easyhook bugs for x64

Jun 18, 2009 at 6:48 AM

Hook MessageBoxA before

000000007744E5AC 48 83 EC 38      sub         rsp,38h
000000007744E5B0 83 3D 91 2B 02 00 00 cmp     dword ptr [77471148h],0
000000007744E5B7 74 2F            je          000000007744E5E8
000000007744E5B9 65 48 8B 04 25 30 00 00 00 mov         rax,qword ptr gs:[30h]
000000007744E5C2 4C 8B 50 48      mov         r10,qword ptr [rax+48h]
000000007744E5C6 33 C0            xor         eax,eax
000000007744E5C8 F0 4C 0F B1 15 47 47 02 00 lock cmpxchg qword ptr [77472D18h],r10
000000007744E5D1 4C 8B 15 38 47 02 00 mov         r10,qword ptr [77472D10h]
000000007744E5D8 B8 01 00 00 00   mov         eax,1
000000007744E5DD 4C 0F 44 D0      cmove       r10,rax
000000007744E5E1 4C 89 15 28 47 02 00 mov         qword ptr [77472D10h],r10
000000007744E5E8 83 4C 24 28 FF   or          dword ptr [rsp+28h],0FFFFFFFFh
000000007744E5ED 66 83 64 24 20 00 and         word ptr [rsp+20h],0
000000007744E5F3 E8 80 01 00 00   call        000000007744E778
000000007744E5F8 48 83 C4 38      add         rsp,38h
000000007744E5FC C3               ret             

Hook After

000000007744E5AC E9 E7 1C E5 FF   jmp         00000000772A0298
000000007744E5B1 3D 91 2B 02 00   cmp         eax,22B91h
000000007744E5B6 00 74 2F 65      add         byte ptr [rdi+rbp+65h],dh
000000007744E5BA 48 8B 04 25 30 00 00 00 mov         rax,qword ptr [30h]
000000007744E5C2 4C 8B 50 48      mov         r10,qword ptr [rax+48h]
000000007744E5C6 33 C0            xor         eax,eax
000000007744E5C8 F0 4C 0F B1 15 47 47 02 00 lock cmpxchg qword ptr [77472D18h],r10
000000007744E5D1 4C 8B 15 38 47 02 00 mov         r10,qword ptr [77472D10h]
000000007744E5D8 B8 01 00 00 00   mov         eax,1
000000007744E5DD 4C 0F 44 D0      cmove       r10,rax
000000007744E5E1 4C 89 15 28 47 02 00 mov         qword ptr [77472D10h],r10
000000007744E5E8 83 4C 24 28 FF   or          dword ptr [rsp+28h],0FFFFFFFFh
000000007744E5ED 66 83 64 24 20 00 and         word ptr [rsp+20h],0
000000007744E5F3 E8 80 01 00 00   call        000000007744E778
000000007744E5F8 48 83 C4 38      add         rsp,38h
000000007744E5FC C3               ret          

Hook after Templine

00000000772A0378 48 83 C4 60      add         rsp,60h
00000000772A037C 0F 10 5C 24 C0   movups      xmm3,xmmword ptr [rsp-40h]
00000000772A0381 0F 10 54 24 D0   movups      xmm2,xmmword ptr [rsp-30h]
00000000772A0386 0F 10 4C 24 E0   movups      xmm1,xmmword ptr [rsp-20h]
00000000772A038B 0F 10 44 24 F0   movups      xmm0,xmmword ptr [rsp-10h]
00000000772A0390 41 59            pop         r9  
00000000772A0392 41 58            pop         r8  
00000000772A0394 5A               pop         rdx 
00000000772A0395 59               pop         rcx 
00000000772A0396 FF 20            jmp         qword ptr [rax]
; old asm code
00000000772A0398 48 83 EC 38      sub         rsp,38h
00000000772A039C 83 3D 91 2B 02 00 00 cmp     dword ptr [772C2F34h],0
00000000772A03A3 E9 0F E2 1A 00   jmp         000000007744E5B7

red color is the bug, access address is changed.