<Daeken> well, it's actually pretty straightforward. i'm interested in the following functions: connect(), getpeername(), and closesocket()
<Daeken> all of which are part of winsock and reside in ws2_32.dll
<Daeken> winsock's functions all happen to have the same prolog (what sets up a function): mov edi, edi; push ebp; mov ebp, esp
<Daeken> those three instructions happen to take up 5 bytes (2, 1, 2, respectively), the same size as a 32-bit jump. so these functions are candidates for trampolining.
<Daeken> now, what that means is that you patch the beginning of the function with a jump to your own custom version of the function. this is advantageous in that any way you call the patched function, it ends up calling your replacement.
<Daeken> so you patch the beginning of the function with a jump to your replacement, and write the replacement just like you'd write it if you were to implement the function normally -- nothing special at all.
<Daeken> now, where it gets a bit complex is if you want to call the