RCE Endeavors 😅

February 19, 2017

Game Hacking (1/3): The Hard Way

Filed under: Game Hacking,Programming,Reverse Engineering — admin @ 3:41 PM

Introduction

Age of Mythology is a real-time strategy game in which a player hopes to build up their civilization and ultimately conquer his or her enemies. The standard mode of play has the player starting off in a map that is covered in black, signifying unknown and unexplored territory.


As the game progresses, the player explores the map and explored regions show signs of terrain, resources, enemy buildings, and are overlaid with a “fog of war” that signifies explored territory that the player does not have vision of anymore.


The goal of this post will be to develop a hack that provides a significant advantage to the player by revealing the entire map. This allows the player to see what enemies on the map are doing as well as where and when it is best to attack. This hack will be developed for the original version and then later parts of this article series will show how it applies to the newer extended edition which is currently found on Steam.

Here are the hashes for the main executable that will be reversed in this set of articles:

CRC32: 7F1AF498
MD5: 09876F130D02AE760A6B06CE6A9C92DB
SHA-1: AAAC9CD38B51BEB3D29930D13A87C191ABF9CAD4

Starting off

The goal is to develop something that reveals everything on the map to the player, giving the player full knowledge of what is going on in the game at all times. The good news is revealing and hiding the map is built-in functionality of the game. The game supports playing back recorded games, and the option to reveal and hide the map is part of this UI.

Clicking the “Fog of War” button toggles fully revealing the map and setting it back to the normal state, which only shows what the player has vision of or has explored. The plan is to find out where the handler for this button is and trace it through to where the logic for revealing the map is. Once that is found, it will simply be a matter of injecting a DLL into the game process to call the function for revealing the map. The tool most appropriate for something like this is Cheat Engine, which is a useful tool for browsing and manipulating memory, debugging, disassembling, and much more, with a specific focus on game hacking. This post will not go over usage of the tool — there are hundreds of resources out there that can cover usage targeted at various skill levels.

After starting Cheat Engine and attaching, it becomes a matter of finding out where the code that interacts with the button is located. The easiest way to find this is to assume some normal programming practices, specifically that an active button will have a value of 1 in memory somewhere and unactive will be 0. Then it becomes a matter of testing and patience. Searching in the process memory for a value of “1” (when the button was active) returned 337,597 results for me. If you’re following along at home then don’t expect identical numbers.

This is far too many to enumerate. Clicking the button again to set it in an unactive state and searching for 0 then returned 376 results — still too many.

Repeating this process a few more times eventually narrows it down to a much more manageable 21 addresses. 20 of these 21 were very close in range. 0x08FC71A4 seemed the odd address of the bunch. Inspecting it closer and forcing its value to 0 did in fact toggle successfully toggle the button. At this point the correct address was found and the other 20 could safely be ignored. The next step is to see what is writing to it.

At this point Cheat Engine will attach a debugger and monitor all writes to 0x08FC71A4. Clicking the button a few times gets the following instructions to pop up. These were the instructions that were found to have written to 0x08FC71A4.

The next step is to inspect these and begin setting breakpoints in order to better understand what is going on around these writes. Setting a breakpoint on the write instructions

and messing around with the game a bit reveals that this function is called for every button. Here, ECX is the pointer to the button, and presumably +0x1A4 holds an IsToggled property that gets set accordingly. This set happens on the second write instruction, where EDX will either be 0 for disabled or 1 for active. The code might look a bit complicated, but it is basically ensuring that the toggled state is a valid state and then setting the IsToggled property before calling a function and returning.

The destination address +0x14B670 is still code that is specific to all buttons. The goal is to begin slowly stepping through everything and finding areas of code that might be specific to the “Fog of War” button. There are a lot of different approaches here, but what I usually look for is:

  • Call destinations that are calculated via a register. This can signify a callback to be invoked after the state of the button has changed, something like an OnChanged/OnEnabled/OnDisabled or similar function.
  • Function parameters that are pointers to functions.
  • Function calls that take in arguments of 1 or 0.

Stepping into +0x14B670 gives the following (partial) assembly listing listed below. The assembly listings will have an absolute address instead of module base + offset address since they were a lot easier to copy from IDA than from Cheat Engine.

.text:0054B670                 mov     eax, large fs:0
.text:0054B676                 push    0FFFFFFFFh
.text:0054B678                 push    offset SEH_54B670
.text:0054B67D                 push    eax
.text:0054B67E                 mov     large fs:0, esp
.text:0054B685                 sub     esp, 8
.text:0054B688                 push    esi
.text:0054B689                 mov     esi, ecx
.text:0054B68B                 mov     eax, [esi+148h]
.text:0054B691                 push    edi
.text:0054B692                 mov     edi, [esi]
.text:0054B694                 push    eax
.text:0054B695                 push    esi
.text:0054B696                 lea     ecx, [esp+24h+var_10]
.text:0054B69A                 call    sub_4D7470
.text:0054B69F                 mov     ecx, [eax]
.text:0054B6A1                 push    ecx
.text:0054B6A2                 push    1
.text:0054B6A4                 mov     ecx, esi
.text:0054B6A6                 call    dword ptr [edi+54h]
.text:0054B6A9                 cmp     [esp+1Ch+arg_0], 0Dh
.text:0054B6AE                 jnz     loc_54B769
.text:0054B6B4                 lea     edi, [esi+154h]
...

The call to 0x004D7470 (red) was stepped into and found to return relatively quickly so it will not be shown here. The next call (blue) at +0x14B6A6 makes a call via a register. This is a good candidate to step into and observe closely. This function has two possible destinations that it can call:

...
.text:0054BF98                 push    0Ch
.text:0054BF9A                 call    dword ptr [eax+0CCh]
.text:0054BFA0
.text:0054BFA0 loc_54BFA0:                             ; CODE XREF: sub_54BF80+Fj
.text:0054BFA0                                         ; sub_54BF80+14j
.text:0054BFA0                 mov     ecx, [esp+0Ch+arg_8]
.text:0054BFA4                 push    ecx
.text:0054BFA5                 push    edi
.text:0054BFA6                 push    ebx
.text:0054BFA7                 mov     ecx, esi
.text:0054BFA9                 call    sub_4D4EF0
.text:0054BFAE                 pop     edi
...

The instruction at +0x14BF9A (red) never gets invoked when debugging and stepping through, so there’s no point in looking at it. That just leaves the next call at +0x14BFA9 (blue) to step into and look at. This functions turn out to be very large in size and has a lot of branching and potential call sites. With the aid of debugging, a lot of this logic can be skipped. After only tracing the code that is executed when the “Fog of War” button is toggled to reveal the map, there are only three call sites left.

