-
June 18th, 2001, 09:21 AM
#1
size of function in bytes
Hi,
In my program I create and start a remote thread in another process using CreateRemoteThread.
Before I do this I have to allocate some memory in the destination process' address space (VirtualAllocEx) and copy my function into the allocated area (WriteProcessMemory).
Everything works fine, but how can I get the size of my function?
For example, if I have a function
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
    int x;
    int y;
    ...
    return 0;
}
How big will this function be? 10 Bytes? 100 Bytes? 1000 Bytes?
At the moment I estimate the size to be at most 16384 bytes, but I need more exact information.
Any hints appreciated
Thanks
Peter
-
June 19th, 2001, 04:17 AM
#2
Re: size of function in bytes
You cannot copy functions. What exactly are you trying to accomplish?
_________________________________
Assaf Lavie
ICQ: 14672644
-
June 19th, 2001, 06:03 AM
#3
Re: size of function in bytes
Here is the simplest example.
This example uses the fact that almost all C functions begin with
    push ebp
    mov ebp, esp
(hex: 55 8B EC)
and end with
    mov esp, ebp
    pop ebp
    ret (or ret N)
(hex, without the ret: 8B E5 5D)
Here is the text:
// MSVC-specific: uses __asm inline assembly and function-scoped asm labels (32-bit x86 only).
#include "stdafx.h"
#include <cstdio>

unsigned int SomeFunction(int p_nSomeParams, bool p_bCalcSize);

int main(int argc, char* argv[])
{
    unsigned int uiFuncSize = SomeFunction(0, true);
    printf("The size of SomeFunction() is %u bytes.\n", uiFuncSize);
    return 0;
}

unsigned int SomeFunction(int p_nSomeParams, bool p_bCalcSize)
{
    unsigned int uiResult = 0;
    if (p_bCalcSize) {
        const int c_MaxGap = 100;                   // how many bytes to search around the approximate addresses
        unsigned char* pbyApproxBeginning = NULL;   // address of an instruction inside this function
        unsigned char* pbyExactBeginning = NULL;    // address of the "push ebp" that opens the function
        unsigned char* pbyApproxEnd = NULL;         // address of the end_of_function label
        unsigned char* pbyExactEnd = NULL;          // a little past "pop ebp; ret"
        __asm {
            // Store registers
            push eax
            push ebx
            // Get approximate address of the beginning:
            // "call" pushes the return address, which we pop into ebx
            call DummyLabel
        DummyLabel:
            pop ebx
            mov dword ptr [pbyApproxBeginning], ebx
            // Get approximate address of the end
            lea eax, end_of_function
            mov dword ptr [pbyApproxEnd], eax
            pop ebx
            pop eax
        }
        bool bFoundedBeginning = false;
        bool bFoundedEnd = false;
        for (int ii = 0; ii <= c_MaxGap; ii++) {
            // Searching forward for
            //   mov esp, ebp
            //   pop ebp
            if (!bFoundedEnd &&
                (0x8B == pbyApproxEnd[ii]) &&
                (0xE5 == pbyApproxEnd[ii + 1]) &&
                (0x5D == pbyApproxEnd[ii + 2])) {
                // Calculate exact end. Make it a little bigger than it really is.
                pbyExactEnd = pbyApproxEnd + ii + 10;
                bFoundedEnd = true;
            }
            // Searching backward for
            //   push ebp
            //   mov ebp, esp
            if (!bFoundedBeginning &&
                (0x55 == *(pbyApproxBeginning - ii - 2)) &&
                (0x8B == *(pbyApproxBeginning - ii - 1)) &&
                (0xEC == *(pbyApproxBeginning - ii))) {
                // Calculate exact beginning.
                pbyExactBeginning = pbyApproxBeginning - ii - 2;
                bFoundedBeginning = true;
            }
            if (bFoundedBeginning && bFoundedEnd)
                break;
        }
        if (bFoundedBeginning && bFoundedEnd) {
            uiResult = static_cast<unsigned int>(pbyExactEnd - pbyExactBeginning);
        } else {
            // Something has failed (no standard prologue/epilogue within c_MaxGap bytes)
            uiResult = 0;
        }
    } else {
        // ................................
        // do some your-task-specific stuff
        // ................................
    }
    return uiResult;
    __asm {
    end_of_function:
    }
}
Alex.
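As an added example (my own portable C, not code from the thread and not Alex's MSVC program), here is the prologue/epilogue byte heuristic from the post above run over constructed x86 byte sequences instead of live code, so it can be compiled anywhere. It covers the two ways the heuristic breaks: a function compiled without a standard frame (no 55 8B EC at its start), and the epilogue bytes 8B E5 5D occurring inside an instruction's immediate. The function names, the "must be followed by a ret" filter and the sample byte arrays are mine; the arrays are hand-assembled, not compiler output. The same caveat applies to any byte-signature scan, detection signatures included: without decoding instructions, a pattern can land inside operand bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte patterns from the post: "push ebp; mov ebp, esp" and "mov esp, ebp; pop ebp". */
#define PAT_LEN 3
static const uint8_t PROLOGUE[PAT_LEN] = {0x55, 0x8B, 0xEC};
static const uint8_t EPILOGUE[PAT_LEN] = {0x8B, 0xE5, 0x5D};

/* First offset >= from at which the 3-byte pattern occurs in buf, or -1 if absent. */
long find_pattern(const uint8_t *buf, size_t len, size_t from, const uint8_t *pat)
{
    for (size_t i = from; i + PAT_LEN <= len; i++) {
        if (memcmp(buf + i, pat, PAT_LEN) == 0)
            return (long)i;
    }
    return -1;
}

/*
 * Heuristic size of the function whose first byte is code[0]: it must open with
 * the standard frame prologue, and its end is the first epilogue immediately
 * followed by ret (C3) or ret imm16 (C2 xx xx). Returns the byte count through
 * the ret, or 0 when the heuristic does not apply (no standard frame, or no
 * plausible epilogue found).
 */
size_t frame_function_size(const uint8_t *code, size_t len)
{
    if (len < PAT_LEN || memcmp(code, PROLOGUE, PAT_LEN) != 0)
        return 0;                               /* e.g. frame-pointer omission */

    size_t pos = PAT_LEN;
    for (;;) {
        long hit = find_pattern(code, len, pos, EPILOGUE);
        if (hit < 0)
            return 0;
        size_t after = (size_t)hit + PAT_LEN;   /* byte right after "pop ebp" */
        if (after < len && code[after] == 0xC3)
            return after + 1;                   /* ret */
        if (after + 2 < len && code[after] == 0xC2)
            return after + 3;                   /* ret imm16 (stdcall / WINAPI) */
        /* Pattern matched but no ret follows: the bytes belong to some other
         * instruction (an immediate or displacement). Keep scanning. */
        pos = (size_t)hit + 1;
    }
}

/* Constructed samples (hand-assembled x86, not dumped from a compiler). */

/* push ebp; mov ebp,esp; sub esp,8; xor eax,eax; mov esp,ebp; pop ebp; ret */
const uint8_t SAMPLE_CDECL[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3 };

/* push ebp; mov ebp,esp; xor eax,eax; mov esp,ebp; pop ebp; ret 4
 * (WINAPI/stdcall with one DWORD argument, like a ThreadProc) */
const uint8_t SAMPLE_STDCALL[] = {
    0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC2, 0x04, 0x00 };

/* sub esp,8; xor eax,eax; add esp,8; ret  (no frame pointer: heuristic cannot apply) */
const uint8_t SAMPLE_NO_FRAME[] = {
    0x83, 0xEC, 0x08, 0x33, 0xC0, 0x83, 0xC4, 0x08, 0xC3 };

/* push ebp; mov ebp,esp; mov eax,0x005DE58B; mov esp,ebp; pop ebp; ret
 * The immediate of the mov contains 8B E5 5D, so a bare pattern search finds a
 * false epilogue at offset 4; the ret check rejects it and the real one is at 8. */
const uint8_t SAMPLE_EMBEDDED[] = {
    0x55, 0x8B, 0xEC, 0xB8, 0x8B, 0xE5, 0x5D, 0x00, 0x8B, 0xE5, 0x5D, 0xC3 };

int main(void)
{
    printf("cdecl    : %zu bytes\n", frame_function_size(SAMPLE_CDECL, sizeof(SAMPLE_CDECL)));
    printf("stdcall  : %zu bytes\n", frame_function_size(SAMPLE_STDCALL, sizeof(SAMPLE_STDCALL)));
    printf("no frame : %zu bytes (0 = heuristic failed)\n",
           frame_function_size(SAMPLE_NO_FRAME, sizeof(SAMPLE_NO_FRAME)));
    printf("embedded : first 8B E5 5D at offset %ld, size %zu bytes\n",
           find_pattern(SAMPLE_EMBEDDED, sizeof(SAMPLE_EMBEDDED), PAT_LEN, EPILOGUE),
           frame_function_size(SAMPLE_EMBEDDED, sizeof(SAMPLE_EMBEDDED)));
    return 0;
}
```

The ret filter catches this particular embedded pattern but is still a heuristic: an immediate whose bytes happen to be 8B E5 5D C3 would pass it, and a compiler that emits `leave` (C9) or omits the frame pointer produces no match at all, which is why the result is 0 rather than a guess in those cases.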
-
June 20th, 2001, 05:25 AM
#4
Re: size of function in bytes
You can copy functions.
I'd like to copy the functions into the address space of another process and execute them as a remote process.
So I can hook some API calls.
Bye
Peter
-
June 20th, 2001, 05:26 AM
#5
Re: size of function in bytes
Thank you very much.
It was very interesting to read.
But I guess I first have to do some assembler studies before I get this to run.
Thanks again.
Bye
Peter
-
June 20th, 2001, 11:57 PM
#6
Re: size of function in bytes
Then why not use shared memory? Or any kind of RPC mechanism? (like COM...)
_________________________________
Assaf Lavie
ICQ: 14672644
-
June 21st, 2001, 06:14 AM
#7
Re: size of function in bytes
Hello Assaf Lavie
When the hooked application calls an API function (for example TextOutA), I need to run my own implementation of this function. For example, this implementation can log all the text that is displayed on a DC and then call the original Microsoft implementation of this function, which displays the text.
Even with shared memory I would have the problem of "how big does this shared memory have to be", because I write a function and don't know how many bytes it will take in the compiled executable.
Alexandrov Alex gave me some advice on how to determine the size of the function. (But it was very difficult for me (I have no assembler know-how), so I think I will just estimate the size, as I did until now.)
Bye
Peter
-
June 21st, 2001, 06:22 AM
#8
Re: size of function in bytes
OK. Since API hooking is what you're after, you might want to check out this article, which shows several methods of achieving that goal:
http://www.internals.com/articles/apispy/apispy.htm
_________________________________
Assaf Lavie
ICQ: 14672644
-
June 21st, 2001, 08:12 AM
#9
Thank you
Yes, this article helps.
Thank you
Bye
Peter