CodeGuru Forums
  1. #1 (Germany, joined May 1999, 106 posts)

    size of function in bytes

    Hi,

    In my program I create and start a remote thread in another process using CreateRemoteThread.
    Before I do this I have to allocate some memory in the destination process's address space (VirtualAllocEx) and copy my function into the allocated area (WriteProcessMemory).

    Everything works fine, but how can I get the size of my function?

    For example, if I have a function

        DWORD WINAPI ThreadProc(LPVOID lpParameter)
        {
            int x;
            int y;
            ...

            return 0;
        }

    how big will this function be? 10 bytes? 100 bytes? 1000 bytes?

    At the moment I estimate the size to be at most 16384 bytes, but I need more exact information.


    Any hints appreciated

    Thanks
    Peter



  2. #2 (Israel, joined Jan 2001, 226 posts)

    Re: size of function in bytes

    You cannot copy functions. What exactly are you trying to accomplish?

    _________________________________
    Assaf Lavie
    ICQ: 14672644

  3. #3 (South Korea, joined May 2001, 150 posts)

    Re: size of function in bytes

    Here is the simplest example.
    This example uses the fact that almost all C functions begin with

        push ebp          ; hex 55
        mov  ebp, esp     ; hex 8B EC

    and end with

        mov  esp, ebp     ; hex 8B E5
        pop  ebp          ; hex 5D
        ret (or ret N)    ; the search below matches 8B E5 5D and does not include the ret

    Here is the text:



    #include "stdafx.h"
    #include <stdio.h>

    // Assumes 32-bit x86 code built by MSVC with a standard frame
    // (no /Oy frame-pointer omission, preferably unoptimized), so that the
    // function really starts with push ebp / mov ebp, esp and ends with
    // mov esp, ebp / pop ebp / ret.
    unsigned int SomeFunction(int p_nSomeParams, bool p_bCalcSize);

    int main(int argc, char* argv[])
    {
        unsigned int uiFuncSize = SomeFunction(0, true);

        printf("The size of SomeFunction() is %u bytes.\n", uiFuncSize);
        return 0;
    }

    unsigned int SomeFunction(int p_nSomeParams, bool p_bCalcSize)
    {
        unsigned int uiResult = 0;

        if (p_bCalcSize) {
            const int c_MaxGap = 100;      // how many bytes to scan in each direction
            unsigned char* pbyApproxBeginning = NULL;
            unsigned char* pbyExactBeginning = NULL;
            unsigned char* pbyApproxEnd = NULL;
            unsigned char* pbyExactEnd = NULL;

            __asm {
                // Store registers
                push eax
                push ebx

                // Get approximate address of the beginning: a call to the
                // next instruction pushes its own return address, which we pop
                call DummyLabel
            DummyLabel:
                pop ebx
                mov dword ptr [pbyApproxBeginning], ebx

                // Get approximate address of the end (label at the bottom of
                // this function; MSVC inline-asm labels have function scope)
                lea eax, end_of_function
                mov dword ptr [pbyApproxEnd], eax

                pop ebx
                pop eax
            }
            bool bFoundBeginning = false;
            bool bFoundEnd = false;

            for (int ii = 0; ii <= c_MaxGap; ii++) {
                // Searching forward from end_of_function for
                //     mov esp, ebp   (8B E5)
                //     pop ebp        (5D)
                if (!bFoundEnd &&
                    (0x8B == pbyApproxEnd[ii]) &&
                    (0xE5 == pbyApproxEnd[ii + 1]) &&
                    (0x5D == pbyApproxEnd[ii + 2])) {
                    // Calculate exact end. Make it a little bigger than it
                    // really is, so the following ret (or ret N) is included.
                    pbyExactEnd = pbyApproxEnd + ii + 10;
                    bFoundEnd = true;
                }

                // Searching backward from the call above for
                //     push ebp       (55)
                //     mov ebp, esp   (8B EC)
                if (!bFoundBeginning &&
                    (0x55 == *(pbyApproxBeginning - ii - 2)) &&
                    (0x8B == *(pbyApproxBeginning - ii - 1)) &&
                    (0xEC == *(pbyApproxBeginning - ii))) {
                    // Calculate exact beginning.
                    pbyExactBeginning = pbyApproxBeginning - ii - 2;
                    bFoundBeginning = true;
                }

                if (bFoundBeginning && bFoundEnd)
                    break;
            }

            if (bFoundBeginning && bFoundEnd) {
                uiResult = static_cast<unsigned int>(pbyExactEnd - pbyExactBeginning);
            } else {
                // Something has failed: no standard prologue/epilogue found
                // within c_MaxGap bytes
                uiResult = 0;
            }
        } else {
            // ................................
            // do some your-task-specific stuff
            // ................................
        }
        return uiResult;

        __asm {
        end_of_function:
        }
    }






    Alex.
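The prologue/epilogue scan from Alex's post, rewritten as an added example (not code from this thread) in portable C that works over a buffer of 32-bit x86 machine code bytes instead of over the running function, so it compiles and runs on any platform. On 32-bit Windows the same function would be pointed at `(const uint8_t*)ThreadProc` from the first post. It generalizes the scan slightly: besides MSVC's `55 8B EC` / `8B E5 5D` it accepts GCC's `89 E5` / `89 EC` encodings of the same instructions, `leave`, and `ret N`. All sample byte strings are hand-assembled and constructed for this illustration; the second buffer shows the failure mode a practitioner must expect, an immediate operand whose bytes look exactly like an epilogue.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds of one function inside a buffer of 32-bit x86 machine code:
   start = offset of "push ebp", end = offset just past the "ret". */
typedef struct {
    size_t start;
    size_t end;
    int found;   /* 0 if no complete prologue/epilogue pair was found */
} func_bounds;

/* push ebp (55) followed by mov ebp, esp, which MSVC encodes as 8B EC
   and GCC/GAS as 89 E5 (both are valid encodings of the same instruction). */
static int is_prologue(const uint8_t *p, size_t n, size_t i)
{
    if (i + 3 > n || p[i] != 0x55)
        return 0;
    return (p[i + 1] == 0x8B && p[i + 2] == 0xEC) ||
           (p[i + 1] == 0x89 && p[i + 2] == 0xE5);
}

/* Length of an epilogue starting at offset i, or 0 if there is none:
   "mov esp, ebp (8B E5 or 89 EC); pop ebp (5D)" or the equivalent "leave (C9)",
   followed by "ret (C3)" or "ret imm16 (C2 xx xx)" as stdcall/WINAPI callees use. */
static size_t epilogue_len(const uint8_t *p, size_t n, size_t i)
{
    size_t j = i;
    if (j + 3 <= n && p[j + 2] == 0x5D &&
        ((p[j] == 0x8B && p[j + 1] == 0xE5) || (p[j] == 0x89 && p[j + 1] == 0xEC)))
        j += 3;
    else if (j < n && p[j] == 0xC9)
        j += 1;
    else
        return 0;
    if (j < n && p[j] == 0xC3)
        return j + 1 - i;
    if (j + 3 <= n && p[j] == 0xC2)
        return j + 3 - i;
    return 0;
}

/* Find the first frame-pointer function at or after offset 'from'. This is a
   plain byte match, not a disassembly: bytes of an immediate or displacement
   that happen to look like an epilogue end the function early (see trap_code). */
func_bounds find_function(const uint8_t *code, size_t n, size_t from)
{
    func_bounds b = { 0, 0, 0 };
    size_t i;

    for (i = from; i < n; i++)
        if (is_prologue(code, n, i))
            break;
    if (i >= n)
        return b;
    b.start = i;

    for (i += 3; i < n; i++) {
        size_t len = epilogue_len(code, n, i);
        if (len) {
            b.end = i + len;
            b.found = 1;
            return b;
        }
        /* Another prologue before any epilogue: the first function did not
           end the way we expect (tail call, /Oy, jump to a shared epilogue). */
        if (is_prologue(code, n, i))
            return b;
    }
    return b;
}

/* Constructed sample: three hand-assembled 32-bit functions separated by the
   int 3 (CC) padding a linker inserts; not a real compiler dump. */
const uint8_t sample_code[] = {
    /* offset 0: MSVC-style cdecl "return a + b", 13 bytes */
    0x55,                         /* push ebp                 */
    0x8B, 0xEC,                   /* mov  ebp, esp            */
    0x8B, 0x45, 0x08,             /* mov  eax, [ebp+8]        */
    0x03, 0x45, 0x0C,             /* add  eax, [ebp+12]       */
    0x8B, 0xE5,                   /* mov  esp, ebp            */
    0x5D,                         /* pop  ebp                 */
    0xC3,                         /* ret                      */
    0xCC, 0xCC, 0xCC,             /* padding                  */
    /* offset 16: GCC-style stdcall callee with leave / ret 8, 10 bytes */
    0x55,                         /* push ebp                 */
    0x89, 0xE5,                   /* mov  ebp, esp            */
    0x8B, 0x45, 0x08,             /* mov  eax, [ebp+8]        */
    0xC9,                         /* leave                    */
    0xC2, 0x08, 0x00,             /* ret  8                   */
    0xCC, 0xCC,                   /* padding                  */
    /* offset 28: no frame pointer at all (/Oy or a leaf function), 6 bytes */
    0xB8, 0x01, 0x00, 0x00, 0x00, /* mov  eax, 1              */
    0xC3                          /* ret                      */
};

/* Constructed sample of the failure mode: the immediate of "mov eax, 0C35DE58Bh"
   is the byte string 8B E5 5D C3, a perfect fake epilogue. Real size: 12 bytes. */
const uint8_t trap_code[] = {
    0x55, 0x8B, 0xEC,             /* push ebp; mov ebp, esp     */
    0xB8, 0x8B, 0xE5, 0x5D, 0xC3, /* mov eax, 0C35DE58Bh        */
    0x8B, 0xE5, 0x5D, 0xC3        /* mov esp, ebp; pop ebp; ret */
};

int main(void)
{
    size_t from = 0;
    for (;;) {
        func_bounds b = find_function(sample_code, sizeof sample_code, from);
        if (!b.found)
            break;
        printf("function at offset %zu, %zu bytes\n", b.start, b.end - b.start);
        from = b.end;
    }
    func_bounds t = find_function(trap_code, sizeof trap_code, 0);
    printf("trap: scanner reports %zu bytes, real size is %zu\n",
           t.end - t.start, sizeof trap_code);
    return 0;
}
```

The scanner finds the first two functions (13 and 10 bytes) and correctly gives up on the third, which has no frame pointer; on `trap_code` it reports 8 bytes for a 12-byte function. That is the caveat for the approach in this thread: a byte-pattern scan only works for unoptimized 32-bit code with a standard frame, and even then it can be fooled by operand bytes, so the result should be checked against a disassembler listing before it is used as the length passed to WriteProcessMemory. A copied function must also be position independent (no calls through the import table, no string literals, no CRT calls), otherwise the bytes are the right size but reference addresses that are only valid in the source process.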


  4. #4 (Germany, joined May 1999, 106 posts)

    Re: size of function in bytes

    You can copy functions.
    I'd like to copy the functions into the address space of another process and execute them as a remote thread.

    So I can hook some API calls.

    Bye
    Peter


  5. #5 (Germany, joined May 1999, 106 posts)

    Re: size of function in bytes

    Thank you very much.

    It was very interesting to read.
    But I guess I first have to do some assembler studies before I get this to run.

    Thanks again.

    Bye
    Peter


  6. #6 (Israel, joined Jan 2001, 226 posts)

    Re: size of function in bytes

    Then why not use shared memory? Or any kind of RPC mechanism? (like COM...)

    _________________________________
    Assaf Lavie
    ICQ: 14672644

  7. #7 (Germany, joined May 1999, 106 posts)

    Re: size of function in bytes

    Hello Assaf Lavie

    When the hooked application calls an API function (for example TextOutA), I need to run my own implementation of this function. For example, this implementation can log all the text that is displayed on a DC and then call the original Microsoft implementation of this function, which displays the text.
    Even with shared memory I would have the problem of "how big does this shared memory have to be", because I write a function and don't know how many bytes it will take in the compiled executable.

    Alexandrov Alex gave me some advice on how to determine the size of the function. (But it was very difficult for me (I have no assembler know-how), so I think I will just estimate the size, as I did until now.)

    Bye
    Peter



  8. #8 (Israel, joined Jan 2001, 226 posts)

    Re: size of function in bytes

    OK. Since API hooking is what you're after, you might want to check out this article, which shows several methods of achieving that goal:
    http://www.internals.com/articles/apispy/apispy.htm

    _________________________________
    Assaf Lavie
    ICQ: 14672644

  9. #9 (Germany, joined May 1999, 106 posts)

    Thank you

    Yes, this article helps.

    Thank you

    Bye
    Peter