...
.text:004D504C                 cmp     esi, dword_A9D068
.text:004D5052                 jz      short loc_4D5087
.text:004D5054                 push    esi
.text:004D5055                 call    sub_424750
.text:004D505A                 mov     edi, eax
.text:004D505C                 add     esp, 4
.text:004D505F                 test    edi, edi
.text:004D5061                 jz      short loc_4D5070
.text:004D5063                 push    esi
.text:004D5064                 call    sub_4D58B0
.text:004D5069                 add     esp, 4
.text:004D506C                 test    edi, edi
.text:004D506E                 jnz     short loc_4D5079
.text:004D5070
.text:004D5070 loc_4D5070:                             ; CODE XREF: sub_4D4EF0+171j
.text:004D5070                 pop     edi
.text:004D5071                 pop     esi
.text:004D5072                 pop     ebp
.text:004D5073                 xor     al, al
.text:004D5075                 pop     ebx
.text:004D5076                 retn    0Ch
.text:004D5079 ; ---------------------------------------------------------------------------
.text:004D5079
.text:004D5079 loc_4D5079:                             ; CODE XREF: sub_4D4EF0+17Ej
.text:004D5079                 mov     eax, [esp+10h+arg_4]
.text:004D507D                 mov     edx, [edi]
.text:004D507F                 push    ebp
.text:004D5080                 push    eax
.text:004D5081                 push    ebx
.text:004D5082                 mov     ecx, edi
.text:004D5084                 call    dword ptr [edx+54h]
.text:004D5087
.text:004D5087 loc_4D5087:                             ; CODE XREF: sub_4D4EF0+157j
.text:004D5087                                         ; sub_4D4EF0+162j
.text:004D5087                 pop     edi
...

The call at +0xD5055 (red) leads down a dead-end path after a bit of tracing. The same goes for +0xD5064 (orange). If you step into them with the debugger and begin tracing through the code paths, these two functions have very similar behavior. However, there is nothing to indicate that they have anything to do with specific functionality of the “Fog of War” button in terms of interacting with the map. Setting a breakpoint on these two instructions will show that they are constantly being invoked from somewhere and that they only perform logic on the caller object. At this point, we are still in common code related to UI and button clicks, so it’s reasonably safe to rule out these two functions as having anything to do with revealing the map.

The last call site is at +0xD5084 (blue). Stepping into it leads to +0xD4EF0, which is again another large function.

.text:004D4EF0                 push    ebx
.text:004D4EF1                 mov     ebx, [esp+4+arg_0]
.text:004D4EF5                 push    ebp
.text:004D4EF6                 mov     ebp, [esp+8+arg_8]
.text:004D4EFA                 push    esi
.text:004D4EFB                 mov     esi, ecx
.text:004D4EFD                 mov     ecx, [esi+0B8h]
...

Toggling a breakpoint on it still shows it getting hit all of the time, so it still remains common handling code. If you step through it, you will actually see that it goes back to code found in the previous listing. The same two calls to 0x00424750 and 0x004D58B0 will be made. Then there will be a call to [EDX+0x54], except this time EDX will have a different value. On this second call, it will lead to the following function at +0xD0C70:

.text:004D0C70                 mov     ecx, [ecx+14Ch]
.text:004D0C76                 test    ecx, ecx
.text:004D0C78                 jz      short loc_4D0C91
.text:004D0C7A                 mov     edx, [esp+arg_8]
.text:004D0C7E                 mov     eax, [ecx]
.text:004D0C80                 push    edx
.text:004D0C81                 mov     edx, [esp+4+arg_4]
.text:004D0C85                 push    edx
.text:004D0C86                 mov     edx, [esp+8+arg_0]
.text:004D0C8A                 push    edx
.text:004D0C8B                 call    dword ptr [eax+30h]
.text:004D0C8E                 retn    0Ch
.text:004D0C91 ; ---------------------------------------------------------------------------
.text:004D0C91
.text:004D0C91 loc_4D0C91:                             ; CODE XREF: sub_4D0C70+8j
.text:004D0C91                 xor     al, al
.text:004D0C93                 retn    0Ch
.text:004D0C93 sub_4D0C70      endp

There’s only one real call site here so this function is pretty easy to analyze. Setting a breakpoint on it still reveals that it is getting hit from everywhere, so this is still common code. The call to [EAX+0x30] leads to +0x680D0. Repeating the breakpoint process yet again reveals that it is still getting hit from everywhere, so still nothing useful yet.

.text:004680D0                 push    0FFFFFFFFh
.text:004680D2                 push    offset SEH_4680D0
.text:004680D7                 mov     eax, large fs:0
.text:004680DD                 push    eax
.text:004680DE                 mov     large fs:0, esp
.text:004680E5                 sub     esp, 0F8h
.text:004680EB                 mov     eax, [esp+104h+arg_8]
.text:004680F2                 push    ebx
.text:004680F3                 push    ebp
.text:004680F4                 push    esi
.text:004680F5                 mov     esi, [esp+110h+arg_0]
.text:004680FC                 push    edi
.text:004680FD                 mov     ebp, ecx
.text:004680FF                 mov     ecx, [esp+114h+arg_4]
.text:00468106                 push    eax
.text:00468107                 push    ecx
.text:00468108                 push    esi
.text:00468109                 mov     ecx, ebp
.text:0046810B                 mov     [esp+120h+var_F0], ebp
.text:0046810F                 call    sub_4718B0
.text:00468114                 test    al, al
...

Finding the specific code

Stepping into the first call site at +0x6810F takes you to a function that contains a gigantic jump table (screenshot below). This could be a promising sign of hitting an area that is responsible for dispatching events or invoking callbacks.

Stepping through the code leads down to the following case:

.text:00471DB4 loc_471DB4:                             ; CODE XREF: sub_4718B0+4FDj
.text:00471DB4                                         ; DATA XREF: .text:off_471FA0o
.text:00471DB4                 push    edi             ; jumptable 00471DAD case 4
.text:00471DB5                 call    sub_54E7D0
.text:00471DBA                 mov     esi, eax
.text:00471DBC                 add     esp, 4
.text:00471DBF                 test    esi, esi
.text:00471DC1                 jz      loc_471F5F      ; jumptable 00471DAD case 3
.text:00471DC7                 push    edi
.text:00471DC8                 call    sub_4D58B0
.text:00471DCD                 add     esp, 4
.text:00471DD0                 test    esi, esi
.text:00471DD2                 jz      loc_471F5F      ; jumptable 00471DAD case 3
.text:00471DD8                 mov     edx, [esi+1A4h]
.text:00471DDE                 mov     ecx, [esp+50h+var_40]
.text:00471DE2                 cmp     edx, ebx
.text:00471DE4                 setz    al
.text:00471DE7                 push    eax
.text:00471DE8                 call    sub_58EA10
.text:00471DED                 mov     al, 1
.text:00471DEF                 jmp     loc_471F65
...

