Quote Originally Posted by Void:
    ESI is a register not an address..
    ESI is probably holding a pValue.

    Every class has a pointer set dynamically to it once initialised for the processor to copy it to the next segment.

    I understand that ESI is a register, trust me. However, you must understand that ESI isn't any old register, it's actually a source index that points to data.

    FYI, in the assembly you posted a string is being copied or will be copied (probably).

    EDIT: Perhaps if you were to post more of the assembly than one instruction, I/others could be of more help.
    Last edited by shad0w'; 06-16-2010 at 12:37 AM.

  #14 radnomguywfq3
    Quote Originally Posted by shad0w':
    ESI is probably holding a pValue.

    Every class has a pointer set dynamically to it once initialised for the processor to copy it to the next segment.

    I understand that ESI is a register, trust me. However, you must understand that ESI isn't any old register, it's actually a source index that points to data.

    FYI, in the assembly you posted a string is being copied or will be copied (probably).

    EDIT: Perhaps if you were to post more of the assembly than one instruction, I/others could be of more help.
    You said "Find the pointer to esi". A pointer is something which points to a point in your RAM. Since ESI isn't located anywhere in memory (except on the processor), we cannot 'point' to it. If you want to get REALLY technical though, Windows does save the registers on a temporary stack while switching between threads, but you still cannot point to this from a usermode application. Whether you write or copy to/from this register is held in the object code constructing the instruction being executed.

    Also, a pointer to a register would be completely useless because the register changes like a million times in a single second. You'd have no way of determining what it's been pointing to after the first change.

  #15 why06
    If there was ever any doubt, that settled it. Sometimes it's better to just admit you're wrong; arguing little points like this detours the conversation. As is usually the outcome when trying to get technical with other technical people.
