Databases
StackOverflow2013
Postsdbo
POHook the method whose parameters contain unknown object
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POHook the method whose parameters contain unknown object
    primarykey
    data
    text
    <p>I hooked a C++ member method via detours.</p> <p>The method's declaration is retrieved from Symbol file (*.pdb) in IDA</p> <pre><code>LPVOID __thiscall Foo(class UnknownClass, unsigned int, int) </code></pre> <p>The following is my method replacing the real one</p> <pre><code>// the first parameter of the method is an unknown class to me // I don't know its implementation, don't know its size // so I just declare a dummy class with a enough size class UnknownClass { public: CHAR dummy[1024]; }; typedef LPVOID (__thiscall MyDummyClass::*PFN_Foo)( UnknownClass, unsigned int, int ); class MyDummyClass { public: // The address of the real method PFN_Foo m_pfnFoo; // My method to replace the real one LPVOID MyFoo( UnknownClass p1, unsigned int p2, int p3) { MyDummyClass * pThis = (MyDummyClass*)this; // call the real one. // and here the error happens return (pThis-&gt;*m_pfnFoo)( p1, p2, p3 ); } }; </code></pre> <p>The hook works and <code>MyFoo</code> is called instead of the real method. but I get an error when calling the real method:</p> <blockquote> <p><code>Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.</code></p> </blockquote> <p>Do you have any suggestion to me? How to handle this kind of hook when one of the parameter is passed as object, but its implementation is unknown to me.</p>
    singulars
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PTQuestion
    1. This table or related slice is empty.
    1. USMr.Wang from Next Door
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. COYou need to get the exact sizes of the object right, as well as potentially calling any destructors. Without debug symbols or headers, that's going to be a bit challenging. You may need to recreate more of the class than just a buffer. However, *do not use Detours*. It's touchy and unstable, known to crash when running on systems it doesn't like, and makes this sort of thing a lot harder than it needs to be. EasyHook or a similar library will provide a much better experience.
      singulars
      1. POHook the method whose parameters contain unknown object
      1. USssube
    2. COchanged to EasyHook, still the same :(
      singulars
      1. POHook the method whose parameters contain unknown object
      1. USMr.Wang from Next Door
    3. COAre you sure p1 is passed by value? if it is, your choice of 1024 bytes causes quite a lot of stuff to be pushed on the stack.
      singulars
      1. POHook the method whose parameters contain unknown object
      1. USWillem Hengeveld
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload