how to create a trampoline function using DetourAttachEx? (with MS detours)_问答_开发者

I have a dll and i wish to create a detour to one of its exported functions,

The dll is not part of windows.
I need to be able to call the real function after my detour (call the real function from a detoured one)
I know the exact signature of the function.
I already have been able to detour the function, but right now i can't call the real one.

I realize i need to use a trampoline function, I've seen examples online. the problem is: all those examples show how to detour a windows API function, i need to do the same for a function i get thorough a dll import.

any help would be welcomed

--edit just to clarify, I have attempted to call the original function by its pointer, but that does not work. also tried using the method from this stack overflow article

that doesn't even crash but it looks like it goes into to an infinite loop (i assume because in the original function there is a jump to the detoured one)

edit -- solved! not sure what solved it, used this as reference.

stop开发者_运维知识库ped using getProcadder and instead started using DetourFindFunction instead
cleaned up the code (pretty sure i cleaned out whatever caused the issue)

works, thanks anyway

I don't use detours(I actually detest it!), but detouring any non hot-patchable function can be done in a generic manner, like so:

Sstep 1: insert a JMP <your code> at the start of the function, takes 5 bytes, probably a little more to align to the nearest instruction. as an example

the start of the function to hook:

SUB ESP,3C
PUSH EDI
PUSH ESI
//more code

would become:

JMP MyFunction
//more code

one would do this by writing 0xE9 at the first byte then writing the value (function_addr - patch_addr + sizeof(INT_PTR)) in the following DWORD. writing should be done using WriteProcessMemory after setting Read/write/execute permissions with VirtualProtectEx

Step 2: next, we create an assembly interface:

void __declspec(naked) MyFunc()
{

    __asm
    {
        call Check             ;call out filter func
        test eax,eax           ; test if we let the call through
        je _EXIT
        sub esp,3c             ; its gone through, so we replicate what we overwrote
        push edi
        push esi
        jmp NextExecutionAddress ; now we jump back to the location just after our jump
    _EXIT:
        retn                   ; note, this must have the correct stack cleanup
    }

}

NextExecutionAddress will need to be filled at run time using ModuleBase + RVA.

To be honest, its way easier, and better(!) to just EAT (Export Address Table) hook the export table of the dll, or IAT (Import Address Table) hook the import tables of whats calling the funcs you want to filter. Detours should have functions for these type of hooks, if not, there are other freely available libs to do it.

The other way would be to use detour to hook every call in the apps using the dll to reroute them to a proxy function in your own code, this has the advantage of allowing one to filter only certain calls, and not everything across a binary(it is possible to do the same using _ReturnAddress, but thats more work), the disadvantage though is capturing the locations to patch(I use ollydbg + a custom patching engine) and it won't work on non-regular calling convention functions(like those made with #pragma aux in Watcom or the optimized calls generated by VC7+).

One important thing to note: if your hooking a multithreaded app, your patches need to be done with the app suspended, or be done attomically use InterlockedExchange, InterlockExchange64 and InterlockedExchangePointer(I use the latter for all IAT/EAT hooks, especially when hooking from a 'third party process')

Looking at the post you link to, the method there is horrible in my opinion, mainly due to the assmebly :P but, how are you calling this pointer you obtain, and how is it obtained?