TsudaKageyu / minhook

The Minimalistic x86/x64 API Hooking Library for Windows
http://www.codeproject.com/KB/winsdk/LibMinHook.aspx

MH_CreateHook - pTarget - parameter query #83

Closed fabi8 closed 3 years ago

fabi8 commented 4 years ago

Does pTarget in MH_CreateHook need to point to a function (the address where code execution lands after a "jump" or "call"), or can it be some random address in the code/text segment of process memory?

My guess is that it cannot, because the detour could mess up some registers which are in use. But thanks to my very noobish knowledge of assembly I cannot say whether your code handles this or not :D

m417z commented 4 years ago

The library checks that pTarget points to executable memory, and then tries to do its thing. If pTarget points to random bytes, the function might fail or modify the data in unexpected ways. I'm not sure what you're trying to do, but hopefully that answers your question.

fabi8 commented 4 years ago

What I am trying to do is to hook in the middle of some function, not at its start. The question is whether I can do it with your function without needing to do something like:

On Thu, Dec 26, 2019, 12:32 Michael Maltsev notifications@github.com wrote:

The library checks that pTarget points to executable memory https://github.com/TsudaKageyu/minhook/blob/8fda4f5481fed5797dc2651cd91e238e9b3928c6/src/hook.c#L543, and then tries to do its thing. If pTarget points to random bytes, the function might fail or modify the data in unexpected ways. I'm not sure what you're trying to do, but hopefully that answers your question.


m417z commented 4 years ago

You can use MinHook for hooking a function in the middle if you know what you're doing. All MH_CreateHook does is patch a jump at the given location and generate a trampoline that acts as the continuation of the function.

Depending on the target function, calling the trampoline (pOriginal) might not work since the prolog is going to be missing. Similarly, returning from the detour function might not work since the target function's epilog won't run. Also, if you continue to run the function that you disrupted in the middle, you might need to preserve registers which might not be preserved by default (and maybe CPU flags too).

For the general case, you can implement your detour function in assembly like this; it should work:

pushad ; or equivalent in x64
pushfd ; if necessary
; if x64, prepare shadow space on the stack
; push arguments (x86) or set registers (x64) if necessary
call MyHook
popfd ; if necessary
popad ; or equivalent in x64
jmp pOriginal
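The template above filled in for x64 as an added example (it is not from this thread or the MinHook project): an MASM detour stub that saves the volatile registers and flags, realigns the stack, and continues into the trampoline. It assumes the C side called MH_CreateHook with pTarget at the mid-function address and stored the returned trampoline pointer in a global named g_pOriginal, and that MyHook (a hypothetical name) is a C function taking a pointer to the saved register block.

```asm
; Added example, not MinHook code. Build with ml64 and link with the C side.
; C side (assumed): MH_CreateHook(pTarget, MidFunctionDetour, &g_pOriginal);
;                   void MyHook(SAVED_REGS *regs);   /* hypothetical name */
;                   typedef struct { UINT64 r11, r10, r9, r8, rdx, rcx, rax, rflags; } SAVED_REGS;

EXTERN MyHook:PROC                ; C hook that inspects/edits the saved registers
EXTERN g_pOriginal:QWORD          ; trampoline pointer written by MH_CreateHook

.CODE

MidFunctionDetour PROC
    pushfq                        ; save flags first; nothing below changes them yet
    push rax                      ; volatile GPRs the interrupted code may still use
    push rcx
    push rdx
    push r8
    push r9
    push r10
    push r11
    ; rbx, rbp, rsi, rdi, r12-r15 are callee-saved by the x64 ABI, so MyHook
    ; must return them intact; only rbp is touched here and it is saved too
    push rbp
    mov  rbp, rsp                 ; remember rsp: alignment mid-function is unknown
    lea  rcx, [rbp+8]             ; arg0 = &SAVED_REGS (block just above saved rbp)
    and  rsp, -16                 ; x64 requires 16-byte alignment at the call
    sub  rsp, 20h                 ; 32 bytes of shadow space for MyHook
    call MyHook
    mov  rsp, rbp                 ; undo alignment and shadow space in one step
    pop  rbp
    pop  r11                      ; restore in reverse order; MyHook may have
    pop  r10                      ; edited these through the SAVED_REGS pointer
    pop  r9
    pop  r8
    pop  rdx
    pop  rcx
    pop  rax
    popfq
    jmp  QWORD PTR [g_pOriginal]  ; run the displaced instructions, then resume
MidFunctionDetour ENDP

END
```

The explicit realignment is the part the short template leaves implicit: x64 code only guarantees a 16-byte-aligned stack at call sites, not at the arbitrary instruction where the jump was patched in.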