C++ mid-function hook: get register values and jump back [x86 assembly on windows]


Problem description


There is an int value in register EBP and a string in EBX. I need to get the values from these registers in my own function, do some operations on them and finally jump back to some code below.

I do a JMP at 0x46AA17 to my function called JmpHook.

    void JmpHook()
    {
        char *mystring;
        _asm mov mystring, ebx

        printf("value: %s", mystring);

        _asm
        {
            jmp       [0x46AA87]
        }
    }

As you can see, I am trying to move the string at EBX into mystring and at the end jump back to 0x46AA87 which is located some lines below my JMP JmpHook.

printf is being called and mystring is being output, but all this seems very untidy in OllyDbg. I am also unable to get EBP as it is being overwritten at the beginning of JmpHook (I saw that in OllyDbg). The JMP at the end of JmpHook also does not work:

So my question is how to properly jump to my own function, save the two registers there in variables and then after some operations jump back to the original code.

Thank you!

Solution

You can get the value of the last EBP from the stack.

It is the first value that is pushed on the stack when you call your function. If I am not mistaken it will be at [EBP].

As for the jump, can you make it so that instead of jumping to the hook, you call it? After the function returns the code will continue from the next address.

The reason you are getting an error is because you never reach the end of the function. Normally a function contains a prologue and an epilogue, where stack pointers are saved and retrieved.

Prologue:

push ebp
mov  ebp, esp

Epilogue:

pop ebp

Since you never reach the end of the function, the pop is not called, and your stack is corrupted.

The error you are getting with the jump is because you are jumping to a location pointed to by the memory in the address 0x46AA87. You probably wanted to jump to the address, so the brackets are unnecessary.
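An added example, not code from the question or the answer above. The usual way to do what the asker wants without fighting the compiler's prologue is a `__declspec(naked)` trampoline that saves the whole register state (pushfd, pushad), passes the stack pointer to an ordinary cdecl handler (push esp / call handler / add esp, 4), restores it (popad, popfd) and only then jumps back to 0x46AA87 (a push 0x46AA87 / ret pair avoids clobbering a register that popad just restored). The handler then reads EBX and EBP from the saved block instead of from live registers, which is why the asker saw EBP overwritten. The C below is portable and does not patch memory; it works out the two things that are easy to get wrong in that design: the 5-byte E9 JMP rel32 (the displacement is measured from the end of the instruction, so a hand-built patch is off by five if you forget that) and the exact order PUSHAD leaves the registers in, checked against a struct the handler can take as its parameter. The addresses 0x46AA17 and 0x46AA87 are the ones from the question; the hook address 0x00401000 and all register values are constructed placeholders. On a real target the page containing 0x46AA17 must be made writable (VirtualProtect) before the five bytes are written, and note that any instructions between the patch and 0x46AA87 are skipped unless the trampoline re-executes them.

```c
/* Added example, not code from the original question or answer.
 * (1) E9 JMP rel32 encoding for the hook at 0x46AA17 and the return to
 *     0x46AA87 (addresses from the question; 0x00401000 is a placeholder
 *     hook address).
 * (2) The register block a PUSHFD;PUSHAD trampoline leaves on the stack,
 *     simulated on a small array so the struct layout can be verified.
 * Portable C: nothing here writes to process memory. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Displacement for "JMP rel32" (opcode E9) placed at `from`, landing at
 * `to`. rel32 is relative to the END of the 5-byte instruction. The
 * uint32_t arithmetic wraps modulo 2^32 exactly as the CPU does. */
int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - (from + 5u));
}

/* Inverse: where does a JMP rel32 located at `at` land? */
uint32_t jmp_target(uint32_t at, int32_t rel)
{
    return at + 5u + (uint32_t)rel;
}

/* Encode the full 5-byte patch into `out`, little-endian as x86 expects. */
const uint8_t *encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5])
{
    uint32_t r = (uint32_t)jmp_rel32(from, to);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(r >> (8 * i));
    return out;
}

/* Convenience accessor for one byte of the patch (0 <= i < 5). */
uint8_t jmp_patch_byte(uint32_t from, uint32_t to, int i)
{
    uint8_t tmp[5];
    return encode_jmp_rel32(from, to, tmp)[i];
}

/* Stack layout right after a naked trampoline executes PUSHFD then PUSHAD.
 * PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI in that order, so
 * EDI ends up at the lowest address and EFLAGS sits just above EAX.
 * "push esp" then hands the handler a pointer to exactly this struct. */
typedef struct {
    uint32_t edi, esi, ebp, esp, ebx, edx, ecx, eax;  /* PUSHAD block   */
    uint32_t eflags;                                  /* PUSHFD, above  */
} HookContext;

/* Layout check the trampoline relies on (ebx at [esp+16], ebp at [esp+8]). */
int context_layout_ok(void)
{
    return offsetof(HookContext, ebp) == 8 && offsetof(HookContext, ebx) == 16 &&
           offsetof(HookContext, eflags) == 32 && sizeof(HookContext) == 36;
}

/* Simulate PUSHFD; PUSHAD on a small downward-growing stack and return the
 * pointer the trampoline would pass to the handler. Inputs are the register
 * values at the hook point (constructed sample values in the tests). */
#define STACK_WORDS 16
static uint32_t g_stack[STACK_WORDS];

const HookContext *simulate_trampoline_entry(uint32_t eax, uint32_t ecx,
        uint32_t edx, uint32_t ebx, uint32_t esp, uint32_t ebp,
        uint32_t esi, uint32_t edi, uint32_t eflags)
{
    uint32_t *sp = g_stack + STACK_WORDS;
    *--sp = eflags;                        /* PUSHFD                          */
    uint32_t esp_before_pushad = esp - 4;  /* PUSHFD already moved ESP by 4   */
    *--sp = eax; *--sp = ecx; *--sp = edx; *--sp = ebx;
    *--sp = esp_before_pushad;             /* PUSHAD stores ESP as of its start */
    *--sp = ebp; *--sp = esi; *--sp = edi;
    return (const HookContext *)sp;        /* this is the ESP the trampoline pushes */
}

/* The cdecl handler the trampoline calls: the int the question keeps in EBP
 * and the char* it keeps in EBX, read from the saved block. The pointer is
 * returned as a number because the sample context is synthetic. */
uint32_t hooked_int(const HookContext *ctx)        { return ctx->ebp; }
uint32_t hooked_string_ptr(const HookContext *ctx) { return ctx->ebx; }

int main(void)
{
    uint8_t patch[5];
    encode_jmp_rel32(0x46AA17u, 0x00401000u, patch);
    printf("patch at 0x46AA17:");
    for (int i = 0; i < 5; i++) printf(" %02X", patch[i]);
    printf("\nreturn jmp to 0x46AA87 from 0x46AA17: rel32 = 0x%X\n",
           (unsigned)jmp_rel32(0x46AA17u, 0x46AA87u));

    const HookContext *ctx = simulate_trampoline_entry(
        0x1u, 0x2u, 0x3u, 0x00C0FFEEu, 0x0018FF40u, 42u, 0x5u, 0x6u, 0x246u);
    printf("layout ok=%d EBX=0x%08X EBP=%u EFLAGS=0x%X\n", context_layout_ok(),
           hooked_string_ptr(ctx), hooked_int(ctx), ctx->eflags);
    return 0;
}
```

In a real hook the handler signature is simply `void __cdecl Handler(HookContext *ctx)`, and because it is a normal compiled function it may have any prologue it likes: the trampoline, not the handler, owns the return to 0x46AA87, so the stack is never left unbalanced the way the original JmpHook leaves it.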
