Hi Ronen_Ariely - Thanks for the feedback!
The C code we use to perform the patching (instruction overwriting) is not too complicated and does pretty much what is described above. It goes roughly like this:
- Load the patched image using LoadLibrary()
- Find the module base address of the image to be patched.
- Use the pre-computed function offset(s) within each image to acquire a void* to where the functions start.
- Deref the pointers and write JMP instructions directly to the memory address.
But it's only a small piece of the puzzle. The hardest part of hot patching is to prove that redirecting a function will do the right thing. For example, is it referencing other functions or globals, has it been inlined, are compiler optimizations going to cause trouble, etc.? This is what I briefly touch on in section 6, but this topic is so large that one could write a PhD thesis about it.
So I had to limit the scope to not turn the blog post into a book 🙂 Given that the scope of doing it safely is beyond what I can cover here, I didn't want to include examples of doing something that would almost certainly go wrong.
But it's great to know that there are folks out there that want more technical details. Maybe I'll do a follow-up post later.
- Hans