added 2 more labs as gitmodules

kotae4 · kotae4 · commit db73bbf528f2 · 2022-05-19T02:07:06.000-04:00
* also improved hooking section
diff --git a/.gitmodules b/.gitmodules
@@ -4,3 +4,9 @@
 [submodule "Section 1 - Basics/example_projects/lab-reversing-structures"]
 	path = Section 1 - Basics/example_projects/lab-reversing-structures
 	url = https://github.com/kotae4/lab-reversing-structures
+[submodule "Practical Experience - Labs & POCs/lab-esp-and-aimbot"]
+	path = Practical Experience - Labs & POCs/lab-esp-and-aimbot
+	url = https://github.com/kotae4/lab-esp-and-aimbot
+[submodule "Section 2 - Hooking/example_projects/lab-hooking-testbed"]
+	path = Section 2 - Hooking/example_projects/lab-hooking-testbed
+	url = https://github.com/kotae4/lab-hooking-testbed
diff --git a/Practical Experience - Labs & POCs/lab-esp-and-aimbot b/Practical Experience - Labs & POCs/lab-esp-and-aimbot
@@ -0,0 +1 @@
+Subproject commit fde2eaf5d3ec86a604af12af995ec7a00c278186
diff --git a/README.md b/README.md
@@ -122,20 +122,20 @@ Example projects may be included in each section, but they are also linked to in
 	
 ### (Work-In-Progress) Example Projects / Labs ###
 
-1. Viewing data structures in memory and in a disassembler
-2. Basic manual mapper
-3. Aimbot + ESP quick rundown for assault cube
+- [x] Viewing data structures in memory and in a disassembler
+- [x] Basic manual mapper
+- [x] Aimbot + ESP quick rundown for assault cube
 	<ol type="a">
 	<li>internal and maybe external?</li>
 	</ol>
-4. Aimbot + ESP quick rundown for an old quake engine game
-5. Aimbot + ESP quick rundown for a ue4 game
+- [ ] Aimbot + ESP quick rundown for an old quake engine game
+- [ ] Aimbot + ESP quick rundown for a ue4 game
 	<ol type="a">
 	<li>GObjects + GNames = GG</li>
 	</ol>
-6. Aimbot + ESP quick rundown for a unity game
+- [ ] Aimbot + ESP quick rundown for a unity game
 	<ol type="a">
 	<li>mono backend vs il2cpp backend</li>
 	</ol>
-7. Aimbot + ESP quick rundown for a cryengine (5?) game
-8. Converting assault cube hack to kernel-mode
+- [ ] Aimbot + ESP quick rundown for a cryengine (5?) game
+- [ ] Converting assault cube hack to kernel-mode
diff --git a/Section 1 - Basics/README.md b/Section 1 - Basics/README.md
@@ -56,7 +56,7 @@ Good resources for learning more: Windows Internals book, Intel Software Develop
 This guide assumes you have prior programming experience dealing with pointers. Don't sweat it if you mess them up sometimes. Everyone does. I mess up pointer arithmetic at least once per project. You should be comfortable with this exercise: given an address (eg; 0x410000) read the first 4 bytes. Bonus points if you can read the first 4 bits.
 
 ## x86 Assembly ##
-CPUs read bytes. Bytes are the words of their language. But just like our words have meaning, so to must their bytes. That is where 'instruction sets' come in.  
+CPUs read bytes. Bytes are the words of their language. But just like our words have meaning, so too must their bytes. That is where 'instruction sets' come in.  
 The x86 instruction set is the most common instruction set used by consumer CPUs.  
 The x86 assembly *language* is a set of mnemonics that translate to x86-encoded instruction bytes.  
 The human-readable `mov eax, 1` will compile to bytes `B801000000` and that's what will be stored on disk and eventually parsed by the CPU if executed.  
diff --git a/Section 2 - Hooking/README.md b/Section 2 - Hooking/README.md
@@ -5,23 +5,25 @@ The art of making someone else's code execute your code instead.
 ## Inline Hooking ##
 
