I got this problem when I was making a little packer. The idea is to copy the loader into a separate section and then redirect the OEP to the section containing the loader.
I wrote a very simple loader using C and some basic inline asm. Now the problem is how to copy a function to a section.
The simple answer is to make a function pointer, get the function address and copy the function into the section.
But the real thing is how to get the size of the function.
So here I am writing the sample code I wrote to solve this; maybe someone finds this useful.
Code:
First make a function pointer:
#include <windows.h>

int Loader(void); // the function to copy; its body is defined elsewhere in the packer

// Returns the size in bytes of Loader (32-bit MSVC, inline asm)
DWORD GetLoaderSize(void)
{
    int (*LP)(void);   // function pointer
    DWORD tt;          // address being scanned
    DWORD opcode;      // 4 bytes read at tt
    DWORD count = 0;   // byte counter; holds the function size at the end

    LP = &Loader; // Name of my function is "Loader". Here we put the function address into our function pointer LP
    __asm
    {
        push ebx        // Save registers
        push edx
        mov ebx, LP     // Now ebx = function address
        // Here the important thing to note is that when we get a function address we do not get a pointer to the exact code.
        // First we have a JUMP which jumps to the original code of the function (I am using MSVC, IDE VS2010).
        // (This E9 thunk comes from MSVC incremental linking, which is on by default in Debug builds; Release builds usually have no thunk.)
        // So we have to understand the JUMP to get the address of the actual code.
        // The JUMP instruction actually contains a relative address. The real JUMP target is calculated as
        // EIP (current instruction address) + relative address in the jump + size of the JMP instruction.
        // Example from OllyDbg:
        //   Instruction address   JUMP opcode     Equivalent disassembly
        //   0129119A              E9 71020000     JMP 01291410
        // So how does it become JMP 01291410? 0129119A (instruction address) + 00000271 (relative address in the jump) + 5 (jump instruction size)
        // * The relative jump address is in reverse byte order (little-endian); that's how data is stored in memory.
        inc ebx         // Skip opcode E9; now ebx points to the relative address contained in the jump
        mov edx, [ebx]  // Get the relative address in the jump
        add ebx, edx    // ebx = address of jump instruction + relative address in the JUMP
        add ebx, 4      // To get the original address of the function we have to add the size of the JUMP instruction, that is 5. But we incremented ebx at the start, so add 4 here
        mov LP, ebx     // Now we have the exact address in LP
        pop edx         // Restore registers
        pop ebx
    }
    tt = (DWORD)LP;
    while (1) // Infinite loop
    {
        __asm
        {
            push ebx        // Save registers before using them
            push edx
            xor edx, edx    // Zero out registers
            xor ebx, ebx
            mov edx, tt     // Now the actual address of the function is in edx
            mov ebx, [edx]  // Get 4 bytes from the address pointed to by edx into ebx
            mov opcode, ebx // Move into opcode
            pop edx         // Restore original values
            pop ebx
        }
        /* So how to find the end of the function? Commonly functions end with the instructions
           01291513 |. 8BE5 MOV ESP,EBP
           01291515 |. 5D   POP EBP
           01291516 \. C3   RETN
           I just write the opcodes in reverse byte order and it makes 0xC35DE58B.
           * One may think it can be RETN X. The loader function normally needs no arguments; also by default a function uses the "cdecl" calling convention,
           so no need to worry, mostly it will be RETN */
        if (opcode == 0xC35DE58B)
        {
            count = count + 4; // When the match occurs the C3 will be at the end due to reverse byte order, so add 4 to the counter to get the exact location past C3
            break;             // Out of the loop when the match occurs
        }
        count = count + 1; // Count number of bytes
        tt = tt + 1;       // Next address
    }
    return count;
}
So at the end count will contain the size of the function.
i am a secret hacker with all...
05-22-2013, 09:35 PM in Noobs Corner
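The thunk resolution and epilogue scan from the post, redone as portable C over a constructed byte buffer so the two steps can be studied and checked without inline asm; this is an added example, not code from the post. It goes slightly beyond the post by also accepting RETN imm16 and by bounding the scan, so a missing epilogue is reported instead of the loop reading past the buffer. The sample_image bytes, the 0x01291000 base address and the function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read (the post's "reverse byte order"). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve an E9 rel32 JMP at insn_addr: target = insn_addr + 5 + rel32. Unsigned
   wrap-around handles a negative (backward) rel32. Returns 0 if the byte is not E9. */
uint32_t resolve_jmp_rel32(uint32_t insn_addr, const uint8_t *insn) {
    if (insn[0] != 0xE9) return 0;
    return insn_addr + 5u + read_le32(insn + 1);
}

/* Scan code[start..len) for 8B E5 5D (mov esp,ebp; pop ebp) followed by C3 (retn)
   or C2 imm16 (retn n). Returns the byte count through the return, or 0 when no
   epilogue lies inside len bytes, the case the post's unbounded while(1) cannot report. */
size_t find_function_size(const uint8_t *code, size_t len, size_t start) {
    for (size_t i = start; i + 4 <= len; i++) {
        if (code[i] != 0x8B || code[i + 1] != 0xE5 || code[i + 2] != 0x5D) continue;
        if (code[i + 3] == 0xC3) return i + 4 - start;
        if (code[i + 3] == 0xC2 && i + 6 <= len) return i + 6 - start;
    }
    return 0;
}

/* Constructed sample image (not real packer bytes): an E9 thunk at offset 0 jumping
   to a 9-byte function at offset 16 (push ebp; mov ebp,esp; xor eax,eax;
   mov esp,ebp; pop ebp; retn), with 0xCC padding around it. */
static const uint8_t sample_image[] = {
    0xE9, 0x0B, 0x00, 0x00, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC,
};

/* Follow the thunk, then measure the real body; assumes a pretend base of 0x01291000. */
size_t sample_loader_size(void) {
    const uint32_t base = 0x01291000u;
    uint32_t target = resolve_jmp_rel32(base, sample_image);
    return find_function_size(sample_image, sizeof sample_image, (size_t)(target - base));
}

int main(void) {
    static const uint8_t olly[] = {0xE9, 0x71, 0x02, 0x00, 0x00}; /* the post's OllyDbg example */
    printf("JMP at 0129119A -> %08X\n", resolve_jmp_rel32(0x0129119Au, olly));
    printf("sample loader body: %zu bytes\n", sample_loader_size());
    return 0;
}
```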