Jarlene/Imatinib
# Imatinib

Imatinib is an instrumentation tool that uses only inline patch hooking.

## Build Explanation

This tool is designed to be compiled with VC++ 6.0, which required fixing header support issues.
Capstone does not support VC++ 6.0, so I modified some parts of Capstone to compile
my project with VC++ 6.0
(e.g. removing stdint.h and changing the "long long" type to __int64 ...).
If you want to use MSVC 2010 or 2013, or a higher version of MSVC, you should restore
the changed parts of Capstone and WTL to the original (or a newer) version.

## VC++ 6.0 Build

Install VC++ 6.0 with Service Pack 6.0 and the Platform SDK for Windows Server 2003 R2.
If you are using Windows 8.x, also get the msvcp file.

I solved the problem that VC++ 6.0 does not run on Windows 8.x as follows:

  • Copy the msvcp.exe or msvcs.exe file into the following directory and run it from there:

  • C:\Program Files (x86)\Microsoft Visual Studio\Common\MSDev98\Bin


Start msvcp.exe or msvcs.exe instead of msdev.exe.

Open VC++ and choose the following menu:
- Tools->Options->Directories->Include Files.
Set the include directories in the following order:
C:\PROGRAM FILES (X86)\MICROSOFT PLATFORM SDK FOR WINDOWS SERVER 2003 R2\INCLUDE
C:\PROGRAM FILES (X86)\MICROSOFT PLATFORM SDK FOR WINDOWS SERVER 2003 R2\INCLUDE\MFC
C:\PROGRAM FILES (X86)\MICROSOFT PLATFORM SDK FOR WINDOWS SERVER 2003 R2\INCLUDE\ATL
C:\Program Files (x86)\Microsoft Visual Studio\VC98\INCLUDE
C:\Program Files (x86)\Microsoft Visual Studio\VC98\MFC\INCLUDE
C:\Program Files (x86)\Microsoft Visual Studio\VC98\ATL\INCLUDE

Compile and run.

I'll push an MSVC 2010 or 2013 edition to GitHub in the near future.
That work is much easier; there is no need for any particular changes.
I prefer VC++ 6.0 for 32-bit hooking because of the dependency problem.

## Mandatory use (required)

First open the file IniFileHandlers.cpp and look at the following part:

  • strcpy(DNA_Sequences[0], "wwlib.dll,5,0,3BC38946207473663918746E50FF15xxxxxxxx50FF7620E8xxxxxxxx3BC38985xxxxxxxx745468000200008D7E0C5756FFB5xxxxxxxx50FF15xxxxxxxx85C07439");
  • This strcpy call has to be changed, because you do not need this particular sequence.
  • For example, look at the following:
```
.text:00401010                         _main_0         proc near               ; CODE XREF: _main↑j
.text:00401010
.text:00401010 var_40 = byte ptr -40h
.text:00401010
.text:00401010 55 push ebp
.text:00401011 8B EC mov ebp, esp
.text:00401013 83 EC 40 sub esp, 40h
.text:00401016 53 push ebx
.text:00401017 56 push esi
.text:00401018 57 push edi
.text:00401019 8D 7D C0 lea edi, [ebp+var_40]
.text:0040101C B9 10 00 00 00 mov ecx, 10h
.text:00401021 B8 CC CC CC CC mov eax, 0CCCCCCCCh
.text:00401026 F3 AB rep stosd
.text:00401028 68 1C 20 42 00 push offset aHelloWorld ; "Hello World!\n"
.text:0040102D E8 2E 00 00 00 call _printf
```

- Binary string (or DNA sequence):
55 8B EC 83 EC 40 53 56 57 8D 7D C0 B9 10 00 00 00 B8 CC CC CC CC F3 AB 68 xx xx xx xx E8 xx xx xx xx
558BEC83EC405356578D7DC0B910000000B8CCCCCCCCF3AB68xxxxxxxxE8xxxxxxxx
You already know that the operands of the 0x68 (push) and 0xE8 (call) instructions need to be masked
(the operand values of these instructions change with relocation).
If you want to trace from the main entry point, the sequence may be specified as follows:
- strcpy(DNA_Sequences[0], "HelloWorld.exe,6,0,558BEC83EC405356578D7DC0B910000000B8CCCCCCCCF3AB68xxxxxxxxE8xxxxxxxx");
- The 0 in the strcpy string is the offset value applied to the position found when searching for the sequence.
- The 6 in the strcpy string is the size of the push ebp, mov ebp, esp and sub esp, 40h instructions.
- It is 6 because whole instructions are added until the first 5 bytes are covered.
- HelloWorld.exe in the strcpy string is the name of the target binary to instrument (or the DLL name).
- If your target is a DLL, the following forms may be used:
- strcpy(DNA_Sequences[0], "HelloWorld.dll,5,0,!HelloWorldFunc"); // HelloWorldFunc is an exported function name.
- strcpy(DNA_Sequences[0], "HelloWorld.dll,5,0,!10005"); // 10005 is an ordinal number.
- strcpy(DNA_Sequences[0], "HelloWorld.dll,5,0,#0x10004321"); // #0x10004321 is an address.
- Use whichever form you prefer; both EXE and DLL binaries are supported.
Because this tool is a DLL, you need a loader to run it.
There is a choice of setdll.exe and withdll.exe.
I personally recommend setdll.exe.
A pintool always requires a loader; with setdll.exe, this tool does not need a loader at run time.
If you want to instrument a huge program, copy winmm.dll into the target program's directory
and insert the tool into that winmm.dll using setdll.exe.
This method is efficient for reversing massive programs.
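To make the sequence format concrete, here is an added example in C++ (my own code, not part of the Imatinib source): it parses one DNA_Sequences entry into its four fields, turns the hex pattern with its xx wildcards into a masked byte pattern, and scans a constructed code buffer containing the Hello World prologue from the listing above. The type and function names (DnaEntry, MaskedByte, parseDna, hexToMask, findSequence, locate, kindOf, sampleCode) are my own, the sample buffer is constructed, and the rule that the second field must be at least 5 is an assumption drawn from the remark about the first 5 bytes.

```cpp
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// One DNA_Sequences entry "module,patchLen,offset,locator" (names are my own, not Imatinib's).
struct DnaEntry {
    enum Kind { Pattern, ExportName, Ordinal, Address };
    std::string module;   // target EXE or DLL name
    int patchLen;         // size of the whole instructions covering the first 5 bytes
    int offset;           // value added to the position found by the search
    Kind kind;            // what the locator field holds
    std::string locator;  // hex pattern, "!Name", "!ordinal" or "#0xAddress"
};

// One pattern byte; "xx" in the hex string becomes a wildcard matching any byte.
struct MaskedByte { unsigned char value; bool wildcard; };

static bool allDigits(const std::string& s) {
    if (s.empty()) return false;
    for (size_t i = 0; i < s.size(); ++i) if (!std::isdigit((unsigned char)s[i])) return false;
    return true;
}

// Parse "name,patchLen,offset,locator"; returns false on a malformed entry.
bool parseDna(const std::string& entry, DnaEntry& out) {
    std::vector<std::string> f;
    size_t start = 0;
    for (int i = 0; i < 3; ++i) {  // split on the first three commas only
        size_t comma = entry.find(',', start);
        if (comma == std::string::npos) return false;
        f.push_back(entry.substr(start, comma - start));
        start = comma + 1;
    }
    f.push_back(entry.substr(start));
    if (f[0].empty() || !allDigits(f[1]) || !allDigits(f[2]) || f[3].empty()) return false;
    out.module = f[0];
    out.patchLen = std::atoi(f[1].c_str());
    out.offset = std::atoi(f[2].c_str());
    out.locator = f[3];
    if (f[3][0] == '#') out.kind = DnaEntry::Address;
    else if (f[3][0] == '!') out.kind = allDigits(f[3].substr(1)) ? DnaEntry::Ordinal : DnaEntry::ExportName;
    else out.kind = DnaEntry::Pattern;
    // Assumption from the README's "first 5 bytes" remark: a patchLen below 5 is rejected.
    return out.patchLen >= 5;
}

// Turn "558BEC...68xxxxxxxx" into masked bytes; false on odd length or non-hex digits.
bool hexToMask(const std::string& hex, std::vector<MaskedByte>& out) {
    out.clear();
    if (hex.empty() || hex.size() % 2 != 0) return false;
    for (size_t i = 0; i < hex.size(); i += 2) {
        unsigned char a = hex[i], b = hex[i + 1];
        MaskedByte mb = { 0, std::tolower(a) == 'x' && std::tolower(b) == 'x' };
        if (!mb.wildcard) {
            if (!std::isxdigit(a) || !std::isxdigit(b)) return false;
            mb.value = (unsigned char)std::strtoul(hex.substr(i, 2).c_str(), 0, 16);
        }
        out.push_back(mb);
    }
    return true;
}

// Scan a code buffer for the masked pattern; first match position plus offset, or -1.
long findSequence(const std::vector<unsigned char>& code, const std::vector<MaskedByte>& pat, int offset) {
    if (pat.empty() || pat.size() > code.size()) return -1;
    for (size_t pos = 0; pos + pat.size() <= code.size(); ++pos) {
        size_t k = 0;
        while (k < pat.size() && (pat[k].wildcard || pat[k].value == code[pos + k])) ++k;
        if (k == pat.size()) return (long)pos + offset;
    }
    return -1;
}

// Parse a Pattern-kind entry and search for it in one call; -1 if malformed or not found.
long locate(const std::string& entry, const std::vector<unsigned char>& code) {
    DnaEntry e;
    std::vector<MaskedByte> pat;
    if (!parseDna(entry, e) || e.kind != DnaEntry::Pattern || !hexToMask(e.locator, pat)) return -1;
    return findSequence(code, pat, e.offset);
}

// The entry's kind as an int (Pattern=0 ... Address=3), or -1 if the entry is malformed.
int kindOf(const std::string& entry) {
    DnaEntry e;
    return parseDna(entry, e) ? (int)e.kind : -1;
}

// Constructed sample: three filler bytes, the Hello World prologue from the listing with
// concrete push/call operands, then a ret. The prologue therefore starts at index 3.
std::vector<unsigned char> sampleCode() {
    static const unsigned char bytes[] = {
        0x90, 0x90, 0x90, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53, 0x56, 0x57, 0x8D, 0x7D, 0xC0,
        0xB9, 0x10, 0x00, 0x00, 0x00, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xF3, 0xAB,
        0x68, 0x1C, 0x20, 0x42, 0x00, 0xE8, 0x2E, 0x00, 0x00, 0x00, 0xC3 };
    return std::vector<unsigned char>(bytes, bytes + sizeof bytes);
}
```

Calling locate with the HelloWorld.exe entry above against sampleCode() returns 3, the index where the prologue starts, even though the push and call operands in the buffer differ from anything in the pattern; the same entry with an unmasked operand does not match, which is the reason for the xx bytes. A second field below 5 or an odd-length hex string is rejected at parse time rather than producing a partial match.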

## ETC

In addition, Imatinib was extended so that the Detours library can be used easily.
However, I have disabled that function.
The Detours library is used only as a set of simple utility functions.

Is this explanation enough?
If the description is insufficient, please tell me.

# TEST VIDEO https://youtu.be/aDTfpvD5FoI
Thank you..

by AmesianX.. ^^
