Kerberos API Tracing
c1de0x <c1de0xgmailcom> Monday, May 14 2007 12:28.20 CDT


Hi all,

I'm looking into API tracing, and heard about kerberos (Rustem Fasihov) in this thread: https://www.openrce.org/forums/posts/274.

As I've been grappling with my own hooking engine for a couple of days, I couldn't resist looking under the hood.

I discovered that at its core, kerberos seems to use 5-byte hotpatch hooks, which isn't surprising, as it's the mechanism I was using and also - to some degree - that favored by Detours.

What is interesting is that there don't seem to be any 'trampoline' functions. In other words, in both my solution and Detours, it is necessary to generate a 'jump function' (which acts as the target of the 5-byte JMP patch) for each API being hooked. The 'jump'/'trampoline' function typically has the address of the instruction immediately following the patch hard-coded into a JMP so that execution can continue.

It seems that kerberos takes a different approach, though: all patches, for all hooked functions, jump to the same method, which begins:

    pushf                           ; save flags before touching the semaphore
spin:
    cmp    g_inHookSemaphore, 1     ; is another thread already inside the hook?
    jz     spin                     ; yes: busy-wait
    mov    g_inHookSemaphore, 1     ; no: claim the semaphore
    popf
    pop    data1                    ; values pushed by the 5-byte patch site
    pop    data2
    pushf
    pusha                           ; save all registers for the tracer
    ...


Comments
camus Posted: Tuesday, May 15 2007 13:16.42 CDT
Are you sure about that? It's hard to believe :S

Here you have an active wait:

spin:
  cmp    g_inHookSemaphore, 1
  jz     spin

which is a processor-consuming operation.
And this is a race condition:

    jz     spin
    mov    g_inHookSemaphore, 1

Aren't they?

jms Posted: Wednesday, May 16 2007 12:08.44 CDT
Well, it could be that this function is trying to determine whether it can use that semaphore, and if not it spinlocks. The next instruction appears to then set the semaphore as locked and continue the instructions; then when the next thread comes in it will spin again.

Then again, what do I know?

anonymouse Posted: Wednesday, May 16 2007 13:10.31 CDT
g_whatever is a name that was given by you?

Supposedly it's looking at whether some other thread is executing the hook, it seems,
because when the function finishes it sets the global dword to 0 before exiting:

References in ke_core:.text to 10004000..10004003
Address    Disassembly                               Comment
10002547   CMP DWORD PTR DS:[10004000],1             DS:[10004000]=00000000
10002550   MOV DWORD PTR DS:[10004000],1             DS:[10004000]=00000000
10002696   MOV DWORD PTR DS:[10004000],0             DS:[10004000]=00000000
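To make camus's race-condition question concrete, here is a small interleaving checker (an added example, not code from the kerberos engine or from any poster) that models the prologue's `cmp`/`jz`/`mov` sequence on g_inHookSemaphore next to an assumed `xchg`-based acquire, and enumerates every two-thread schedule on the shared semaphore:

```python
# Added example, not kerberos code: each step below is one memory access on
# the shared semaphore; the checker explores every two-thread schedule and
# reports whether both threads can be inside the hook at the same time.

def racy_program():
    """spin: cmp g_inHookSemaphore,1 / jz spin / mov g_inHookSemaphore,1 /
    ... / mov g_inHookSemaphore,0 -- the test and the set are separate steps."""
    def test(st):                       # cmp + jz: only reads the semaphore
        return 0 if st["sem"] == 1 else 1
    def acquire(st):                    # mov sem,1: the write is a later step
        st["sem"] = 1
        return 2
    def release(st):                    # mov sem,0 before leaving the hook
        st["sem"] = 0
        return None                     # None = thread finished
    return [test, acquire, release]

def atomic_program():
    """Assumed fix: mov eax,1 / xchg [g_inHookSemaphore],eax / test eax,eax /
    jnz spin -- xchg with a memory operand is implicitly locked on x86."""
    def acquire(st):
        old, st["sem"] = st["sem"], 1   # read and write in one locked cycle
        return 0 if old == 1 else 1
    def release(st):
        st["sem"] = 0
        return None
    return [acquire, release]

def both_can_enter(program, threads=2):
    """True if some interleaving of `threads` copies of `program` leaves two
    threads inside the hook at once (acquired but not yet released)."""
    holding = len(program) - 1          # pc of the release step = "inside"
    start = (0, (0,) * threads)         # (semaphore value, per-thread pc)
    seen, stack = {start}, [start]
    while stack:
        sem, pcs = stack.pop()
        for t, pc in enumerate(pcs):
            if pc is None:
                continue
            st = {"sem": sem}
            nxt = program[pc](st)
            new_pcs = pcs[:t] + (nxt,) + pcs[t + 1:]
            if sum(p == holding for p in new_pcs) > 1:
                return True
            state = (st["sem"], new_pcs)
            if state not in seen:       # finite state space, so spinning terminates
                seen.add(state)
                stack.append(state)
    return False
```

`both_can_enter(racy_program())` returns True (both threads pass the `cmp` before either executes the `mov`), while `both_can_enter(atomic_program())` returns False.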