How would one go about hooking the net modules? It's easy with the kernel modules that are loaded at startup, but with the net modules I'm at a loss because they're loaded during runtime.
Basically, what my code currently does is wait until the inet module is loaded and then hook various syscalls, but it seems that it doesn't even regard those as used. Then it directs those syscalls to send data over a usbhostfs-based app (tested and works just fine), but that's not the problem.
What I don't understand is how syscalls are used by runtime-loaded modules like the net modules, since they obviously don't use the syscalls that the M33 systemctrl can hook.
Hooking net modules
Programming with:
Geany + Latest PSPSDK from svn
Because they don't use syscalls at all. They are user mode modules. You have to patch the functions in the net modules memory space to jump into your own code.
Depending on the function, it might be possible to hook it from kernel mode code. Look at Coldbird's sample. If not, you need a user mode hooking module which won't play nice with games.
Thanks, I'm fairly certain that's exactly what I needed.
They are exports and as such I can get their addresses via systemctrl, which is what his sample appears to do.
Coldbird, if you're reading this, thanks.

Alright, it appears to work, except for one thing.
I'm assuming when it attempts to call the kernel stuff it goes KABOOM!
If it matters, the code is here.

Code:
Exception - Coprocessor unusable
Thread ID - 0x055A4967
Th Name - SceNetDhcpClient
Module ID - 0x051A1F61
Mod Name - sceNetInet_Library
EPC - 0x084E7A04
Cause - 0x2000002C
BadVAddr - 0x6D88C4F6
Status - 0x00088613
zr:0x00000000 at:0xDEADBEEF v0:0x0000005C v1:0x00000000
a0:0x0000000A a1:0x09FEE800 a2:0x0000024C a3:0x00000000
t0:0xDEADBEEF t1:0x0000005C t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x00000010 s1:0x09FEE800 s2:0x0000005C s3:0x09FEEA50
s4:0x00000001 s5:0x0000000A s6:0x055A4967 s7:0x00000000
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FEEB00 k1:0x00000000
gp:0x08578530 sp:0x09FEE7BC fp:0x00000004 ra:0x084E2C54

It crashes while attempting to call the hook (the syscall), because it matches up with the 3rd patch down in Coldbird's code (the one that generates the syscall).

Code:
LKMsg: 50: Tue Dec 8 19:03:49 2009: hookJump: Set Jump Hook on 084E79FC to 8825516C (Module: sceNetInet_Library, Library: sceNetInet, NID: CDA85C99)

Take 0x084E7A04 - 0x084E79FC = 0x08 = MIPS_SYSCALL(sceKernelQuerySystemCall(function)).
Could it be that I'm not exporting my things right? (They're exported in attempted user mode, but I don't know.)

EDIT: Never mind.
Added a usermode field to exports.exp and it works great now. Thanks again.
Might not be the best spot to write that, but~
My hooking sample, while still being the best sample out so far, isn't up to date anymore...
1. It relies on the M33 SDK... which isn't really a good idea, especially with GEN firmwares taking over the place right now. It does work linking it in, but I really think this shouldn't be done anymore.
2. The jump hooking method is outdated as well, or better said, bug infested.
I figured out the reason several functions didn't hook properly and fixed it in a new version of my sample which I haven't released so far.
The problem is that the old sample doesn't check whether a delay slot has been destroyed in the hooking process or not...
The new one does check for this case and avoids it properly.
I intend to update my old hook sample topic with the new sample once I've finished my newest project (the first tool out making use of the hooking code).
If you need a more reliable way of hooking immediately, though, feel free to contact me via MSN.
As I've said before, though, no problem, I like to help even though I'm not yet on par with people like Torch.
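The two technical points in this thread, the crash at offset 8 of a jump hook whose target lives in kernel space, and Coldbird's remark that the old sample never checked whether it destroyed a delay slot, are easier to see in code. The following is an added example written for this page, not Coldbird's sample and not code posted in the thread: it plans a two-word MIPS entry patch on the host, refuses sites whose first words own a delay slot, falls back from `j` to the PSP-style `jr $ra; syscall` stub when the target is not reachable by a 26-bit jump, and builds the trampoline needed to call the original. The site and target addresses are the ones from the LKMsg line above; the syscall code, trampoline address and the original instruction words are constructed sample values, and `plan_entry_hook`, `build_trampoline` and the other names are this example's own. It compiles with any C99 compiler and does not touch a PSP.

```c
/* Added example: planning a function-entry hook on a user-mode PSP module.
 * Not Coldbird's sample, not code from the thread. Runs on the host. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MIPS32 (Allegrex) encoders for the instructions entry hooks use. */
static uint32_t mips_j(uint32_t target)     { return 0x08000000u | ((target >> 2) & 0x03FFFFFFu); }
static uint32_t mips_nop(void)              { return 0x00000000u; }
static uint32_t mips_jr_ra(void)            { return 0x03E00008u; }           /* jr $ra */
static uint32_t mips_syscall(uint32_t code) { return 0x0000000Cu | ((code & 0xFFFFFu) << 6); }

/* `j` only encodes 28 bits; the top 4 come from the delay-slot PC. A site at
 * 0x084E79FC therefore cannot `j` to 0x8825516C; a kernel target needs a
 * syscall stub (and the kernel export must be visible to user mode). */
static int j_reachable(uint32_t site, uint32_t target)
{
    return ((site + 4) & 0xF0000000u) == (target & 0xF0000000u);
}

/* True for every instruction that owns a delay slot: jumps, branches, their
 * likely/link variants, and the COP1 condition branches. */
static int has_delay_slot(uint32_t insn)
{
    uint32_t op = insn >> 26, rs = (insn >> 21) & 31, rt = (insn >> 16) & 31;
    switch (op) {
    case 0:  return (insn & 0x3F) == 8 || (insn & 0x3F) == 9;   /* jr, jalr */
    case 1:  return rt <= 3 || (rt >= 16 && rt <= 19);          /* bltz..bgezall */
    case 2: case 3: case 4: case 5: case 6: case 7:              /* j jal beq bne blez bgtz */
    case 20: case 21: case 22: case 23:                          /* beql bnel blezl bgtzl */
        return 1;
    case 17: return rs == 8;                                     /* bc1f/bc1t (+likely) */
    default: return 0;
    }
}

/* Overwriting orig[0..n) is only safe if none of those words has a delay
 * slot: a branch inside the patch loses its slot, and a branch as the last
 * patched word would execute the hook's next word as its slot instead. */
static int patch_is_safe(const uint32_t *orig, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (has_delay_slot(orig[i]))
            return 0;
    return 1;
}

enum { HOOK_WORDS = 2 };

/* Two-word entry patch: `j target; nop` when reachable, otherwise the PSP stub
 * form `jr $ra; syscall code` (on the PSP the code comes from
 * sceKernelQuerySystemCall; here it is a parameter). Returns words written,
 * 0 if the site cannot be patched safely. */
static size_t plan_entry_hook(uint32_t site, uint32_t target, uint32_t syscall_code,
                              const uint32_t *orig, uint32_t out[HOOK_WORDS])
{
    if (!patch_is_safe(orig, HOOK_WORDS))
        return 0;
    if (j_reachable(site, target)) {
        out[0] = mips_j(target);
        out[1] = mips_nop();
    } else {
        out[0] = mips_jr_ra();
        out[1] = mips_syscall(syscall_code);
    }
    return HOOK_WORDS;
}

/* Trampoline so the hook can call the original: replay the displaced words,
 * then jump back to site+8. Relocating them verbatim is valid only because
 * patch_is_safe() excluded branches; no other MIPS instruction is PC-relative. */
static size_t build_trampoline(uint32_t tramp_addr, uint32_t site,
                               const uint32_t *orig, uint32_t out[4])
{
    if (!patch_is_safe(orig, HOOK_WORDS) || !j_reachable(tramp_addr + 8, site + 8))
        return 0;
    out[0] = orig[0];
    out[1] = orig[1];
    out[2] = mips_j(site + 8);
    out[3] = mips_nop();
    return 4;
}

/* Constructed sample words: a typical prologue (addiu sp,sp,-0x20; sw ra,0x1c(sp))
 * and a function that branches in its very first instruction (bne v0,zero,+3; nop). */
static const uint32_t SAMPLE_PROLOGUE[2] = { 0x27BDFFE0u, 0xAFBF001Cu };
static const uint32_t SAMPLE_BRANCHY[2]  = { 0x14400003u, 0x00000000u };

int main(void)
{
    uint32_t patch[HOOK_WORDS], tramp[4];
    size_t n = plan_entry_hook(0x084E79FCu, 0x8825516Cu, 0x1234u, SAMPLE_PROLOGUE, patch);
    printf("kernel target  -> %zu words: %08X %08X\n", n, patch[0], patch[1]);
    n = plan_entry_hook(0x084E79FCu, 0x08900000u, 0, SAMPLE_PROLOGUE, patch);
    printf("user target    -> %zu words: %08X %08X\n", n, patch[0], patch[1]);
    printf("branch at entry -> %zu words (refused)\n",
           plan_entry_hook(0x084E79FCu, 0x08900000u, 0, SAMPLE_BRANCHY, patch));
    printf("trampoline     -> %zu words\n",
           build_trampoline(0x08A00000u, 0x084E79FCu, SAMPLE_PROLOGUE, tramp));
    return 0;
}
```

The refusal path is the point Coldbird raises: a hook that blindly writes two words over a branch at entry corrupts the branch's delay slot, and the failure shows up only when that function is called. The syscall path is the shape of the thread's crash: the `syscall` word is what faults if the kernel export it names is not also exported to user mode, which is what adding the usermode field to exports.exp fixed for the original poster.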
Been gone for some time. Now I'm back. Someone mind getting me up to date?