[lorddoskias]

Hello,

I'm looking for a tutorial on inline function patching. I understand the main idea rewrite bytes ate the beginning of the function with some sort of JMP which would jump to an arbitrary address which contains some rootkit code and then executes the function which have been overwritten and jumps back to the original original function right after the memory overwrite. What I can't understand is actually is how to use the opcodes. So you have different types of jumps which take different amount of memory depending on whether they are far/near but is there a paper which documents the width of those instruction in regard to inline function patching - I'm guessing this is more related to shellcode, but still...


One more question - most system services start with mov edi, edi which is a 2-byte nop which can be used to place a near jmp which can jump 5 bytes before function start which gives you plenty of space to do a far jmp. This is easily detectable - having a jmp at the beginning of a function is a tell-tale sign but then why most malware actually overwrite the first 5-10 bytes of a function, having to care about what has been overwritten and whether they have split an instruction into 2 and run the risk of being detected when they can still run the risk of being detected but then dramatically reducing the chances of crashing the system?

[EP_X0FF]

One more question - most system services start with mov edi, edi which is a 2-byte nop which can be used to place a near jmp which can jump 5 bytes before function start which gives you plenty of space to do a far jmp. This is easily detectable - having a jmp at the beginning of a function is a tell-tale sign but then why most malware actually overwrite the first 5-10 bytes of a function, having to care about what has been overwritten and whether they have split an instruction into 2 and run the risk of being detected when they can still run the risk of being detected but then dramatically reducing the chances of crashing the system?

This is already used in malware, maybe since 2007 starting from rootkit Srisbi AFAIR.
SpyEye 1.3x uses this (short jmp forward on long jump, sort of hooking obfuscation). All hooking are easily detectable including this short to long jumps.
Initially this 2 byte nop was designed for hot-patching support.

[lorddoskias]

One more question - most system services start with mov edi, edi which is a 2-byte nop which can be used to place a near jmp which can jump 5 bytes before function start which gives you plenty of space to do a far jmp. This is easily detectable - having a jmp at the beginning of a function is a tell-tale sign but then why most malware actually overwrite the first 5-10 bytes of a function, having to care about what has been overwritten and whether they have split an instruction into 2 and run the risk of being detected when they can still run the risk of being detected but then dramatically reducing the chances of crashing the system?

This is already used in malware, maybe since 2007 starting from rootkit Srisbi AFAIR.
SpyEye 1.3x uses this (short jmp forward on long jump, sort of hooking obfuscation). All hooking are easily detectable including this short to long jumps.
Initially this 2 byte nop was designed for hot-patching support.

My point was that most rootkit make a short forward jump to a long jump but this inolves overwriting arbitrary memory content so you have to take care what you do. Whereas you can jump backwards because there is a 5 byte nop-sled before/after every function and you can comfortably place your code there.