December 2, 2014

Writing a Primitive Debugger: Part 2 (Breakpoints/Stepping)

Filed under: General x86,General x86-64,Programming,Reverse Engineering — admin @ 9:06 AM

For a debugger to be of any practical use, it needs the ability to pause, inspect, and resume a target process. This post will cover these topics by discussing what breakpoints are, how they are implemented by most debuggers on the x86 and x64 Windows platforms, and how to perform instruction level stepping.

A breakpoint can simply be defined as a place in a executing code that causes an intentional halt of execution. In the context of debuggers, this is useful because it allows the debugger to inspect the process at that moment in time when nothing is going on — when the process is effectively “broken”. Typical functionality that is seen in debuggers when the target is in a broken state is the ability to view and modify registers/memory, print a disassembly listing of the area surrounding the breakpoint, step into or step over assembly instructions or lines of source code, and other related diagnostic features. Breakpoints themselves can come in a few different varieties.

Hardware Interrupt Breakpoints
Hardware interrupt breakpoints are probably the most common and simple breakpoints to understand and to implement in a debugger. These are specific to the x86 and x64 architectures and are implemented by using a hardware-supported instruction specifically made to generate a software interrupt that is meant for debuggers. The opcode for this instruction is 0xCC and it matches to an INT 3 instruction. The way that most debuggers implement this is to replace the opcode at the desired address — that is, the breakpoint address — with the 0xCC opcode. When the code is called, the interrupt (EXCEPTION_BREAKPOINT) will be raised, which the debugger will handle and give the user the option to perform the debugging functionality mentioned above. When the user is finished inspecting the program state at that address and wishes to continue, the debugger will replace the original instruction back, make sure that the executing address (EIP or RIP registers, depending on the architecture) point to that original address, and continue execution.

However, an interesting problem comes up. When the original instruction is replaced back, the breakpoint will be lost. This may be alright if the breakpoint is meant to be hit only once, but that is very rarely the case. There needs to be a way to re-enable that breakpoint immediately afterwards. This is done by setting the EFlags (or RFlags for x64) register to set the processor into single-step mode. Fortunately, that is pretty easily accomplished by enabling the 8th bit, i.e. performing an OR with 0x100. When the EXCEPTION_BREAKPOINT exception is handled and execution resumes, there will be another exception, EXCEPTION_SINGLE_STEP, thrown on the next instruction executed. At this point, the debugger can re-enable the breakpoint on the previous instruction and resume execution.

On the Windows platform, it is easy to see all of this at work by inspecting the DebugBreak function. This function is meant to trigger a local (from within the same process) breakpoint. Below is the disassembly of the function, which shows it simply being what is described above. Those wondering about the mov edi, edi instruction can read more about hot-patchable images, specifically Raymond Chen’s post about the explanation.

752C3C5D 8B FF                mov         edi,edi  
752C3C5F CC                   int         3  
752C3C60 C3                   ret  

Hardware Debug Registers
The second breakpoint implementation technique is also specific to the x86 and x64 architectures and takes advantage of specific debug registers provided by the instruction set. These are the debug registers DR0, DR1, DR2, DR3, and DR7. The first four registers are used to hold the addresses that a hardware breakpoint will break on. Using these means that for the entire program, there can be at most four hardware breakpoints active. The DR7 register is used to control enablement of these registers, with bits 0, 2, 4, 6 corresponding to on/off for DR0, … , DR3. Additionally, bits 16-17, 20-21, 24-25, and 28-29 function as a bitmask for DR0, … , DR3 for when these breakpoints will trigger, with 00 being on execution, 01 on read, and 11 on write.

Setting these breakpoints on the Windows platform is a bit tricky. They must be set on the processes main thread. This involves getting the main thread, opening a handle to it with at least THREAD_GET_CONTEXT and THREAD_SET_CONTEXT privileges, and getting/setting the threads context with GetThreadContext/SetThreadContext with the newly added debug registers to reflect the changes. Take note that no executable code in memory is modified to set these breakpoints. It is not like the previous case where an opcode had to be replaced. These are breakpoints that set and unset by changing the contents of hardware registers. What will happen when these are set is that the process will raise an EXCEPTION_SINGLE_STEP exception upon hitting the instruction at the address, which the debugger will then process in a fashion nearly identical to the way it would in the previous section. Due to the small number limitation, these won’t be presented in the sample breakpoint code in this post, but may eventually be written about in the future for the sake of completeness. I have written about their usage for API hooking in a previous post (excuse the dead links in the beginning). The implementation for a debugger is very close to how it is presented there.

Software Breakpoints
This last class of breakpoints is performed entirely in software and is tied strongly to how the operating system functions. Another name for them is memory breakpoints. They combine some of the best features of interrupt breakpoints, namely the ability to have as many as you’d like, with the best features of hardware breakpoints, which is that nothing in the executing code needs to be overwritten. However, there is a major drawback: they add a significant slowdown to the execution of the code due to their implementation.

Instead of being implemented at the address level, these are implemented at the page level. How these work is that the address where a breakpoint will be set will have its page permissions changed to that of a guard page using VirtualProtectEx. When any instruction on the page will be accessed, there will be an EXCEPTION_GUARD_PAGE exception thrown. The debugger will handle this exception and check if the offending address is that of the breakpoint address. If so, the debugger can perform the usual handling/user prompt as with any other breakpoint. If not then the debugger must perform some extra steps.

According to the documentation, the guard page protection will be removed from the page after it is raised. This means that once the exception is handled and execution continues, any access afterwards will not generate an EXCEPTION_GUARD_PAGE exception. So in the case that the instruction accessed is not the desired breakpoint address, the breakpoint will be lost. To remedy this, the technique similar to the one presented in the hardware interrupt breakpoint section will be used. The processor will enter in to single-step mode and continue execution. On the next instruction, there will be an EXCEPTION_SINGLE_STEP exception raised. This will be handled by the debugger and the guard page property will be re-enabled on the page. This implementation also will not be covered in this post, but may be covered in the future. I have written about it before, also in the context of API hooking, here.


As mentioned above, enabling and disabling hardware interrupt breakpoints is simply a matter of overwriting opcodes with 0xCC (INT 3). In Windows, this is accomplished in a pretty straightforward manner with the usage of ReadProcessMemory and WriteProcessMemory.

const bool InterruptBreakpoint::EnableBreakpoint()
    SIZE_T ulBytes = 0;
    bool bSuccess = BOOLIFY(ReadProcessMemory(m_hProcess, (LPCVOID)m_dwAddress, &m_originalByte, sizeof(unsigned char), &ulBytes));
    if (bSuccess && ulBytes == sizeof(unsigned char))
        bSuccess = BOOLIFY(WriteProcessMemory(m_hProcess, (LPVOID)m_dwAddress, &m_breakpointOpcode, sizeof(unsigned char), &ulBytes));
        return bSuccess && (ulBytes == sizeof(unsigned char));
        fprintf(stderr, "Could not read from address %p. Error = %X\n", m_dwAddress, GetLastError());
    return false;

The original byte at the target address is read and stored and then overwritten with 0xCC. Nothing too shocking or out of the ordinary. Disabling the breakpoint is simply done by performing the opposite and writing back the original byte.

const bool InterruptBreakpoint::DisableBreakpoint()
    SIZE_T ulBytes = 0;
    const bool bSuccess = BOOLIFY(WriteProcessMemory(m_hProcess, (LPVOID)m_dwAddress, &m_originalByte, sizeof(unsigned char), &ulBytes));
    if (bSuccess && ulBytes == sizeof(unsigned char))
        return true;
    fprintf(stderr, "Could not write back original opcode to address %p. Error = %X\n", m_dwAddress, GetLastError());
    return false;

Now with the ability to enable/disable breakpoints, it is time to look at the handlers. As mentioned, upon accessing the instruction where the breakpoint resides, an EXCEPTION_BREAKPOINT exception will be raised. There are a few steps here that need to be done:

  1. Check if the breakpoint is in the breakpoint list. This is done because when the debugger first attaches, an EXCEPTION_BREAKPOINT will be raised from the debuggers attaching thread (see previous post). We don’t care about this exception, so just skip it and continue execution
  2. If it is in the breakpoint list, and therefore a breakpoint that the user explicitly set, it needs to be disabled. As mentionted before, this is to allow the original instruction to be executed.
  3. Open a handle to the thread and get the thread context. Change the execution pointer (EIP or RIP) to point to the breakpoint address and also enable single-step mode. Set the thread context to this newly modified context
  4. Save this breakpoint. This is to re-enable it during the EXCEPTION_SINGLE_STEP exception that will be raised immediately after continuing execution.
  5. Prompt the user to continue or perform single-steps. Wait for their response and continue execution afterwards depending on the choice.

Put into code, it looks like the following:

Register(DebugExceptions::eBreakpoint, [&](const DEBUG_EVENT &dbgEvent)
    auto &exceptionRecord = dbgEvent.u.Exception.ExceptionRecord;
    const DWORD_PTR dwExceptionAddress = (DWORD_PTR)exceptionRecord.ExceptionAddress;
    fprintf(stderr, "Received breakpoint at address %p.\n", dwExceptionAddress);  
    Breakpoint *pBreakpoint = m_pDebugger->FindBreakpoint(dwExceptionAddress);
    if (pBreakpoint != nullptr)
        if (pBreakpoint->Disable())
            CONTEXT ctx = { 0 };
            ctx.ContextFlags = CONTEXT_ALL;
            HANDLE hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, dbgEvent.dwThreadId);
            if (hThread != NULL)
                (void)GetThreadContext(hThread, &ctx);
#ifdef _M_IX86
                ctx.Eip = (DWORD_PTR)dwExceptionAddress;
#elif defined _M_AMD64
                ctx.Rip = (DWORD_PTR)dwExceptionAddress;
#error "Unsupported architecture"
                ctx.EFlags |= 0x100;
                m_pDebugger->m_pLastBreakpoint = pBreakpoint;
                m_pDebugger->m_dwExecutingThreadId = dbgEvent.dwThreadId;
                (void)SetThreadContext(hThread, &ctx);
                fprintf(stderr, "Press c to continue or s to begin stepping.\n");
                fprintf(stderr, "Could not open handle to thread %p. Error = %X\n", dbgEvent.dwThreadId, GetLastError());
            fprintf(stderr, "Could not remove breakpoint at address %p.", dwExceptionAddress);

The handler for EXCEPTION_SINGLE_STEP exceptions serves two purposes: it is there to re-enable breakpoints that were just hit, and it is also there to allow the user to continue single-stepping execution of the program. As a result of this, there needs to be a flag declared that is set when the user wishes to enter single-step mode by themselves (instead of it being set through hitting a breakpoint). If the user is in single-step mode then show them a prompt and wait for a response to continue stepping or to continue execution entirely. Again, put into code, it looks like the following:

Register(DebugExceptions::eSingleStep, [&](const DEBUG_EVENT &dbgEvent)
    auto &exceptionRecord = dbgEvent.u.Exception.ExceptionRecord;
    const DWORD_PTR dwExceptionAddress = (DWORD_PTR)exceptionRecord.ExceptionAddress;
    fprintf(stderr, "Received single step at address %p\n", dwExceptionAddress);
    if (m_pDebugger->m_bIsStepping)
        fprintf(stderr, "Press s to continue stepping.\n");
        m_pDebugger->m_dwExecutingThreadId = dbgEvent.dwThreadId;
    if (!m_pDebugger->m_pLastBreakpoint->IsEnabled())

Debugger in action

With everything in place, the debugger is ready to be tested out. The easiest way is to write a sample program that will be attached to:

#include <stdio.h>
#include <Windows.h>
void TestFunction()
    printf("Hello, World!\n");
int main(int argc, char *argv[])
    printf("Test function address: %p\n", TestFunction);
    while (true)
    return 0;

On my machine, TestFunction resided at 0x13B1000. After attaching and setting a breakpoint on this address, the debugger was able to successfully step execution of the program or continue entirely.

Target address: 0x13B1000
Received breakpoint at address 13B1000.
Press c to continue or s to begin stepping.
Received single step at address 13B1001
Press s to continue stepping.
Received single step at address 13B1003
Press s to continue stepping.
Received single step at address 13B1009
Press s to continue stepping.
Received single step at address 13B100A
Press s to continue stepping.

The stepped addresses successfully matched up with the disassembly.

013B1000 55                   push        ebp  
013B1001 8B EC                mov         ebp,esp  
013B1003 81 EC C0 00 00 00    sub         esp,0C0h  
013B1009 53                   push        ebx  
013B100A 56                   push        esi  

This was also tested on an x64 version (with a x64 build of the debugger) with equal success.

Article Roadmap
Future posts will be related on topics closely following the items below:

  • Basics
  • Adding/Removing Breakpoints, Single-stepping
  • Call Stack, Registers, Contexts
  • Symbols
  • Miscellaneous Features

The full source code relating to this can be found here. C++11 features were used, so MSVC 2012/2013 is most likely required.

November 27, 2014

Writing a Primitive Debugger: Part 1 (Basics)

Filed under: General x86,General x86-64,Programming,Reverse Engineering — admin @ 2:02 PM

As software developers (or reverse engineers), debuggers are an invaluable tool. They allow for runtime analysis and introspection/understanding of the program in order to find out how it works — or oftentimes doesn’t. This series of posts will go in to how they work and how to begin developing a primitive debugger targeting the Windows platform running on the x86 or x64 architectures.

In order to debug a process, a debugger must be able to attach to it. This means that there should be a way for the debugger to interact with the process in such a way that the debugger will have access to the processes address space, the ability to halt and continue execution, modify registers, and so on. Likewise, a debugger should be able to safety detach from a process and let it continue running when a debugging session is finished. On the Windows platform this is achieved by calling the DebugActiveProcess function and specifying the process identifier of the target. Alternatively, it can also be accomplished by calling CreateProcess with the DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS creation flags. This latter method will create a new process and attach to it rather than attaching to one already running on the system. Once attached, the debugger can specify a policy on whether to kill the process on detach with DebugSetProcessKillOnExit. Lastly, the process for detaching is a straightforward call to DebugActiveProcessStop. Putting all of these together produces code similar to the following:

const bool Debugger::Start()
    m_bIsActive = BOOLIFY(DebugActiveProcess(m_dwProcessId));
    if (m_bIsActive)
        const bool bIsSuccess = BOOLIFY(DebugSetProcessKillOnExit(m_bKillOnExit));
        if (!bIsSuccess)
            fprintf(stderr, "Could not set process kill on exit policy. Error = %X\n", GetLastError());
        return DebuggerLoop();
        fprintf(stderr, "Could not debug process %X. Error = %X\n", m_dwProcessId, GetLastError());
    return false;
const bool Debugger::Stop()
    m_bIsActive = BOOLIFY(DebugActiveProcessStop(m_dwProcessId));
    if (!m_bIsActive)
        fprintf(stderr, "Could not stop debugging process %X. Error = %X\n", m_dwProcessId, GetLastError());
    return m_bIsActive;

where m_dwProcessId and m_bKillOnExit are parameters provided through the Debugger constructor (see sample code). The BOOLIFY macro is also just a simple

#define BOOLIFY(x) !!(x)

definition to encourage type safety. At this point we have a simple debugger that can attach to and detach from a target process, but cannot handle any debug events. This is where the debugging loop comes in.

The Debugging Loop
The core component of any debugger is the debugging loop. This is the part responsible for waiting for a debug event, processing said event, and then waiting for the next event, hence the loop. On the Windows platform, this is pretty straightforward. It’s actually straightforward enough that Microsoft wrote up a short MSDN page on what needs to be done at this step. The steps involved are that (in a loop), the debugger calls WaitForDebugEvent which waits for a debug event from the process. These debug events are enumerated here and are commonly events related to process and thread creation/destruction, loading or unloading of DLLs, any exceptions raised, or debug strings output specifically for a debugger to see. Once this function returns, it will populate a DEBUG_EVENT structure with the information related to the particular debug event. At this point, it is the debuggers job to handle the event. After handling the event, the handlers must provide a continue status to ContinueDebugEvent, which is a code telling the thread that raised the event how to carry on execution after the event was handled. For most events, i.e. CREATE_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT, etc, you want to continue execution since these events do not reflect anything wrong with program behavior, but are events to notify the debugger of changing process state. This is done by choosing DBG_CONTINUE as the continue status. For the exceptional cases, such as exceptions which lead to undefined program behavior such as access violations, illegal instruction execution, divides by zero, etc, the process is nearing a point of no return. The debuggers job at this point is to gather and display information relating to the crash and in most cases terminate the process. This termination can happen inside the handler itself for these exceptions, or the debugger can choose to continue the debug event with the DBG_EXCEPTION_NOT_HANDLED continue status, meaning that the debugger is relinquishing responsibility of handling this exception properly. In almost all cases, this will lead to the program terminating on its own immediately afterwards. However, there are sometimes corner cases, particularly in malware, where the process will install its own runtime exception handler as an obfuscation technique and produce its own runtime exceptions to be handled within this handler to carry out some functionality. Continuing the exception in this case would not result in a crash since the process is able to handle its own exception after the debugger forwards it along the exception handler chain. Putting cases like those aside for now, a typical debugging loop may look like the following:

const bool Debugger::DebuggerLoop()
    DEBUG_EVENT dbgEvent = { 0 };
    DWORD dwContinueStatus = 0;
    bool bSuccess = false;
    while (m_bIsActive)
        bSuccess = BOOLIFY(WaitForDebugEvent(&dbgEvent, INFINITE));
        if (!bSuccess)
            fprintf(stderr, "WaitForDebugEvent returned failure. Error = %X\n", GetLastError());
            return false;
        m_pEventHandler->Notify((DebugEvents)dbgEvent.dwDebugEventCode, dbgEvent);
        dwContinueStatus = m_pEventHandler->ContinueStatus();
        bSuccess = BOOLIFY(ContinueDebugEvent(dbgEvent.dwProcessId, dbgEvent.dwThreadId, dwContinueStatus));
        if (!bSuccess)
            fprintf(stderr, "ContinueDebugEvent returned failure. Error = %X\n", GetLastError());
            return false;
    return true;

with m_pEventHandler being responsible for registering handlers and setting a continue status to be passed along to ContinueDebugEvent. The example code registers handlers for events/exceptions and outputs information relevant to each event/exception. The style below is followed for all events and exceptions:

Register(DebugEvents::eCreateThread, [&](const DEBUG_EVENT &dbgEvent)
    auto &info = dbgEvent.u.CreateThread;
    fprintf(stderr, "CREATE_THREAD_DEBUG_EVENT received.\n"
        "Handle: %X\n"
        "TLS base: %X\n"
        "Start address: %X\n",
        info.hThread, info.lpThreadLocalBase, info.lpStartAddress);
Register(DebugEvents::eCreateProcess, [&](const DEBUG_EVENT &dbgEvent)
    auto &info = dbgEvent.u.CreateProcessInfo;
    fprintf(stderr, "CREATE_PROCESS_DEBUG_EVENT received.\n"
        "Handle (image file): %X\n"
        "Handle (process): %X\n"
        "Handle (main thread): %X\n"
        "Image base address: %X\n"
        "Debug info file offset: %X\n"
        "Debug info size: %X\n"
        "TLS base: %X\n"
        "Start address: %X\n",
        info.hFile, info.hProcess, info.hThread, info.lpBaseOfImage,
        info.dwDebugInfoFileOffset, info.nDebugInfoSize, info.lpThreadLocalBase,
    m_hProcess = info.hProcess;

That should be all that is really needed to get  started on creating a basic debugger. This debugger features the ability attach/detach, handle debug events, and output information pertaining to these events. To test this out, we can create a simple program to generate an exception that will be caught by the debugger when it is attached.

#include <stdio.h>
#include <Windows.h>
int main(int argc, char *argv[])
    printf("Press enter to raise an exception.\n");
    if (IsDebuggerPresent())
        OutputDebugStringA("This should be seen by the debugger.\n");
        RaiseException(STATUS_ACCESS_VIOLATION, 0, 0, nullptr);
        printf("Process was not being debugged.\n");
    return 0;

Here is the output of the debugger upon attaching to the process and receiving the access violation:

Handle (image file): 4C
Handle (process): 48
Handle (main thread): 44
Image base address: EE0000
Debug info file offset: 0
Debug info size: 0
TLS base: 7F03F000
Start address: 0
Handle: 54
Base address: 77040000
Debug info file offset: 0
Debug info size: 0
Name: \\?\C:\Windows\SysWOW64\ntdll.dll
Handle: 5C
Base address: 76A00000
Debug info file offset: 0
Debug info size: 0
Name: \\?\C:\Windows\SysWOW64\kernel32.dll
Handle: 50
Base address: 765D0000
Debug info file offset: 0
Debug info size: 0
Name: \\?\C:\Windows\SysWOW64\KernelBase.dll
Handle: 60
Base address: F7F0000
Debug info file offset: 0
Debug info size: 0
Name: \\?\C:\Windows\SysWOW64\msvcr120d.dll
Handle: 64
TLS base: 7F03C000
Start address: 770EBCFC
Received exception event.
First chance exception: 1
Exception code: 80000003
Exception flags: 0
Exception address: 770670BC
Number parameters (associated with exception): 1
Received breakpoint
Thread 1B20 exited with code 0.
Debug string: This should be seen by the debugger.

Received exception event.
First chance exception: 1
Exception code: C0000005
Exception flags: 0
Exception address: 765E2F71
Number parameters (associated with exception): 0
Received access violation
Received exception event.
First chance exception: 0
Exception code: C0000005
Exception flags: 0
Exception address: 765E2F71
Number parameters (associated with exception): 0
Received access violation
Process 390 exited with code C0000005.

As you can see from the output, the debugger receives a CREATE_PROCESS_DEBUG_EVENT upon attaching. This event is always the first one triggered upon a debugger attaching and lets the debugger obtain a handle to the process that lets the debugger read/write from process memory, change the processes thread contexts, etc. It also may give information about any sort of debug information relevant to the process. Following that are the events related to any loaded DLLs in the process address space. Afterwards two interesting events come up. They are a CREATE_THREAD_DEBUG_EVENT and an exception with an exception code corresponding to EXCEPTION_BREAKPOINT. These are covered in the section below. Lastly, the debugger successfully displays the debug string provided by the process, and shows the access violation also being successfully received. Since the debugger sample code does not terminate the process, you can see the exception being raised multiple times. Initially it is raised as a first chance exception, but comes back around around as a second/last chance exception since the target process was not able to handle it. The process then terminates with a status code corresponding to EXCEPTION_ACCESS_VIOLATION.

What actually happens when a debugger is attached?
One current mystery about the debugger output may be where those CREATE_THREAD_DEBUG_EVENT, breakpoint, and EXIT_THREAD_DEBUG_EVENT events came from. These events are triggered as a result of the debugger attaching to the process. When the DebugActiveProcess is called, it forwards on to the NtDebugActiveProcess syscall. This syscall is responsible for setting up the process to be in a debugable state, which at the very least involves changing the BeingDebugged flag of the Process Environment Block for the target process — this is how the IsDebuggerPresent function works in the target process to check if it is being debugged. Afterwards, a thread will be created in the target process. This thread will have a start address that corresponds to an 0xCC (int 3) instruction, better known as a breakpoint on x86 and x64 architectures. This is why the debugger displays as having received a breakpoint. When execution is continued, this thread exits the process begins executing normally again.

Article Roadmap
Future posts will be related on topics closely following the items below:

  • Basics
  • Adding/Removing Breakpoints, Single-stepping
  • Call Stack, Registers, Contexts
  • Symbols
  • Miscellaneous Features

The full source code relating to this can be found here. C++11 features were used, so MSVC 2012/2013 is most likely required.

June 10, 2014

Monitoring APIs with RPC and Protocol Buffers

Filed under: General x86,General x86-64,Programming — admin @ 11:48 PM

This post will discuss API monitoring in a remote process through RPCs (via sockets) and Google’s Protocol Buffers encoding/message interchange format. The purpose is to use the example as a building block for a generic API monitoring client-server application, with the server being resident inside of a DLL that is injected into a remote process. Clients can connect and send messages to install/remove hooks and receive updates from the server when these desired APIs are called by the target application. In summary, the system will interact as follows:

  • A process that is the target of monitoring will be running on the system.
  • A DLL is injected into this process and a server socket is created and begins listening.
  • A separate client application will connect on the server port and begin issuing commands to the server to add/remove hooks.
  • The server will receive these commands and inform the client when the desired API is hit. The parameters will be passed back to the client and the server will wait for a response from the client to continue execution in order for the client to properly process the returned parameters.

Below is the example protocol that these components will interact through

package ApiMonitor.ProtoBuf;

message Call
    required uint32 uiHookId = 1;
    repeated uint64 uiParameter = 2;

message AddHook
    required uint32 uiHookId = 1;
    required string strDllName = 2;
    required string strFunctionName = 3;
    required uint32 uiNumParameters = 4;

message RemoveHook
    required uint32 uiHookId = 1;

message MonitorMessage
    optional AddHook mAddHook = 1;
    optional RemoveHook mRemoveHook = 2;
    optional Call mCall = 3;
    optional bool bIsContinue = 4;

Client/Server components will receive a MonitorMessage, which can contain an add hook message, remove hook message, call information message, or a boolean indicating that it is a continue message from the client. The server will operate on AddHook/RemoveHook by performing the appropriate actions, and will generate Call mesages containing the values of the parameters as they are retrieved from the stack as part of the added API hook. The client will generate AddHook/RemoveHook messages, or send a continue message to the server by sending a message with bIsContinue as true. The client will additionally operate on received Call messages from the server and, for this example, display the parameters of the hooked function. Special identifiers (uiHookId) will identify individual hooks for easy removal or dispatching of received call messages. The example code I provide only shows one hooked function, but the idea allows for it to be extended to any arbitrary number.

Adding a hook becomes pretty straightforward. From the client code:

ApiMonitor::ProtoBuf::MonitorMessage mOutgoingMessage;
mOutgoingMessage.mutable_maddhook()->set_strdllname("user32.dll", 10);
mOutgoingMessage.mutable_maddhook()->set_strfunctionname("MessageBoxA", 11);
(void)SendOutgoingMessage(sckConnect, &mOutgoingMessage);

with SendOutgoingMessage being responsible for serialization of the Protocol Buffer message. The message are sent in two parts, with the first containing the size of the incoming message buffer and the latter containing the bytes of the message itself. This functionality is used both in client and server.

const bool Send(SOCKET sckConnect, const char *pBuffer, int uiBufferLength)
    int iResult = send(sckConnect, (const char *)pBuffer, uiBufferLength, 0);
    if (iResult == SOCKET_ERROR)
        printf("send failed. Error = %X\n", WSAGetLastError());
        return false;
    return true;
const bool SendOutgoingMessage(SOCKET sckConnect, ApiMonitor::ProtoBuf::MonitorMessage *pMessage)
    const int iBuffSize = pMessage->ByteSize();
    char *pBuffer = (char *)malloc(iBuffSize * sizeof(char));
    pMessage->SerializePartialToArray(pBuffer, iBuffSize);
    bool bRet = Send(sckConnect, (const char *)&iBuffSize, sizeof(int));
    bRet &= Send(sckConnect, pBuffer, iBuffSize);
    return bRet;

On the server receiving end, the messages are read from the socket and the MonitorMessage is reconstructed. The fields are checked and the appropriate dispatch happens.

int iResult = 0;
    int iBuffSize = 0;
    iResult = recv(sckClient, (char *)&iBuffSize, sizeof(int), 0);
    char *pBuffer = (char *)malloc(iBuffSize * sizeof(char));
    iResult = recv(sckClient, pBuffer, iBuffSize, 0);
    ApiMonitor::ProtoBuf::MonitorMessage mReceivedMessage;
    mReceivedMessage.ParseFromArray(pBuffer, iBuffSize);
    if (mReceivedMessage.has_biscontinue())
    else if (mReceivedMessage.has_maddhook())
            mReceivedMessage.maddhook().uinumparameters(), &dwAddress);
    else if (mReceivedMessage.has_mremovehook())
        (void)RemoveHook(mReceivedMessage.mremovehook().uihookid(), dwAddress);
} while (iResult > 0);

If the message is a continue message then an event is signaled to allow the thread that invoked the target API to continue (this will be discussed further in a bit). Otherwise if the message is an add or remove hook message, the appropriate actions to add/remove it will be taken. The code for this won’t be shown here because the technique has been discussed several times before (see memory breakpoints or the previous usage of them). Additionally, the full source code for all of this is provided. Once the hook is installed and the target API is hit, it will trampoline to a hook function which will retrieve the parameters from the current execution context. The implementation is shown below

static void WINAPI HookFunction(CONTEXT *pContext)
    ApiMonitor::ProtoBuf::MonitorMessage mCallMessage;
#ifdef _M_IX86
    for(DWORD_PTR i = 0; i < dwHookNumParameters; ++i)
        DWORD_PTR dwParameter = *(DWORD_PTR *)(pContext->Esp + sizeof(DWORD_PTR) + (i * sizeof(DWORD_PTR)));
#elif defined _M_AMD64
#error "Unsupported platform"
    SendOutgoingMessage(sckOutgoing, &mCallMessage);
    WaitForSingleObject(hWaitEvent, INFINITE);

For x86, the parameters are retrieved directly from the stack. For x64, the four parameters are retrieved from registers as per the x64 ABI on Windows. If more parameters were to be retrieved for x64, there would have to be an additional field to specify the stack offset at which they start. The example keeps it simple and uses an API (MessageBoxA) with only four parameters. These values are added to a Call message and sent out back to the client. The thread then halts execution waiting for an event to be signaled. This is the event that is signaled via SetEvent(hWaitEvent); on the listening thread.
Going back to the client, the code for handling this Call message is shown below:

    ApiMonitor::ProtoBuf::MonitorMessage mIncomingMessage = ReceiveIncomingMessage(sckConnect);
    assert(mIncomingMessage.mcall().uihookid() == 0x123);
    HWND hWnd = (HWND)mIncomingMessage.mcall().uiparameter(0);
    DWORD_PTR dwTextAddress = (DWORD_PTR)mIncomingMessage.mcall().uiparameter(1);
    DWORD_PTR dwCaptionAddress = (DWORD_PTR)mIncomingMessage.mcall().uiparameter(2);
    UINT uiType = (UINT)mIncomingMessage.mcall().uiparameter(3);
    LPSTR lpTextBuffer[64] = { 0 };
    LPSTR lpTitleBuffer[64] = { 0 };
    DWORD dwProcessId = atoi(argv[1]);
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, dwProcessId);
    SIZE_T dwBytesRead = 0;
    (void)ReadProcessMemory(hProcess, (LPCVOID)dwTextAddress, lpTextBuffer, sizeof(lpTextBuffer), &dwBytesRead);
    (void)ReadProcessMemory(hProcess, (LPCVOID)dwCaptionAddress, lpTitleBuffer, sizeof(lpTitleBuffer), &dwBytesRead);
        "HWND: %X\n"
        "Text: %s\n"
        "Title: %s\n"
        "Type: %X\n",
        hWnd, lpTextBuffer, lpTitleBuffer, uiType);
    (void)SendOutgoingMessage(sckConnect, &mOutgoingMessage);
} while (!GetAsyncKeyState(VK_F12));

The parameters are retrieved from the message. Two of these parameters are addresses, specifically the MessageBox text and caption. These need to be read from the process memory and are done via a ReadProcessMemory call. After these are retrieved and output, the client creates a Continue message and sends it back to the server to continue execution there. After monitoring is finished (via an F12 key press), the client sends a remove hook message with the following:

(void)SendOutgoingMessage(sckConnect, &mOutgoingMessage);

which removes the hook from the target process.

