Breaking on unsupported RIP-addressing?

Open Convery opened this issue 5 years ago • 11 comments

https://github.com/apriorit/mhook/blob/2238938ec54e88de16fe7282c8a0342278d4333a/mhook-lib/mhook.cpp#L1004-L1013

In this, and the following two cases, the break can (and does in my tests) cause the hook installation to fail. I have personally removed them on my end and it works well. But what's the reasoning for breaking here?

Convery, Nov 21 '19 19:11

What API are you trying to hook? Can you post its prologue from disasm?

SergiusTheBest, Nov 21 '19 19:11

Looks like this and fails with found unsupported OP_IPREL on operand 1 on 0000000063812C84.

0000000063812C80  sub         rsp,28h  
0000000063812C84  mov         r9d,dword ptr [6382A770h]  
0000000063812C8B  test        r9d,r9d  
0000000063812C8E  je          0000000063812CA1  
0000000063812C90  xor         edx,edx  
0000000063812C92  mov         ecx,r9d  
0000000063812C95  call        00000000638126C0  

Convery, Nov 21 '19 19:11

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Jan 10 '20 20:01

In case it helps anyone: DeleteFileW on Windows 11 21H2 experiences this issue as well:

mhooks: DisassembleAndSkip: found unsupported OP_IPREL on operand 0
mhooks: DisassembleAndSkip: instr byte 00: 0xe8
mhooks: DisassembleAndSkip: instr byte 01: 0x2f
mhooks: DisassembleAndSkip: instr byte 02: 0x00
mhooks: DisassembleAndSkip: instr byte 03: 0x00
mhooks: DisassembleAndSkip: instr byte 04: 0x00

Here is the disassembly of DeleteFileW (mhook breaks on second line):

KERNELBASE!DeleteFileW:
00007ffb`0dada600 4883ec28        sub     rsp,28h
00007ffb`0dada604 e82f000000      call    KERNELBASE!InternalDeleteFileW (00007ffb`0dada638)

razuit, Dec 10 '22 08:12
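
What relocating the two instructions reported in this thread involves, as an added example (not from any participant and not mhook's code): an IP-relative operand is resolved against the address of the next instruction, so a byte-for-byte copy into a trampoline points somewhere else unless its disp32 is recomputed, and recomputing only works within ±2 GiB. The helper names and both trampoline addresses are constructed for illustration; the `mov` displacement 0x17AE5 is derived from the addresses shown in the first listing.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Absolute address an x64 IP-relative operand refers to: the address of
   the NEXT instruction plus the sign-extended 32-bit displacement. */
static uint64_t iprel_target(uint64_t insn_addr, unsigned insn_len, int32_t disp)
{
    return insn_addr + insn_len + (uint64_t)(int64_t)disp;
}

/* Displacement the same instruction needs once copied to new_addr.
   Returns false when the original target is out of disp32 range of the copy,
   in which case the instruction cannot be moved by patching disp32 alone. */
static bool iprel_rebase(uint64_t insn_addr, unsigned insn_len, int32_t disp,
                         uint64_t new_addr, int32_t *new_disp)
{
    uint64_t target = iprel_target(insn_addr, insn_len, disp);
    int64_t delta = (int64_t)(target - (new_addr + insn_len));
    if (delta < INT32_MIN || delta > INT32_MAX)
        return false;
    *new_disp = (int32_t)delta;
    return true;
}

int main(void)
{
    /* From the thread: e8 2f 00 00 00 at 00007ffb`0dada604 (call rel32). */
    const uint64_t call_at = 0x00007ffb0dada604ULL;
    /* Constructed trampoline addresses, not values from the thread. */
    const uint64_t near_tramp = 0x00007ffb0d000000ULL;
    const uint64_t far_tramp  = 0x0000000100000000ULL;
    int32_t d = 0;

    printf("original target : %#" PRIx64 "\n", iprel_target(call_at, 5, 0x2f));
    printf("verbatim copy   : %#" PRIx64 " (wrong)\n", iprel_target(near_tramp, 5, 0x2f));
    if (iprel_rebase(call_at, 5, 0x2f, near_tramp, &d))
        printf("rebased disp32  : %#" PRIx32 "\n", (uint32_t)d);
    if (!iprel_rebase(call_at, 5, 0x2f, far_tramp, &d))
        printf("far trampoline  : target not reachable with disp32\n");

    /* mov r9d,[6382A770h] at 63812C84, 7 bytes; disp derived from the listing. */
    printf("mov operand     : %#" PRIx64 "\n", iprel_target(0x63812C84ULL, 7, 0x17AE5));
    return 0;
}
```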

@razuit Thanks!

SergiusTheBest, Dec 11 '22 08:12