Zeupert Posted January 10, 2018 (edited)

In my DLL I am using the MinHook library to hook certain functions based on their address. The problem is, if I try to directly call the original function with the address that MinHook gives me, it ends up crashing; it only works when jumping directly to the address. I am working in x64, by the way.

I am hooking the function in a way like this:

    extern "C" LPVOID originalFunc;
    LPVOID myAddress = (LPVOID)0xDEADC0DE;
    MH_CreateHook(myAddress, (LPVOID)&myCustomFunc, &originalFunc);

The "myCustomFunc" is also declared extern "C" and is a function in a separate assembly file, looking like this:

    myCustomFunc:
        *push all registers, similar to pushad*
        call myFunction
        *pop all registers, like popad*
        jmp originalFunc    ; This works

But if I replace the jump instruction with this:

        call originalFunc
        ret

it no longer works, and I get a crash. I can't seem to figure out why it crashes, or if it has something to do with MinHook. But I'd like to replace the jump with a call so that I can run some code again after the function is done executing, which I can't really do if I jump to it.

Any help would be appreciated!

Edited January 10, 2018 by Zeupert
evlncrn8 Posted January 11, 2018 (edited)

Well, to call it you'd have to push the additional parameters, wouldn't you? Think about the state of the stack / registers for the call. For x64 it should be rcx, rdx, r8, r9, and then the stack (if there are more than 4 params).

Edited January 11, 2018 by evlncrn8
Zeupert (Author) Posted January 12, 2018

You might be right. The function takes 3 parameters, but how exactly should I do that? I mean, the parameters should already be in the correct registers when my assembly function is called, so should I just push the registers for these 3 parameters again before doing the call to the original function?
evlncrn8 Posted January 12, 2018

If it takes 3 params then it'd be rcx, rdx and r8. Can't you trace it and find out yourself what's going wrong?
h4sh3m Posted January 12, 2018

5 hours ago, Zeupert said:

    You might be right. The function takes 3 parameters, but how exactly should I do that? I mean, the parameters should already be in the correct registers when my assembly function is called, so should I just push the registers for these 3 parameters again before doing the call to the original function?

Hi,

After the call you have an extra return (a return to nowhere, because of stack corruption). You can find hook samples that explain exactly what you need to do, something like this:

https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra

or this one:

https://www.apriorit.com/dev-blog/160-apihooks

BR,
h4sh3m
Zeupert (Author) Posted January 14, 2018

On 12/1/2018 at 3:36 PM, h4sh3m said:

    Hi,

    After the call you have an extra return (a return to nowhere, because of stack corruption). You can find hook samples that explain exactly what you need to do, something like this:

    https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra

    or this one:

    https://www.apriorit.com/dev-blog/160-apihooks

    BR,
    h4sh3m

I tried the most simple way as shown in the first link with MinHook, where in the hooked function I just returned the value from the call of the original function (without any assembly involved at all), but that didn't even work. Maybe I should give Mhook a try then, and see if that works better. Thanks for the help.
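Added example (editor's note, not code from any poster in this thread): an ml64 (MASM) detour stub that calls the MinHook trampoline instead of jumping to it, and then runs code after the original returns. It follows the Microsoft x64 calling convention requirements that the thread circles around: at every `call` the stack pointer must be 16-byte aligned, the caller must reserve a 32-byte shadow space above the return address, and the first four integer/pointer arguments travel in rcx, rdx, r8 and r9. The names `originalFunc` and `myCustomFunc` come from the original post; `myFunction` (pre-call hook) and `myPostFunction` (post-call hook) are assumed to be C functions with the signatures given in the comments, and the hooked function is assumed to take three integer or pointer arguments, as the OP says.

```asm
; x64 detour stub for ml64. Assumptions (not from the thread):
;   extern "C" void    myFunction(void *a1, void *a2, void *a3);               ; runs before the original
;   extern "C" void   *myPostFunction(void *a1, void *a2, void *a3, void *rv); ; runs after, may replace rax
;   originalFunc is the LPVOID filled in by MH_CreateHook, declared extern "C" in the C++ side.
extern originalFunc:qword
extern myFunction:proc
extern myPostFunction:proc

.code
myCustomFunc proc
    ; On entry rsp is 8 mod 16 and [rsp] is the caller's return address; the
    ; caller's own 32-byte shadow space sits above it and must not be reused.
    push rbp
    mov  rbp, rsp          ; rsp is now 0 mod 16
    push rbx               ; non-volatile registers used to hold the arguments
    push rsi               ; across the calls below (the callee must preserve them)
    push rdi               ; after three pushes rsp is 8 mod 16 again
    sub  rsp, 40           ; 32 bytes shadow space + 8 bytes padding -> rsp 0 mod 16

    mov  rbx, rcx          ; keep the three incoming arguments
    mov  rsi, rdx
    mov  rdi, r8

    ; pre-call hook: myFunction(a1, a2, a3); rcx/rdx/r8 still hold them
    call myFunction

    ; call the original via MinHook's trampoline with the arguments restored
    mov  rcx, rbx
    mov  rdx, rsi
    mov  r8,  rdi
    call qword ptr [originalFunc]

    ; post-call hook: rax = myPostFunction(a1, a2, a3, original_return_value)
    mov  rcx, rbx
    mov  rdx, rsi
    mov  r8,  rdi
    mov  r9,  rax
    call myPostFunction

    add  rsp, 40           ; tear the frame down in reverse order
    pop  rdi
    pop  rsi
    pop  rbx
    pop  rbp
    ret                    ; returns to the hooked function's original caller
myCustomFunc endp
end
```

Why the bare `call originalFunc` / `ret` from the entry state breaks: with the registers popped back, rsp is still 8 mod 16 and still points at the caller's return address, so the `call` enters the original with a misaligned stack (aligned SSE moves such as `movaps` in its prologue then fault) and with the caller's return address sitting where the original's first shadow slot belongs, so any spill of rcx to its home slot overwrites that return address and the final `ret` goes nowhere, which matches h4sh3m's description. The `jmp` variant works because it leaves the caller's frame untouched. If the hooked function takes more than four arguments or floating-point arguments, the stub must also copy the stack arguments and preserve xmm0-xmm3, which this example does not do.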