Class: Ragweed::Detour::Detour

Inherits:

Object

• Object
• Ragweed::Detour::Detour

Defined in:

lib/ragweed/detour.rb

Overview

“Ghetto Detours”, as Scott Stender might say. Patch subprograms in to running programs as a hooking mechanism.

Direct Known Subclasses

Dbreak

Instance Attribute Summary

• #dpoint ⇒ Object readonly

  Returns the value of attribute dpoint.

• #snarfed ⇒ Object readonly

  Returns the value of attribute snarfed.

• #stack ⇒ Object readonly

  Returns the value of attribute stack.

Instance Method Summary

• #call ⇒ Object

  Patch the target function.

• #initialize(p, opts = {}) ⇒ Detour constructor

  Easiest way to do this is just to ask WinProcess#detour.

• #inner_block ⇒ Object

  Hook function.

• #release ⇒ Object

  Release the detour and its associated memory, unpatch the target function.

Constructor Details

#initialize(p, opts = {}) ⇒ Detour

Easiest way to do this is just to ask WinProcess#detour. Wants “p” to be a pointer into the process, presumable returned from WinProcess#get_proc.

In theory, “p” should be OK anywhere as long as there are 5 bytes of instructions before the end of the basic block its in. In practice, this only really stands a chance of working if “p” points to a function prologue.

# File 'lib/ragweed/detour.rb', line 17

def initialize(p, opts={})      
  @p = p.p
  @dpoint = p
  @opts = opts
  @a = @opts[:arena] || @p.arena
  @stack = @a.alloc(2048)
  @snarfed = snarf_prologue
end

Instance Attribute Details

#dpoint ⇒ Object (readonly)

Returns the value of attribute dpoint.

# File 'lib/ragweed/detour.rb', line 6

def dpoint
  @dpoint
end

#snarfed ⇒ Object (readonly)

Returns the value of attribute snarfed.

# File 'lib/ragweed/detour.rb', line 5

def snarfed
  @snarfed
end

#stack ⇒ Object (readonly)

Returns the value of attribute stack.

# File 'lib/ragweed/detour.rb', line 7

def stack
  @stack
end

Instance Method Details

#call ⇒ Object

Patch the target function. There is a 70% chance this will totally fuck your process.

You would be wise to have the threads in the process suspended while you do this, but I’m not going to do it for you.

# File 'lib/ragweed/detour.rb', line 38

def call
  # a Detours-style trampoline --- the location we patch the
  # target function to jump to --- consists of:
  #
  # - A stack switch (to push/pop w/o fucking the program)
  # - A context save
  # - The Detour code
  # - A context restore
  # - A stack restore
  # - The code we patched out of the target
  # - A jump back to the target function (after the prologue)

  # Do this now to make room for the (probably 5 byte) jump. 
  # We don't know what the address will be until we allocate.
  jumpback = (Jmp 0xDEADBEEF) # patch back later

  # Build the trampoline
  tramp = trampoline(@stack).assemble

  # Figure out how big the whole mess will be, allocate it
  tsz = tramp.size + @snarfed.size + jumpback.to_s.size
  tbuf = @a.alloc(tsz + 10)
  
  # assume trampoline is ahead of the patched program text;
  # jump to [dpoint+patch]
  jumpback.dst = (@dpoint.to_i + @snarfed.size) - (tbuf + tsz)
  
  # Write it into memory. It's not "live" yet because we haven't
  # patched the target function.
  @p.write(tbuf, tramp + @snarfed + jumpback.to_s)

  # But now it is. =)
  @p.write(@dpoint, injection(tbuf).assemRASble)
end

#inner_block ⇒ Object

Hook function. Override this in subclasses to provide different behavior.

# File 'lib/ragweed/detour.rb', line 75

def inner_block
  i = Ragweed::Rasm::Subprogram.new
  i.<< Int(3)
end

#release ⇒ Object

Release the detour and its associated memory, unpatch the target function.

# File 'lib/ragweed/detour.rb', line 28

def release
  @dpoint.write(@snarfed)
  @a.release if not @opts[:arena]
end