Post by anixx on Feb 19, 2024 15:07:44 GMT -8
How do you know exactly what function you have to hook for this or that effect? How do you know what functions are called from where? How do you know the format of the call if the function is not documented?
Post by ephemeralViolette on Feb 19, 2024 15:21:44 GMT -8
I use a mixture of IDA and x64dbg, with debugging symbols downloaded from Microsoft's own symbol server for assistance.
If the format of the call is not documented, then it depends. Sometimes IDA will be able to guess correctly for you, and other times you'll have to look at the assembly code. In the worst cases, you might have to copy the function prologue into inline assembly in C++ to prevent memory corruption, but I personally never had to do this. If you're working with Win64 assembly, then it's no big deal. Most 64-bit WinAPI function calls use one single standard call convention, but 32-bit WinAPI is a much bigger mess where the compiler can sometimes generate really weird ones.
If you have debugging symbols, then guessing the correct function to hook can be as simple as searching for various keywords until you find a function that looks like it's the one you want to modify.
Knowing the caller of a function can be difficult sometimes (as is tracking down certain function calls). This particularly applies to C++ virtual methods (i.e. COM applications), which are members of an object rather than a direct pointer to the function in the code itself, meaning that you need to do extra work to track them down. If you want to avoid the hassle, then you can often attach a dynamic debugger (like x64dbg), set a breakpoint within that function, and look at the call stack.
Post by anixx on Apr 2, 2024 13:46:20 GMT -8
So, suppose I want to know what function creates the control panel icon view. What should I begin with? Can I see a list of functions called from a module or provided by a module?
Post by ephemeralViolette on Apr 2, 2024 15:21:24 GMT -8
Windows binaries typically have PDB debugging symbols available, so you can download those and look through them with a disassembler (I recommend IDA for this purpose in particular). You'll just need to do a bit of guesswork as to what the functions may be called.
By the way, you can use Process Explorer to see loaded modules in a process. This can be useful to track down which module may contain code you're looking for.
Post by anixx on Apr 2, 2024 18:17:58 GMT -8
Explorer loads quite a lot of modules... By the way, where does EP or Windhawk store the symbols?
Post by ephemeralViolette on Apr 2, 2024 20:58:30 GMT -8
I don't know for ExplorerPatcher, but Windhawk stores symbol files it downloads at %ProgramData%\Windhawk\Engine\Symbols.
Post by anixx on Apr 2, 2024 21:26:29 GMT -8
How do I open the symbols database with IDA?
Post by anixx on Apr 2, 2024 21:40:42 GMT -8
Okay, I opened a DLL, but how can I search functions by name, for instance?
Post by ephemeralViolette on Apr 3, 2024 13:14:56 GMT -8
There should be a symbols window open to the left by default. At the bottom of that, you can find a filter bar.
Post by anixx on Apr 3, 2024 17:25:25 GMT -8
Hmm. I don't see the filter bar.
Post by ephemeralViolette on Apr 3, 2024 20:43:38 GMT -8
Ah wait, I think you need to press CTRL+F first.
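Added example, not from the thread and not Windhawk's or IDA's code: a Python script that does the same PDB keyword search the thread describes (download Microsoft's symbols, then filter names by a guessed keyword), but through dbghelp instead of IDA's filter bar, with Windhawk's cache at %ProgramData%\Windhawk\Engine\Symbols as the first place in the search path so already-downloaded PDBs are reused. It assumes Windows with dbghelp.dll and symsrv.dll loadable from the DLL search path (copy both from a Windows SDK or Debugging Tools install next to the script if the System32 dbghelp does not fetch from the server); module path and keyword are command-line arguments.

```python
import ctypes, os, sys

# Assumed defaults: the Windhawk cache path named in the thread and Microsoft's public symbol server.
WINDHAWK_SYMBOL_CACHE = os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"),
                                     "Windhawk", "Engine", "Symbols")
MS_SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"
U32, U64 = ctypes.c_uint32, ctypes.c_uint64   # fixed widths so the struct matches dbghelp.h on any build

def symbol_search_path(cache=WINDHAWK_SYMBOL_CACHE, server=MS_SYMBOL_SERVER):
    """dbghelp 'srv*cache*server' syntax: reuse a cached PDB, otherwise download it into the cache."""
    return f"srv*{cache}*{server}"

def filter_symbols(names, keyword):
    """Case-insensitive substring match, the same guesswork as typing into IDA's filter bar."""
    kw = keyword.lower()
    return sorted(n for n in names if kw in n.lower())

class SYMBOL_INFO(ctypes.Structure):   # dbghelp.h SYMBOL_INFO (ANSI); Name is a variable-length tail
    _fields_ = [("SizeOfStruct", U32), ("TypeIndex", U32), ("Reserved", U64 * 2), ("Index", U32),
                ("Size", U32), ("ModBase", U64), ("Flags", U32), ("Value", U64), ("Address", U64),
                ("Register", U32), ("Scope", U32), ("Tag", U32), ("NameLen", U32),
                ("MaxNameLen", U32), ("Name", ctypes.c_char * 1)]

def enumerate_symbols(module_path, mask="*", search_path=None):
    """Load module_path's PDB via dbghelp and return {symbol name: RVA} for symbols matching mask."""
    dbghelp = ctypes.WinDLL("dbghelp")
    hproc = ctypes.c_void_p(0x1234)             # unique non-zero id; need not be a real process handle
    dbghelp.SymSetOptions(0x2 | 0x4)            # SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS
    dbghelp.SymInitialize.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int]
    if not dbghelp.SymInitialize(hproc, (search_path or symbol_search_path()).encode(), False):
        raise ctypes.WinError()
    dbghelp.SymLoadModuleEx.restype = U64
    dbghelp.SymLoadModuleEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_char_p,
                                        ctypes.c_char_p, U64, U32, ctypes.c_void_p, U32]
    base = dbghelp.SymLoadModuleEx(hproc, None, module_path.encode(), None, 0, 0, None, 0)
    if not base: raise ctypes.WinError()
    found = {}
    CALLBACK = ctypes.WINFUNCTYPE(ctypes.c_int, ctypes.POINTER(SYMBOL_INFO), U32, ctypes.c_void_p)
    def on_symbol(info, size, ctx):
        s = info.contents
        name = ctypes.string_at(ctypes.addressof(s) + SYMBOL_INFO.Name.offset, s.NameLen)
        found[name.decode(errors="replace")] = s.Address - s.ModBase   # RVA; add the image base to match IDA
        return 1                                                       # TRUE: keep enumerating
    dbghelp.SymEnumSymbols.argtypes = [ctypes.c_void_p, U64, ctypes.c_char_p, CALLBACK, ctypes.c_void_p]
    if not dbghelp.SymEnumSymbols(hproc, base, mask.encode(), CALLBACK(on_symbol), None):
        raise ctypes.WinError()
    dbghelp.SymCleanup(hproc)
    return found

if __name__ == "__main__":   # e.g. python find_symbols.py C:\Windows\System32\shell32.dll Icon
    syms = enumerate_symbols(sys.argv[1])
    for name in filter_symbols(syms, sys.argv[2]):
        print(f"{syms[name]:#010x}  {name}")
```

Symbol names come back undecorated (class::method form), so the same keywords you would try in IDA work here; a symbol's RVA plus the module's load address from Process Explorer gives the live address to set a breakpoint on in x64dbg.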