Hook unexported functions

microsoft / Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.

MIT License

5.18k stars 1k forks source link

Hook unexported functions #302

Closed djn3m0 closed 11 months ago

djn3m0 commented 11 months ago

Hello,

I need to hook a function inside a .exe file, there is no symbol that I can resolve or it's not exported like in .dlls. What is the right way of hooking unexported functions inside a .exe file?

I would appreciate if you can point me to any code or sample.

Thanks

sylveon commented 11 months ago

You need to use something else to find the address, for example the DIA API with PDB symbols, or hardcoding a raw offset, etc.

Then once you have a function pointer, you should be able to use Detours as usual.

djn3m0 commented 11 months ago

I'm not familiar with DIA Api and googling brings up some unrelated stuff, can you please provide link or some documentation?

thanks

ptrstr commented 11 months ago

You can also use a tool like Ghidra or IDA to find the address of the function you want to hook.

You can then:

Subtract that address with the load address Ghidra/IDA sets (this gives you the offset)
Find the base address of the loaded executable (You can use GetModuleHandleA)
Add that offset to the base address of the loaded executable. You now have the address of the function to hook.

sylveon commented 11 months ago

Yes, that would be hardcoding a raw offset

djn3m0 commented 11 months ago

Thanks it was very helpful