
I used Detours (http://research.microsoft.com/en-us/projects/detours/) under Windows, but now I am using Linux Ubuntu and I want to detour / hook a function. I want to detour the function to mine, and after that I want to call the original function. (I can hook the function, but I can't use the original after that.)

So, I decided to write a detour function. First of all, I copied the function to another place, but I couldn't execute it. Can you help me: why couldn't I execute it? I got a segmentation fault.

My code:

#include <stdlib.h>
#include <string.h>

int (* h_Com_Printf)(const char *fmt, ...); // will point at the copied function
...
void *memBuffer;
int size = 0x4F; // size of the function

memBuffer = (void*)malloc(size);
memcpy(memBuffer, (void*)0x08060DEA, size); // copy the function (address of Com_Printf as shown by IDA)

h_Com_Printf = (int (*)(const char *fmt, ...))memBuffer;
h_Com_Printf("print function: %d\n", 1); // segmentation fault HERE

Thanks!

Com_Printf in the "executable file" (IDA Pro): Image: http://kepfeltoltes.hu/150818/ida_printf_www.kepfeltoltes.hu_.png

Linux running in VirtualBox. (Can it be the problem?)

Adam
  • I found [this](http://aimbots.net/threads/14469-Detours-for-Linux-amp-Windows) piece of templating goodness that *might* be helpful for you. – DevSolar Aug 18 '15 at 14:33
  • It didn't work :( Segmentation fault again... – Adam Aug 18 '15 at 15:43
  • What makes you think that the memory at the apparently arbitrary address 0x08060dea contains the instructions for a function? Not saying that it doesn't - but this is definitely not a [MCVE](http://stackoverflow.com/help/mcve) as is... – twalberg Aug 18 '15 at 16:04
  • I thought it from Ida Pro: http://kepfeltoltes.hu/150818/ida_printf_www.kepfeltoltes.hu_.png – Adam Aug 18 '15 at 16:57

1 Answer

Just copying the function bytes is not enough, even provided you know the exact size of it (which is not always the case), because there are lots of instructions that are relative to the EIP (call _vsnprintf in your sample, for instance). Therefore, what is usually done (and, as a matter of fact, what Detours is doing) is to copy just the bytes that got overwritten by the hook code (JMP or CALL) and recalculate the EIP-relative offsets. For this, you need a disassembler that is capable of decoding the instructions and recalculating the relative offsets if necessary. Detours actually includes one. I suggest you look at the Detours sources to get a better understanding of what is done in order to place a hook.

Hope this helps

David Elkind
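The offset recalculation the answer describes, as an added example that is not part of the question, the answer, or Detours itself. It copies only the bytes a 5-byte JMP hook would overwrite, rounds up to a whole instruction so a call is never cut in half, rewrites each rel32 call/jmp so it still reaches its original callee from the trampoline's new address, and appends the jump back into the original function. The byte pattern, the function address 0x08060DEA (taken from the question), the callee address 0x08048400 and the trampoline address 0x09000000 are all constructed for illustration, and the length decoder recognises only a handful of opcodes, which is exactly the part a real hook library replaces with a full disassembler. Note that the example only computes bytes; to actually run a trampoline it would have to sit in a page mapped executable (mmap/mprotect with PROT_EXEC), since malloc'd heap memory is non-executable on a current Linux, which is why the copy in the question faults before the relative-offset problem even shows up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy length decoder for a constructed subset of x86-32 encodings. A real
 * detour library carries a full length disassembler; this recognises only:
 *   55        push ebp        83 EC ib  sub esp, imm8    E9 rel32  jmp rel32
 *   89 E5     mov ebp, esp    E8 rel32  call rel32       C3        ret
 * Short (rel8) branches such as EB/7x are refused on purpose: they cannot be
 * moved far without being widened to rel32. Returns 0 for anything unknown. */
static size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return 0;
    switch (p[0]) {
    case 0x55: case 0xC3: return 1;
    case 0x89: return (avail >= 2 && p[1] == 0xE5) ? 2 : 0;
    case 0x83: return (avail >= 3 && p[1] == 0xEC) ? 3 : 0;
    case 0xE8: case 0xE9: return avail >= 5 ? 5 : 0;
    default: return 0;
    }
}

/* Little-endian 32-bit displacement helpers. */
int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}
static void write_le32(uint8_t *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xFF; p[1] = (u >> 8) & 0xFF;
    p[2] = (u >> 16) & 0xFF; p[3] = (u >> 24) & 0xFF;
}

/* Absolute target of a rel32 call/jmp whose opcode byte sits at insn_addr:
 * the displacement is relative to the instruction *after* it (EIP after decode). */
uint32_t rel32_target(uint32_t insn_addr, int32_t disp)
{
    return insn_addr + 5 + (uint32_t)disp;
}

/* Copy at least min_bytes of the function at src_addr into a trampoline that
 * will live at dst_addr, whole instructions only, re-encoding every rel32
 * displacement for its new position. Returns bytes copied, 0 on failure. */
size_t relocate_prologue(const uint8_t *src, size_t src_len, uint32_t src_addr,
                         uint8_t *dst, size_t dst_len, uint32_t dst_addr,
                         size_t min_bytes)
{
    size_t off = 0;
    while (off < min_bytes) {
        size_t n = insn_len(src + off, src_len - off);
        if (n == 0 || off + n > dst_len) return 0;
        memcpy(dst + off, src + off, n);
        if (src[off] == 0xE8 || src[off] == 0xE9) {
            uint32_t target = rel32_target(src_addr + (uint32_t)off, read_le32(src + off + 1));
            uint32_t next = dst_addr + (uint32_t)off + 5;   /* EIP after the moved copy */
            write_le32(dst + off + 1, (int32_t)(target - next));
        }
        off += n;
    }
    return off;
}

/* Append "jmp rel32" into the original function just past the copied bytes. */
size_t emit_jmp_back(uint8_t *dst, size_t dst_len, uint32_t dst_addr,
                     size_t copied, uint32_t src_addr)
{
    if (copied + 5 > dst_len) return 0;
    uint32_t next = dst_addr + (uint32_t)copied + 5;
    dst[copied] = 0xE9;
    write_le32(dst + copied + 1, (int32_t)((src_addr + (uint32_t)copied) - next));
    return copied + 5;
}

/* Constructed sample: a prologue imagined at 0x08060DEA whose third instruction
 * calls a callee imagined at 0x08048400 (disp = 0x08048400 - (0x08060DED + 5)). */
#define SAMPLE_SRC_ADDR 0x08060DEAu
#define SAMPLE_DST_ADDR 0x09000000u   /* hypothetical trampoline address */
#define SAMPLE_CALLEE   0x08048400u   /* hypothetical _vsnprintf address */
const uint8_t sample_func[] = {
    0x55,                          /* push ebp       */
    0x89, 0xE5,                    /* mov  ebp, esp  */
    0xE8, 0x0E, 0x76, 0xFE, 0xFF,  /* call -0x189F2  */
    0x83, 0xEC, 0x18,              /* sub  esp, 0x18 */
    0xC3                           /* ret            */
};
const uint8_t sample_rel8[] = { 0x55, 0xEB, 0x02, 0x90, 0x90, 0xC3 }; /* jmp rel8: refused */
uint8_t sample_tramp[32];

/* Trampoline for a 5-byte JMP hook on sample_func; returns its total length. */
size_t build_sample_trampoline(uint8_t *tramp, size_t tramp_len)
{
    size_t n = relocate_prologue(sample_func, sizeof sample_func, SAMPLE_SRC_ADDR,
                                 tramp, tramp_len, SAMPLE_DST_ADDR, 5);
    return n ? emit_jmp_back(tramp, tramp_len, SAMPLE_DST_ADDR, n, SAMPLE_SRC_ADDR) : 0;
}

int main(void)
{
    size_t len = build_sample_trampoline(sample_tramp, sizeof sample_tramp);
    printf("trampoline (%zu bytes):", len);
    for (size_t i = 0; i < len; i++) printf(" %02X", sample_tramp[i]);
    printf("\nrelocated call reaches %08X; an unpatched copy would hit %08X\n",
           rel32_target(SAMPLE_DST_ADDR + 3, read_le32(sample_tramp + 4)),
           rel32_target(SAMPLE_DST_ADDR + 3, read_le32(sample_func + 4)));
    return 0;
}
```

Because the 5-byte overwrite lands in the middle of the call, the copy is rounded up to 8 bytes; the unpatched copy in the question keeps the original displacement and therefore "calls" whatever happens to be 0x189F2 bytes below the buffer, which is the second failure waiting behind the non-executable heap.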