Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions

2015-12-16 Thread Vincent Torri
On Tue, Dec 15, 2015 at 2:00 PM, Vincent Torri  wrote:
> On Tue, Dec 15, 2015 at 12:05 PM, Jacek Caban  wrote:
>> Hi Vincent,
>>
>> On 12/15/15 7:20 AM, Vincent Torri wrote:
>>> Hello
>>>
>>> I am still working on Examine, my small valgrind-like memory leak
>>> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>>>
>>> First, I recall that it works by doing DLL injection with
>>> CreateRemoteThread, and API hooking by patching the IAT.
>>>
>>> So Examine is working well, now, but I have 2 questions, about
>>> _strdup() and malloc() :
>>>
>>> 1) If I call malloc() in a program, it is detected by Examine. If I
>>> call _strdup(), malloc is not detected at all, while MSDN says that
>>> _strdup() "calls malloc to allocate storage space" (see
>>> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
>>> have an idea why malloc() is not caught?
>>
>> Both malloc and _strdup live in the same DLL (like msvcrt.dll or any
>> other msvcr*.dll version), so calls from _strdup to malloc don't use
>> import table, it's a direct call. You could have more luck by hot
>> patching malloc function itself, but I don't think it's the right solution.
>>
>> You may have more luck patching HeapAlloc (or even RtlAllocateHeap)
>> instead. At least in Wine, malloc ends up calling it.
>
> I've already patched HeapAlloc(), but malloc is already patched. I'll
> try to remove malloc() hook.

No luck. I have removed all the hooks except HeapAlloc. If I test
Examine with a program with only 1 malloc(), malloc is not detected.

Vincent Torri

--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public


Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions

2015-12-16 Thread Vincent Torri
On Tue, Dec 15, 2015 at 8:54 AM, LRN  wrote:
> On 15.12.2015 9:20, Vincent Torri wrote:
>> Hello
>>
>> I am still working on Examine, my small valgrind-like memory leak
>> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>>
>> First, I recall that it works by doing DLL injection with
>> CreateRemoteThread, and API hooking by patching the IAT.
>>
>> So Examine is working well, now, but I have 2 questions, about
>> _strdup() and malloc() :
>>
>> 1) If I call malloc() in a program, it is detected by Examine. If I
>> call _strdup(), malloc is not detected at all, while MSDN says that
>> _strdup() "calls malloc to allocate storage space" (see
>> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
>> have an idea why malloc() is not caught?
>>
>> 2) So to fix 1), I've just patched the IAT to detect _strdup() (but
>> I'm not satisfied with this). Now if I call strdup(), _strdup() is not
>> detected. I thought first that strdup() was a macro, but it is
>> actually declared in string.h. Does someone know why strdup() is not
>> caught too?
>
> One possibility is the strdup builtin that gcc has. Though I'm not sure
> what exactly it does, aside from checking for argument not being a NULL
> pointer.

I'll check that, thank you

Vincent



Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions

2015-12-15 Thread Jacek Caban
Hi Vincent,

On 12/15/15 7:20 AM, Vincent Torri wrote:
> Hello
>
> I am still working on Examine, my small valgrind-like memory leak
> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>
> First, I recall that it works by doing DLL injection with
> CreateRemoteThread, and API hooking by patching the IAT.
>
> So Examine is working well, now, but I have 2 questions, about
> _strdup() and malloc() :
>
> 1) If I call malloc() in a program, it is detected by Examine. If I
> call _strdup(), malloc is not detected at all, while MSDN says that
> _strdup() "calls malloc to allocate storage space" (see
> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
> have an idea why malloc() is not caught?

Both malloc and _strdup live in the same DLL (like msvcrt.dll or any 
other msvcr*.dll version), so calls from _strdup to malloc don't use 
import table, it's a direct call. You could have more luck by hot 
patching malloc function itself, but I don't think it's the right solution.

You may have more luck patching HeapAlloc (or even RtlAllocateHeap) 
instead. At least in Wine, malloc ends up calling it.

Cheers,
Jacek
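
The point made in the reply above, as an added example that is not part of the original thread and is not Examine's code: a portable C model in which each "module" reaches other modules only through its own table of function pointers, standing in for its IAT. The module names, table layout and hook functions are constructed for illustration; it shows that a hook in the application's malloc slot misses the malloc made inside _strdup, while a hook in the CRT module's own HeapAlloc slot sees both.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);
typedef char *(*dup_fn)(const char *);

static int hits;                         /* allocations observed by a hook */

/* "kernel32" (constructed stand-in): the heap layer */
static void *heap_alloc(size_t n) { return malloc(n); }

/* "msvcrt" (constructed stand-in): imports HeapAlloc through its own table */
static struct { alloc_fn HeapAlloc; } crt_iat = { heap_alloc };
static void *crt_malloc(size_t n) { return crt_iat.HeapAlloc(n); }
static char *crt_strdup(const char *s) {
    char *p = crt_malloc(strlen(s) + 1); /* same-module direct call: no table */
    return p ? strcpy(p, s) : NULL;
}

/* "app.exe" (constructed stand-in): imports malloc and _strdup from the CRT */
static struct { alloc_fn malloc_; dup_fn strdup_; } app_iat =
    { crt_malloc, crt_strdup };

static void *hook_malloc(size_t n) { hits++; return crt_malloc(n); }
static void *hook_heap(size_t n)   { hits++; return heap_alloc(n); }

/* The app performs one malloc and one _strdup; returns how many were seen. */
static int run_app(void) {
    hits = 0;
    free(app_iat.malloc_(16));
    free(app_iat.strdup_("abc"));
    return hits;
}

/* Hook only the app's import slot for malloc. */
int seen_with_app_malloc_hook(void) {
    app_iat.malloc_ = hook_malloc;
    int n = run_app();
    app_iat.malloc_ = crt_malloc;        /* restore the original pointer */
    return n;
}

/* Hook the CRT module's import slot for HeapAlloc instead. */
int seen_with_crt_heap_hook(void) {
    crt_iat.HeapAlloc = hook_heap;
    int n = run_app();
    crt_iat.HeapAlloc = heap_alloc;
    return n;
}

int main(void) {
    printf("app malloc slot hooked:    %d of 2 seen\n", seen_with_app_malloc_hook());
    printf("CRT HeapAlloc slot hooked: %d of 2 seen\n", seen_with_crt_heap_hook());
    return 0;
}
```
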



Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions

2015-12-15 Thread LRN
On 15.12.2015 14:05, Jacek Caban wrote:
> Hi Vincent,
> 
> On 12/15/15 7:20 AM, Vincent Torri wrote:
>> Hello
>>
>> I am still working on Examine, my small valgrind-like memory leak
>> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>>
>> First, I recall that it works by doing DLL injection with
>> CreateRemoteThread, and API hooking by patching the IAT.
>>
>> So Examine is working well, now, but I have 2 questions, about
>> _strdup() and malloc() :
>>
>> 1) If I call malloc() in a program, it is detected by Examine. If I
>> call _strdup(), malloc is not detected at all, while MSDN says that
>> _strdup() "calls malloc to allocate storage space" (see
>> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
>> have an idea why malloc() is not caught?
> 
> You could have more luck by hot
> patching malloc function itself, but I don't think it's the right solution.

AFAIK, gcc sanitizer does exactly that. Except that it was not ported to
W32/gcc (it works only on POSIX/gcc or W32/MSVC).

-- 
O< ascii ribbon - stop html email! - www.asciiribbon.org





Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions

2015-12-15 Thread Vincent Torri
On Tue, Dec 15, 2015 at 12:05 PM, Jacek Caban  wrote:
> Hi Vincent,
>
> On 12/15/15 7:20 AM, Vincent Torri wrote:
>> Hello
>>
>> I am still working on Examine, my small valgrind-like memory leak
>> detector (http://vtorri.github.io/examine/) and I have 2 questions.
>>
>> First, I recall that it works by doing DLL injection with
>> CreateRemoteThread, and API hooking by patching the IAT.
>>
>> So Examine is working well, now, but I have 2 questions, about
>> _strdup() and malloc() :
>>
>> 1) If I call malloc() in a program, it is detected by Examine. If I
>> call _strdup(), malloc is not detected at all, while MSDN says that
>> _strdup() "calls malloc to allocate storage space" (see
>> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
>> have an idea why malloc() is not caught?
>
> Both malloc and _strdup live in the same DLL (like msvcrt.dll or any
> other msvcr*.dll version), so calls from _strdup to malloc don't use
> import table, it's a direct call. You could have more luck by hot
> patching malloc function itself, but I don't think it's the right solution.
>
> You may have more luck patching HeapAlloc (or even RtlAllocateHeap)
> instead. At least in Wine, malloc ends up calling it.

I've already patched HeapAlloc(), but malloc is already patched. I'll
try to remove malloc() hook.

Vincent



[Mingw-w64-public] patching IAT and _strdup() and malloc() functions

2015-12-14 Thread Vincent Torri
Hello

I am still working on Examine, my small valgrind-like memory leak
detector (http://vtorri.github.io/examine/) and I have 2 questions.

First, I recall that it works by doing DLL injection with
CreateRemoteThread, and API hooking by patching the IAT.

So Examine is working well, now, but I have 2 questions, about
_strdup() and malloc() :

1) If I call malloc() in a program, it is detected by Examine. If I
call _strdup(), malloc is not detected at all, while MSDN says that
_strdup() "calls malloc to allocate storage space" (see
https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
have an idea why malloc() is not caught?

2) So to fix 1), I've just patched the IAT to detect _strdup() (but
I'm not satisfied with this). Now if I call strdup(), _strdup() is not
detected. I thought first that strdup() was a macro, but it is
actually declared in string.h. Does someone know why strdup() is not
caught too?

thank you

Vincent Torri



Re: [Mingw-w64-public] patching IAT and _strdup() and malloc() functions

2015-12-14 Thread LRN
On 15.12.2015 9:20, Vincent Torri wrote:
> Hello
> 
> I am still working on Examine, my small valgrind-like memory leak
> detector (http://vtorri.github.io/examine/) and I have 2 questions.
> 
> First, I recall that it works by doing DLL injection with
> CreateRemoteThread, and API hooking by patching the IAT.
> 
> So Examine is working well, now, but I have 2 questions, about
> _strdup() and malloc() :
> 
> 1) If I call malloc() in a program, it is detected by Examine. If I
> call _strdup(), malloc is not detected at all, while MSDN says that
> _strdup() "calls malloc to allocate storage space" (see
> https://msdn.microsoft.com/en-us/library/y471khhc.aspx). Does someone
> have an idea why malloc() is not caught?
> 
> 2) So to fix 1), I've just patched the IAT to detect _strdup() (but
> I'm not satisfied with this). Now if I call strdup(), _strdup() is not
> detected. I thought first that strdup() was a macro, but it is
> actually declared in string.h. Does someone know why strdup() is not
> caught too?

One possibility is the strdup builtin that gcc has. Though I'm not sure
what exactly it does, aside from checking for argument not being a NULL
pointer.

-- 
O< ascii ribbon - stop html email! - www.asciiribbon.org


