apicall hook snprintf function and variants

[mr-tz]

Some decoding routines rely on string formatting routines such as snprintf. Example: 9dab...106c

[samrath-sudesh-acharya]

@mr-tz can I take up this issue and could you guide me to find the example you mentioned

[mr-tz]

Of course, unfortunately, I don't have the sample handy anymore, but we can easily create a test C program that uses snprintf etc. to test API hooks we create. Can you go ahead with that or do you want me to provide more details?

[samrath-sudesh-acharya]

Ok, I will make the test C program and start working on this

[samrath-sudesh-acharya]

@mr-tz Sorry for the delay. I was using this C code to test the hook

#include <stdio.h>
 
void print_string(char* buffer, int value) {
 
    snprintf(buffer, 100, "The value is: %d", value);
}
 
int main() {
    char buffer[100];
    int value = 42;
 
    print_string(buffer, value);
 
    printf("%s\n", buffer);
 
    return 0;
}

But the hook wasn't getting triggered. Is there something wrong I am doing ?

Here is my code

[mr-tz]

That looks good. Does vivisect recognize the snprintf call correctly? If not you could link it dynamically.

[samrath-sudesh-acharya]

Ok yes I will check on that

[samrath-sudesh-acharya]

@mr-tz Yes, vivisect doesn't recognize snprintf call and only seen in static strings. I will work on dynamically linking it.

[samrath-sudesh-acharya]

@mr-tz I have gone through the documentation of Vivisect and tried to play around with it. From how much I observe the the only way to find the snprintf call is to parse opcode from the basic block in the function and find out which set of operations is likely to doing a snprintf call.

I can't figure out how to find what set assembly-level code will likely resemble the call we are targeting. Could you guide me through or is my logic behind the implementation wrong?

[mr-tz]

Did you try dynamic linking?