Taking a look at it in action, an example application which repeatedly calls MessageBoxA via

MessageBoxA(NULL, "Hello, World!", "Test", MB_ICONINFORMATION);

is available. Below is a screenshot of the client after the server DLL was injected into this process.rpchookThe full source code relating to this can be found here. The static libraries were compiled with VS 2013 and will need to be recompiled if other compilers are used.

May 4, 2014

An Experiment In Performing Remote Calls on x64

Filed under: General x86-64,Programming — admin @ 12:23 AM

Recently I was trying to do something more than just executing code in the context of a remote process: I wanted to call a function remotely, including supplying arguments, and have the program continue execution afterwards. What I will present in this post is what I have quickly come up with to achieve the task. There certainly are edge cases (discussed at the end) where the code will run into issues, but the general logic of it is

  • Suspend all threads in the target process. This is achieved in the code with a call to the NtSuspendProcess native API.
  • Allocate space in the process that will contain the x64 assembly code which will set up the parameters and stack to perform the call.
  • Save all registers that will be used in performing the call. The example code does not save flags, but a full implementation will want to do that as well.
  • Write in the parameters following the Windows x64 ABI (first four parameters in RCX, RDX, R8, and R9) respectively, with the rest on the stack. The caller will have to know and supply the stack offset to the other parameters.
  • Set up the trampoline to perform the call.
  • Resume the process via NtResumeProcess and let the call happen.
  • Save the result of the call and continue execution.

With that in mind, I present the example code. The code contained within this post has had the error handling taken out of it in order to save space, unlike the code in the attached zip archive at the bottom. The program will take in a process id as a decimal value and perform a remote call on it. The outline looks as follows:

int main(int argc, char *argv[])
    if (argc != 2)
        printf("Usage: %s ProcessId", argv[0]);
        return -1;
    DWORD dwProcessId = strtoul(argv[1], nullptr, 10);
    HANDLE hProcess = OpenProcess(DEFAULT_PROCESS_RIGHTS, FALSE, dwProcessId);
    (void)PerformRemoteMessageBoxCall(hProcess, dwProcessId);
    //(void)PerformRemoteCreateProcessACall(hProcess, dwProcessId);
    return 0;

GetNativeFunctions retrieves pointers to NtSuspendProcess and NtResumeProcess. This saves the work of doing a manual implementation of traversing the thread list and suspending/resuming everything as needed.

const bool GetNativeFunctions(void)
    HMODULE hModule = GetModuleHandle(L"ntdll.dll");
    NtSuspendProcessFnc = (pNtSuspendProcess)GetProcAddress(hModule, "NtSuspendProcess");
    NtResumeProcessFnc = (pNtResumeProcess)GetProcAddress(hModule, "NtResumeProcess");
    return (NtSuspendProcessFnc != nullptr) && (NtResumeProcessFnc != nullptr);

Before presenting the function that is responsible for setting up and performing the remote call, there are a few helper functions that need to be mentioned. The way that the call will be performed is by redirecting the instruction pointer (RIP in the case of x64) to the memory region that was allocated and has had the remote call code written into it. I chose the main thread to do this, which required writing a helper function to retrieve the main thread of a process. Since there is no marker for which thread is the main thread in a process, I chose to go by thread creation time and assume that the earliest created thread is the main thread. The list of threads is retrieved through a Toolhelp snapshot and this takes place while the process is suspended, so no threads will be created or die while this snapshot is taken and the earliest thread is found. The code for this is below:

const DWORD GetMainThreadId(const DWORD dwProcessId)
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcessId);
    THREADENTRY32 threadEntry = { 0 };
    threadEntry.dwSize = sizeof(THREADENTRY32);
    (void)Thread32First(hSnapshot, &threadEntry);
    std::vector vecThreads;
        if (threadEntry.th32OwnerProcessID == dwProcessId)
    } while (Thread32Next(hSnapshot, &threadEntry));
    std::sort(vecThreads.begin(), vecThreads.end(),
        [](const DWORD dwFirstThreadId, const DWORD dwSecondThreadId)
            FILETIME ftCreationTimeFirst = { 0 };
            FILETIME ftCreationTimeSecond = { 0 };
            FILETIME ftUnused = { 0 };
            //Assuming these calls will succeed.
            HANDLE hThreadFirst = OpenThread(DEFAULT_THREAD_RIGHTS, FALSE, dwFirstThreadId);
            HANDLE hThreadSecond = OpenThread(DEFAULT_THREAD_RIGHTS, FALSE, dwSecondThreadId);
            (void)GetThreadTimes(hThreadFirst, &ftCreationTimeFirst, &ftUnused, &ftUnused, &ftUnused);
            (void)GetThreadTimes(hThreadSecond, &ftCreationTimeSecond, &ftUnused, &ftUnused, &ftUnused);
            LONG lResult = CompareFileTime(&ftCreationTimeFirst, &ftCreationTimeSecond);
            return lResult > 0;
    return vecThreads.front();

The next two helper functions are for retrieving the context of a thread, in this case the main thread, and for changing the instruction pointer. They are straightforward and shown here only for completeness.

const CONTEXT GetContext(const DWORD dwThreadId)
    CONTEXT ctx = { 0 };
    HANDLE hThread = OpenThread(DEFAULT_THREAD_RIGHTS, FALSE, dwThreadId);
    ctx.ContextFlags = CONTEXT_ALL;
    (void)GetThreadContext(hThread, &ctx);
    return ctx;
const bool SetInstructionPointer(const DWORD dwThreadId, const DWORD_PTR dwAddress, CONTEXT *pContext)
    pContext->Rip = dwAddress;
    HANDLE hThread = OpenThread(DEFAULT_THREAD_RIGHTS, FALSE, dwThreadId);
    (void)SetThreadContext(hThread, pContext);
    return true;

With all of these presented, the main PerformRemoteCall function can now be shown:

const bool PerformRemoteCall(const HANDLE hProcess, const DWORD dwProcessId, const DWORD_PTR dwAddress, const DWORD_PTR *pArguments,
    const ULONG ulArgumentCount, DWORD_PTR *dwOutReturnVirtualAddress = nullptr, const DWORD dwX64StackDisplacement = 0)
    NTSTATUS status = NtSuspendProcessFnc(hProcess);
    if (!NT_SUCCESS(status))
        printf("Could not suspend process. Last error = %X", GetLastError());
        return false;
    LPVOID lpFunctionBase = VirtualAllocEx(hProcess, nullptr, PAGE_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lpFunctionBase == nullptr)
        printf("Could not allocate memory for function call in process. Last error = %X", GetLastError());
        return false;
    DWORD dwMainThreadId = GetMainThreadId(dwProcessId);
    CONTEXT ctx = GetContext(dwMainThreadId);
    size_t argumentsBaseIndex = 10;
    unsigned char remoteCallEntryBase[256] =
        0x40, 0x57,                                                 /*push rdi*/
        0x48, 0x83, 0xEC, 0x40,                                     /*sub rsp, 0x40*/
        0x48, 0x8B, 0xFC,                                           /*mov rdi, rsp*/
        0x50,                                                       /*push rax*/
        0x51,                                                       /*push rcx*/
        0x52,                                                       /*push rdx*/
        0x41, 0x50,                                                 /*push r8*/
        0x41, 0x51,                                                 /*push r9*/
    unsigned char remoteCallArgBase1stArg[] =
        0x48, 0xB9, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, /*mov rcx, 0xAAAAAAAAAAAAAAAA*/
    unsigned char remoteCallArgBase2ndArg[] =
        0x48, 0xBA, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, /*mov rdx, 0xBBBBBBBBBBBBBBBB*/
    unsigned char remoteCallArgBase3rdArg[] =
        0x49, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, /*mov r8, 0xCCCCCCCCCCCCCCCC*/
    unsigned char remoteCallArgBase4thArg[] =
        0x49, 0xB9, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, /*mov r9, 0xDDDDDDDDDDDDDDDD*/
    unsigned char remoteCallArgBaseStack[] =
        0x48, 0xB8, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, /*mov rax, 0xBBBBBBBBBBBBBBBB*/
        0x48, 0x89, 0x44, 0x24, 0xFF                                /*mov qword ptr [rsp+0xFF], rax*/
    unsigned char remoteCallExitBase[] =
        0x48, 0xB8, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, /*mov rax, 0xBBBBBBBBBBBBBBBB*/
        0xFF, 0xD0,                                                 /*call rax*/
        0x53,                                                       /*push rbx*/
        0x48, 0xBB, 0xDD, 0xCC, 0xBB, 0xAA, 0xDD, 0xCC, 0xBB, 0xAA, /*mov rbx, 0xAABBCCDDAABBCCDD*/
        0x48, 0x81, 0xC3, 0x00, 0x04, 0x00, 0x00,                   /*add rbx, 0x400*/
        0x48, 0x89, 0x03,                                           /*mov [rbx], rax*/
        0x5B,                                                       /*pop rbx*/
        0x48, 0x83, 0xC4, 0x40,                                     /*add rsp, 0x40*/
        0x41, 0x59,                                                 /*pop r9*/
        0x41, 0x58,                                                 /*pop r8*/
        0x5A,                                                       /*pop rdx*/
        0x59,                                                       /*pop rcx*/
        0x58,                                                       /*pop rax*/
        0x5F,                                                       /*pop rdi*/
        0x68, 0xCC, 0xCC, 0xCC, 0xCC,                               /*push 0xCCCCCCCC*/
        0xC7, 0x44, 0x24, 0x04, 0xDD, 0xDD, 0xDD, 0xDD,             /*mov [rsp+4], 0xDDDDDDDD*/
        0xC3                                                        /*ret*/
    unsigned char *remoteCallRegisterArguments[] =
        remoteCallArgBase1stArg, remoteCallArgBase2ndArg, remoteCallArgBase3rdArg,
    size_t remoteCallRegisterArgumentsSize[] =
        sizeof(remoteCallArgBase1stArg), sizeof(remoteCallArgBase2ndArg),
        sizeof(remoteCallArgBase3rdArg), sizeof(remoteCallArgBase4thArg)
    DWORD_PTR dwOriginalAddress = ctx.Rip;
    DWORD_PTR dwAllocationBaseAddress = (DWORD_PTR)lpFunctionBase;
    DWORD dwLowAddress = dwOriginalAddress & 0xFFFFFFFF;
    DWORD dwHighAddress = (dwOriginalAddress == 0) ? 0 : ((dwOriginalAddress >> 32) & 0xFFFFFFFF);
    memset(&remoteCallEntryBase[argumentsBaseIndex], 0x90, sizeof(remoteCallEntryBase)-argumentsBaseIndex);
    memcpy(&remoteCallExitBase[2], &dwAddress, sizeof(DWORD_PTR));
    memcpy(&remoteCallExitBase[15], &dwAllocationBaseAddress, sizeof(DWORD_PTR));
    memcpy(&remoteCallExitBase[47], &dwLowAddress, sizeof(DWORD));
    memcpy(&remoteCallExitBase[55], &dwHighAddress, sizeof(DWORD));
        remoteCallExitBase, sizeof(remoteCallExitBase));
    if (ulArgumentCount >= 1)
        memcpy(&remoteCallArgBase1stArg[2], &pArguments[0], sizeof(DWORD_PTR));
    if (ulArgumentCount >= 2)
        memcpy(&remoteCallArgBase2ndArg[2], &pArguments[1], sizeof(DWORD_PTR));
    if (ulArgumentCount >= 3)
        memcpy(&remoteCallArgBase3rdArg[2], &pArguments[2], sizeof(DWORD_PTR));
    if (ulArgumentCount >= 4)
        memcpy(&remoteCallArgBase4thArg[2], &pArguments[3], sizeof(DWORD_PTR));
    for (unsigned long i = 0; i < min(4, ulArgumentCount); ++i)
        memcpy(&remoteCallEntryBase[argumentsBaseIndex], remoteCallRegisterArguments[i], remoteCallRegisterArgumentsSize[i]);
        argumentsBaseIndex += remoteCallRegisterArgumentsSize[i];
    unsigned char ucBaseDisplacement = dwX64StackDisplacement & 0xFF;
    for (unsigned long i = 4; i < ulArgumentCount; ++i)
        memcpy(&remoteCallArgBaseStack[2], &pArguments[i], sizeof(DWORD_PTR));
        memcpy(&remoteCallArgBaseStack[14], &ucBaseDisplacement, sizeof(unsigned char));
        memcpy(&remoteCallEntryBase[argumentsBaseIndex], remoteCallArgBaseStack, sizeof(remoteCallArgBaseStack));
        argumentsBaseIndex += sizeof(remoteCallArgBaseStack);
        ucBaseDisplacement += sizeof(DWORD_PTR);
    SIZE_T bytesWritten = 0;
    (void)WriteProcessMemory(hProcess, lpFunctionBase, remoteCallEntryBase, sizeof(remoteCallEntryBase), &bytesWritten);
    if (bytesWritten == 0 || bytesWritten != sizeof(remoteCallEntryBase))
        printf("Could not write remote function code into process. Last error = %X", GetLastError());
        return false;
    if (!SetInstructionPointer(dwMainThreadId, (DWORD_PTR)lpFunctionBase, &ctx))
        return false;
    if (dwOutReturnVirtualAddress != nullptr)
        *dwOutReturnVirtualAddress = (DWORD_PTR)lpFunctionBase + 0x400;
    status = NtResumeProcessFnc(hProcess);
    if (!NT_SUCCESS(status))
        printf("Could not resume process. Last error = %X", GetLastError());
        return false;
    return true;

The function is rather involved but works as follows

  • The process is suspended. Memory is then allocated inside of it which will hold the function that will be generated at run-time to call the target function.
  • The thread context is retrieved in order to modify the instruction pointer later.
  • A local stack frame is set up and the registers RAX, RCX, RDX, R8, and R9 are saved. The latter four are saved because they will be used as parameters, and RAX is saved because it will hold the address of the function to remotely call.
  • The values of the first four parameters are moved in to their corresponding register, (first = RCX, second = RDX, third = R8, fourth = R9).
  • Additional values are stored on the stack. Depending on the passed in stack displacement, they will be stored in the following format (0xFF will be replaced by the displacement).
mov qword ptr [rsp+0xFF], rax
  • At the exit point of this local function stack frame, the target address is moved into the RAX register and called. Its return value is then moved into [RBX], which is the memory location that will store the result of the function call. In the example code, RBX is set to the base address of the allocated memory + 0x400 bytes.
  • The function epilogue happens and the stack is fixed up as well as the saved registers being restored.
  • A trampoline is set up to return execution to where it was prior to all of this happening.
  • All of this gets written in to the process and the instruction pointer gets set to the start of this region.
  • The process is resumed and the call is allowed to happen

It is simple to set up wrappers around this function and begin performing remote calls. Here are examples of MessageBoxA and CreateProcessA

const bool PerformRemoteMessageBoxCall(const HANDLE hProcess, const DWORD dwProcessId)
    HMODULE hUser32Dll = GetModuleHandle(L"user32.dll");
    const DWORD_PTR dwMessageBox = (DWORD_PTR)GetProcAddress(GetModuleHandle(L"user32.dll"), "MessageBoxA");
    const char strCaption[] = "Remote Title";
    const char strTitle[] = "Caption for remote MessageBoxA call";
    LPVOID lpMemory = VirtualAllocEx(hProcess, nullptr, PAGE_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    SIZE_T bytesWritten = 0;
    (void)WriteProcessMemory(hProcess, lpMemory, strCaption, sizeof(strCaption), &bytesWritten);
    DWORD_PTR dwTitleAddress = (DWORD_PTR)lpMemory + bytesWritten;
    (void)WriteProcessMemory(hProcess, (LPVOID)dwTitleAddress, strTitle, sizeof(strTitle), &bytesWritten);
    DWORD_PTR dwArguments[] =
    return PerformRemoteCall(hProcess, dwProcessId, dwMessageBox, &dwArguments[0], 4);
const bool PerformRemoteCreateProcessACall(const HANDLE hProcess, const DWORD dwProcessId)
    HMODULE hKernel32Dll = GetModuleHandle(L"kernel32.dll");
    const DWORD_PTR dwCreateProcessA = (DWORD_PTR)GetProcAddress(hKernel32Dll, "CreateProcessA");
    const char strProcessPath[] = "C://Windows//system32//notepad.exe";
    LPVOID lpMemory = VirtualAllocEx(hProcess, nullptr, PAGE_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    SIZE_T bytesWritten = 0;
    (void)WriteProcessMemory(hProcess, lpMemory, strProcessPath, sizeof(strProcessPath), &bytesWritten);
    STARTUPINFO startupInfo = { 0 };
    startupInfo.cb = sizeof(STARTUPINFO);
    DWORD_PTR dwStartupStructAddress = (DWORD_PTR)lpMemory + bytesWritten;
    (void)WriteProcessMemory(hProcess, (LPVOID)dwStartupStructAddress, &startupInfo, sizeof(STARTUPINFO), &bytesWritten);
    DWORD_PTR dwArguments[] =
        dwStartupStructAddress + bytesWritten
    return PerformRemoteCall(hProcess, dwProcessId, dwCreateProcessA, &dwArguments[0],
        sizeof(dwArguments) / sizeof(dwArguments[0]), nullptr, 0x20);

At run-time here is what the generated assembly code will look like for these functions.


00000000001C0000 40 57                push        rdi  
00000000001C0002 48 83 EC 40          sub         rsp,40h  
00000000001C0006 48 8B FC             mov         rdi,rsp  
00000000001C0009 50                   push        rax  
00000000001C000A 48 B9 00 00 00 00 00 00 00 00 mov         rcx,0  
00000000001C0014 48 BA 0D 00 1B 00 00 00 00 00 mov         rdx,1B000Dh  
00000000001C001E 49 B8 00 00 1B 00 00 00 00 00 mov         r8,1B0000h  
00000000001C0028 49 B9 30 00 00 00 00 00 00 00 mov         r9,30h  
00000000001C0032 90                   nop  
00000000001C0033 90                   nop
... tons more NOPs ...
00000000001C00C4 48 B8 38 31 DE 56 F8 7F 00 00 mov         rax,7FF856DE3138h  
00000000001C00CE FF D0                call        rax  
00000000001C00D0 53                   push        rbx  
00000000001C00D1 48 BB 00 00 1C 00 00 00 00 00 mov         rbx,1C0000h  
00000000001C00DB 48 81 C3 00 04 00 00 add         rbx,400h  
00000000001C00E2 48 89 03             mov         qword ptr [rbx],rax  
00000000001C00E5 5B                   pop         rbx  
00000000001C00E6 48 83 C4 40          add         rsp,40h  
00000000001C00EA 41 59                pop         r9  
00000000001C00EC 41 58                pop         r8  
00000000001C00EE 5A                   pop         rdx  
00000000001C00EF 59                   pop         rcx  
00000000001C00F0 58                   pop         rax  
00000000001C00F1 5F                   pop         rdi  
00000000001C00F2 68 AD 39 00 40       push        400039ADh  
00000000001C00F7 C7 44 24 04 01 00 00 00 mov         dword ptr [rsp+4],1  
00000000001C00FF C3                   ret


00000000004F0000 40 57                push        rdi  
00000000004F0002 48 83 EC 40          sub         rsp,40h  
00000000004F0006 48 8B FC             mov         rdi,rsp  
00000000004F0009 50                   push        rax  
00000000004F000A 48 B9 00 00 1D 00 00 00 00 00 mov         rcx,1D0000h  
00000000004F0014 48 BA 00 00 00 00 00 00 00 00 mov         rdx,0  
00000000004F001E 49 B8 00 00 00 00 00 00 00 00 mov         r8,0  
00000000004F0028 49 B9 00 00 00 00 00 00 00 00 mov         r9,0  
00000000004F0032 48 B8 00 00 00 00 00 00 00 00 mov         rax,0  
00000000004F003C 48 89 44 24 20       mov         qword ptr [rsp+20h],rax  
00000000004F0041 48 B8 00 00 00 00 00 00 00 00 mov         rax,0  
00000000004F004B 48 89 44 24 28       mov         qword ptr [rsp+28h],rax  
00000000004F0050 48 B8 00 00 00 00 00 00 00 00 mov         rax,0  
00000000004F005A 48 89 44 24 30       mov         qword ptr [rsp+30h],rax  
00000000004F005F 48 B8 00 00 00 00 00 00 00 00 mov         rax,0  
00000000004F0069 48 89 44 24 38       mov         qword ptr [rsp+38h],rax  
00000000004F006E 48 B8 23 00 1D 00 00 00 00 00 mov         rax,1D0023h  
00000000004F0078 48 89 44 24 40       mov         qword ptr [rsp+40h],rax  
00000000004F007D 48 B8 8B 00 1D 00 00 00 00 00 mov         rax,1D008Bh  
00000000004F0087 48 89 44 24 48       mov         qword ptr [rsp+48h],rax  
00000000004F008C 90                   nop  
00000000004F008D 90                   nop  
... tons more NOPs ...
00000000004F00C4 48 B8 A0 8A 61 55 F8 7F 00 00 mov         rax,7FF855618AA0h  
00000000004F00CE FF D0                call        rax  
00000000004F00D0 53                   push        rbx  
00000000004F00D1 48 BB 00 00 4F 00 00 00 00 00 mov         rbx,4F0000h  
00000000004F00DB 48 81 C3 00 04 00 00 add         rbx,400h  
00000000004F00E2 48 89 03             mov         qword ptr [rbx],rax  
00000000004F00E5 5B                   pop         rbx  
00000000004F00E6 48 83 C4 40          add         rsp,40h  
00000000004F00EA 41 59                pop         r9  
00000000004F00EC 41 58                pop         r8  
00000000004F00EE 5A                   pop         rdx  
00000000004F00EF 59                   pop         rcx  
00000000004F00F0 58                   pop         rax  
00000000004F00F1 5F                   pop         rdi  
00000000004F00F2 68 AD 39 00 40       push        400039ADh  
00000000004F00F7 C7 44 24 04 01 00 00 00 mov         dword ptr [rsp+4],1  
00000000004F00FF C3                   ret

When will this not work?

There are certainly cases where the above code to perform remote calls will not work:

  • The function uses an unusual calling convention, i.e. doesn’t clean up its own stack on x64.
  • The main thread is sleeping, blocked, or in a yielding state.

The full source relating to this can be found here.

May 2, 2014

Messing with MSN Internet Games (2/2)

Filed under: Game Hacking,General x86-64,Reverse Engineering — admin @ 2:35 PM

The not-too-long-awaited followup continues. This post will outline some of the internals of how the common network code residing in zgmprxy.dll works. This DLL is shared across Internet Checkers, Internet Backgammon, and Internet Spades to carry out all of the network functionality. Fortunately, or rather unfortunately from a challenge perspective, Microsoft has provided debugging symbols for zgmprxy.dll. This removes some of the challenge in finding interesting functions, but does still allow for some decent reverse engineering knowledge to actually understand how everything is working.

Starting Point

The obvious starting point for this is to load and look through the zgmproxy.pdb file provided through the Microsoft Symbol Server. There are tons of good functions to look through, but for the sake of brevity, I will be focusing on four of them here.


Understanding how name decorations work allows for a recovery of a large amount of information, such as parameter number any types, function name and class membership information, calling convention (__thiscall for this case obviously, although I treat it as __stdcall with the “this” pointer as the first parameter in the example code), etc.

The Plan

The plan here does not change too much from what happened in the previous post:

  • Get into the address space of the target executable. Nothing here changes from last post.
  • Get the addresses of the above functions. This becomes very simple with the debug/symbol APIs provided by the WinAPI.
  • Install hooks at desired places on the functions.
  • Save off the CStadiumSocket instance so we can call functions in it at our own leisure. As an example for this post, it will be to send custom chat messages instead of the pre-selected ones offered by the games.

DllMain does not change drastically from the last revision.

int APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
            freopen("CONOUT$", "w", stdout);
            printf("DLL loaded.\n");
            pExceptionHandler = AddVectoredExceptionHandler(TRUE, VectoredHandler);
                if(CreateThread(NULL, 0, DlgThread, hModule, 0, NULL) == NULL)
                    printf("Could not create dialog thread. Last error = %X\n", GetLastError());
                printf("Could not set initial breakpoints.\n");
            printf("CStadiumSocket::BeginConnect: %016X\n"
                "CStadiumSocket::SendData: %016X\n"
                "CStadiumSocket::DecryptSocketData: %016X\n"
                "CStadiumSocket::Disconnect: %016X\n",
                BeginConnectFnc, SendDataFnc, DecryptSocketDataFnc, DisconnectFnc);
        //Clean up here usually
    return TRUE;

There are four functions now as well as a new thread which will hold a dialog to enter custom chat (discussed later). Memory breakpoints are still used and nothing has changed about how they are added. GetFunctions() has drastically changed in this revision. Instead of finding the target functions through GetProcAddress, the injected DLL can load up symbols at runtime and find the four desired functions through the use of the SymGetSymFromName64 function.

const bool GetFunctions(void)
    if(SymInitialize(GetCurrentProcess(), "", TRUE))
        IMAGEHLP_SYMBOL64 imageHelp = { 0 };
        imageHelp.SizeOfStruct = sizeof(IMAGEHLP_SYMBOL64);
        (void)SymGetSymFromName64(GetCurrentProcess(), "CStadiumSocket::BeginConnect", &imageHelp);
        BeginConnectFnc = (pBeginConnect)imageHelp.Address;
        (void)SymGetSymFromName64(GetCurrentProcess(), "CStadiumSocket::SendData", &imageHelp);
        SendDataFnc = (pSendData)imageHelp.Address;
        (void)SymGetSymFromName64(GetCurrentProcess(), "CStadiumSocket::DecryptSocketData", &imageHelp);
        DecryptSocketDataFnc = (pDecryptSocketData)imageHelp.Address;  
        (void)SymGetSymFromName64(GetCurrentProcess(), "CStadiumSocket::Disconnect", &imageHelp);
        DisconnectFnc = (pDisconnect)imageHelp.Address;
        printf("Could not initialize symbols. Last error = %X", GetLastError());
    return ((BeginConnectFnc != NULL) && (SendDataFnc != NULL)
        && (DecryptSocketDataFnc != NULL) && (DisconnectFnc != NULL));

Here symbols will be loaded with undecorated names and the target functions will be retrieved. The zgmprxy.pdb file must reside in one of the directories that SymInitialize checks, namely in one of the following:

    The current working directory of the application
    The _NT_SYMBOL_PATH environment variable
    The _NT_ALTERNATE_SYMBOL_PATH environment variable

That is really all there is in terms of large changes from last post, so it’s time to begin actually reversing these four functions.


As the function name implies, this is called to begin a connection with the matchmaking service and game. The control flow graph looks pretty straightforward, as is the functionality of BeginConnect.

msncfgFrom a cursory inspection, the function appears to be a wrapper around QueueUserWorkItem. It takes a URL and port number as input, and is responsible for initializing and formatting them in a way before launching an asynchronous task. My x64 -> C interpretation yields something similar to the following (x64 code in comment form, my C translation below). Allocation sizes were retrieved during a trace and don’t necessarily fully reflect the logic:

int CStadiumSocket::BeginConnect(wchar_t *pUrl, unsigned long ulPortNumber)
//.text:000007FF34FB24C7                 mov     rcx, r12        ; size_t
//.text:000007FF34FB24CA                 call    ??_U@YAPEAX_K@Z ; operator new[](unsigned __int64)
//.text:000007FF34FB24CF                 mov     rsi, rax
//.text:000007FF34FB24D2                 cmp     rax, rbx
//.text:000007FF34FB24D5                 jnz     short loc_7FF34FB24E1
    wchar_t *strPortNum = new wchar_t[32];
    if(strPortNum == NULL)
        return 0x800404DB;
//.text:000007FF34FB24E1                 mov     r8, r12         ; size_t
//.text:000007FF34FB24E4                 xor     edx, edx        ; int
//.text:000007FF34FB24E6                 mov     rcx, rax        ; void *
//.text:000007FF34FB24E9                 call    memset
    memset(pBuffer, 0, 32 * sizeof(wchar_t));
//.text:000007FF34FB24EE                 lea     r12, [rbp+3Ch]
//.text:000007FF34FB24F2                 mov     r11d, 401h
//.text:000007FF34FB24F8                 mov     rax, r12
//.text:000007FF34FB24FB                 sub     rdi, r12
//.text:000007FF34FB24FE loc_7FF34FB24FE:                        ; CODE XREF: CStadiumSocket::BeginConnect(ushort * const,ulong)+77j
//.text:000007FF34FB24FE                 cmp     r11, rbx
//.text:000007FF34FB2501                 jz      short loc_7FF34FB251E
//.text:000007FF34FB2503                 movzx   ecx, word ptr [rdi+rax]
//.text:000007FF34FB2507                 cmp     cx, bx
//.text:000007FF34FB250A                 jz      short loc_7FF34FB2519
//.text:000007FF34FB250C                 mov     [rax], cx
//.text:000007FF34FB250F                 add     rax, 2
//.text:000007FF34FB2513                 sub     r11, 1
//.text:000007FF34FB2517                 jnz     short loc_7FF34FB24FE
//.text:000007FF34FB2519 loc_7FF34FB2519:                        ; CODE XREF: CStadiumSocket::BeginConnect(ushort * const,ulong)+6Aj
//.text:000007FF34FB2519                 cmp     r11, rbx
//.text:000007FF34FB251C                 jnz     short loc_7FF34FB2522
//.text:000007FF34FB251E loc_7FF34FB251E:                        ; CODE XREF: CStadiumSocket::BeginConnect(ushort * const,ulong)+61j
//.text:000007FF34FB251E                 sub     rax, 2 
    for(unsigned int i = 0; i < 1025; ++i)
        m_pBuffer[i] = pUrl[i];
        if(pBuffer[i] == 0)
//.text:000007FF34FB2522                 mov     r9d, 0Ah        ; int
//.text:000007FF34FB2528                 mov     rdx, rsi        ; wchar_t *
//.text:000007FF34FB252B                 mov     ecx, r13d       ; int
//.text:000007FF34FB252E                 lea     r8d, [r9+16h]   ; size_t
//.text:000007FF34FB2532                 mov     [rax], bx
//.text:000007FF34FB2535                 call    _itow_s
    (void)_itow_s(ulPortNumber, strPortNum, 32, 10);
//.text:000007FF34FB253A                 mov     [rbp+38h], r13d
//.text:000007FF34FB253E                 mov     r13d, 30h
//.text:000007FF34FB2544                 lea     rcx, [rsp+68h+var_48] ; void *
//.text:000007FF34FB2549                 mov     r8, r13         ; size_t
//.text:000007FF34FB254C                 xor     edx, edx        ; int
//.text:000007FF34FB254E                 mov     [rbp+85Ch], ebx
//.text:000007FF34FB2554                 call    memset
    char partialContextBuffer[48];
    memset(str, 0, sizeof(str));
//.text:000007FF34FB2559                 lea     ecx, [r13+28h]  ; size_t
//.text:000007FF34FB255D                 mov     [rsp+68h+var_44], ebx
//.text:000007FF34FB2561                 mov     [rsp+68h+var_40], 1
//.text:000007FF34FB2569                 call    ??2@YAPEAX_K@Z  ; operator new(unsigned __int64)
//.text:000007FF34FB256E                 mov     rdi, rax
//.text:000007FF34FB2571                 cmp     rax, rbx
//.text:000007FF34FB2574                 jz      short loc_7FF34FB257E
//.text:000007FF34FB2576                 mov     dword ptr [rax], 1
//.text:000007FF34FB257C                 jmp     short loc_7FF34FB2581
    char *pContextBuffer = new char[88]; 
    if(pContextBuffer == NULL)
        return 0x800404DB;
//.text:000007FF34FB2586                 lea     rcx, [rdi+18h]  ; void *
//.text:000007FF34FB258A                 lea     rdx, [rsp+68h+var_48] ; void *
//.text:000007FF34FB258F                 mov     r8, r13         ; size_t
//.text:000007FF34FB2592                 mov     [rdi+8], r12
//.text:000007FF34FB2596                 mov     [rdi+10h], rsi
//.text:000007FF34FB259A                 call    memmove
    *(pContextBuffer) = 1; //At 000007FF34FB2576
    *(pContextBuffer + 8) = &m_pBuffer;
    *(pContextBuffer + 16) = &strPortNum;
    memmove(&pContextBuffer[24], partialContextBuffer, 48);
//.text:000007FF34FB259F                 lea     r11, [rbp+0A80h]
//.text:000007FF34FB25A6                 lea     rax, [rbp+18h]
//.text:000007FF34FB25AA                 lea     rcx, ?AsyncGetAddrInfoW@CStadiumSocket@@SAKPEAX@Z ; Function
//.text:000007FF34FB25B1                 xor     r8d, r8d        ; Flags
//.text:000007FF34FB25B4                 mov     rdx, rdi        ; Context
//.text:000007FF34FB25B7                 mov     [rdi+48h], r11
//.text:000007FF34FB25BB                 mov     [rdi+50h], rax
//.text:000007FF34FB25BF                 call    cs:__imp_QueueUserWorkItem
//.text:000007FF34FB25C5                 cmp     eax, ebx
//.text:000007FF34FB25C7                 jnz     short loc_7FF34FB25D5
//.text:000007FF34FB25C9                 mov     ebx, 800404BFh
//.text:000007FF34FB25CE                 jmp     short loc_7FF34FB25D5
    if(QueueUserWorkItem(&AsyncGetAddrInfo, pContextBuffer, 0) == FALSE)
        return 0x800404BF;
//From success case
    return 0;


The next function to look at is the SendData function. This function formats the data to send and invokes OnASyncDataWrite to write it out. The function creates a buffer of max length 0x4010 (16400) bytes, copies in the message buffer, and appends a few fields to the end. There is some handling code in the event that the message is of a handshake type, or if it is a message that is to be queued up. Below is a mostly complete translation of the assembly.

int CStadiumSocket::SendData(char *pBuffer, unsigned int uiLength, bool bIsHandshake, bool bLastHandshake)
//.text : 000007FF34FB350C                 cmp     dword ptr[rcx + 0A88h], 0
//.text : 000007FF34FB3513                 mov     rax, [rcx + 840h]
//.text : 000007FF34FB351A                 mov     r13, rdx
//.text : 000007FF34FB351D                 mov     rax, [rax + 10h]
//.text : 000007FF34FB3521                 lea     rdx, aTrue; "true"
//.text : 000007FF34FB3528                 mov     rdi, rcx
//.text : 000007FF34FB352B                 mov[rsp + 58h + var_20], rax
//.text : 000007FF34FB3530                 lea     r11, aFalse; "false"
//.text : 000007FF34FB3537                 mov     ebp, r8d
//.text : 000007FF34FB353A                 mov     r10, r11
//.text : 000007FF34FB353D                 mov     rcx, r11
//.text : 000007FF34FB3540                 mov     r12d, r9d
//.text : 000007FF34FB3543                 cmovnz  r10, rdx
//.text : 000007FF34FB3547                 cmp[rsp + 58h + arg_20], 0
//.text : 000007FF34FB354F                 cmovnz  rcx, rdx
//.text : 000007FF34FB3553                 test    r9d, r9d
//.text : 000007FF34FB3556                 mov[rsp + 58h + var_28], r10
//.text : 000007FF34FB355B                 mov[rsp + 58h + var_30], rcx
//.text : 000007FF34FB3560                 cmovnz  r11, rdx
//.text : 000007FF34FB3564                 mov     r9d, r8d
//.text : 000007FF34FB3567                 lea     rcx, aCstadiumsoc_15; "CStadiumSocket::SendData:\n    BUFFER:  "...
//.text : 000007FF34FB356E                 mov     r8, r13
//.text : 000007FF34FB3571                 mov     edx, ebp
//.text : 000007FF34FB3573                 mov[rsp + 58h + var_38], r11
//.text : 000007FF34FB3578                 call ? SafeDbgLog@@YAXPEBGZZ; SafeDbgLog(ushort const *, ...)
    QueueNode *pQueueNode = m_msgQueue;
    char *strIsHandshake = (bIsHandshake == 0) ? "true" : "false";
    char *strPostHandshake = (m_bPostHandshake == 0) ? "true" : "false";
    char *strLastHandshake = (bLastHandshake == 0) ? "true" : "false";
    SafeDbgLog("CStadiumSocket::SendData:    BUFFER:    \"%*.S\"    LENGTH:    %u    HANDSHAKE: %s    LAST HS:   %s    POST HS:   %s    Queue:     %u",
        uiLength, pBuffer, uiLength, strIsHandshake, strLastHandshake, strPostHandshake, pQueueNode.Count);
//.text : 000007FF34FB357D                 mov     ecx, 4010h; size_t
//.text : 000007FF34FB3582                 call ? ? 2@YAPEAX_K@Z; operator new(unsigned __int64)
//.text : 000007FF34FB3587                 mov     rsi, rax
//.text : 000007FF34FB358A                 mov[rsp + 58h + arg_0], rax
//.text : 000007FF34FB358F                 test    rax, rax
//.text : 000007FF34FB3592                 jz      loc_7FF34FB36B3
//.text : 000007FF34FB3598                 mov     ebx, 4000h
//.text : 000007FF34FB359D                 xor     edx, edx; int
//.text : 000007FF34FB359F                 mov     rcx, rax; void *
//.text : 000007FF34FB35A2                 mov     r8, rbx; size_t
//.text : 000007FF34FB35A5                 call    memset
//.text : 000007FF34FB35AA                 cmp     ebp, ebx
//.text : 000007FF34FB35AC                 mov     rdx, r13; void *
//.text : 000007FF34FB35AF                 cmovb   rbx, rbp
//.text : 000007FF34FB35B3                 mov     rcx, rsi; void *
//.text : 000007FF34FB35B6                 mov     r8, rbx; size_t
//.text : 000007FF34FB35B9                 call    memmove
//.text : 000007FF34FB35BE                 and     dword ptr[rsi + 4000h], 0
//.text : 000007FF34FB35C5                 mov[rsi + 4004h], ebp
//.text : 000007FF34FB35CB                 mov[rsi + 4008h], r12d
//.text : 000007FF34FB35D2                 and     dword ptr[rsi + 400Ch], 0
    char *pFullBuffer = new char[0x4010];
    if(pFullBuffer == NULL)
        return 0;
    memset(pFullBuffer, 0, 0x4000);
    uiLength = (uiLength < 0x4000) ? uiLength : 0x4000;
    memmove(pFullBuffer, pBuffer, uiLength);
    pFullBuffer[0x4000] = 0;
    pFullBuffer[0x4004] = uiLength;
    pFullBuffer[0x4008] = bPostHandshake;
    pFullBuffer[0x400C] = 0;
//.text : 000007FF34FB35D9                 test    r12d, r12d
//.text : 000007FF34FB35DC                 jz      short loc_7FF34FB3658
//.text : 000007FF34FB35DE                 mov     rax, [rdi + 840h]
//.text : 000007FF34FB35E5                 mov     rbx, [rax]
//.text : 000007FF34FB35E8                 test    rbx, rbx
//.text : 000007FF34FB35EB
//.text : 000007FF34FB35EB loc_7FF34FB35EB : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) + 119j
//.text : 000007FF34FB35EB                 jz      short loc_7FF34FB364F
//.text : 000007FF34FB364F loc_7FF34FB364F : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) : loc_7FF34FB35EBj
//.text : 000007FF34FB364F                 lea     rcx, aCstadiumsoc_18; "CStadiumSocket::SendData: AddTail in se"...
//.text : 000007FF34FB3656                 jmp     short loc_7FF34FB365F
//.text : 000007FF34FB3658; -------------------------------------------------------------------------- -
//.text : 000007FF34FB3658
//.text : 000007FF34FB3658 loc_7FF34FB3658 : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) + E8j
//.text : 000007FF34FB3658                 lea     rcx, aCstadiumsock_9; "CStadiumSocket::SendData: AddTail\n\n"
//.text : 000007FF34FB365F
//.text : 000007FF34FB365F loc_7FF34FB365F : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) + 162j
//.text : 000007FF34FB365F                 call ? SafeDbgLog@@YAXPEBGZZ; SafeDbgLog(ushort const *, ...)
    bool bAddTail = (!bPostHandshake || pQueueNode->Prev == NULL);
        SafeDbgLog("CStadiumSocket::SendData: AddTail\n\n");
    else if(pQueueNode->Prev == NULL)
        SafeDbgLog("CStadiumSocket::SendData: AddTail in search.");
//.text : 000007FF34FB3664                 mov     rbx, [rdi + 840h]
//.text : 000007FF34FB366B                 lea     rdx, [rsp + 58h + arg_0]
//.text : 000007FF34FB3670                 mov     r8, [rbx + 8]
//.text : 000007FF34FB3674                 xor     r9d, r9d
//.text : 000007FF34FB3677                 mov     rcx, rbx
//.text : 000007FF34FB367A                 call ? NewNode@ 
//.text : 000007FF34FB367F                 mov     rcx, [rbx + 8]
//.text : 000007FF34FB3683                 test    rcx, rcx
//.text : 000007FF34FB3686                 jz      short loc_7FF34FB368D
//.text : 000007FF34FB3688 loc_7FF34FB3688 : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) + 149j
//.text : 000007FF34FB3688                 mov[rcx], rax
//.text : 000007FF34FB368B                 jmp     short loc_7FF34FB3690
//.text : 000007FF34FB368D; -------------------------------------------------------------------------- -
//.text : 000007FF34FB368D
//.text : 000007FF34FB368D loc_7FF34FB368D : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) + 192j
//.text : 000007FF34FB368D
        QueueNode *pNewNode = ATL::CAtlList::NewNode(pQueueNode->Top, pQueueNode->Prev, pQueueNode->Next);
        if(pQueueNode->Next == NULL)
            pQueueNode->Next = pNewNode;
            pQueueNode = pNewNode;
//.text : 000007FF34FB3690                 cmp[rsp + 58h + arg_20], 0
//.text : 000007FF34FB3698                 mov[rbx + 8], rax
//.text : 000007FF34FB369C                 mov     ebx, 1
//.text : 000007FF34FB36A1                 jz      short loc_7FF34FB36A9
//.text : 000007FF34FB36A3                 mov[rdi + 0A88h], ebx
//.text : 000007FF34FB36A9
//.text : 000007FF34FB36A9 loc_7FF34FB36A9 : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) + 1ADj
//.text : 000007FF34FB36A9                 mov     rcx, rdi
//.text : 000007FF34FB36AC                 call ? OnAsyncDataWrite@CStadiumSocket@@AEAAXXZ; CStadiumSocket::OnAsyncDataWrite(void)
        pQueueNode->Next = pQueueNode;
        m_bPostHandshake = bLastHandshake;
//.text : 000007FF34FB35EB                 jz      short loc_7FF34FB364F
//.text : 000007FF34FB35ED                 test    rbx, rbx
//.text : 000007FF34FB35F0                 jz      short loc_7FF34FB3644
//.text : 000007FF34FB35F2                 mov     rcx, [rbx + 10h]
//.text : 000007FF34FB35F6                 mov     rax, [rbx]
//.text : 000007FF34FB35F9                 test    rcx, rcx
//.text : 000007FF34FB35FC                 jz      short loc_7FF34FB3607
//.text : 000007FF34FB35FE                 cmp     dword ptr[rcx + 4008h], 0
//.text : 000007FF34FB3605                 jz      short loc_7FF34FB360F
//.text : 000007FF34FB3607
//.text : 000007FF34FB3607 loc_7FF34FB3607 : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) + 108j
//.text : 000007FF34FB3607                 mov     rbx, rax
//.text : 000007FF34FB360A                 test    rax, rax
//.text : 000007FF34FB360D                 jmp     short loc_7FF34FB35EB
//.text : 000007FF34FB360F; -------------------------------------------------------------------------- -
//.text : 000007FF34FB360F
//.text : 000007FF34FB360F loc_7FF34FB360F : ; CODE XREF : CStadiumSocket::SendData(char *, uint, int, int) + 111j
//.text : 000007FF34FB360F                 lea     rcx, aCstadiumsoc_28; "CStadiumSocket::SendData: InsertBefore "...
//.text : 000007FF34FB3616                 call ? SafeDbgLog@@YAXPEBGZZ; SafeDbgLog(ushort const *, ...)
    else if(bPostHandshake)
        pQueueNode *pNodePtr = pQueueNode;
        while(pNodePtr->Next != NULL)
            pNodePtr = pNodePtr->Next;
            if(pNodePtr.pData[0x4008] == 0)
        SafeDbgLog("CStadiumSocket::SendData: InsertBefore in search.");
//.text : 000007FF34FB361B                 mov     rsi, [rdi + 840h]
//.text : 000007FF34FB3622                 mov     r8, [rbx + 8]
//.text : 000007FF34FB3626                 lea     rdx, [rsp + 58h + arg_0]
//.text : 000007FF34FB362B                 mov     rcx, rsi
//.text : 000007FF34FB362E                 mov     r9, rbx
//.text : 000007FF34FB3631                 call ? NewNode@ 
//.text : 000007FF34FB3636                 mov     rcx, [rbx + 8]
//.text : 000007FF34FB363A                 test    rcx, rcx
//.text : 000007FF34FB363D                 jnz     short loc_7FF34FB3688
//.text : 000007FF34FB363F                 mov     [rsi], rax
//.text : 000007FF34FB3642                 jmp     short loc_7FF34FB3690
        QueueNode *pNewNode = ATL::CAtlList::NewNode(pQueueNode->Top, pQueueNode->Prev, pQueueNode->Next);
        //Follows same insertion logic, except for ->Prev. Sets handshake flag again.