Setting a breakpoint on +0x71DB4 (pink) and continuing shows that nothing is constantly getting hit anymore. Clicking the “Fog of War” button shows +0x71DB4 getting hit. Finally, after tracing for a long time, there is a sign of being inside of code that is specific to the “Fog of War” button. The first call instruction is at+0x71DB5 (red). This function takes one parameter via EDI, and was always a constant value. Carefully stepping through it and observing the values of all of the parameters or referenced/loaded addresses, there was nothing that indicated a toggle value. Specifically, clicking to reveal and hide the map in game and then tracing through this function did not show anything different, so it was ruled out.  The instruction at +0x71DC8 (orange) calls address 0x004D58B0, which is one that was already investigated before. The same case happened with this function. It always took in the same value as the previous function and did not show anything that indicated writing in a toggle value or handling code based on a toggle value.

The next call is at +0x71DE8. This function also takes in one parameter and is also the last function called before the jump-table handling function exits. There is some really interesting logic in the teal block. A value is loaded from [ESI+0x1A4] then compared against EBX. The result of this comparison sets a byte in AL to 0 or 1 depending on the case. EAX, which will be 0 or 1, is then passed as an argument to the function at 0x0058EA10. Toggling the button in the game and stepping through shows that EBX always contains the value of 1 and EDX contains a 0 or 1 depending on whether the map is being hidden or revealed. An assumption can begin to be made that this is the function used to reveal and hide the map. The assembly listing for 0x0058EA10 is shown below:

.text:0058EA10 sub_58EA10      proc near               ; CODE XREF: sub_4718B0+538p
.text:0058EA10                                         ; sub_58DF30+919p ...
.text:0058EA10
.text:0058EA10 arg_0           = dword ptr  4
.text:0058EA10
.text:0058EA10                 push    ebx
.text:0058EA11                 mov     ebx, [esp+4+arg_0]
.text:0058EA15                 mov     [ecx+53h], bl
.text:0058EA18                 mov     eax, dword_A9D244
.text:0058EA1D                 mov     ecx, [eax+140h]
.text:0058EA23                 test    ecx, ecx
.text:0058EA25                 jz      short loc_58EA43
.text:0058EA27                 push    1
.text:0058EA29                 push    ebx
.text:0058EA2A                 call    sub_5316B0
.text:0058EA2F                 mov     ecx, dword_A9D244
.text:0058EA35                 mov     ecx, [ecx+140h]
.text:0058EA3B                 push    1
.text:0058EA3D                 push    ebx
.text:0058EA3E                 call    sub_5316D0
.text:0058EA43
.text:0058EA43 loc_58EA43:                             ; CODE XREF: sub_58EA10+15j
.text:0058EA43                 pop     ebx
.text:0058EA44                 retn    4
.text:0058EA44 sub_58EA10      endp

It forwards the value of 0 or 1 to two more functions, which both take two parameters. The first parameter is the 0 or 1 toggle and the second one is always a hard-coded 1 value. Looking at these two functions shows that they write the 0 or 1 value to an object and then call a function

.text:005316B0 ; =============== S U B R O U T I N E =======================================
.text:005316B0
.text:005316B0
.text:005316B0                 public sub_5316B0
.text:005316B0 sub_5316B0      proc near               ; CODE XREF: sub_442070+1684p
.text:005316B0                                         ; sub_4C91E0+14Cp ...
.text:005316B0
.text:005316B0 arg_0           = byte ptr  4
.text:005316B0 arg_4           = dword ptr  8
.text:005316B0
.text:005316B0                 mov     edx, [esp+arg_4]
.text:005316B4                 mov     al, [esp+arg_0]
.text:005316B8                 push    edx
.text:005316B9                 push    1
.text:005316BB                 mov     [ecx+40Eh], al
.text:005316C1                 call    sub_5316F0
.text:005316C6                 retn    8
.text:005316C6 sub_5316B0      endp
.text:005316C6
.text:005316C6 ; ---------------------------------------------------------------------------
.text:005316C9                 align 10h
.text:005316D0
.text:005316D0 ; =============== S U B R O U T I N E =======================================
.text:005316D0
.text:005316D0
.text:005316D0 sub_5316D0      proc near               ; CODE XREF: sub_442070+1698p
.text:005316D0                                         ; sub_4C91E0+137p ...
.text:005316D0
.text:005316D0 arg_0           = byte ptr  4
.text:005316D0 arg_4           = dword ptr  8
.text:005316D0
.text:005316D0                 mov     edx, [esp+arg_4]
.text:005316D4                 mov     al, [esp+arg_0]
.text:005316D8                 push    edx
.text:005316D9                 push    1
.text:005316DB                 mov     [ecx+40Fh], al
.text:005316E1                 call    sub_5316F0
.text:005316E6                 retn    8
.text:005316E6 sub_5316D0      endp

Patching
mov al, [esp+arg_0]
to
mov al, 0
nop
nop

now leaves the mini-map revealed regardless of whether the “Fog of War” button is set to be enabled or disabled. The code to reveal and hide the map has now been found.

Developing the hack

At this point, it is possible to develop a hack to reveal the map — it should simply be a matter of invoking 0x0058EA10 with true/false depending on how we want to the map to look. There is one slight problem however: there is a write to [ECX+0x53] at 0x0058EA15. This means that we would need to pass in an object with a writable field at +0x53, which would serve as the “this” parameter that is typically passed in via ECX with the __thiscall calling convention. ECX is re-written further along in the function after being loaded from a constant address, so this seems to be a safe approach. The hacky code for this is found below:

#include <Windows.h>
 
struct DummyObj
{
    char Junk[0x53];
};
DummyObj dummy = { 0 };
 
using pToggleMapFnc = void (__thiscall *)(void *pDummyObj, bool bHideAll);
 
int APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
    {
        (void)DisableThreadLibraryCalls(hModule);
 
        pToggleMapFnc ToggleMap = (pToggleMapFnc)0x0058EA10;
 
        while (!GetAsyncKeyState('0'))
        {
            if (GetAsyncKeyState('7'))
            {
                ToggleMap(&dummy, true);
            }
            else if (GetAsyncKeyState('8'))
            {
                ToggleMap(&dummy, false);
            }
 
            Sleep(10);
        }
 
        break;
    }
 
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
 
    return TRUE;
}

After injecting the DLL into the game process, the map can be toggled to a fully revealed state or a hidden state via the ‘7’ and ‘8’ keys.

Conclusion

This concludes developing a map hack for the game. This approach was very involved and complicated and the next post will show how to greatly simplify everything by taking advantage of useful information that the developers left in the executable. Reading through this might give the impression that everything followed a linear path from start to finish, but there was a lot omitted for the sake of brevity in terms of dead-end code paths. Including those and their explanations would have likely made this post the length of a typical dissertation. While initially developing the hack, I stepped through these various code paths many dozens of times while scribbling notes and as to what might be relevant. The end result of this post is all of the useful information aggregated together into a coherent and semi-linear guide.

Thanks for reading and follow on Twitter for more updates

December 23, 2015

Heap Tracking

Filed under: General x86,General x86-64,Programming,Reverse Engineering — admin @ 2:47 PM

This post will cover the topic of finding and inspecting differences in a process heap over time. It will cover two techniques: a non-invasive one that iterates and copies heap entries from a separate process, and an invasive one that uses dynamic binary instrumentation to track all heap writes. Heap tracking is useful if you want to monitor large scale changes in an application over time. For example, looking at the state of the heap and potentially what data structures were modified after pressing a button or performing some complex action.

Non-invasive Heap Diffing

The non-invasive technique relies on remotely reading every allocated heap block in a target process and copying the bytes to the inspecting process. Once this iteration is done, a snapshot of the heap will be created and can then be accurately diffed against another snapshot at a later point in time to see how the heap state changed. This traversal is accomplished with the HeapList32First/HeapList32Next and Heap32First/Heap32Next functions from the Toolhelp API. The traversal code is shown below:

const Heap EnumerateProcessHeap(const DWORD processId, const HANDLE processHandle)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPHEAPLIST, processId);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        fprintf(stderr, "Could not create toolhelp snapshot. "
            "Error = 0x%X\n", GetLastError());
        exit(-1);
    }
 
    Heap processHeapInfo;
 
    (void)NtSuspendProcess(processHandle);
 
    size_t reserveSize = 4096;
    std::unique_ptr<unsigned char[]> heapBuffer(new unsigned char[reserveSize]);
 
    HEAPLIST32 heapList = { 0 };
    heapList.dwSize = sizeof(HEAPLIST32);
    if (Heap32ListFirst(snapshot, &heapList))
    {
        do
        {
            HEAPENTRY32 heapEntry = { 0 };
            heapEntry.dwSize = sizeof(HEAPENTRY32);
 
            if (Heap32First(&heapEntry, processId, heapList.th32HeapID))
            {
                do
                {
                    if (IsReadable(processHandle, heapEntry.dwAddress, heapEntry.dwSize))
                    {
                        ReadHeapData(processHandle, heapEntry.dwAddress, heapEntry.dwSize,
                            processHeapInfo, heapBuffer, reserveSize);
                    }
 
                    heapEntry.dwSize = sizeof(HEAPENTRY32);
                } while (Heap32Next(&heapEntry));
            }
 
            heapList.dwSize = sizeof(HEAPLIST32);
        } while (Heap32ListNext(snapshot, &heapList));
    }
 
    (void)NtResumeProcess(processHandle);
 
    (void)CloseHandle(snapshot);
 
    return processHeapInfo;
}

For every heap list and subsequent heap entry, the heap block is read and its byte contents stored in an address -> byte pair. The remote read is just a call around ReadProcessMemory

void ReadHeapData(const HANDLE processHandle, const DWORD_PTR heapAddress, const size_t size, Heap &heapInfo,
    std::unique_ptr<unsigned char[]> &heapBuffer, size_t &reserveSize)
{
    if (size > reserveSize)
    {
        heapBuffer = std::unique_ptr<unsigned char[]>(new unsigned char[size]);
        reserveSize = size;
    }
 
    SIZE_T bytesRead = 0;
    const BOOL success = ReadProcessMemory(processHandle, (LPCVOID)heapAddress, heapBuffer.get(), size, &bytesRead);
 
    if (success == 0)
    {
        fprintf(stderr, "Could not read process memory at 0x%p "
            "Error = 0x%X\n", (void *)heapAddress, GetLastError());
        return;
    }
    if (bytesRead != size)
    {
        fprintf(stderr, "Could not read process all memory at 0x%p "
            "Error = 0x%X\n", (void *)heapAddress, GetLastError());
        return;
    }
 
    for (size_t i = 0; i < size; ++i)
    {
        heapInfo.emplace_hint(std::end(heapInfo), std::make_pair((heapAddress + i), heapBuffer[i]));
    }
}

At this point a snapshot of the heap is created. A screenshot of an example run shows the address -> byte pairs below.heapdiff

The next part is to take another snapshot at a later point in time and begin diffing the heaps. Diffing the heaps involves three scenarios: when a heap entry at the same address has changed, when an entry was removed (in first snapshot but not in second), and when a new allocation was made (in second heap snapshot but not in first). The code is pretty straightforward and performs a search and compare in the first heap against the second heap.

const HeapDiff GetHeapDiffs(const Heap &firstHeap, Heap &secondHeap)
{
    HeapDiff heapDiff;
 
    for (auto &heapEntry : firstHeap)
    {
        auto &secondHeapEntry = std::find_if(std::begin(secondHeap), std::end(secondHeap),
            [&](const std::pair<DWORD_PTR, unsigned char> &entry) -> bool
        {
            return entry.first == heapEntry.first;
        });
 
        if (secondHeapEntry != std::end(secondHeap))
        {
            if (heapEntry.second != secondHeapEntry->second)
            {
                //Entries in both heaps but are different
                heapDiff.emplace_hint(std::end(heapDiff),
                    heapEntry.first, std::make_pair(heapEntry.second, secondHeapEntry->second));
            }
            secondHeap.erase(secondHeapEntry);
        }
        else
        {
            //Entries in first heap and not in second heap
            heapDiff.emplace_hint(std::end(heapDiff),
                heapEntry.first, std::make_pair(heapEntry.second, heapEntry.second));
        }
    }
 
    for (auto &newEntries : secondHeap)
    {
        //Entries in second heap and not in first heap
        heapDiff.emplace_hint(std::end(heapDiff),
            newEntries.first, std::make_pair(newEntries.second, newEntries.second));
    }
 
