A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #16458  by listito
 Mon Nov 05, 2012 5:46 pm
Hello,

I'm trying to build an r3 unhooker and I'd like to know if it is possible for ntdll.dll or any other Microsoft DLL to change its prologue signature from version to version? Can it change?

Example:

776B0B12 > 8BFF MOV EDI,EDI
776B0B14 55 PUSH EBP
776B0B15 8BEC MOV EBP,ESP
 #16461  by wacked2
 Mon Nov 05, 2012 7:57 pm
Short answer: Highly unlikely. So unlikely that you can bet your ass on it.

The code you showed consists of two parts.

PUSH EBP & MOV EBX, ESP are the function prologue.
The function prologue is the default one for all x86 functions using the stack. There is no reason to change it.

MOV EDI, EDI belongs to hotpatching.
That could be any 2-byte instruction, but MS stated that it would stay that way forever to allow for easy hooking. (Before it there are at least 5 unused bytes, enough for an unconditional jump across the whole address space; change those and overwrite MOV EDI, EDI with a short unconditional jump back.)

But it seems like you plan to only replace the prologue. That can lead to problems, especially for functions looking like this:
Code:
MOV EAX, SystemCallNumber
MOV EDX, _KUSER_SHARED_DATA->SystemCallStub
CALL DWORD PTR:[EDX]
RET X
 #16462  by listito
 Mon Nov 05, 2012 8:15 pm
OK, thanks for the reply wacked. The APIs I'm going to unhook are just a very few ones, so I'm thinking about restoring the first 6 bytes :)
 #16466  by EP_X0FF
 Tue Nov 06, 2012 2:15 am
Old binaries (Windows 2000 RTM, Windows XP RTM, Windows 2003 RTM) do not have this hotpatching prologue part. It was first introduced with Windows 2003 SP1 and higher versions, and after that came with service packs to XP. Aside from this, many routines in NTDLL do not have such a prologue at all (for example all Nt(Zw) stubs).

Example given, ntdll!CsrClientCallServer

Windows 2003 NO SP
Code:
.text:77F49D69                 push    ebp
.text:77F49D6A                 mov     ebp, esp
.text:77F49D6C                 mov     eax, [ebp+arg_C]
.text:77F49D6F                 push    ebx
Windows 7 SP1
Code:
.text:77F1EA70                 mov     edi, edi
.text:77F1EA72                 push    ebp
.text:77F1EA73                 mov     ebp, esp
.text:77F1EA75                 mov     ecx, [ebp+arg_8]
.text:77F1EA78                 mov     edx, [ebp+arg_C]

Windows XP SP3
Code:
.text:7C912D71                 mov     edi, edi
.text:7C912D73                 push    ebp
.text:7C912D74                 mov     ebp, esp
.text:7C912D76                 mov     eax, [ebp+arg_C]
Windows 2003 SP2
Code:
.text:7C93EBF3                 mov     edi, edi
.text:7C93EBF5                 push    ebp
.text:7C93EBF6                 mov     ebp, esp
.text:7C93EBF8                 mov     eax, [ebp+arg_C]

Another example, kernel32!GetStdHandle.

Windows 2000 SP4 (5.0.2195.7006), dating back to 2005.
Code:
.text:79438797 ; HANDLE __stdcall GetStdHandle(DWORD nStdHandle)
.text:79438797                 push    ebp
.text:79438798                 mov     ebp, esp
.text:7943879A                 push    esi
.text:7943879B                 mov     eax, large fs:18h
Windows XP SP2
Code:
.text:7C812CA9 ; HANDLE __stdcall GetStdHandle(DWORD nStdHandle)
.text:7C812CA9                 mov     edi, edi
.text:7C812CAB                 push    ebp
.text:7C812CAC                 mov     ebp, esp
.text:7C812CAE                 push    esi
.text:7C812CAF                 mov     eax, large fs:18h
So in simple words: you can't assume that you always have a hotpatching prologue in NTDLL. If you plan to restore function bodies, the only good way is to read the DLL from disk and use its real data for restoring.
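The two replies above make one practical point between them: the first bytes of an x86 Windows API are not a fixed signature (wacked2's split into hotpatch `mov edi,edi` plus the real prologue, and the `mov eax,N / call [edx]` syscall stubs; EP_X0FF's listings showing the same function with and without the hotpatch bytes across versions), so a hook check has to compare the in-memory bytes against the copy of the DLL on disk. The following Python is an added example written for this thread, not code posted by anyone in it. It classifies a prologue into the three shapes discussed, maps a function RVA to its file offset using section headers read from the on-disk image, and reports the first mismatch between memory and disk. All byte strings and the section table are constructed samples; the function address used in the test is the XP SP3 address from EP_X0FF's listing, and the syscall-stub pattern assumes the XP-era `mov edx, 7FFE0300h` (KUSER_SHARED_DATA.SystemCall) form.

```python
import struct
from typing import Iterable, Optional, Tuple

# Constructed sample prologues (illustrative bytes, not dumps from real binaries).
SAMPLE_HOTPATCH = bytes.fromhex("8bff558bec8b4d08")   # mov edi,edi ; push ebp ; mov ebp,esp ; mov ecx,[ebp+8]
SAMPLE_PLAIN    = bytes.fromhex("558bec8b450c53")     # push ebp ; mov ebp,esp ; mov eax,[ebp+0Ch] ; push ebx
SAMPLE_NT_STUB  = bytes.fromhex("b825000000ba0003fe7fff12c21400")
# mov eax,25h ; mov edx,7FFE0300h (KUSER_SHARED_DATA.SystemCall) ; call [edx] ; ret 14h


def classify_prologue(code: bytes) -> str:
    """Name the prologue style at the start of an x86 function body.

    Shows why a fixed 'mov edi,edi' signature is not enough: depending on the
    OS version and on the routine, any of these three shapes may be present.
    """
    if code.startswith(b"\x8b\xff\x55\x8b\xec"):
        return "hotpatch"       # mov edi,edi ; push ebp ; mov ebp,esp   (2003 SP1+, XP SP2+)
    if code.startswith(b"\x55\x8b\xec"):
        return "plain"          # push ebp ; mov ebp,esp                 (2000, XP RTM, 2003 RTM)
    if len(code) >= 10 and code[0] == 0xB8 and code[5:10] == b"\xba\x00\x03\xfe\x7f":
        return "syscall-stub"   # mov eax,N ; mov edx,7FFE0300h ; call [edx] ; ret X
    return "unknown"


Section = Tuple[int, int, int, int]  # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)


def rva_to_file_offset(sections: Iterable[Section], rva: int) -> Optional[int]:
    """Translate an RVA (function VA minus the load base) to the offset of the
    same bytes in the DLL file, using the IMAGE_SECTION_HEADER fields.
    Returns None when the RVA has no backing bytes on disk."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            return raw_ptr + delta if delta < raw_size else None
    return None


def compare_prologue(in_memory: bytes, on_disk: bytes, func_va: int, n: int = 5) -> Optional[dict]:
    """Compare the first n bytes of a function as mapped in the process with the
    same bytes read from the on-disk DLL. Returns None when they match, otherwise
    a report of the first differing byte; when the patch is a plain E9 rel32 jump
    the report also carries the resolved jump target for the analyst."""
    for i in range(n):
        if in_memory[i] != on_disk[i]:
            report = {"offset": i, "memory": in_memory[i], "disk": on_disk[i], "kind": "unknown"}
            if in_memory[0] == 0xE9 and len(in_memory) >= 5:
                rel = struct.unpack_from("<i", in_memory, 1)[0]
                report["kind"] = "jmp rel32"
                report["target"] = (func_va + 5 + rel) & 0xFFFFFFFF
            return report
    return None


if __name__ == "__main__":
    # Constructed demo: a 5-byte jump written over the hotpatch prologue.
    hooked = b"\xe9" + struct.pack("<i", 0x1000) + SAMPLE_HOTPATCH[5:]
    print(classify_prologue(SAMPLE_HOTPATCH), classify_prologue(SAMPLE_PLAIN), classify_prologue(SAMPLE_NT_STUB))
    print(compare_prologue(hooked, SAMPLE_HOTPATCH, 0x7C912D71))
```

Two caveats the thread implies but does not spell out: the on-disk bytes are only a valid reference if the module was loaded at its preferred ImageBase, otherwise the `.reloc` fixups have to be applied (or relocated bytes skipped) before comparing; and the comparison window must cover the bytes before the function as well, since a hotpatch-style hook leaves `mov edi,edi` replaced by a 2-byte short jump into the padding rather than a 5-byte jump at offset 0.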
 #16506  by listito
 Thu Nov 08, 2012 9:08 pm
Thanks EP_X0FF, it looks like the best solution really is checking the prologue in the file and comparing it with the one mapped in memory. Could you please send me, or tell me where I can find, all versions of at least kernel32.dll and ntdll.dll?
 #16507  by wacked2
 Thu Nov 08, 2012 10:10 pm
How about right on the machine you are going to do the unhooking from?

(Then you have to protect against someone returning you the wrong bytes. Most just copy the files to %TEMP%\RandName.tmp and open that: unsuspicious name = no modification done.
You could also go for call gates; depending on how you do them you might have to watch out for hooks on KiFastSystemCallRet, though I have not even heard rumors about a bot doing that.)
 #16525  by EP_X0FF
 Fri Nov 09, 2012 3:15 pm
listito wrote: Thanks EP_X0FF, it looks like the best solution really is checking the prologue in the file and comparing it with the one mapped in memory. Could you please send me, or tell me where I can find, all versions of at least kernel32.dll and ntdll.dll?
Why do you need them? Follow wacked2's advice.