blob: dfde17e9f5160c0fe1e342c98a452463ba2d9251 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
# cdl86
```
________ __ ___ ____
/ ___/ _ \/ / ( _ )/ __/
/ /__/ // / /__/ _ / _ \
\___/____/____/\___/\___/
```
`cdl86` - `Compact Detours Library 86`
> **Demo Projects** <br>
> [`gsctool`](https://github.com/lunar-sh/gsctool)
> [`cs2rec`](https://github.com/FASTCUP/cs2rec)
# Abstract
`cdl86` is a tiny, single file, cross platform `detours` library written in `C` in less than `1K` lines.
[`https://journal.lunar.sh/2022/linux-detours.html`](https://journal.lunar.sh/2022/linux-detours.html)
It allows for the interception of `x86` and `x86_64` `C/C++` binary functions in memory following code injection.
Currently the following platforms are supported:
- `Linux`
- `MS Windows`
The library currently supports two types of function hooks:
* `JMP` patch - patches origin function with a `JMP` to detour.
* `INT3` patch - places software breakpoint (`SWBP`) at origin address.<br>
Handles `control flow` to `detour`.
> Note: This project makes use of an internal `x86` instruction length disassembly engine.
# API
```
struct cdl_jmp_patch cdl_jmp_attach(void **target, void *detour);
struct cdl_swbp_patch cdl_swbp_attach(void **target, void *detour);
void cdl_jmp_detach(struct cdl_jmp_patch *jmp_patch);
void cdl_swbp_detach(struct cdl_swbp_patch *swbp_patch);
void cdl_jmp_dbg(struct cdl_jmp_patch *jmp_patch);
void cdl_swbp_dbg(struct cdl_swbp_patch *swbp_patch);
```
The `API` is documented in more detail in the corresponding `header` and `source`
files.
# Example Usage
Assuming we have a function `add()` that is defined as follows:
```
int add(
__in int x,
__in int y
)
{
printf("Inside original function\n");
return x + y;
}
```
Assuming we want to hook this function with `cdl86` the first step
is to define a function pointer `typedef` and declare our `detour` function:
```
typedef int add_t(
__in int x,
__in int y
);
add_t* addo = NULL;
```
```
// define detour function
int add_detour(
__in int x,
__in int y
)
{
printf("Inside detour function\n");
return addo(5,5);
}
```
Then in our `main()` function we create a `cdl_jmp_patch` struct and assign
a value to `addo` (our function pointer to the original function):
```
struct cdl_jmp_patch jmp_patch = {};
addo = (add_t*)add;
```
Finally call `cdl_jmp_attach` as follows:
```
jmp_patch = cdl_jmp_attach((void**)&addo, add_detour);
```
The original function `add` has now been hooked!
To dump `debug` info from the `cdl_jmp_patch` struct use `cdl_jmp_dbg`.
# Info
The compiler used for this project is [`tcc`](https://github.com/lunar-sh/tcc).
Files:
<br/>
* `cdl.c` - `C` source file for `CDL`.
* `cdl.h` - `CDL` header file to include.
Folders:
* `/tests` - `CDL` test suite.
# Signature
```
+---------------------------------------+
| .-. .-. .-. |
| / \ / \ / \ |
| / \ / \ / \ / |
| \ / \ / \ / |
| "_" "_" "_" |
| |
| _ _ _ _ _ _ ___ ___ _ _ |
| | | | | | | \| | /_\ | _ \ / __| || | |
| | |_| |_| | .` |/ _ \| /_\__ \ __ | |
| |____\___/|_|\_/_/ \_\_|_(_)___/_||_| |
| |
| |
| Lunar RF Labs |
| https://lunar.sh |
| |
| Research Laboratories |
| Copyright (C) 2022-2025 |
| |
+---------------------------------------+
```
|