 An inline hook is one in which a jmp to your hook function has been written over some instruction bytes in the target function (usually at the very top of the target function).  
-Because you're overwriting instruction bytes that may be executed at any time you'll need to first suspend all threads other than your own. Furthermore, because CPUs like to cache things, it's also a good idea to flush the instruction cache after you've written your jmp instruction. Lastly, remember that bytes in the .text section usually have only RX page protection, so you'll need to modify the page protection to RWX, write your jmp, then set the page protection back to its original value.
-Furthermore, you should be aware that not all jmp instructions are the same. There are near and far jmps which have the further modifier of relative, or absolute indirect, or absolute. If you're working with a 32 bit address space, a near relative jmp should be fine, but if not then you should make sure that the distance between your target function and hook function isn't greater than the max offset of a near relative jmp. This is one case where you'll definitely want to refer to the intel SDM to find the specifics of each jmp encoding.
+Because you're overwriting instruction bytes that may be executed at any time you'll need to first suspend all threads other than your own, and, if their instruction pointer is within the address range that you're overwriting you'll need to relocate them (you'll need to copy the original bytes somewhere and point it to those at the same relative offset). Furthermore, because CPUs like to cache things, it's also a good idea to flush the instruction cache after you've written your jmp instruction. Lastly, remember that bytes in the .text section usually have only RX page protection, so you'll need to modify the page protection to RWX, write your jmp, then set the page protection back to its original value.<br>
+Additionally, you should be aware that not all jmp instructions are the same. There are near and far jmps which have the further modifier of relative, or absolute indirect, or absolute. If you're working with a 32 bit address space, a near relative jmp should be fine, but if not then you should make sure that the distance between your target function and hook function isn't greater than the max offset of a near relative jmp. This is one case where you'll definitely want to refer to the intel SDM to find the specifics of each jmp encoding.
 
-### TO-DO ###
-Image of before and after control flow
+| ![inline-hook-with-trampoline](guide_images/inline-hook-with-trampoline.png) |
+|:--:|
+| <sub>Image: Before and after of an inline hook with trampoline function shown</sub> | 
 
 ## Trampolines ##
 
 Often you'll want to call the original function at some point in your hook function, but you'll find if you do that you'll eventually hit a stack overflow exception. Your hook calls your target which is hooked so execution winds back up in your hook which calls your target which... eventually, all those calls will exhaust the stack and generate that exception.  
 So you have two options: either unhook your target function, call it, then re-hook it, or simply write a 'trampoline' and call your trampoline.  
 A trampoline is simply a copy of the instructions that your hook overwrote in the target function followed by a jmp to the position in the target function just past your hook. This allows the full target function to execute without going into the infinite loop of jmp'ing to your hook.  
-Of course, because instructions are just encoded bytes, how can you know which bytes comprise a full instruction? Or rather, where does one instruction end and the next begin? This is where you'll need to employ a disassembly engine. Popular ones include `hde` and `capstone`. You'll feed the disassembly engine the bytes and it'll feed you the instructions. With that, you should have all you need to write your trampoline. Again, though, make sure you're using the write jmp encoding in your trampoline.  
+Of course, because instructions are just encoded bytes, how can you know which bytes comprise a full instruction? Or rather, where does one instruction end and the next begin? This is where you'll need to employ a disassembly engine. Popular ones include `hde` and `capstone`. You'll feed the disassembly engine the bytes and it'll feed you the instructions. With that, you should have all you need to write your trampoline. Again, though, make sure you're using the right jmp encoding in your trampoline.  
 
 Ah, this was written with inline hooks in mind but trampolines can be used for other types of hooks too. For example, if you have a hardware breakpoint set on the first instruction of the target function, your trampoline would need to have a copy of that instruction and then jmp to the second instruction of the target function. This will, again, allow you to call the original target function without it executing your hook function.
 
-### TO-DO ###
-Image of before and after control flow of an inline hook, including the trampoline
+| ![inline-hook-with-trampoline-controlflow](guide_images/inline-hook-with-trampoline-controlflow.png) |
+|:--:|
+| <sub>Image: Control flow of an inline hook with trampoline</sub> | 
 
 ## Virtual Method Table Hooking ##
 
diff --git a/Section 2 - Hooking/example_projects/lab-hooking-testbed b/Section 2 - Hooking/example_projects/lab-hooking-testbed
@@ -0,0 +1 @@
+Subproject commit c8923c7b5418255415bf1d358db5d9e9ff9f54f5
diff --git a/Section 2 - Hooking/guide_images/inline-hook-with-trampoline-controlflow.png b/Section 2 - Hooking/guide_images/inline-hook-with-trampoline-controlflow.png
diff --git a/Section 2 - Hooking/guide_images/inline-hook-with-trampoline.png b/Section 2 - Hooking/guide_images/inline-hook-with-trampoline.png
