Mathias, one help at hooking method please....

c++ / delphi package - dll injection and api hooking
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am


Post by nildo »

Mathias help... wrote:The solution sounds simple: We need to overwrite 5 bytes of the API's code. So we simply copy these bytes to another location and call it there, whenever we want to call the original API
This is to avoid needing to unhook, call the API and hook again.
But I didn't understand what you meant there... I need to write a JMP instruction in the first 5 bytes of the original API, copy the old first 5 bytes of that API into another location, and when I'm going to call the original API, I need to jump to that new location? Is that what you mean?

Just for knowledge... Thank you
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

When hooking an API by "code overwriting", you're writing a JMP call in the beginning of the API's code. Of course by doing this you're destroying a part of the API. If you now want to call the original API you can't, because it's destroyed. The solution is to copy that part of the original code (which you've just overwritten with the JMP call) to another location and append a JMP call to this copied code chunk. The appended JMP call will jump back into the original API code right after the JMP instruction we've placed there.

Understood?

The problem with this logic is that asm instructions can have all kinds of lengths from 1 byte to I don't know (8?) bytes. Of course if you copy and execute "half" asm instructions the whole stuff will crash. So you need a disassembler which will analyze the code and tell you how many bytes you have to copy so that no "half" asm instructions are created.
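
The copy-length rule and the appended JMP described above, as an added example that is not part of the original posts and is not madCodeHook or Detours code. It works on a constructed byte array with made-up addresses (0x1000 and 0x5000) and touches no process memory; all function names are hypothetical, and the three-opcode decoder stands in for a real length disassembler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5 /* E9 + rel32 */

/* Constructed sample: push ebp; mov ebp,esp; sub esp,10h; nop; nop */
static const uint8_t sample_api[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0x90};

/* Instruction length for the three opcode forms in the sample only; 0 means
   "unknown, refuse". A real hook needs a full x86 length disassembler. */
static size_t insn_len(const uint8_t *p, size_t left) {
    if (left >= 1 && p[0] == 0x55) return 1;                          /* push ebp */
    if (left >= 2 && p[0] == 0x8B && (p[1] & 0xC0) == 0xC0) return 2; /* mov r32, r32 */
    if (left >= 3 && p[0] == 0x83 && (p[1] & 0xC0) == 0xC0) return 3; /* op r32, imm8 */
    return 0;
}

/* Smallest count >= JMP_LEN that ends on an instruction boundary, or 0. */
size_t bytes_to_copy(const uint8_t *code, size_t avail) {
    size_t n = 0;
    while (n < JMP_LEN) {
        size_t len = insn_len(code + n, avail - n);
        if (len == 0) return 0;
        n += len;
    }
    return n;
}

/* Encode "JMP rel32" located at address `at`; rel32 counts from the JMP's end. */
static void write_jmp(uint8_t *dst, uint32_t at, uint32_t target) {
    uint32_t rel = target - (at + JMP_LEN);
    dst[0] = 0xE9;
    for (int i = 0; i < 4; i++) dst[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Trampoline = copied whole instructions + JMP back to api_addr + n.
   Returns the trampoline length, or 0 if the prologue could not be decoded. */
size_t build_trampoline(const uint8_t *api, size_t avail, uint32_t api_addr,
                        uint32_t tramp_addr, uint8_t *tramp) {
    size_t n = bytes_to_copy(api, avail);
    if (n == 0) return 0;
    memcpy(tramp, api, n);
    write_jmp(tramp + n, tramp_addr + (uint32_t)n, api_addr + (uint32_t)n);
    return n + JMP_LEN;
}

int main(void) {
    uint8_t tramp[32];
    size_t len = build_trampoline(sample_api, sizeof sample_api, 0x1000, 0x5000, tramp);
    printf("copied %zu bytes, trampoline is %zu bytes\n", len - JMP_LEN, len);
    return 0;
}
```

For the sample, 6 bytes are copied rather than 5, because a cut at 5 would split the 3-byte `sub esp,10h`. Copied instructions that use relative addressing would also need fixing up at the new location, which is why this decoder refuses anything it does not know.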
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You'll find more information about this whole logic in the Detours documentation.
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Great! 8)