Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Breaking on unsupported RIP-addressing? #21

Open
Convery opened this issue Nov 21, 2019 · 11 comments
Open

Breaking on unsupported RIP-addressing? #21

Convery opened this issue Nov 21, 2019 · 11 comments
Labels
pinned

Comments

@Convery
Copy link

Convery commented Nov 21, 2019
edited
Loading

mhook/mhook-lib/mhook.cpp

Lines 1004 to 1013 in 2238938

else if ( (pins->OperandCount >= 1) && (pins->Operands[0].Flags & OP_IPREL) )
{
// unsupported rip-addressing
ODPRINTF((L"mhooks: DisassembleAndSkip: found unsupported OP_IPREL on operand %d", 0));
// dump instruction bytes to the debug output
for (DWORD i=0; i<pins->Length; i++)
{
ODPRINTF((L"mhooks: DisassembleAndSkip: instr byte %2.2d: 0x%2.2x", i, pLoc[i]));
}
break;

In this, and the following two cases, the break can (and does in my tests) cause the hook installation to fail. I have personally removed them on my end and it works well. But what's the reasoning for breaking here?
@SergiusTheBest
Copy link
Member

What API are you trying to hook? Can you post its prologue from disasm?

@Convery
Copy link
Author

Convery commented Nov 21, 2019
edited
Loading

Looks like this and fails with found unsupported OP_IPREL on operand 1 on 0000000063812C84.

0000000063812C80  sub         rsp,28h  
0000000063812C84  mov         r9d,dword ptr [6382A770h]  
0000000063812C8B  test        r9d,r9d  
0000000063812C8E  je          0000000063812CA1  
0000000063812C90  xor         edx,edx  
0000000063812C92  mov         ecx,r9d  
0000000063812C95  call        00000000638126C0

@stale
Copy link

stale bot commented Jan 10, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jan 10, 2020
@stale
Copy link

stale bot commented Mar 1, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Mar 1, 2020
@stale
Copy link

stale bot commented Apr 22, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Apr 22, 2020
@stale
Copy link

stale bot commented Jun 11, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jun 11, 2020
@stale
Copy link

stale bot commented Jul 31, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jul 31, 2020
@stale
Copy link

stale bot commented Sep 19, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Sep 19, 2020
@stale
Copy link

stale bot commented Nov 13, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Nov 13, 2020
@razuit
Copy link

razuit commented Dec 10, 2022

In case it helps anyone: DeleteFileW on Windows 11 21H2 experiences this issue as well:

mhooks: DisassembleAndSkip: found unsupported OP_IPREL on operand 0
mhooks: DisassembleAndSkip: instr byte 00: 0xe8
mhooks: DisassembleAndSkip: instr byte 01: 0x2f
mhooks: DisassembleAndSkip: instr byte 02: 0x00
mhooks: DisassembleAndSkip: instr byte 03: 0x00
mhooks: DisassembleAndSkip: instr byte 04: 0x00

Here is the disassembly of DeleteFileW (mhook breaks on second line):

KERNELBASE!DeleteFileW:
00007ffb`0dada600 4883ec28        sub     rsp,28h
00007ffb`0dada604 e82f000000      call    KERNELBASE!InternalDeleteFileW (00007ffb`0dada638)

@SergiusTheBest
Copy link
Member

@razuit Thanks!

vm2mv added a commit to vm2mv/mhook that referenced this issue Oct 10, 2023
@vm2mv
disable "unsupported rip-addressing" case, see issue apriorit#21
79a0fff
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pinned
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@razuit @Convery @SergiusTheBest