    return heapDiff;
}

A screenshot post-diff is shown below:

heapdiff1

Looking at the above example, you can see that the bytes at heap address 0x003F0200 changed from 0x2B to 0x57, among many others. The last step is to merge contiguous blocks to make things more simple. The code is omitted here, but a final screenshot is shown below showing the final structure of the heap diff.heapdiff2The diff can be inspected for anything deemed interesting and can aid in reverse engineering an application. For example, to see where text is drawn in a text editor, you can write some text in the editor and take a snapshot

heapdiff3Prior to taking a second snapshot, change some of the text around and inspect the heap differences. For this example, some AA‘s were changed to BB.heapdiff4The heap contents beginning at 0x0079201C contained the text and were noted as changing from A -> B. Attaching a debugger and setting a breakpoint on-write at 0x0079201C showed an access from 0x00402CA5, which is a rep movs instruction responsible for copying the text to draw into the buffer.heapdiff5heapdiff6
The usefulness of this technique is obviously predicated on the desired data to reside in the process heap.

Invasive Heap Diffing

The technique described above is useful because it does not disturb the process state, aside from suspending and resuming it. The inspecting process has no access to the address space of the target process and performs all of its actions remotely. This next technique uses Intel’s Pin dynamic binary instrumentation platform to instrument a target process and monitor only heap writes. This means that, unlike the previous technique, the entire state of the heap does not need to be tracked. Pin allows for tracking of memory writes in a process, among many other things. Pin is injected as a DLL into a process, so all code written within it will have access to the process address space. That means that instead of traversing heap lists and heap entries, the HeapWalk function can be used directly to get all valid heap addresses.

In the example, all current heap addresses are kept in a std::set container. These are retrieved when the DLL is loaded in the process and instrumentation beings:

void WalkHeaps(WinApi::HANDLE *heaps, const size_t size)
{
    using namespace WinApi;
 
    fprintf(stderr, "Walking %i heaps.\n", size);
 
    for(size_t i = 0; i < size; ++i)
    {
        if(HeapLock(heaps[i]) == FALSE)
        {
            fprintf(stderr, "Could not lock heap 0x%X"
                "Error = 0x%X\n", heaps[i], GetLastError());
            continue;
        }
 
        PROCESS_HEAP_ENTRY heapEntry = { 0 };
        heapEntry.lpData = NULL;
        while(HeapWalk(heaps[i], &heapEntry) != FALSE)
        {
            for(size_t j = 0; j < heapEntry.cbData; ++j)
            {
                heapAddresses.insert(std::end(heapAddresses),
                    (DWORD_PTR)heapEntry.lpData + j);
            }
        }
 
        fprintf(stderr, "HeapWalk finished with 0x%X\n", GetLastError());
 
        if(HeapUnlock(heaps[i]) == FALSE)
        {
            fprintf(stderr, "Could not unlock heap 0x%X"
                "Error = 0x%X\n", heaps[i], GetLastError());
        }
    }
 
    size_t numHeapAddresses = heapAddresses.size();
    fprintf(stderr, "Found %i (0x%X) heap addresses.\n",
        numHeapAddresses, numHeapAddresses);
 
}

An instrumentation function is then added, which is called on every instruction execution:

INS_AddInstrumentFunction(OnInstruction, 0);

The OnInstruction function checks to see if it is a memory write. If it is then a call to our inspection function is added and subsequently invoked. This function checks if the address that is being written to is in the heap and logs it if that is the case.

VOID OnMemoryWriteBefore(VOID *ip, VOID *addr)
{
    if(IsInHeap(addr))
    {
        fprintf(trace, "Heap entry 0x%p has been modified.\n", addr);
    }
}

Testing this is pretty simple; create a simple application that allocates some data on the heap and performs constant writes to it:

int main(int argc, char *argv[])
{
    int *heapData = new int;
    *heapData = 0;
 
    fprintf(stdout, "Heap address: 0x%p", heapData);
 
    while(true)
    {
        *heapData = (*heapData + 1) % INT_MAX;
        Sleep(500);
    }
 
    return 0;
}

Running the instrumentation against the a compiled version of the code above produces the following output, showing successful instrumentation and heap tracking.heapdiff9

Heap entry 0x007B4B58 has been modified.
Heap entry 0x007B4B6C has been modified.
Heap entry 0x007B4B70 has been modified.
Heap entry 0x007B4B68 has been modified.
Heap entry 0x007B27C8 has been modified.
Heap entry 0x007B27C8 has been modified.
Heap entry 0x007B27C8 has been modified.
Heap entry 0x007B27C8 has been modified.
Heap entry 0x007B27C8 has been modified.
...

The Pin framework provides a lot more functionality than what is covered in the example code provided. The code can further be expanded to disassemble and interpret the writing address and get the current heap value and the value that will be written as in the first example.

Final Notes

This post presented a couple of techniques for finding differences in process heaps. The example code shows basic examples, but has some issues in terms of scaling; a 100MB heap diff takes about 15 minutes with the current implementation due to the large number of lookups. The code should serve as a good starting point to build on if the target application allocates a large amount of heap space.

Code

The Visual Studio 2015 project for this example can be found here. The source code is viewable on Github here. Thanks for reading and follow on Twitter for more updates.

April 13, 2015

Reverse Engineering Vectored Exception Handlers: Implementation (3/3)

Filed under: General x86,General x86-64,Programming,Reverse Engineering — admin @ 8:33 AM

Here an implementation of AddVectoredExceptionHandler as it was reverse engineered.

PVOID RtlAddVectoredExceptionHandler(ULONG FirstHandler, PVECTORED_EXCEPTION_HANDLER VectoredHandler, int Unknown)
{
    PPEB pPeb = GetPEB();
 
    VECTORED_HANDLER_ENTRY *pVecNewEntry =
        (VECTORED_HANDLER_ENTRY *)HeapAlloc((HANDLE)pPeb->ProcessHeap, 0, sizeof(VECTORED_HANDLER_ENTRY));
    if(pVecNewEntry == nullptr)
    {
        return nullptr;
    }
    pVecNewEntry->dwAlwaysOne = 1;
 
    PVOID pEncodedHandler = EncodePointer(VectoredHandler);
    VECTORED_HANDLER_LIST *pVecHandlerBase = (VECTORED_HANDLER_LIST *)(VectorHandlerListBase);
 
    AcquireSRWLockExclusive(&pVecHandlerBase->srwLock);
 
    pVecNewEntry->pVectoredHandler = (PVECTORED_EXCEPTION_HANDLER)pEncodedHandler;
 
    //If the list is empty then set the CrossProcessFlags fields
    if(pVecHandlerBase->pFirstHandler == (VECTORED_HANDLER_ENTRY *)&pVecHandlerBase->pFirstHandler)
    {
        InterlockedBitTestAndSet((LONG *)&pPeb->CrossProcessFlags, 2);
    }
 
    if(FirstHandler)
    {
        //Insert new node at the head of the VEH list
        pVecNewEntry->pNext = pVecHandlerBase->pFirstHandler;
        pVecNewEntry->pPrev = (VECTORED_HANDLER_ENTRY *)&pVecHandlerBase->pFirstHandler;
        pVecHandlerBase->pFirstHandler->pPrev = pVecNewEntry;
        pVecHandlerBase->pFirstHandler = pVecNewEntry;
    }
    else
    {
        //Insert new node at the end of the VEH list
        pVecNewEntry->pNext = (VECTORED_HANDLER_ENTRY *)&pVecHandlerBase->pFirstHandler;
        pVecNewEntry->pPrev = pVecHandlerBase->pLastHandler;
        pVecHandlerBase->pLastHandler->pNext = pVecNewEntry;
        pVecHandlerBase->pLastHandler = pVecNewEntry;
    }
 
    ReleaseSRWLockExclusive(&pVecHandlerBase->srwLock);
 
    return (PVOID)pVecNewEntry;
}

You can download the full Visual Studio 2013 project here. Follow on Twitter for more updates.

April 11, 2015

Reverse Engineering Vectored Exception Handlers: Functionality (2/3)

Filed under: General x86,General x86-64,Programming,Reverse Engineering — admin @ 11:00 AM

This post will continue where the first one left off and explain the operations happening on the doubly linked list of exception handlers. To understand anything in this post, you should read the first one.

Finding the Link Relationships

Given the information from part one, there are two structures at work here: _LdrpVectorHandlerList, which is a non-exported named symbol, and _LdrpVectorHandlerEntry, which is the name given to the struct allocated in _RtlpAddVectoredHandler. Each of these structures has two pointers within them that get moved around.

771E3686 cmp dword ptr [ebp+8],0
771E368A je _RtlpAddVectoredHandler@12+13DF3h (771F7414h)
--------> Jump resolved below
----771F7414 mov eax,dword ptr [edi+4]
----771F7417 mov dword ptr [esi],edi
----771F7419 mov dword ptr [esi+4],eax
----771F741C mov dword ptr [eax],es
----771F741E mov dword ptr [edi+4],esi
----771F7421 jmp _RtlpAddVectoredHandler@12+7Bh (771E369Ch)
771E3690 mov eax,dword ptr [edi]
771E3692 mov dword ptr [esi],eax
771E3694 mov dword ptr [esi+4],edi
771E3697 mov dword ptr [eax+4],esi
771E369A mov dword ptr [edi],esi
vec4

The best way to find out what is happening is to dynamically trace adding exception handlers. For example, what goes on in the code when three exception handlers are added in series?Each one will be added to the head of the list, so that if an exception occurs then the call order will be VectoredHandler3 -> VectoredHandler2 -> VectoredHandler1 -> Unhandled exception. For the case of a handler being inserted at the head of the list, the following instructions will be executed:

771E3690 mov eax,dword ptr [edi]
771E3692 mov dword ptr [esi],eax
771E3694 mov dword ptr [esi+4],edi
771E3697 mov dword ptr [eax+4],esi
771E369A mov dword ptr [edi],esi

The easiest way to see what is going on is to make a table of the runs. Here let X, Y, Z be the different memory addresses of ESI. Let Base be the base address of _LdrpVectorHandlerList, relative to EAX and EDI. I’ve also reproduced the structures and the mappings of registers to fields below.

typedef struct _LdrpVectorHandlerEntry
{
    _LdrpVectorHandlerEntry *pLink1; +0x0 [ESI]
    _LdrpVectorHandlerEntry *pLink2; +0x4 [ESI+0x4]
    DWORD dwAlwaysOne; +0x8
    PVECTORED_EXCEPTION_HANDLER pVectoredHandler; +0xC
} VECTORED_HANDLER_ENTRY, *PVECTORED_HANDLER_ENTRY;

typedef struct _LdrpVectorHandlerList
{
    SRWLOCK srwLock; +0x0
    VECTORED_HANDLER_ENTRY *pLink1; +0x4 [EDI]
    VECTORED_HANDLER_ENTRY *pLink2; +0x8
} VECTORED_HANDLER_LIST, *PVECTORED_HANDLER_LIST; +0xC

First run

[X][X+4][*(Base+4)][Base]
0x772847280x77284728XX

Second run

[Y][Y+4][*(Base+4)][Base]
X0x77284728YY

Third run

[Z][Z+4][*(Base+4)][Base]
Y0x77284728ZZ

Looking at the results of these three adds, you can begin to see a relationship.

[X] = [ESI] Always holds the address of the previous handler

[X+4] = [ESI+0x4] Always holds the address of the base of the table

[*(Base+4)] = [EAX+0x4] Always holds the address of the new handler

[Base] = [EDI] Always holds the address of the new handler

Given that this operation is to insert at the head of the list, it is possible to draw some conclusions. Since [ESI] always contains the address of the previous topmost handler, it can be assumed to be a pointer to the next handler in the chain. [ESI+0x4] can be assumed to be a pointer to the previous handler in the chain, which in the case of inserting a head node, is set as the base of the exception list. Now the struct definition can be completed.

typedef struct _LdrpVectorHandlerEntry { _LdrpVectorHandlerEntry *pNext; _LdrpVectorHandlerEntry *pPrev; DWORD dwAlwaysOne; PVECTORED_EXCEPTION_HANDLER pVectoredHandler; } VECTORED_HANDLER_ENTRY, *PVECTORED_HANDLER_ENTRY;

[EAX+0x4] is a bit more difficult to discern. EAX holds the value of the address of the second field in _LdrpVectorHandlerList. This is dereferenced and the second item in the dereferenced struct is set to the address of the new handler. What is happening here is that the pPrev field of the current topmost handler prior to inserting a new one is set to the address of the new handler, thus keeping the list chain intact. This may not seem obvious from looking at the assembly but is what is occurring when actually stepping through the instructions with a debugger. Lastly, EDI, which is the first member of _LdrpVectorHandlerList is set to hold the address of the new handler.

