📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.








 Forums >>  Brainstorms - General  >>  Hook C++ STL

Topic created on: March 20, 2010 07:53 CDT by djnemo .

Hello...

Can anyone help with how to hook the C/C++ runtime library and STL? Are they also in a DLL?
For example:
strcpy(), memcpy(), mmap() and ...

Thanks

  cod     March 25, 2010 14:18.40 CDT
Normally strcpy, memcpy and mmap are statically compiled into the .exe, .dll. If your software imports the functions from another library, you can use a hook on the IAT/EAT or inline. Otherwise you will have to identify the functions (via binary matching) or use debug symbols, metadata...

  RabidCicada     March 26, 2010 11:48.29 CDT
djnemo,

There is no universal solution for hooking the C++ STL.  The programming world is driven by contracts (APIs), and as long as an implementation follows the contract (which specifies behavior), they (software developers/library developers) can do it however they want.  In other words, everyone's code for the C++ runtime can look different but do the same thing.

That being said... you are going to see lots of different implementations of the C++ STL and language runtime.  Each compiler generally has its own implementation.

These are provided in DLLs, .SOs, etc. and are linked to either dynamically or statically.  Static linking means that the literal binary code for a particular thing has been included in your binary object.  Dynamic linking means that your binary calls out to another binary that actually holds the code for the particular thing you linked against.

To be specific...because the STL is pretty much all header files and all templates, your compiler creates the source code for each version of a templated function you use and then compiles this created source code all on the fly when you "compile".

This means you will need to find the code in your own binary, then hook it.

The C++ runtime is usually provided in a DLL or .SO and can be included statically or dynamically.  If you compile against the runtime statically then you will have to find the code inside your own binary object (because the compiler puts it straight into your own code) and hook it.  If compiled dynamically you will have many options to hook the code.  Those options include hooking the IAT of your executable object, hooking the EAT of the C++ runtime executable object before the OS fully loads it, or doing hooking after the C++ runtime is loaded by patching the functions themselves (code caves + trampolines).

Ultimately, to hook it you need to FIND it then PATCH something in memory.  Finding every implementation's version of the C++ runtime code in memory will prove to be pragmatically impossible (IDA Pro does it, but their only purpose is to identify code:) ).  You will need to target a specific one or patch at the call site of the function call rather than patching the runtime itself.
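
The first question in the thread (is a given runtime function in a DLL or compiled into the binary?) can be answered by reading the PE import directory. The following is an added example, not code from any poster in this thread: the names `imports`, `linkage` and `sample_pe` are hypothetical, and the input is a constructed minimal PE32 image that imports `memcpy` from `msvcrt.dll` and nothing else.

```python
import struct

def imports(data):
    """Return {dll_name: [imported names]} from a PE32/PE32+ import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, optsize = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe64 else 96) + 8)[0]
    secs = [struct.unpack_from("<8xIIII", data, opt + optsize + 40 * i) for i in range(nsec)]
    def off(rva):  # RVA -> file offset through the section table
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} not in any section")
    def cstr(o):  # NUL-terminated ASCII string at file offset o
        return data[o:data.index(b"\0", o)].decode("ascii")
    out, d = {}, off(imp_rva) if imp_rva else None
    width, fmt = (8, "<Q") if pe64 else (4, "<I")
    while d is not None:  # walk 20-byte import descriptors until the zero one
        oft, _, _, name, ft = struct.unpack_from("<5I", data, d)
        if not name:
            break
        t, funcs = off(oft or ft), []
        while (v := struct.unpack_from(fmt, data, t)[0]):  # thunk array, 0-terminated
            funcs.append(f"#{v & 0xFFFF}" if v >> (width * 8 - 1) else cstr(off(v & 0x7FFFFFFF) + 2))
            t += width
        out[cstr(off(name)).lower()] = funcs
        d += 20
    return out

def linkage(data, wanted=("strcpy", "memcpy")):  # name -> importing DLL, or None
    owner = {f: dll for dll, fs in imports(data).items() for f in fs}
    return {f: owner.get(f) for f in wanted}

def sample_pe():  # constructed minimal PE32 image for this demo, not a real binary
    b = bytearray(0x400)
    b[0:2], b[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", b, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<HH12xH", b, 0x44, 0x14C, 1, 224)     # COFF header, 1 section
    struct.pack_into("<H", b, 0x58, 0x10B)                  # PE32 magic
    struct.pack_into("<II", b, 0xC0, 0x1000, 40)            # import directory entry
    struct.pack_into("<8sIIII", b, 0x138, b".idata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<5I", b, 0x200, 0x1028, 0, 0, 0x1040, 0x1034)  # one descriptor
    struct.pack_into("<I", b, 0x228, 0x1050)                # one by-name thunk
    b[0x240:0x24A], b[0x252:0x258] = b"msvcrt.dll", b"memcpy"
    return bytes(b)
```

A DLL name in the result means calls go through an IAT slot, which is the dynamically linked case described above. `None` means the name is not in the import table, so the function is either compiled into the binary, unused, or resolved at run time, and has to be located in the code itself.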
