Calculate code length
huoji120 opened this issue · 2 comments
huoji120 commented
Hi, I got some problems in ShpSetupInlineHook->ShpGetInstructionSize():
when I try to hook an SSDT function it always returns 0, so I changed it:
ShpSetupInlineHook:

```cpp
    /*
    const auto patch_size = ShpGetInstructionSize(patch_address);
    if (!patch_size) {
        return false;
    }*/
    ULONG patch_size;
    if (FindCodeLenght(patch_address, &patch_size) == FALSE)
    {
        return false;
    }
```
Copied from another project (the SVM version of DdiMon):
```cpp
BOOLEAN
FindCodeLenght(
    _In_ PVOID HookAddress,
    _Out_ PULONG InstructionLength
    )
{
    BOOLEAN ok;

    // A known prologue instruction: the length of the whole instruction and
    // how many leading bytes must match (operand bytes such as Imm are not compared).
    typedef struct _BYTE_PATTERN
    {
        ULONG InstructionLength;
        ULONG MatchLength;
        UCHAR Bytes[15];
    } BYTE_PATTERN, *PBYTE_PATTERN;

    static const BYTE_PATTERN knownPatterns[] =
    {
        { // push rbx
            2, 2, { 0x40, 0x53, },
        },
        { // push rbp
            2, 2, { 0x40, 0x55, },
        },
        { // push rdi
            2, 2, { 0x40, 0x57, },
        },
        { // sub rsp, Imm
            4, 3, { 0x48, 0x83, 0xEC, /*Imm*/ },
        },
        { // mov [rsp - 8 + arg_8], rdx
            5, 5, { 0x48, 0x89, 0x54, 0x24, 0x10, },
        },
        { // mov [rsp + Offset], rbx
            5, 4, { 0x48, 0x89, 0x5c, 0x24, /*Offset*/ },
        },
        { // mov rax, rsp
            3, 3, { 0x48, 0x8B, 0xC4, },
        },
        { // xor edx, edx
            2, 2, { 0x33, 0xD2, },
        },
        { // a little change for hook NtGetContextThread
          // NOTE: 4C 8B is only REX.R plus the "mov r64, r/m64" opcode; a ModRM
          // byte always follows, so the real instruction is at least 3 bytes and
          // a length of 2 undercounts it.
            2, 2, { 0x4c, 0x8b, },
        },
    };

    *InstructionLength = 0;
    ok = FALSE;

    // First matching pattern wins; bytes beyond MatchLength are not inspected.
    for (auto& pattern : knownPatterns)
    {
        if (RtlEqualMemory(HookAddress, pattern.Bytes, pattern.MatchLength) != FALSE)
        {
            *InstructionLength = pattern.InstructionLength;
            ok = TRUE;
            goto Exit;
        }
    }

Exit:
    return ok;
}
```
Hope this can help people with the same problem.
tandasat commented
@huoji120
Did you check which part of ShpGetInstructionSize is failing? The correct way to fix this issue appears to be fixing the function instead of replacing it with the inflexible version.
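A way to get the length of the prologue instructions listed in the table above by decoding their encoding (REX prefix, opcode, ModRM, SIB, displacement, immediate) rather than matching fixed byte strings, which is the kind of fix the previous comment asks for. This is an added example, not the project's ShpGetInstructionSize nor the table posted above; `prologue_insn_len` and `modrm_tail_len` are names assumed here. It returns 0 for anything it does not understand, so a caller can refuse to patch instead of copying a partial instruction, and it shows that `4C 8B ..` is at least 3 bytes, not 2.

```c
#include <stddef.h>
#include <stdint.h>

/* Size of ModRM + optional SIB + displacement. p points at the ModRM byte. */
static size_t modrm_tail_len(const uint8_t *p)
{
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;                                      /* ModRM itself */
    if (mod == 3) return len;                            /* register operand */
    if (mod == 0 && rm == 5) return len + 4;             /* [rip + disp32] */
    if (rm == 4) {                                       /* SIB byte present */
        len += 1;
        if (mod == 0 && (p[1] & 7) == 5) return len + 4; /* no base, disp32 */
    }
    if (mod == 1) len += 1;                              /* disp8 */
    else if (mod == 2) len += 4;                         /* disp32 */
    return len;
}

/* Length of one instruction from the prologue forms seen in the pattern table
   (push r64, sub rsp/imm8, mov between r64 and r/m64, xor r32).
   Returns 0 for anything else: the caller must then refuse to patch, because
   relocating a partial instruction corrupts the code it moves. */
size_t prologue_insn_len(const uint8_t *code)
{
    size_t i = 0;
    if ((code[0] & 0xF0) == 0x40) i = 1;                 /* REX prefix 40..4F */
    uint8_t op = code[i];
    if (op >= 0x50 && op <= 0x57) return i + 1;          /* push r64 */
    if (op == 0x89 || op == 0x8B || op == 0x31 || op == 0x33)
        return i + 1 + modrm_tail_len(code + i + 1);     /* mov / xor r, r/m */
    if (op == 0x83)                                      /* grp1 r/m64, imm8 */
        return i + 1 + modrm_tail_len(code + i + 1) + 1;
    return 0;                                            /* unknown: refuse */
}
```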
tandasat commented
Closing this due to inactivity.