Does anyone know a good way to capture calls?
The target OS is Windows >= 2000 32 bit. But solutions covering other operating systems would be very welcome!
It should be an alternative to modifying the standard function prologues.
At the moment I am playing with the following attempt:
I am scanning the code for all 0xE8 instructions and adding their addresses to a table, so that I can stop every time the instruction address is contained in this table.
This is not really what I want, and as you can imagine it is slow like hell. By scanning for 0xE8 instructions during runtime I got even worse results, even though I might be able to speed it up a little bit. Anyway, in my opinion there won't be much to improve, since I think this concept is wrong. Hence I am looking for another possibility.
Maybe there is no worthwhile solution anyway. If so I will just discard this idea and go back to using modified standard function prologues.
You could ReadProcessMemory starting at the text/code section of the process, scan through finding all 0xE8 bytes, and replace them (WriteProcessMemory) with 0xCC (INT3), which will break into the debugger.
Could you give us more information on why you want to do this? (That is, what do you wish to accomplish?) Since you have the source code, it would be easy enough to simply call your own modified versions of the standard library functions...
Yes.
Or, to be exact, I want to execute some code before every occurrence of the mnemonic 'call'.
I need it to let my AI evaluate and modify dynamically created functions, or even, some day (I am still far away from that), itself.
At the moment I add some code to the prologue of each created function: push the position on the stack, jump to the code, execute the code, get the position from the stack and jump back.
This works quite well, but I was looking for a solution where I can leave the function body intact, if there is any adequate possibility.
[edit]@mackabee As I have done it, it is a little bit more complex, since I only want to detect the call statement, not every occurrence of the same value. But that is not my problem. The problem is to do this in an efficient way.[/edit]
[edit2]I do not have all the source code, since it is a project for an AI responsible for the creation of some parts. I cannot even predict which parts or how, since a part is created pseudo-randomly. The AI is intended to "learn" then by trial and error.[/edit2]
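The two mechanisms discussed so far (scanning the code section for 0xE8 bytes, and the suggestion of swapping each one for 0xCC while remembering the original byte) can be exercised on a byte buffer instead of live process memory. The following C program is an added example; it is not code from the question or from any reply in this thread. The byte sequence in it is constructed, and the plausibility filter (a call's target must land inside the buffer) is an assumption of mine, not something the thread proposes. It shows the over-reporting the asker describes: the immediate of `mov eax, 0x3E8` contains an E8 byte that is not a call, and decoding it as a call yields a target far outside the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of 32-bit x86 code (not from the thread):
 *   offset 0:  E8 00 00 00 00   call +0          ; target = offset 5
 *   offset 5:  B8 E8 03 00 00   mov eax, 0x3E8   ; the immediate holds an E8 byte
 *   offset 10: C3               ret
 */
static const uint8_t sample_code[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,
    0xB8, 0xE8, 0x03, 0x00, 0x00,
    0xC3
};
static const size_t sample_len = sizeof sample_code;

#define MAX_HITS 64

/* Naive byte scan: reports every 0xE8 byte, including ones that are merely
 * operands of other instructions. */
size_t scan_for_e8(const uint8_t *code, size_t len, size_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++)
        if (code[i] == 0xE8)
            hits[n++] = i;
    return n;
}

/* Decode the rel32 of a CALL at `off`: target = offset of the next instruction
 * + little-endian signed displacement, modulo 2^32 as the CPU computes it.
 * Returns 0 if the byte is not E8 or fewer than 5 bytes are available. */
int decode_call_target(const uint8_t *code, size_t len, size_t off, uint32_t *target)
{
    if (off + 5 > len || code[off] != 0xE8)
        return 0;
    uint32_t rel = (uint32_t)code[off + 1]        | (uint32_t)code[off + 2] << 8
                 | (uint32_t)code[off + 3] << 16 | (uint32_t)code[off + 4] << 24;
    *target = (uint32_t)(off + 5) + rel;
    return 1;
}

/* Heuristic (my assumption): a genuine call into this buffer lands inside it.
 * Only disassembly from a known entry point settles it for real, because x86
 * instructions are variable-length and E8 can sit inside any operand. */
int plausible_call(const uint8_t *code, size_t len, size_t off)
{
    uint32_t t;
    return decode_call_target(code, len, off, &t) && t < len;
}

/* Breakpoint table for the 0xCC idea: keep the replaced byte so the original
 * instruction can be put back when the INT3 fires. */
struct bp { size_t off; uint8_t orig; };

size_t plant_int3(uint8_t *code, size_t len, struct bp *table, size_t max)
{
    size_t hits[MAX_HITS], planted = 0;
    size_t n = scan_for_e8(code, len, hits, MAX_HITS);
    for (size_t i = 0; i < n && planted < max; i++) {
        if (!plausible_call(code, len, hits[i]))
            continue;                          /* skip E8 bytes inside operands */
        table[planted].off  = hits[i];
        table[planted].orig = code[hits[i]];
        code[hits[i]] = 0xCC;
        planted++;
    }
    return planted;
}

void restore_int3(uint8_t *code, const struct bp *table, size_t n)
{
    for (size_t i = 0; i < n; i++)
        code[table[i].off] = table[i].orig;
}

/* Demo entry points: naive hit count (2), decoded target of the real call (5),
 * and a plant/restore round trip on a private copy (1 on success). */
size_t demo_naive_hits(void)
{
    size_t hits[MAX_HITS];
    return scan_for_e8(sample_code, sample_len, hits, MAX_HITS);
}

uint32_t demo_first_target(void)
{
    uint32_t t = 0;
    decode_call_target(sample_code, sample_len, 0, &t);
    return t;
}

int demo_plant_and_restore(void)
{
    uint8_t copy[sizeof sample_code];
    struct bp table[MAX_HITS];
    memcpy(copy, sample_code, sample_len);
    size_t n = plant_int3(copy, sample_len, table, MAX_HITS);
    int ok = (n == 1 && copy[0] == 0xCC && copy[6] == 0xE8);  /* offset 6 left alone */
    restore_int3(copy, table, n);
    return ok && memcmp(copy, sample_code, sample_len) == 0;
}

int main(void)
{
    printf("naive E8 hits: %zu, first call target: %u, plant/restore: %s\n",
           demo_naive_hits(), (unsigned)demo_first_target(),
           demo_plant_and_restore() ? "ok" : "FAILED");
    return 0;
}
```

The table kept by `plant_int3` is the same bookkeeping a debugger does: on the INT3 the saved byte goes back, the instruction is single-stepped, and the breakpoint is re-planted. The range filter only removes the obvious false positives; for the concern in the first edit (wanting the call statement, not every E8 value), the robust approach is to disassemble forward from a known entry point and record only the E8 bytes that start an instruction.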
Wow, thank you!
As far as I can see there is no solution in this project for my problem, but I really like it.
Unbelievable that this comes from Microsoft ;)
Some parts are really brilliant, and it contains lots of useful ruses about Windows internals for me.
This could have saved me weeks... and hopefully it will in the future. I am not yet through the source, but I'm absolutely positive that this will come in very handy.
Thanks a lot!