Now for the other case: inserting at the back of the vectored exception list. In that scenario, the following instructions will be executed:

771F7414 mov eax,dword ptr [edi+4]
771F7417 mov dword ptr [esi],edi
771F7419 mov dword ptr [esi+4],eax
771F741C mov dword ptr [eax],esi
771F741E mov dword ptr [edi+4],esi
771F7421 jmp _RtlpAddVectoredHandler@12+7Bh (771E369Ch)

This is a slight variation on the first case. The best way to see what is going on is to step through the assembly code again. Here X, Y, and Z will map to [ESI] like last time. Here Base will be [EDI+0x4], the third member of _LdrpVectorHandlerList — unlike [EDI] in the previous segment, which was the second member. [Base+0x4] will be [EDI + 0x4].

First run

[X][X+4][Base][*(Base+4)]
0x772847280x77284728XX

Second run

[Y][Y+4][Base][*(Base+4)]
0x77284728XYY

Third run

[Z][Z+4][Base][*(Base+4)]
0x77284728YZZ

Again,

[X] = [ESI]  Always holds the address of the base of the table

[X+4] = [ESI+0x4] Holds the address of the previous handler

[Base] = [EAX] Holds the address to the new handler

[*(Base +4)] = [EDI+0x4] Holds the address of the new handler

Here, the mappings that were established for [X] and [X+4] as pNext and pPrev still make sense. For a node inserted at the back of the exception list, pNext will point to the base of the table (end), and pPrev will point to the address of the previous handler. Here [Base] is the third member of _LdrpVectorHandlerList. Given what is known from the previous run and this one, it is possible to draw a conclusion that the two pointers in _LdrpVectorHandlerList are pointers to the first and last exception handlers. The definition of _LdrpVectorHandlerList can now be completed.

typedef struct _LdrpVectorHandlerList { SRWLOCK srwLock; VECTORED_HANDLER_ENTRY *pFirstHandler; VECTORED_HANDLER_ENTRY *pLastHandler; } VECTORED_HANDLER_LIST, *PVECTORED_HANDLER_LIST;

That wraps up the implementation details of vectored exception handlers. The full C implementation will be provided in the next post. Follow on Twitter for more updates.

Follow me

April 8, 2015

Reverse Engineering Vectored Exception Handlers: Structures (1/3)

Filed under: General x86,General x86-64,Programming,Reverse Engineering — admin @ 5:02 PM

This series of posts will cover the details of reverse engineering the AddVectoredExceptionHandler function, a Windows API function responsible for registering a special type of exception handler at runtime. The series will be split in to three parts: first identifying key structures that are used, second understanding the implementation, and lastly re-implementing the reverse engineered assembly to working C code. This reverse engineered implementation will behave identically with the original function, and presumably under the same compiler options, would produce a very close assembly listing. The reverse engineering was done on Windows 7, so there will be slight differences in assembly listings if you are following along on a different version. The re-implementation code (part 3) was tested on Windows 7 and 8.1 on x86 and x64, so the high-level details should not change.

Starting out

The goal is to see how AddVectoredExceptionHandler works. This means tracing it through from an example program over in to kernel32.dll, where the implementation resides. Naturally, the best way to go about doing this is with a debugger. The Visual Studio debugger will be the debugger of choice for this series since we’ll be debugging our own code.

vec1

Stepping in to the disassembly shows that AddVectoredExceptionHandler calls _RtlAddVectoredExceptionHandler, which in turn is a wrapper for _RtlpAddVectoredHandler. The assembly listing for _RtlAddVectoredExceptionHandler is shown below:

_RtlAddVectoredExceptionHandler@8:
771F742B  mov         edi,edi  
771F742D  push        ebp  
771F742E  mov         ebp,esp  
771F7430  push        0  
771F7432  push        dword ptr [ebp+0Ch]  
771F7435  push        dword ptr [ebp+8]  
771F7438  call        _RtlpAddVectoredHandler@12 (771E3621h)  
771F743D  pop         ebp  
771F743E  ret         8

This  code simply pushes an extra constant parameter and invokes _RtlpAddVectoredHandler(FirstHandler, VectoredHandler, 0). The actual details reside in _RtlpAddVectoredHandler, reproduced in its entirety, below:

_RtlpAddVectoredHandler@12:
771E3621  mov         edi,edi  
771E3623  push        ebp  
771E3624  mov         ebp,esp  
771E3626  mov         eax,dword ptr fs:[00000018h]  
771E362C  mov         eax,dword ptr [eax+30h]  
771E362F  push        esi  
771E3630  push        10h  
771E3632  push        0  
771E3634  push        dword ptr [eax+18h]  
771E3637  call        _RtlAllocateHeap@12 (771AE026h)  
771E363C  mov         esi,eax  
771E363E  test        esi,esi  
771E3640  je          _RtlpAddVectoredHandler@12+83h (771E36A4h)  
771E3642  push        ebx  
771E3643  push        edi  
771E3644  push        dword ptr [ebp+0Ch]  
771E3647  mov         dword ptr [esi+8],1  
771E364E  call        _RtlEncodePointer@4 (771C0FCBh)  
771E3653  mov         ebx,dword ptr [ebp+10h]  
771E3656  imul        ebx,ebx,0Ch  
771E3659  add         ebx,77284724h  
771E365F  push        ebx  
771E3660  mov         dword ptr [esi+0Ch],eax  
771E3663  lea         edi,[ebx+4]  
771E3666  call        _RtlAcquireSRWLockExclusive@4 (771B29F1h)  
771E366B  cmp         dword ptr [edi],edi  
771E366D  jne         _RtlpAddVectoredHandler@12+65h (771E3686h)  
771E366F  mov         ecx,dword ptr fs:[18h]  
771E3676  mov         eax,dword ptr [ebp+10h]  
771E3679  mov         ecx,dword ptr [ecx+30h]  
771E367C  add         eax,2  
771E367F  add         ecx,28h  
771E3682  lock bts    dword ptr [ecx],eax  
771E3686  cmp         dword ptr [ebp+8],0  
771E368A  je          _RtlpAddVectoredHandler@12+13DF3h (771F7414h)  
    ----> Jump resolved below
    771F7414  mov         eax,dword ptr [edi+4]  
    771F7417  mov         dword ptr [esi],edi  
    771F7419  mov         dword ptr [esi+4],eax  
    771F741C  mov         dword ptr [eax],esi  
    771F741E  mov         dword ptr [edi+4],esi  
    771F7421  jmp         _RtlpAddVectoredHandler@12+7Bh (771E369Ch)  
771E3690  mov         eax,dword ptr [edi]  
771E3692  mov         dword ptr [esi],eax  
771E3694  mov         dword ptr [esi+4],edi  
771E3697  mov         dword ptr [eax+4],esi  
771E369A  mov         dword ptr [edi],esi  
771E369C  push        ebx  
771E369D  call        _RtlReleaseSRWLockExclusive@4 (771B29ABh)  
771E36A2  pop         edi  
771E36A3  pop         ebx  
771E36A4  mov         eax,esi  
771E36A6  pop         esi  
771E36A7  pop         ebp  
771E36A8  ret         0Ch

