relocation address error #4

Open
nblog opened this issue Jan 17, 2020 · 5 comments
Assignees
Labels
A-general Area: General library functionality (mainly hooking) C-bug Category: This is a bug P-high Priority: High

Comments


nblog commented Jan 17, 2020

sample:

```c
ZyrexInstallInlineHook((void*)&CopyFileW, (const void*)&callback, &original);
```

for example:

```asm
kernel32.dll->CopyFileW
nop
nop
nop
jmp $-0xC
```

trampoline->code_buffer:

```asm
jmp 0x7752E597 ; error jmp
```

"jmp 0x7752E598" is the right jump; it should be a calculation error.


nblog commented Jan 17, 2020

```c
ZyrexCalculateRelativeOffset(length, (ZyanUPointer)address,
```

The `address` value is wrong.

Maybe like this (#L568):

```c
// Write opcode
ZyanU8* address = (ZyanU8*)context->destination + context->bytes_written;
ZyanUPointer ptr = (ZyanUPointer)address;   // keep the instruction start before address is advanced
if (opcode == 0xE9)
{
    *address++ = 0xE9;
} else
{
    *address++ = 0x0F;
    *address++ = opcode;
}

// Write relative offset
*(ZyanI32*)(address) =
    ZyrexCalculateRelativeOffset(length, ptr,
        instruction->absolute_target_address);
```

@flobernd flobernd self-assigned this Jan 17, 2020
@flobernd flobernd added A-general Area: General library functionality (mainly hooking) C-bug Category: This is a bug P-high Priority: High labels Jan 17, 2020
@flobernd (Member)

Thanks for reporting. I will have a look later. It’s very possible that the 32-bit hooking is still off a bit because I mainly tested on 64-bit for now.

A first stable version is expected to be released in the next two weeks.

@flobernd (Member)

@nblog
I was not able to reproduce the problem on my local branch - but I already made some changes, so it might have been fixed in the meantime.

Probably going to push my local changes on the weekend after some cleaning.


nblog commented Feb 6, 2020

I have tested; the error still exists.
The reason for the error is in how you calculate the relative address:
#L581 `ZyrexCalculateRelativeOffset` `source_address = address`
And you do `address++` at #L572, #L575 and #L576,
so the calculated relative offset is also wrong.
The correct approach should be to save the address once after #L569:

```c
// Write opcode
ZyanU8* address = (ZyanU8*)context->destination + context->bytes_written;
ZyanUPointer ptr = (ZyanUPointer)address;   // keep the instruction start before address is advanced
if (opcode == 0xE9)
{
    *address++ = 0xE9;
} else
{
    *address++ = 0x0F;
    *address++ = opcode;
}

// Write relative offset
*(ZyanI32*)(address) =
    ZyrexCalculateRelativeOffset(length, ptr,
        instruction->absolute_target_address);
```
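
The arithmetic behind the report, as an added example that is not Zyrex code: a rel32 branch is encoded as `target - (source + length)`, so taking `source` from the already advanced `address` makes the relocated `jmp` land one byte short (two bytes for a `0F 8x` jcc), exactly the 0x7752E597 vs 0x7752E598 discrepancy above. `calc_rel32` is a hypothetical stand-in for `ZyrexCalculateRelativeOffset`, and the buffer address is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* rel32 = target - address of the instruction that follows the branch.
 * Hypothetical helper standing in for ZyrexCalculateRelativeOffset. */
static int32_t calc_rel32(uint64_t source, size_t length, uint64_t target)
{
    return (int32_t)(target - (source + length));
}

/* Encode a 5-byte E9 jmp or a 6-byte 0F 8x jcc into buf, which will live at
 * virtual address buf_va. With use_instruction_start == 0 the source address is
 * read *after* the opcode bytes were written, reproducing the reported bug. */
static size_t encode_branch(uint8_t *buf, uint64_t buf_va, uint8_t opcode,
                            uint64_t target, int use_instruction_start)
{
    uint8_t *p = buf;
    uint64_t start = buf_va;                 /* correct source: instruction start */
    if (opcode == 0xE9) {
        *p++ = 0xE9;
    } else {
        *p++ = 0x0F;
        *p++ = opcode;
    }
    size_t length = (size_t)(p - buf) + 4;   /* opcode bytes + rel32 */
    uint64_t source = use_instruction_start ? start
                                            : buf_va + (uint64_t)(p - buf);
    int32_t rel = calc_rel32(source, length, target);
    memcpy(p, &rel, sizeof rel);
    return length;
}

/* Decode the branch the way the CPU does: next-instruction address + rel32. */
static uint64_t branch_destination(const uint8_t *buf, uint64_t buf_va)
{
    size_t opcode_len = (buf[0] == 0xE9) ? 1 : 2;
    int32_t rel;
    memcpy(&rel, buf + opcode_len, sizeof rel);
    return buf_va + opcode_len + 4 + (uint64_t)(int64_t)rel;
}

/* Where does the relocated branch actually land for a given encoding mode? */
static uint64_t landing(uint8_t opcode, uint64_t buf_va, uint64_t target,
                        int use_instruction_start)
{
    uint8_t buf[6] = {0};   /* constructed trampoline code buffer */
    encode_branch(buf, buf_va, opcode, target, use_instruction_start);
    return branch_destination(buf, buf_va);
}
```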

flobernd added a commit that referenced this issue Feb 6, 2020

flobernd commented Feb 6, 2020

Sorry, I am busy with work at the moment and had no time to finish my changes. I just pushed my local progress, which definitely does not have the problem you describe. It might have other issues though; still work in progress.
