OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Article Abstract Caveat Emptor: This article was not written to read like a novel. It is a to-the-point technical dump describing the inner workings of Microsoft's cold and hot patching process. The majority of the symbolic names listed below have been derived from NTDLL and NTOSKRNL. Please post any questions you may have directly (for the benefit of others) to this article and the author will gladly respond. The article may be updated in the future to include some of these answers inline.

A companion download including examples and appropriate header files is available for download: MSPatching.zip.

Full Article ...

Printer Friendly ...

Article Comments

Opcode	Posted: Thursday, April 27 2006 08:43.22 CDT
Awesome article! Thanks!!!

JxT	Posted: Saturday, May 6 2006 03:38.03 CDT
This is a good write up, thanks for sharing!

r1ck	Posted: Thursday, August 17 2006 16:07.29 CDT
I'm a win32 ignorant, but why not to cold-patch directly the PE code and relocate all jumps? What happens with loaded processes? the file will be locked and will not be editable.

EliCZ	Posted: Friday, August 18 2006 01:45.52 CDT
Cold-patched image has the faulty functions redirected to PE coldpatch section, all jumps do not have to be relocated (why?). Existing processes are hot-patched. The other thing is why not to perform specific and most used hotpatch (5x nop + mov ezz, ezz -> long + short jump) in one 7-byte hook instead in two (5-byte + 2-byte) hooks.

r1ck	Posted: Friday, August 18 2006 13:49.09 CDT
Hot-patch is not persistent, is only in memory. The running processes cannot be cold-patched, isn't it? when you are cold-patching, if you replace a 2 bytes instruction by a 4 bytes instruction all code will be moved and the non-relative jumps will need to be recalculated.

mugg	Posted: Tuesday, January 23 2007 01:26.44 CST
Got an example of Microsoft using the 'hot-patch' functionality? Any kernel mode hot patches?

EliCZ	Posted: Wednesday, January 24 2007 09:04.35 CST
819696, 823182, 888113, 893086, 899588, 901190 for x86. Right now none for x64, IA64; none for kernel mode.

h4x0r

Posted: Monday, May 14 2007 18:44.09 CDT

heh, so microsoft actually got hot-paching done while gnu hippies just kept theoretizing about it http://www.uwsg.iu.edu/hypermail/linux/kernel/0509.2/1164.html.

i haven't yet dug much into it, just read the article and source... msdn documentation of the actual process is rather superficial, so there are few things puzzling me:

1) why is cold patching done in such a tedious way? why not just replace entire PE binaries the usual way it's done? the only explanation seems to be in order to keep in sync with hot-patched memory image, for cases the binary gets paged out of physical memory?

2) you mention that userspace hot-patching is possible with non-driver privs - being under impression that NT is clever enough and patches the actual shared pages, wouldn't that result injecting code into privileged process sharing the same .dll? again, this is under (possibly wrong) assumption that ExApplyCodePatch verifies process, not the actual file. it may be quite possible that ntdll just OpenProcess' and does the usual stuff, but that wouldn't be microsoft..

and lastly, if this api is present in vista, together with their kernel patchguard, it'll be anecdotal couple - provided there are no signing constraints ;-)

disassembly of relevant apis is definitively in order.

ps: great to see some .cz scene oldschoolers still playing with new stuff nowadays, if you ever come over pilsen, gimme a ring ;)

-sd

lain32	Posted: Sunday, November 30 2008 04:32.20 CST
Good!!

xpoy

Posted: Monday, May 2 2011 10:45.37 CDT

a list of RTL_PATCH_HEADER structures in TargetModule.LDR_DATA_TABLE_ENTRY.PatchInformation is traversed and bytes at HOTPATCH_HOOK_DESCRIPTOR.CodeOffset are compared with the prepared branch instruction.

Shall this be:
a list of RTL_PATCH_HEADER structures in TargetModule.LDR_DATA_TABLE_ENTRY.PatchInformation is traversed and bytes at RTL_PATCH_HEADER.CodeInfo.CodeDescriptors[].CodeOffset are compared with the prepared branch instruction.

?

There are 31,313 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit