JQueue (posted November 28, 2017):
Are there any C++ hooking libraries that also allow a function to be called right before the return statement? I would like to get some values from two registers after the function has executed, without having to hook all the places where this function is called.
kao (posted November 28, 2017):
Sure, set a hook at the beginning of the function like you would normally do. Your hook code should call the original function and then process the return values. Since you didn't specify which API hook lib you're using, here's an example for Detours: https://reverseengineering.stackexchange.com/a/2470
JQueue (posted November 28, 2017, edited):
But what if the function doesn't return any values? Then I guess this wouldn't work. The function accesses properties on different objects, and I just know that the registers eax and edi contain the pointers that I need, right before the return. I was primarily looking at MinHook and PolyHook, but I wasn't sure if I could achieve exactly what I needed with those.

Edit: I was gonna try with PolyHook, but I can't seem to set it up. I downloaded the GitHub repository, added a reference to the "PolyHook.hpp" file and the "capstone.lib" library, but I get ~30 errors like this when I use any PolyHook class:

> Error LNK2005 "public: virtual bool __thiscall PLH::X86Detour::Hook(void)" (?Hook@X86Detour@PLH@@UAE_NXZ) already defined in dllmain.obj

And I'm sure I've not defined any of it twice anywhere. Do you know why I would get this?
Edited November 28, 2017 by JQueue
JQueue (posted November 28, 2017):
On a related note: I am now trying to hook the function with the MinHook library, but I've come across a problem. The program ends up crashing after executing my hooked function, unless I only use inline asm, which I assume is because of stack corruption or something similar. I'd need to use C++, so how exactly can I also execute my own function without changing or deleting any of the values that were set for the normal function?
VirtualPuppet (posted November 29, 2017, edited):
Just use a regular assembly hook, and write the memory manually. For the desired effect (post-execution hooking), just hook the function at the start, push all the parameters onto the stack (again), call the function, and you'll return at the end of your call, which is at the end of the function. Then you can check the parameters. Code would be something like this (notice, I just wrote this up real quick and didn't have much time, so there might've been some miscalculating):

```cpp
#include <cstdint>

// Address of the original function (or of the trampoline that runs its
// displaced prologue, when the function itself has been patched).
uint32_t function_ptr = 0xDEADBEEF;

// Naked: no compiler-generated prologue/epilogue, so nothing touches the
// stack or registers except what is written here (32-bit MSVC inline asm).
void __declspec(naked) end_hook()
{
    __asm
    {
        pushad                          // preserve every general-purpose register

        /* Push all the arguments to the stack (again), in the same order
           the original call site pushed them */

        call dword ptr [function_ptr]   // run the original; we are back here
                                        // right after its 'ret'
        /* Compare / save registers (eax, edi, ...) here */

        popad                           // restore everything for the real caller
        ret
        /* (...) */
    }
}
```
Edited November 29, 2017 by VirtualPuppet
JohnWho (posted December 1, 2017):
Back when I enjoyed game hacking I often hooked the return address on the stack. I still do this with some protectors when inline patching.