PolyHook_2_0
PolyHook_2_0 copied to clipboard
Published
20 hours ago •
stevemk14ebr
stevemk14ebr
Calling the original function fails after hooking the same function twice or more
Hey, this might be a linux specific problem but whenever I hook a function, unhook it and hook it again the process will crash when calling the original trampoline function. This is some pseudo code that will generate the following output:
PLH::x64Detour *getFov_hook = nullptr;
uint64_t getFov_addr;
float my_getFov(class LevelRendererPlayer *base, float param_1, bool flag)
{
return PLH::FnCast(getFov_addr, my_getFov)(base, param_1, flag); // this will crash the process after the second hook call
}
int main() {
getFov_hook = new PLH::x64Detour((uint64_t)base + 0x060f5930, (uint64_t)my_getFov, &getFov_addr);
auto error_log = std::make_shared<PLH::ErrorLog>();
PLH::Log::registerLogger(error_log);
getFov_hook->hook(); // trampoline works without error till this point
// do some stuff
getFov_hook->unHook(); // unhook after a few seconds
getFov_hook->hook(); // rehook after a few seconds later
}
The code will output this.
[+] Info: Original function:
7f2f2a275930 [2]: 41 57 push r15
7f2f2a275932 [2]: 41 56 push r14
7f2f2a275934 [1]: 53 push rbx
7f2f2a275935 [4]: 48 83 ec 30 sub rsp, 0x30
7f2f2a275939 [6]: f3 0f 11 44 24 0c movss dword ptr ss:[rsp+0x0C], xmm0
7f2f2a27593f [3]: 49 89 ff mov r15, rdi
7f2f2a275942 [3]: 40 84 f6 test sil, sil
7f2f2a275945 [6]: 0f 84 94 00 00 00 jz 0x00007F2F2A2759DF -> 7f2f2a2759df
7f2f2a27594b [7]: 49 8b 87 68 15 00 00 mov rax, qword ptr ds:[r15+0x1568]
7f2f2a275952 [7]: 48 8b b8 d8 02 00 00 mov rdi, qword ptr ds:[rax+0x2D8]
7f2f2a275959 [5]: be 22 00 00 00 mov esi, 0x22
7f2f2a27595e [5]: e8 4d 68 0e fe call 0x00007F2F2835C1B0 -> 7f2f2835c1b0
7f2f2a275963 [3]: 48 85 c0 test rax, rax
7f2f2a275966 [6]: 0f 84 d3 01 00 00 jz 0x00007F2F2A275B3F -> 7f2f2a275b3f
7f2f2a27596c [3]: 48 89 c3 mov rbx, rax
7f2f2a27596f [3]: 48 89 c7 mov rdi, rax
7f2f2a275972 [5]: e8 29 c7 0e fe call 0x00007F2F283620A0 -> 7f2f283620a0
7f2f2a275977 [5]: 0f 29 44 24 10 movaps xmmword ptr ss:[rsp+0x10], xmm0
7f2f2a27597c [3]: 48 89 df mov rdi, rbx
7f2f2a27597f [5]: e8 1c cd 19 fe call 0x00007F2F284126A0 -> 7f2f284126a0
7f2f2a275984 [5]: 0f 29 44 24 20 movaps xmmword ptr ss:[rsp+0x20], xmm0
7f2f2a275989 [3]: 48 89 df mov rdi, rbx
7f2f2a27598c [5]: e8 ff cc 19 fe call 0x00007F2F28412690 -> 7f2f28412690
[+] Info: Prologue to overwrite:
7f2f2a275930 [2]: 41 57 push r15
7f2f2a275932 [2]: 41 56 push r14
7f2f2a275934 [1]: 53 push rbx
7f2f2a275935 [4]: 48 83 ec 30 sub rsp, 0x30
[+] Info: Trampoline address: 0x0000000005e93270
[+] Info: Jmp To Prol:
5e93279 [6]: ff 25 49 00 00 00 jmp [5e932c8] ->7f2f2a275939
5e932c8 [8]: 39 59 27 2a 2f 7f 00 00 dest holder
[+] Info: m_trampoline: 0x0000000005e93270
[+] Info: m_trampolineSz: 0x0064
[+] Info: Trampoline:
5e93270 [2]: 41 57 push r15
5e93272 [2]: 41 56 push r14
5e93274 [1]: 53 push rbx
5e93275 [4]: 48 83 ec 30 sub rsp, 0x30
5e93279 [6]: ff 25 49 00 00 00 jmp qword ptr ds:[0x0000000005E932C8] -> 7f2f2a275939
[+] Info: Hook instructions:
7f2f2a275930 [6]: ff 25 ca 56 eb 31 jmp [7f2f5c12b000] ->7f2ed44e8ad8
7f2f5c12b000 [8]: d8 8a 4e d4 2e 7f 00 00 dest holder
[+] Info: Hook size: 9
[+] Info: Prologue offset: 6
**First hook done**
**Second hook started**
[+] Info: Original function:
7f2f2a275930 [2]: 41 57 push r15
7f2f2a275932 [2]: 41 56 push r14
7f2f2a275934 [1]: 53 push rbx
7f2f2a275935 [4]: 48 83 ec 30 sub rsp, 0x30
7f2f2a275939 [6]: f3 0f 11 44 24 0c movss dword ptr ss:[rsp+0x0C], xmm0
7f2f2a27593f [3]: 49 89 ff mov r15, rdi
7f2f2a275942 [3]: 40 84 f6 test sil, sil
7f2f2a275945 [6]: 0f 84 94 00 00 00 jz 0x00007F2F2A2759DF -> 7f2f2a2759df
7f2f2a27594b [7]: 49 8b 87 68 15 00 00 mov rax, qword ptr ds:[r15+0x1568]
7f2f2a275952 [7]: 48 8b b8 d8 02 00 00 mov rdi, qword ptr ds:[rax+0x2D8]
7f2f2a275959 [5]: be 22 00 00 00 mov esi, 0x22
7f2f2a27595e [5]: e8 4d 68 0e fe call 0x00007F2F2835C1B0 -> 7f2f2835c1b0
7f2f2a275963 [3]: 48 85 c0 test rax, rax
7f2f2a275966 [6]: 0f 84 d3 01 00 00 jz 0x00007F2F2A275B3F -> 7f2f2a275b3f
7f2f2a27596c [3]: 48 89 c3 mov rbx, rax
7f2f2a27596f [3]: 48 89 c7 mov rdi, rax
7f2f2a275972 [5]: e8 29 c7 0e fe call 0x00007F2F283620A0 -> 7f2f283620a0
7f2f2a275977 [5]: 0f 29 44 24 10 movaps xmmword ptr ss:[rsp+0x10], xmm0
7f2f2a27597c [3]: 48 89 df mov rdi, rbx
7f2f2a27597f [5]: e8 1c cd 19 fe call 0x00007F2F284126A0 -> 7f2f284126a0
7f2f2a275984 [5]: 0f 29 44 24 20 movaps xmmword ptr ss:[rsp+0x20], xmm0
7f2f2a275989 [3]: 48 89 df mov rdi, rbx
7f2f2a27598c [5]: e8 ff cc 19 fe call 0x00007F2F28412690 -> 7f2f28412690
[+] Info: Prologue to overwrite:
7f2f2a275930 [2]: 41 57 push r15
7f2f2a275932 [2]: 41 56 push r14
7f2f2a275934 [1]: 53 push rbx
7f2f2a275935 [4]: 48 83 ec 30 sub rsp, 0x30
[+] Info: Trampoline address: 0x0000000005e94030
[+] Info: Jmp To Prol:
5e94039 [6]: ff 25 49 00 00 00 jmp [5e94088] ->7f2f2a275939
5e94088 [8]: 39 59 27 2a 2f 7f 00 00 dest holder
[+] Info: m_trampoline: 0x0000000005e94030
[+] Info: m_trampolineSz: 0x0064
[+] Info: Trampoline:
5e94030 [2]: 41 57 push r15
5e94032 [2]: 41 56 push r14
5e94034 [1]: 53 push rbx
5e94035 [4]: 48 83 ec 30 sub rsp, 0x30
5e94039 [6]: ff 25 49 00 00 00 jmp qword ptr ds:[0x0000000005E94088] -> 7f2f2a275939
[+] Info: Hook instructions:
7f2f2a275930 [6]: ff 25 ca 56 eb 31 jmp [7f2f5c12b000] ->7f2ed44e8ad8
7f2f5c12b000 [8]: d8 8a 4e d4 2e 7f 00 00 dest holder
[+] Info: Hook size: 9
[+] Info: Prologue offset: 6
After "rehooking" the detour will work fine but calling the tram function will crash the process. The Trampoline (with m_trampoline) is in a completely diffrent location and it's instructions wont ever get called.
0x5e94030 is somewhere close the entry process/executable. The function i hook is in an libary allocated far away from that address.
I would love to know why this happends. Sometimes "rehooking" the function works fine but most of the time it will crash the process. I Never actively encountered this error on the first hook. After using dlclose and dlopen again (to uninject and inject my custom code again) the hook will work fine again.