The logic looks rather complicated, but it the overall picture is that this function is responsible for scheduling of messages leaving the network and tags them with their type (handshake or not). It allocates and writes the buffer to send out and inserts it in to the message queue, which is read by OnASyncDataWrite and sent out after adding the encryption layer. Hooking this function will allow for the filtering of messages leaving the client for purposes of logging, fuzzing/modification, or other suitable purposes.


This function is responsible for decrypting socket data after it comes in over the network from the server. In the case that the client is sending packets, CStadiumSocket::SendData is called, which in turn calls CStadiumSocket::OnASyncDataWrite; correspondingly the reverse happens in the receive case, and a CStadiumSocket::OnASyncDataRead function calls CStadiumSocket::DecryptSocketData. The internal works of this function are not necessarily important, and I will omit my x64 -> C conversion notes. The important part is to get a pointer to the buffer that has been decrypted. Doing so will allow for monitoring of messages coming from the server and like the SendData case, allows for logging or fuzzing of incoming messages to test client robustness. Doing some runtime tracing of this function, I found a good spot to pull the decrypted data from:

//.text : 000007FF34FB3D20                 movsxd  rcx, dword ptr[rdi + 400Ch]
.text : 000007FF34FB3D27                 mov     r8d, [r12]; size_t
.text : 000007FF34FB3D2B                 mov     rdx, [r12 + 8]; void *
.text : 000007FF34FB3D30                 add     rcx, rdi; void *
.text : 000007FF34FB3D33                 call    memmove

After the call to memmove, RDX will contain the decrypted buffer, with R8 containing the size. This seems like the perfect place to set the hook, at CStadiumSocket::DecryptSocketData + 0x1C3.


The last function to look at. What happens here is also not necessarily important for our needs; looking through the assembly, it send out a “goodbye” message, what internally is referred to as a SEC_HANDSHAKE by the application, and shuts down send operations on the socket. Messages are still received and written out to the debug log (in the event that debug logging is enabled), and the socket is fully shut down and cleaned up after nothing is left to receive. This function is only hooked if we plan on doing something across multiple games in the same program instance, e.g. we resign a game and start a new one without restarting the application. Seeing this function called allows us to know that the CStadiumSocket instance captured by CStadiumSocket::BeginConnect is no longer valid for use.

Wrapping Up

Having all of this done and analyzed, changing the vectored exception handler to hook these functions (or in the middle of a function in the case of CStadiumSocket::DecryptSocketData) is just as simple as it was in the last post:

    if(pExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION)
        pExceptionInfo->ContextRecord->EFlags |= 0x100;
        DWORD_PTR dwExceptionAddress = (DWORD_PTR)pExceptionInfo->ExceptionRecord->ExceptionAddress;
        CONTEXT *pContext = pExceptionInfo->ContextRecord;
        if(dwExceptionAddress == (DWORD_PTR)BeginConnectFnc)
            pThisPtr = (void *)pContext->Rcx;
            printf("Starting connection. CStadiumSocket instance is at: %016X\n", pThisPtr);
        else if(dwExceptionAddress == (DWORD_PTR)SendDataFnc)
            DWORD_PTR *pdwParametersBase = (DWORD_PTR *)(pContext->Rsp + 0x28);
            SendDataHook((void *)pContext->Rcx, (char *)pContext->Rdx, (unsigned int)pContext->R8, (int)pContext->R9, (int)(*(pdwParametersBase)));
        else if(dwExceptionAddress == (DWORD_PTR)DecryptSocketDataFnc + 0x1C3)
            DecryptSocketDataHook((char *)pContext->Rdx, (unsigned int)pContext->R8);
        else if(dwExceptionAddress == (DWORD_PTR)DisconnectFnc)
            printf("Closing connection. CStadiumSocket instance is being set to NULL\n");
            pThisPtr = NULL;
    if(pExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP)

To have some fun, the injected DLL can create a dialog box for chat input and send it over to the server. The game server expects a numeric value corresponding to the allowed chat in the scrollbox, but does not do any checking on it. This allows for any arbitrary message to be sent over to the server and the player on the other side will see it. The only caveat is that spaces (0x20) characters must be converted to %20. The code is as follows

INT_PTR CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
    case WM_COMMAND:
            case ID_SEND:
                //Possible condition here where Disconnect is called while custom chat message is being sent.
                if(pThisPtr != NULL)
                    char strSendBuffer[512] = { 0 };
                    char strBuffer[256] = { 0 };
                    GetDlgItemTextA(hwndDlg, IDC_CHATTEXT, strBuffer, sizeof(strBuffer) - 1);
					//Extremely unsafe example code, careful...
					for (unsigned int i = 0; i < strlen(strBuffer); ++i)
						if (strBuffer[i] == ' ')
							memmove(&strBuffer[i + 3], &strBuffer[i + 1], strlen(&strBuffer[i]));
							strBuffer[i] = '%';
							strBuffer[i + 1] = '2';
							strBuffer[i + 2] = '0';
                    _snprintf(strSendBuffer, sizeof(strSendBuffer) - 1,
                        "CALL Chat sChatText=%s&sFontFace=MS%%20Shell%%20Dlg&arfFontFlags=0&eFontColor=12345&eFontCharSet=1\r\n",
                    SendDataFnc(pThisPtr, strSendBuffer, (unsigned int)strlen(strSendBuffer), 0, 1);
        return FALSE;
    return TRUE;
    return (DWORD)DialogBox((HINSTANCE)hModule, MAKEINTRESOURCE(DLG_MAIN), NULL, DialogProc);

Here is an example of it at work:

Additional Final Words

Some other fun things to mess with:

  • Logging can be enabled by patching out
.text : 000007FF34FAB6FA                 cmp     cs : ? m_loggingEnabled@@3_NA, 0; bool m_loggingEnabled
.text : 000007FF34FAB701                 jz      short loc_7FF34FAB77E

and creating a “LoggingEnabled” expandable string registry key at HKEY_CURRENT_USER/Software/Microsoft/zone.com. The logs provide tons of debug output about the internal state changes of the application, e.g.

[Time: 05-01-2014 21:48:59.253]
    m_pFullState:    0x00000000
  • The values in the ZS_PublicELO and ZS_PrivateELO tags can be modified to be much higher values. If you do this on two clients you are guaranteed a match against yourself, unless someone else is also doing this.
  • The games have some cases where they do not perform full santization of game state, so making impossible moves is sometimes allowed.

The full source code relating to this can be found here.

