通过热补丁挂钩...dll 中的非导出类方法
我一直在研究这种使用 Windows dll 中的热补丁机制进行 API 挂钩的方法。
http://www.codeproject.com/KB/winsdk/0xF9EB_Hooking.aspx
我想知道是否有人知道一种方法来扩展它来挂钩非导出函数,例如 DLL 内部类的 C++ 构造函数。我已经通过反汇编知道了地址...我遇到的问题是如何设置正确的调用约定,以便我可以在钩子函数内调用原始函数。
我已经到了我的钩子函数被调用的地步...程序崩溃了,因为我无法返回调用原始函数的结果。
假设我们正在讨论将内部类构造函数与原型挂钩,如下所示:
public __thiscall <class_name>::<class_name>(<single pointer arg to another object>)
I have been studying this method of API hooking using the mechanisms for hotpatching in windows dlls.
http://www.codeproject.com/KB/winsdk/0xF9EB_Hooking.aspx
I was wondering if anyone would know of a way to extend that to hooking non exported functions such as a C++ constructor for an internal class inside of a DLL. I have already know the address via dis-assembly... the problem I am having is how to set up the right calling conventions so that I can call the original function inside of my hook function.
I'm already to the point to where my hook function gets called... the program crashes because I can't return the results of calling the original function.
Lets assume we are talking about hooking an internal class constructor with a prototype something like this:
public __thiscall <class_name>::<class_name>(<single pointer arg to another object>)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
根据模块的加载方式,您通常可以覆盖各自调用站点的相对或绝对地址,否则您需要创建一个蹦床函数,为此更容易使用 MS Detours 之类的东西。
就基于 __thiscall 的类成员函数的正确原型而言,您需要一些技巧,因为您通常不能在类外部使用 __thiscall 。最快、最简单的方法是使用 __fastcall 并忽略第二个参数。因此,您的第一个定义变为
void __fastcall myctor(myobj* pObj)。depending on how your module is loaded, you can generally just overwrite the relative or absolute addresses at their respective call sites, else you need to make a trampolining function, for which its easier to use something like MS Detours.
In terms of the correct prototype for
__thiscallbased class member functions, you need some trickery, as you can't generally use__thiscalloutside classes. The fastest and easiest way is to use__fastcalland ignore the second parameter. So your first definition becomesvoid __fastcall myctor(myobj* pObj).将其定义为典型的 __stdcall 函数,只不过在 ecx 寄存器中有
this指针。如果您需要此指针,请使用 __asm 关键字来获取值:请注意,您必须在调用开始时执行此操作。否则,
ecx寄存器的值可能会被覆盖。Define it as a typical
__stdcallfunction except that you'll havethispointer inecxregister. If you need this pointer, then use the__asmkeyword to get the value:Note that you'll have to do this at the beginning of the call. Otherwise, the value of
ecxregister may be overwritten.