Decoding the Assembly

Don’t mind the gratuitous highlighting above; it is there to highlight individual pieces of the function and make it more manageable to understand. The function begins by performing a call to RtlAllocateHeap, highlighted in orange. The three parameters provided are [EAX+18], 0, and 16 (0x10). EAX is initially loaded with the address of the TIB structure (light pink). From this structure, the PEB structure is then retrieved. The member at [PEB+0x18], which is documented as ProcessHeap is then given to RtlAllocateHeap. Everything here seems to make sense so far.

Next, in green, comes a call to RtlEncodePointer, which is the implementation of EncodePointer. The address of the vectored handler, at [EBP+0xC] is given as the argument here. This function, as its name implies, is responsible for encoding the provided pointer. It does this by performing an XOR with a cookie value generated at runtime.

From earlier, it should be noticed that the requested allocation size provided to RtlAllocateHeap was 16 bytes (0x10). The next few instructions give some information about how this returned memory is accessed. The instructions in black move two values into this memory region, one at 0x8 and one at 0xC. Given this information, it is safe to assume that what is being allocated is a 16 byte struct. The third field at +0x8 is always set to 1 in this function, and the fourth at +0xC is set to hold the encoded handler address. It’s possible to write out a basic definition for this struct at this point:

struct MysteryStruct
{
    DWORD dwUnknown1; +0x0
    DWORD dwUnknown2; +0x4
    DWORD dwAlwaysOne; +0x8
    PVECTORED_EXCEPTION_HANDLER pVectoredHandler; +0xC
};

This definition will be revisited and completed later.

The next block of code, in teal, performs some arithmetic operations. It loads [EBP+0x10], which was shown to be always 0 (from _RtlAddVectoredExceptionHandler) into EBX. This value is multipled by 12 (0xC), which still yields a zero. Then the value 0x77284724 is added to it. Checking what resides at this address in a debugger shows something interesting:

_LdrpVectorHandlerList:
77284724 01 00                add         dword ptr [eax],eax  
77284726 00 00                add         byte ptr [eax],al  
77284728 28 47 28             sub         byte ptr [edi+28h],al  
7728472B 77 28                ja          _RtlpProcessHeapsListBuffer+15h (77284755h)  
7728472D 47                   inc         edi  
7728472E 28 77 00             sub         byte ptr [edi],dh  
...

It turns out that 0x77284724 is the address of the symbol _LdrpVectorHandlerList. The non-sense assembly instructions there are simply mnemonic representations of _LdrpVectorHandlerList‘s  data members. The base of this structure is used as an argument for _RtlAcquireSRWLockExclusive, which is the implementation of AcquireSRWLockExclusive. This function takes a PSRWLOCK argument. Given this, it is immediately possible to deduce that the first member of _LdrpVectorHandlerList is an SRWLOCK structure. More about this structure will be revealed later.

The code in bright pink begins by loading the second field in the _LdrpVectorHandlerList structure in to EDI. This value is then dereferenced and compared to its own address — basically a check if a pointer is pointing to itself. If that is the case then the rest of the pink block will be executed. The code once again retrieves the PEB structure similar to light pink. Expect this time, [PEB+0x28] will be the value that ends up being used. Additionally, it loads [EBP+0x10] (always 0) into EAX, and adds 2 to it. There it an atomic bit test and set instruction that is carried out between [PEB+0x28] and 2. [PEB+0x28] has been documented as “CrossProcessFlags” and is a bit of a mystery in the context of this function.

Lastly, the block in red is where the actual interesting code happens. It begins by checking to see if the first parameter to the function, the flag saying whether the handler is to be the first or last in the chain, is zero. In either case, there are a lot of pointers moving around from looking at the instructions. One would guess that from implementing an exception handler list that there would be pointers to next/previous nodes. Lets begin investigating the case where an exception handler will be added to front of the chain (FirstHandler parameter does not equal 0). Starting at 0x771E3690, [EDI] is moved into EAX. From earlier, [EDI] holds the second member of the _LdrpVectorHandlerList structure. This is then moved in to [ESI], which is the first member of the structure allocated with RtlAllocateHeap (MysteryStruct above). Then EDI (not dereferenced) is moved in to [ESI+0x4].

This completes finding references to the allocated structure. RtlAllocateHeap had a request for 16 bytes, and 16 bytes have now been used/written to. ESI is then moved in to [EAX+4] and [EDI], which relate to two pointers in _LdrpVectorHandlerList. The part where the handler is added to the back over the list won’t be covered in this post, since it’s basically the same thing except for which pointers get rearranged.

Finalizing Structure Definitions

Going through the code revealed two main structures at work here. There is the 16 byte structure that was allocated in the beginning and the _LdrpVectorHandlerList structure. The MysteryStruct from earlier can be better defined now. I’ve renamed it as _LdrpVectorHandlerEntry to be consistent with the known _LdrpVectorHandlerList symbol.

typedef struct _LdrpVectorHandlerEntry
{
    _LdrpVectorHandlerEntry *pLink1; +0x0
    _LdrpVectorHandlerEntry *pLink2; +0x4
    DWORD dwAlwaysOne; +0x8
    PVECTORED_EXCEPTION_HANDLER pVectoredHandler; +0xC
} VECTORED_HANDLER_ENTRY, *PVECTORED_HANDLER_ENTRY;

Also, from studying the pointer swapping operations between the new entry and the list, it is possible to define _LdrpVectorHandlerList a bit more clearly as well:

typedef struct _LdrpVectorHandlerList
{
    SRWLOCK srwLock; +0x0
    VECTORED_HANDLER_ENTRY *pLink1; +0x4
    VECTORED_HANDLER_ENTRY *pLink2; +0x8
} VECTORED_HANDLER_LIST, *PVECTORED_HANDLER_LIST; +0xC

The types in these structures have been defined. The next part of this series will cover how the links behave. Follow on Twitter for more updates.

« Newer PostsOlder Posts »

Powered by WordPress