This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: Add support for the Win32 hook prologue (try 3)


Pedro Alves writes:
>Googling hits this: <http://www.openrce.org/articles/full_view/22>, which
>mentions something about ">= 5 bytes, padded with 0xCC".  I didn't take
>the time to read the whole document

This is referring to replacing an instruction (or sequence of instructions)
that is at least 5 bytes long with a 5 byte JMP instruction.  If the
number of bytes to be replaced is longer than the 5 byte JMP then the
remaining bytes are padded by Microsoft's hotpatching routines with 0xCC.
The replaced bytes could be anything and be anywhere.  The "x86 Patch
Examples" section shows this kind of hook being applied to the 5 bytes of
NOPs (0x90) before the start of the function in the first two examples,
and the 6 byte "mov esi, g_Data" instruction in the middle of the function
in the last example.

Poking through some of the Microsoft system DLLs on my Windows XP
machine, they're mostly padded with 0x90 byte values, but some are padded
with 0xCC.  Microsoft's linker (my version at least) pads with 0xCC.
It probably doesn't matter what padding you put before the start of
hookable functions. 

				Ross Ridge
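The patch layout Ross describes above (a 5 byte E9 rel32 JMP written over at least 5 bytes of code, with any leftover bytes of the replaced instruction filled with 0xCC) can be worked through in code. The block below is an added example for this archive page; it is not code from the GCC patch under discussion nor Microsoft's hotpatching routines. The function names build_hotpatch and decode_hotpatch_target, and the addresses used in main, are hypothetical and chosen only to illustrate the two cases from the article (the 5 NOP bytes before a function, and the 6 byte mov in the middle of one). It assumes the usual x86 encoding: the rel32 displacement is measured from the end of the 5 byte JMP and stored little-endian.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 opcodes: E9 rel32 is the 5 byte near relative JMP, CC is INT3. */
#define JMP_REL32_OPCODE 0xE9
#define JMP_REL32_LEN    5
#define INT3_PAD         0xCC

/* Build the bytes a hotpatcher writes over a region of `replaced_len` bytes
 * at `patch_addr` so that execution is redirected to `target_addr`.
 * Returns the number of bytes written to `out` (always == replaced_len),
 * or 0 if the region is shorter than the JMP, does not fit in `out`, or
 * the displacement does not fit in a signed 32-bit rel32.
 * (Hypothetical helper written for this example.) */
size_t build_hotpatch(uint64_t patch_addr, uint64_t target_addr,
                      size_t replaced_len, uint8_t *out, size_t out_cap)
{
    if (replaced_len < JMP_REL32_LEN || replaced_len > out_cap)
        return 0;

    /* rel32 is relative to the address following the 5 byte JMP. */
    int64_t disp = (int64_t)target_addr - (int64_t)(patch_addr + JMP_REL32_LEN);
    if (disp < INT32_MIN || disp > INT32_MAX)
        return 0;
    int32_t rel32 = (int32_t)disp;

    out[0] = JMP_REL32_OPCODE;
    out[1] = (uint8_t)(rel32 & 0xFF);          /* little-endian immediate */
    out[2] = (uint8_t)((rel32 >> 8) & 0xFF);
    out[3] = (uint8_t)((rel32 >> 16) & 0xFF);
    out[4] = (uint8_t)((rel32 >> 24) & 0xFF);

    /* Leftover bytes of the replaced instruction(s) become INT3, so a jump
     * into the tail of the old instruction traps instead of running junk. */
    memset(out + JMP_REL32_LEN, INT3_PAD, replaced_len - JMP_REL32_LEN);
    return replaced_len;
}

/* Recover the hook target from a patched region: returns 1 and sets
 * *target if `buf` starts with E9 rel32, else 0.
 * (Hypothetical helper written for this example.) */
int decode_hotpatch_target(const uint8_t *buf, size_t len,
                           uint64_t patch_addr, uint64_t *target)
{
    if (len < JMP_REL32_LEN || buf[0] != JMP_REL32_OPCODE)
        return 0;
    int32_t rel32 = (int32_t)((uint32_t)buf[1] | ((uint32_t)buf[2] << 8) |
                              ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24));
    *target = (uint64_t)((int64_t)(patch_addr + JMP_REL32_LEN) + rel32);
    return 1;
}

int main(void)
{
    uint8_t buf[16];
    size_t n, i;

    /* Case 1: the 5 NOP bytes before a function at 0x00401000 (constructed
     * addresses). Exactly 5 bytes are replaced, so nothing is padded. */
    n = build_hotpatch(0x00401000 - JMP_REL32_LEN, 0x10002000, 5, buf, sizeof buf);
    printf("pre-function pad (%zu bytes):", n);
    for (i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("\n");

    /* Case 2: a 6 byte "mov esi, imm32" in the middle of a function at
     * 0x00401010. The sixth byte is padded with 0xCC. */
    n = build_hotpatch(0x00401010, 0x10002000, 6, buf, sizeof buf);
    printf("mid-function mov (%zu bytes):", n);
    for (i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("\n");
    return 0;
}
```

The length check at the top is the practical caveat: a hotpatcher must never write a 5 byte JMP over a region shorter than 5 bytes, because the JMP would clobber the start of the following instruction. That is why the compiler-side support being discussed emits padding of at least 5 bytes before the function and a 2 byte first instruction.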

