Hooking Usermode Functions from inside a Kernel PRX

[Coldbird]

I've searched the forums for a whole day now collecting every little bit of information I could get, but the infos I could find were somewhat incomplete.

For the newest PRX of mine I need to hook the Adhoc Functions from the Adhoc, Adhocctl and Adhocmatching Module.

Those are Usermode Libraries, you guessed it.

I know that I got to kill the interrupts, patch the functions with some jumps, reenable the interrupts and invalidate the cache...

I tried changing the memory properties to allow the usermode libraries to call to my kernel hook function, but it freezes the PSP when I try to do so.

Thus I hope that someone with a bit more experience could provide me a working example code on how to do this?

[NoEffex]

From my experience, if you patch the syscalls(via sctrlHENFindFunction, sctrlHENPatchSyscall) they can do it flawlessly, without all the jabber.

[jean]

Syscalls are a way to call kernel stuff from user world. So -if i understood it well- there is no syscall table regarding user functions and hence you cannot patch a user function via syscall table because you won't find an entry for your user function. You must find the function address and substitute first instruction with a jump to your patch function (that has to be loaded in user space). Inside patch you can return as usual because return address gets modified only when issuing a call, and not a jump. I'm pretty sure this has already been covered somewhere around here.
Please, gurus, correct me if i'm wrong: this is an interesting topic to me.

[Torch]

There was a recent topic about this. hlide gave a detailed explanation with samples on hooking user mode calls.

[Coldbird]

I found the example posted by Hlide but I really couldn't make anything out of it. I did my own little patch of the functions for jumping to my own functions, and tried to change memory flags to allow linking to a kernel function of mine.

This didn't work. So I'd be glad if you could post a little example on loading a usermode PRX from inside my kernel PRX?

This would help me a great deal in solving this problem.

Thanks in advance.

[Torch]

That example is to hook user mode functions from another user module.

What you can do is have a small user module that hooks the required functions, and redirects them to your kernel module via syscalls that your kernel module exports.

[Coldbird]

I thank you all for your support up till now. I'm glad I could get as much information as I already got thanks to you all.

I never had to load a second prx till now, I suppose there's some kind of function I can use to make my Kernel Module load a second usermode prx?

If so, would you mind giving me a simple code example as to how I would go about doing that?

I really don't want to do it the dirty way by loading 2 modules via the M33 pluginlist or the flash-module list.

As always, thanks in advance.

[Torch]

Just sceKernelLoadModule. 1 for kernel partition, 2 for user.

[Coldbird]

Thanks a lot. Now lets get to puzzling this together!
I will report back once I've got results.

Thanks again.

[NoEffex]

Another thing you could do(99% sure) is be epicly ghetto about it and find an import syscall of whatever usermode thing you want to do, and just hook the desired function to that syscall, but then hook that syscall to your kernel mode function.

For example, in my case, I could hook your usermode function to some syscall that's never used(or just for some mode that you never use or don't plan on using), then hook that syscall to your kernel mode function.

just thinking in terms of memory conservation :).

[Torch]

User mode functions don't use syscalls....

Although he could just patch the functions to syscall into his kernel module, instead of hooking it with another user module.

[Coldbird]

Torch... that's... a brilliant idea! Why didn't I think of that possibility before?
I can already patch the function memory properly... the only thing left to do is create a usermode module and launch it side by side with mine.

But seriously. I would far more prefer doing it over syscalls directly into my kernel module.

You don't have a example ready to explain how I would go about doing that, what the opcode is that I got to patch into the function, etc.

@NoEffex: Wouldn't work... I mean... codewise it would - but they would never get called.
It's not like Syscalls are just slots for functions, it's a table where Kernel Mode Functions are referenced for Usermode functions to call.

Usermode functions dont need workarounds to be called in Userspace... thus no syscalls are used.

[jean]

User mode functions don't use syscalls....

Although he could just patch the functions to syscall into his kernel module, instead of hooking it with another user module.

Honestly: i never thought this way, that's interesting.... but there could be severe problems in the common case where one has to intercept the call, run his patch and then call the original code...anyway: sample code?

