Tuts 4 You

C++ end-of-function hooking


JQueue

Are there any C++ hooking libraries that also allow a function to be called right before the return statement? I would like to get some values from two registers after the function has executed, without having to hook all the places where this function is called.

kao

Sure, set hook at the beginning of function like you would normally do. Your hook code should call original function and then process return values.

Since you didn't specify which API hook lib you're using, here's an example for Detours: https://reverseengineering.stackexchange.com/a/2470

 

  • Like 3
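
Added example, not part of the thread and not code from any hooking library: the pattern kao describes (hook the entry, call the original from the hook, then inspect state once it has returned), shown portably with a function-pointer slot standing in for the patched entry point. `Player`, `apply_damage_impl`, `g_entry` and the other names are constructed for illustration; with Detours or MinHook the saved `g_original` pointer would be the trampoline the library hands back.

```cpp
#include <vector>

// Constructed stand-in for the hooked program: a void function whose only
// effect is on the object it is given.
struct Player { int health; int hits; };
static void apply_damage_impl(Player* p, int amount) { p->health -= amount; p->hits += 1; }

// Hypothetical patchable entry point. A hooking library rewrites the first
// bytes of the target; here a function-pointer slot plays that role.
using DamageFn = void (*)(Player*, int);
static DamageFn g_entry = &apply_damage_impl;
static DamageFn g_original = nullptr;  // set at install time (the "trampoline")

struct Observation { int health_before; int health_after; int amount; };
static std::vector<Observation> g_log;

// Detour with the same signature as the target. Everything after the call to
// g_original runs when the real function has finished: the end-of-function view.
static void apply_damage_detour(Player* p, int amount) {
    const int before = p->health;                  // state on entry
    g_original(p, amount);                         // run the real function to completion
    g_log.push_back({before, p->health, amount});  // state just before returning to the caller
}

bool install_post_hook() {
    if (g_original) return false;  // already installed
    g_original = g_entry;          // remember how to reach the real function
    g_entry = &apply_damage_detour;
    return true;
}

bool remove_post_hook() {
    if (!g_original) return false;
    g_entry = g_original;          // restore the unhooked entry
    g_original = nullptr;
    return true;
}

// Call sites are untouched: they still go through the one entry point.
int run_demo() {
    Player p{100, 0};
    install_post_hook();
    g_entry(&p, 30);
    g_entry(&p, 20);
    remove_post_hook();
    g_entry(&p, 5);                // hook removed, so this call is not logged
    return p.health;
}
```

With a real hooking library the detour must also match the target's calling convention, not only its parameter list.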

JQueue

But what if the function doesn't return any values, then I guess this wouldn't work? The function accesses properties on different objects, and I just know that the registers eax and edi contain the pointers that I need, right before the return.

I was primarily looking at MinHook and PolyHook, but I wasn't sure if I could achieve exactly what I needed with those.

 

#Edit: I was gonna try with PolyHook but I can't seem to set it up. I downloaded the github repository, added a reference to the "PolyHook.hpp" file and the "capstone.lib" library, but I get ~30 errors like this when I use any PolyHook class:

Quote

Error    LNK2005    "public: virtual bool __thiscall PLH::X86Detour::Hook(void)" (?Hook@X86Detour@PLH@@UAE_NXZ) already defined in dllmain.obj  

And I'm sure I've not defined any of it anywhere twice, do you know why I would get this?

Edited by JQueue (see edit history)

JQueue

On a related note. I am now trying to hook the function with the MinHook library, but I've come across a problem. The program ends up crashing after executing my hooked function, unless I only use inline-asm, which I assume is because of stack-corruption or something alike. I'd need to use C++, so how exactly can I also execute my own function, without changing or deleting any of the values that were set for the normal function?

VirtualPuppet

Just use a regular assembly hook, and write the memory manually.

For the desired effect (post-execution hooking), just hook the function at the start, push all the parameters onto the stack (again), call the function, and you'll return at the end of your call, which is at the end of the function. Then you can check the parameters.

Code would be something like this (notice, I just wrote this up real quick and didn't have much time, so there might've been some miscalculating):

 

#include <cstdint>

// Placeholder address of the function to call
uint32_t function_ptr = 0xDEADBEEF;

void __declspec(naked) end_hook()
{
    __asm
    {
        pushad
        
        /* Push all the arguments to the stack (again) */
        
        call dword ptr [function_ptr]
        
        /* Compare registers */
        
        popad
        ret (...)
    }
}

Edited by VirtualPuppet (see edit history)
  • Like 1

JohnWho

Back when I enjoyed gamehacking I often hooked return address on the stack. I still do this with some protectors when inline patching.

  • Like 1
