Are there any C++ hooking libraries that also allows a function to be called right before the return statement? I would like to get some values from two registers after the function has executed, without having to hook all the places where this function is called.

Sure, set hook at the beginning of function like you would normally do. Your hook code should call original function and then process return values.

Since you didn't specify which API hook lib you're using, here's an example for Detours: https://reverseengineering.stackexchange.com/a/2470

 

But what if the function doesn't return any values, then I guess this wouldn't work? The function accesses properties on different objects, and I just know that the registers eax and edi contains the pointers that I need, right before the return.

I was primarily looking at MinHook and PolyHook, but I wasn't sure if I could achieve exactly what I needed with those.

 

#Edit: I was gonna try with PolyHook but I can't seem to set it up. I downloaded the github repository, added a reference to the "PolyHook.hpp" file and the "capstone.lib" library, but I get ~30 errors like this when I use any PolyHook class:

Quote

Error    LNK2005    "public: virtual bool __thiscall PLH::X86Detour::Hook(void)" (?Hook@X86Detour@PLH@@UAE_NXZ) already defined in dllmain.obj  

And I'm sure I've not defined any of it anywhere twice, do you know why I would get this?

Edited November 28, 20177 yr by JQueue

On a related note. I am now trying to hook the function with the MinHook library, but I've come across a problem. The program ends up crashing after executing my hooked function, unless I only use inline-asm, which I assume is because of stack-corruption or something alike. I'd need to use C++, so how exactly can I also execute my own function, without changing or deleting any of the values that were set for the normal function?

Just use a regular assembly hook, and write the memory manually.

For the desired effect (post-execution hooking), just hook the function at the start, push all the parameters onto the stack (again), call the function, and you'll return at the end of your call, which is at the end of the function. Then you can check the parameters.

Code would be something like this (notice, I just wrote this up real quick and didn't have much time, so there might've been som miscalculating):

 

uint32_t function_ptr = 0xDEADBEEF;

void __declspec(naked) end_hook 
{
    __asm
    {
        pushad
        
        /* Push all the arguments to the stack (again) 
        
        call dword ptr [function_ptr]
        
        /* Compare registers */
        
        popad
        ret (...)
    }
}

Edited November 29, 20177 yr by VirtualPuppet

Back when i enjoyed gamehacking i often hooked return address on the stack. I still do this with some protectors when inline patching.