A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #11917  by Tigzy
 Thu Mar 01, 2012 6:36 am
Why you want to unhook? To use free from hooks API, or what?
For fun ;)
This is more for challenging than to use absolutely in my product.
Hook can be installed deeper in function or/and it can be existing instruction patch.
Yes, but as I'm able to retrieve the original function from disk, I can go deeper to compare
And if this is hot patch from any program, I can get the module where it lies and compare to a WL. All this design is already done for my SSDT hooks which can also be legit
cmpxchg8b, cmpxchg16b
Thanks, I guess these are atomic functions?

---

I saw cli / sti could have been good, but not for multiprocessor systems.
I can't stop interrupts on every processor, because we cannot decide which one we use.
 #11919  by lorddoskias
 Thu Mar 01, 2012 9:42 am
There is this very ugly hack where you can dispatch a DPC on every cpu core to spin in an empty while(custom-condition), do your patching and then set the custom-condition so that you can exit the DPC. But this is inherently unsafe :)
 #11921  by lorddoskias
 Thu Mar 01, 2012 10:19 am
How so? In one case you will be exchanging atomically 8/16 bytes at a time and in the DPC case you can exchange however many you like, as long as you can guarantee that the code is nonpaged since the page fault handler won't be able to kick in if you incur a page fault? Now, if any of the cores was in the middle of executing a hooked portion of an instruction and you overwrite it - things might get messy, but the same can happen if you use the cmpxchg instructions - you overwrite 8/16 bytes of a larger inline hook and then it can crash again?
 #11922  by nullptr
 Thu Mar 01, 2012 2:18 pm
Why not just call a clean stub that then jumps into the hooked function further down the track? That way you avoid any need to unhook.
 #11932  by Tigzy
 Fri Mar 02, 2012 8:59 am
Hello

Just to say, with the ugliest way of doing it the app is stable, with no BSOD, and the inline hook is restored.
Tested on IceSword: by removing the NtOpenProcess / NtTerminateProcess hooks, I'm able to kill it with Task Manager.
#define BytesToGetFromNtos 16   /* number of original bytes read back from ntoskrnl on disk */

void RestoreInlineByAdress(DWORD dw_addr, BYTE* bytesToRestore, DWORD beginAtOffset)
{
	DWORD i;
	/* Byte-by-byte copy of the original bytes over the inline hook.
	   Not atomic: another CPU may execute a partially restored instruction. */
	for (i = 0; i < BytesToGetFromNtos; i++)
	{
		*((PBYTE)(dw_addr + beginAtOffset + i)) = bytesToRestore[i];
	}
}
BytesToGetFromNtos is 16...

@EP_X0FF: Do you have a short example on how to use cmpxchg16b ?

I found this : http://stackoverflow.com/questions/4825 ... 6b-correct
But it seems too complicated to work in the kernel (templates, volatile, ...)
 #11934  by EP_X0FF
 Fri Mar 02, 2012 9:24 am
Tigzy wrote:@EP_X0FF: Do you have a short example on how to use cmpxchg16b ?

I found this : http://stackoverflow.com/questions/4825 ... 6b-correct
But it seems too complicated to work in the kernel (templates, volatile, ...)
It is not recommended to use it if you plan to support all machines; for example, early versions of even AMD 64-bit hardware do not support this instruction. The CMPXCHG16B instruction is available in 64-bit mode only. It is an extension of the functionality provided by CMPXCHG8B that operates on 128 bits of data: the instruction compares the 128-bit value in rdx:rax with the dest (r128) value. If they are equal, the Zero flag is set and rcx:rbx is copied into r128. Otherwise rdx:rax is loaded with the value in r128.

Suggestion, before looking for any kind of C++ and other BS code snippets - check MSDN/Intel manuals first.
http://www.intel.com/content/dam/www/pu ... 325462.pdf
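An added example, not code from this thread, that puts Tigzy's compare-against-disk approach and EP_X0FF's compare-and-exchange semantics together in user-mode C: detect an inline hook by diffing the in-memory prologue against the on-disk bytes, then restore it one aligned 8-byte word at a time, where each word is written only if it still holds exactly the hooked bytes that were expected (the Zero-flag behaviour described above). The byte arrays are constructed samples, the GCC/clang `__atomic_compare_exchange_n` builtin stands in for a kernel-mode intrinsic, and everything runs on a scratch buffer rather than live code.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define PROLOGUE_BYTES 16  /* the 16-byte window the thread compares against ntoskrnl on disk */

/* Constructed sample bytes (not from any real binary): a prologue as read from disk, the same
   prologue after an inline hook replaced its first 5 bytes with JMP rel32, and a second hook. */
static const uint8_t kOnDisk[PROLOGUE_BYTES] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x1C,
                                                 0x53, 0x56, 0x57, 0x8B, 0x7D, 0x08, 0x33, 0xDB };
static const uint8_t kHooked[PROLOGUE_BYTES] = { 0xE9, 0x11, 0x22, 0x33, 0x44, 0x83, 0xEC, 0x1C,
                                                 0x53, 0x56, 0x57, 0x8B, 0x7D, 0x08, 0x33, 0xDB };
static const uint8_t kOtherHook[PROLOGUE_BYTES] = { 0xE9, 0xAA, 0xBB, 0xCC, 0xDD, 0x83, 0xEC, 0x1C,
                                                    0x53, 0x56, 0x57, 0x8B, 0x7D, 0x08, 0x33, 0xDB };

/* Detection: offset of the first byte that differs from the on-disk copy, or -1 if clean. */
int FindInlineHookOffset(const uint8_t *inMemory, const uint8_t *onDisk)
{
    for (int i = 0; i < PROLOGUE_BYTES; i++)
        if (inMemory[i] != onDisk[i]) return i;
    return -1;
}

/* Restoration as two 8-byte compare-and-exchanges (the cmpxchg8b pattern; cmpxchg16b would do
   all 16 at once). A word is written only if it still holds the hooked bytes we expect, which
   is what the Zero flag reports for the real instruction; otherwise stop and return false. */
bool RestoreInlineAtomic(uint8_t *code, const uint8_t *expectedHooked, const uint8_t *original)
{
    for (int off = 0; off < PROLOGUE_BYTES; off += 8) {
        uint64_t expected, desired;
        memcpy(&expected, expectedHooked + off, 8);
        memcpy(&desired, original + off, 8);
        /* GCC/clang builtin: one LOCK CMPXCHG on an aligned 8-byte word, never a partial write. */
        if (!__atomic_compare_exchange_n((uint64_t *)(code + off), &expected, desired,
                                         false, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST))
            return false;
    }
    return true;
}

/* Driver over an aligned scratch copy: 1 = hook detected and restored, 0 = restore refused
   because the bytes were not the hook we expected, -1 = memory already matches disk. */
int CheckAndRestore(const uint8_t *snapshot)
{
    uint64_t buf[PROLOGUE_BYTES / 8];   /* uint64_t storage keeps the CAS target aligned */
    memcpy(buf, snapshot, PROLOGUE_BYTES);
    if (FindInlineHookOffset((const uint8_t *)buf, kOnDisk) < 0) return -1;
    return RestoreInlineAtomic((uint8_t *)buf, kHooked, kOnDisk) ? 1 : 0;
}
```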
 #11935  by Tigzy
 Fri Mar 02, 2012 9:36 am
Ok, thanks.
Will work with my ugly loop for the moment. I will look at this, and at the synchronisation APIs provided by Microsoft (spinlock, ...)

EDIT: That is a big doc... :shock:
 #11962  by Tigzy
 Mon Mar 05, 2012 7:08 am
In some cases I got a BSoD due to writing to read-only memory (tried to unhook Avast :D ).
I guess maybe Avast protects its hooks...

Is there a means to not crash the system with that? Maybe with a try ... catch ?