stevemk14ebr/PolyHook_2_0

Incorrect disassembly in x86 (A: Debugger breakpoint)

acidicoala opened this issue · 4 comments

Hello. I've stumbled upon a very peculiar case, and was hoping you could have a look at it. Here is the function I wish to hook (starts at 0x52CC7130):

func_before_hook

When hooking it in a real environment, it doesn't disassemble the prologue correctly. For some reason it reads a cc at the end.:

Original function:
517f7130 [1]: 55                                      push ebp
517f7131 [2]: 8b ec                                   mov ebp, esp
517f7133 [1]: 56                                      push esi
517f7134 [1]: cc                                      int3 int3

Prologue to overwrite:
517f7130 [1]: 55                                      push ebp
517f7131 [2]: 8b ec                                   mov ebp, esp
517f7133 [1]: 56                                      push esi
517f7134 [1]: cc                                      int3 int3

Trampoline:
4155b80 [1]: 55                                      push ebp
4155b81 [2]: 8b ec                                   mov ebp, esp
4155b83 [1]: 56                                      push esi
4155b84 [1]: cc                                      int3 int3

Hook instructions:
517f7130 [5]: e9 72 74 f4 01                          jmp 0x000000005373e5a7

However, when copying this function prologue and pasting it as one of the unit tests (you can see it in the pending PR), Polyhook parses it as expected:

[+] Info: Original function:
110654c [1]: 55                                      push ebp
110654d [2]: 8b ec                                   mov ebp, esp
110654f [1]: 56                                      push esi
1106550 [3]: 8b 75 08                                mov esi, dword ptr ss:[ebp+0x08]
1106553 [4]: f6 46 30 02                             test byte ptr ds:[esi+0x30], 0x02
1106557 [1]: c3                                      ret ret


[+] Info: Prologue to overwrite:
110654c [1]: 55                                      push ebp
110654d [2]: 8b ec                                   mov ebp, esp
110654f [1]: 56                                      push esi
1106550 [3]: 8b 75 08                                mov esi, dword ptr ss:[ebp+0x08]


[+] Info: Trampoline:
15220c0 [1]: 55                                      push ebp
15220c1 [2]: 8b ec                                   mov ebp, esp
15220c3 [1]: 56                                      push esi
15220c4 [3]: 8b 75 08                                mov esi, dword ptr ss:[ebp+0x08]
15220c7 [5]: e9 87 44 be ff                          jmp 0x01106553 -> 1106553



[+] Info: Hook instructions:
110654c [5]: e9 3e 20 b7 ff                          jmp 0x0000000000c7858f

Do you have any ideas what might be causing this?

Can you share the binary? I guess it's possible that a tool is setting a return breakpoint and polyhook sees that? Any requeson you think this might have anti debug or any tracing from your debugger occurring?

Can you share the binary?

Sure: dll.zip. File offset: 0x966530. Typedef: void coroutine_callback(struct CallbackData* data) { ... }

I don't think it has any kind of anti-debugging capabilities.

Edit: Damn, it looks like it's disassembling the prologue correctly when a debugger is not attached. The thing is that it crashes at some point down the road and I wanted to debug it. But I cannot debug it because then it starts disassembling incorrectly and not reaching that point at all.

Turns out I had a breakpoint there in function prologue, but the debugger just wasn't showing it. As soon as I removed it, the hooking went as expected. Hope this helps others in the future.

ok cool I thought it might be a debugger breakpoint!