[Coldbird]

I cant give a full sample code but I do get his idea... and in fact - even calling the original function wouldn't be problematic...

I'm still waiting for the code sample on how to ASM patch to call my own syscall...

But in theory it would work like this...

1. backup the first instructions of user function code
2. patch the syscall as first instruction over the user function code
3. patch a extra return? no idea if syscall works like a jump or call... but i suppose it's more like a call - so i included this return.
4. wait for your function to be called...
5. temporarly patch back original instructions.
6. call the usermode function and save result
7. patch the syscall and return once more.
8. return from your function

So calling the original function really isn't much of a problem if you ask me. You just got to store the original instructions of each hooked function somewhere.

Anyway - I'm waiting for a sample code.

Edit: Trying to work out a sample code for this... could someone give me a hint how to figure out my own Syscall Export NIDs from inside the module?

Edit #2: Didn't work out the way I hoped. Even after patching a Syscall in it crashes... I suppose I did it the wrong way...

Suppose I will be waiting for a sample afterall.

[NoEffex]

Torch... that's... a brilliant idea! Why didn't I think of that possibility before?
I can already patch the function memory properly... the only thing left to do is create a usermode module and launch it side by side with mine.

But seriously. I would far more prefer doing it over syscalls directly into my kernel module.

You don't have a example ready to explain how I would go about doing that, what the opcode is that I got to patch into the function, etc.

@NoEffex: Wouldn't work... I mean... codewise it would - but they would never get called.
It's not like Syscalls are just slots for functions, it's a table where Kernel Mode Functions are referenced for Usermode functions to call.

Usermode functions dont need workarounds to be called in Userspace... thus no syscalls are used.

You can call them via your function, say there is a syscall table laid out in the ram, and there is a syscall for a function you're not using. Hook your function to that syscall(jr ra->syscall, that thing) after hooking the syscall.

I've done it on multiple occasions, I don't think I'm explaining myself well enough.

I'll post some pseudo-code soon enough.

EDIT: http://pastebin.com/m247d2d5

[Coldbird]

I think I understand you now. You wish to patch the Syscall to link to your own function... then do a call-patch to that Syscall in the Usermode function.

But really this isn't useful at all for my needs, because I need to hook a lot of functions... about 50 or so.

Anyone else got a idea?

[Coldbird]

Sorry for bumping a old topic of mine, but a answer to this problem still hasn't been found...

I intend to hook Usermode Functions via ASM Patching to Syscall into one of my Kernel Exports...

But how do I figure out the Syscall Num from the Syscall Table?

[Torch]

I was trying to find the same info and from what I've understood so far, finding the syscall NUM is supposedly impossible in the randomized tables without getting into the nitty gritty of loadcore and stuff. We'll probably need hooks in there with a prior module and then see what its being assigned to or something when the target module is loaded, but thats waay beyond my abilities.

[hlide]

I found the example posted by Hlide but I really couldn't make anything out of it. I did my own little patch of the functions for jumping to my own functions, and tried to change memory flags to allow linking to a kernel function of mine.

This didn't work. So I'd be glad if you could post a little example on loading a usermode PRX from inside my kernel PRX?

This would help me a great deal in solving this problem.

Thanks in advance.

oh oh which one ? I tend to post some code without testing it for the general idea. But it seems I tested one which works.

[Coldbird]

I was trying to find the same info and from what I've understood so far, finding the syscall NUM is supposedly impossible in the randomized tables without getting into the nitty gritty of loadcore and stuff. We'll probably need hooks in there with a prior module and then see what its being assigned to or something when the target module is loaded, but thats waay beyond my abilities.

Oh Torch, you're so wrong...
I found a way to figure out the Syscall Num... just fine for every function.
It needs a bit of manual stubbing though... namely stubbing of the Function sceKernelQuerySystemCall.

I figured out the 5.0 NID for it by comparing the 3.0 Libraries with the 5.0 ones immediately... and will post a working "User to Kernel" hook sample code...

I just need a bit of help from your side... just a tiny bit. ;)