Hooking Usermode Functions

[Super Sheep]

Right, this is a bit of pain lately. I'm hooking various functions located in the Paf and I can correctly replace the JAL's with the Syscalls to the function in my kernel module. However, when I try to call the original function (in Paf) it always crashes (obviously). I am however at loss as I do not want to create a usermode module and would rather keep it all in one kernel mode module.

Any help? If you need anymore information just ask.
Thanks a lot.

[angelo]

I need to make a PRX in the appropriate mode and then load it. This scenario was common for audio I believe.

Angelo

[Super Sheep]

Hmm, I'm trying to not load another module. Surely there is a way to execute a usermode function under kernel mode?

[moonlight]

Well, there is an exotic way to do that...

sceKernelSetDdrMemoryProtection((void *)0x08000000, 2*1024*1024, 0xF);

after that you would be able to redirect a user call to a kernel function replacing a jal by other jal, and the function will execute in user mode. Of course, if you call kernel functions inside that function, you may expect a crash...

[Super Sheep]

I'll give that a shot. I'll post back with results.

[Super Sheep]

It crashes when the patched function is first executed. Damn.

[angelo]

Just use a shim by using a user / kernel PRX and loadstart it. It may be your only way...

Angelo

[Super Sheep]

I'd rather not. I believe user memory is very limited in VSH. I'd rather keep away from it.

[Super Sheep]

Is there any other alternatives?

Code: Select all

#include <pspkernel.h>
#include <pspsysmem_kernel.h>
#include <pspsdk.h>

#include <systemctrl.h>
#include <string.h>

#include "debugutils.h"

PSP_MODULE_INFO&#40;"UserHook", 0x1000, 1, 0&#41;;

#define MAKE_CALL&#40;a, f&#41; _sw&#40;0x0C000000 | &#40;&#40;&#40;u32&#41;&#40;f&#41; >> 2&#41;  & 0x03ffffff&#41;, a&#41;;

int &#40;*scePafMemoryAlloc&#41;&#40;int, int&#41; = NULL;
STMOD_HANDLER previous = NULL;

int scePafMemoryAllocPatched&#40;int allignment, int size&#41;
&#123;
	return scePafMemoryAlloc&#40;allignment, size&#41;;
&#125;

int OnModuleStart&#40;SceModule2 *mod&#41;
&#123;
	char *modname = mod->modname;
	u32 text_addr = mod->text_addr;
	
	if &#40;strcmp&#40;modname, "vsh_module"&#41; == 0&#41;
	&#123;
		scePafMemoryAlloc = &#40;void *&#41;FindProc&#40;"scePaf_Module", "scePaf", 0x31AC0624&#41;;
		
		MAKE_CALL&#40;text_addr + 0xB3D8, scePafMemoryAllocPatched&#41;;
		
		sceKernelDcacheWritebackAll&#40;&#41;;
		sceKernelIcacheClearAll&#40;&#41;;
	&#125;
	
	if &#40;!previous&#41;
		return 0;
	
	return previous&#40;mod&#41;;
&#125;


int module_start&#40;SceSize args, void *argp&#41;
&#123;
	sceKernelSetDdrMemoryProtection&#40;&#40;void *&#41;0x08000000, 2*1024*1024, 0xF&#41;;  
	
	previous = sctrlHENSetStartModuleHandler&#40;OnModuleStart&#41;;	
	return 0;
&#125;

Thats my code, all updated for 5.00 but it crashes =/
Got any other suggestions? Moonlight? Anyone?

[adrahil]

I'd rather not. I believe user memory is very limited in VSH. I'd rather keep away from it.

Uhm....

if you search for a way to do it without another PRX, the way will be more complex and will take up more space than a dumb prx... Plus, there is plenty memory in VSH if you know where to look.

[TyRaNiD]

I am assuming you want to call the function then do something with the result rather than just hooking the entry to the function, this makes it harder.

You _could_ implement a trick using exception handlers to do it. Stick in a 'break' instruction in the delay slot of the j address; nop; import for the function in the module you want to hook then it will crash when the function is called. You could catch this and hand off to a function to handle your side of it, when you need to call the original you can either just tweak EPC to point to the actual function and return from the exception, which would not return back to you, or you change the saved RA register then when the function returns it crashes again at an appropriately selected address (so you can decode which function it was) and so an epilog for the function.

Of course it is just simpler to use a dumb user mode prx as adrahil has pointed out :)

[Super Sheep]

I'll just load a usermode prx in the volatile memspace and leech off the paf libc =P