How to find a function's address to hook/detour in an EXE file?
I drove against a wall again and need your help with some low-level stuff. I already succeeded in hooking exported DLL functions (with this code btw.) by injecting them into my target process (e.g. I can easily detour MessageBoxW from user32.dll). Unfortunately I aim for a different scenario: I have to detour a function defined inside the executable I'm injecting my code into. The application is open source, so I know everything about the function I'd need for hooking it, but the binary is signed with a certificate, so I can not compile my own version. Is it possible to fetch the function's address at runtime or detour it with another technique? The target is a "normal" 32-bit Windows binary btw., nothing special I thought ;)
Yours, Nefarius
EDIT: maybe due to my lame English I was not detailed enough, so here is a little sample code:
#include <windows.h>
#include <stdio.h>

BOOL foo(char* someData);   // forward declaration so WinMain can call it

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    foo("hello");
    return 0;
}

// The function to detour: it lives in the EXE itself, not in a DLL
BOOL foo(char* someData)
{
    return printf("%s", someData);
}
Now I want to detour the function foo(), which does not exist in a dynamic library. This is my problem. I don't know how and I'm not sure if this works like I think it does.
EDIT: Now I know it is possible, so the important question changed to: how? How do I get the information I need, the function's address?
Sure, just use something like Ollydbg to set a breakpoint, and edit the assembly after the executable has loaded (and finished checking its certificate). To do it permanently is a bit more challenging, but depending on how sophisticated the certificate check is, you might just be able to bypass that bit of code by replacing it with a NOP (no operation).
EDIT: If you're running 64-bit Windows, you might have better luck with Microsoft's own Debugging Tools. I've never used them, so I have no idea how they compare to Ollydbg.
If this is for something that is more than a one time debugging jaunt, look into Microsoft Detours, an API for hooking functions.
You need to get the function's address, then insert a jmp at the function's entry point to your procedure, and then restore the original proc and jump back to the original function.
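As an added example (not code from this thread), here is the defender's view of what the answer above describes: the function's runtime address is the module load base plus its RVA (assumed to come from the open-source build's map file or symbols), and a quick integrity check of the entry bytes reveals the 5-byte JMP detour or a push/ret trampoline. All addresses and byte sequences below are constructed for a 32-bit image.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Runtime address of a function inside the EXE image: load base + RVA.
 * The RVA is assumed to be known from the build (map file / PDB). */
uint32_t function_va(uint32_t module_base, uint32_t rva) {
    return module_base + rva;
}

/* Read a little-endian 32-bit value without relying on host byte order. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect the first `len` bytes at `entry_va` for an inline detour.
 * Returns the resolved hook target, or 0 when the entry looks untouched.
 *   E9 rel32      jmp rel32        -> target = entry + 5 + rel32
 *   68 imm32 C3   push imm32; ret  -> target = imm32 */
uint32_t detour_target(uint32_t entry_va, const uint8_t *bytes, size_t len) {
    if (len >= 5 && bytes[0] == 0xE9)
        return entry_va + 5 + read_le32(bytes + 1); /* wraps mod 2^32 like the CPU */
    if (len >= 6 && bytes[0] == 0x68 && bytes[5] == 0xC3)
        return read_le32(bytes + 1);
    return 0;
}

/* Constructed samples: foo() at VA 0x00401000, hook target 0x10001000. */
static const uint8_t kCleanEntry[]   = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};  /* push ebp; mov ebp,esp; sub esp,10h */
static const uint8_t kHookedEntry[]  = {0xE9, 0xFB, 0xFF, 0xBF, 0x0F, 0xEC, 0x10}; /* jmp 10001000h; leftover bytes */
static const uint8_t kPushRetEntry[] = {0x68, 0x00, 0x10, 0x00, 0x10, 0xC3};  /* push 10001000h; ret */

int main(void) {
    uint32_t foo_va = function_va(0x00400000u, 0x1000u);
    printf("foo at %08X clean->%08X jmp->%08X push/ret->%08X\n", foo_va,
           detour_target(foo_va, kCleanEntry, sizeof kCleanEntry),
           detour_target(foo_va, kHookedEntry, sizeof kHookedEntry),
           detour_target(foo_va, kPushRetEntry, sizeof kPushRetEntry));
    return 0;
}
```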
Use EasyHook for that. With that library you can intercept a function with the address.
I acquired my aim with hooking some low-level Windows API functions, not the best solution but it works, Assembler isn't mine...