Databases
StackOverflow2013
Postsdbo
POHow to create a trampoline function for hook
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POHow to create a trampoline function for hook
    primarykey
    data
    text
    <p>I'm interested in hooking and I decided to see if I could hook some functions. I wasn't interested in using a library like detours because I want to have the experience of doing it on my own. With some sources I found on the internet, I was able to create the code below. It's basic, but it works alright. However when hooking functions that are called by multiple threads it proves to be extremely unstable. If two calls are made at nearly the same time, it'll crash. After some research I think I need to create a trampoline function. After looking for hours all I was not able to find anything other that a general description on what a trampoline was. I could not find anything specifically about writing a trampoline function, or how they really worked. If any one could help me write one, post some sources, or at least point me in the right direction by recommending some articles, sites, books, etc. I would greatly appreciate it.</p> <p>Below is the code I've written. It's really basic but I hope others might learn from it.</p> <p>test.cpp</p> <pre><code>#include "stdafx.h" Hook hook; typedef int (WINAPI *tMessageBox)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType); DWORD hMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType) { hook.removeHook(); tMessageBox oMessageBox = (tMessageBox)hook.funcPtr; int ret =oMessageBox(hWnd, lpText, "Hooked!", uType); hook.applyHook(&amp;hMessageBox); return ret; } void hookMessageBox() { printf("Hooking MessageBox...\n"); if(hook.findFunc("User32.dll", "MessageBoxA")) { if(hook.applyHook(&amp;hMessageBox)) { printf("hook applied! \n\n"); } else printf("hook could not be applied\n"); } } </code></pre> <p>hook.cpp</p> <pre><code>#include "stdafx.h" bool Hook::findFunc(char* libName, char* funcName) { Hook::funcPtr = (void*)GetProcAddress(GetModuleHandleA(libName), funcName); return (Hook::funcPtr != NULL); } bool Hook::removeHook() { DWORD dwProtect; if(VirtualProtect(Hook::funcPtr, 6, PAGE_EXECUTE_READWRITE, &amp;dwProtect)) { WriteProcessMemory(GetCurrentProcess(), (LPVOID)Hook::funcPtr, Hook::origData, 6, 0); VirtualProtect(Hook::funcPtr, 6, dwProtect, NULL); return true; } else return false; } bool Hook::reapplyHook() { DWORD dwProtect; if(VirtualProtect(funcPtr, 6, PAGE_EXECUTE_READWRITE, &amp;dwProtect)) { WriteProcessMemory(GetCurrentProcess(), (LPVOID)funcPtr, Hook::hookData, 6, 0); VirtualProtect(funcPtr, 6, dwProtect, NULL); return true; } else return false; } bool Hook::applyHook(void* hook) { return setHookAtAddress(Hook::funcPtr, hook); } bool Hook::setHookAtAddress(void* funcPtr, void* hook) { Hook::funcPtr = funcPtr; BYTE jmp[6] = { 0xE9, //jmp 0x00, 0x00, 0x00, 0x00, //address 0xC3 //retn }; DWORD dwProtect; if(VirtualProtect(funcPtr, 6, PAGE_EXECUTE_READWRITE, &amp;dwProtect)) // make memory writable { ReadProcessMemory(GetCurrentProcess(), (LPVOID)funcPtr, Hook::origData, 6, 0); // save old data DWORD offset = ((DWORD)hook - (DWORD)funcPtr - 5); //((to)-(from)-5) memcpy(&amp;jmp[1], &amp;offset, 4); // write address into jmp memcpy(Hook::hookData, jmp, 6); // save hook data WriteProcessMemory(GetCurrentProcess(), (LPVOID)funcPtr, jmp, 6, 0); // write jmp VirtualProtect(funcPtr, 6, dwProtect, NULL); // reprotect return true; } else return false; } </code></pre>
    singulars
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PTQuestion
    1. USFlavius
    1. USStratus
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POHow to create a trampoline function for hook
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POHow to create a trampoline function for hook
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POHow to create a trampoline function for hook
      1. This table or related slice is empty.
      1. VTUpMod
    1. COI was going to post a link to GD, but I just noticed you are a member there too. Have you tried using their search function? It comes up with tons of examples :)
      singulars
      1. POHow to create a trampoline function for hook
      1. USTom Knapen
    2. COYou may check EasyHook's code, I believe it's open-source. There are also plenty of other examples around. If you're planning to use this in a deployed application, I'd recommend using a library (like EasyHook) that can already handle recursion on the hook/trampoline, threading, and some of the fun stuff.
      singulars
      1. POHow to create a trampoline function for hook
      1. USssube
    3. CO@Tom Knapen I searched GD, MPGH and a few other sites before I posted. Searching 'trampoline' on GD returns a few slightly-related posts but not what I'm looking for.
      singulars
      1. POHow to create a trampoline function for hook
      1. USStratus
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload