Hooking a function without knowing its signature

c++ / delphi package - dll injection and api hooking

Hooking a function without knowing its signature

Postby TCS » Fri Sep 23, 2016 7:55 pm

Hey everyone,

I want to make a small application for a research that hooks functions that I don't know their signature and simply trace the parameters of a predefined stack size.
I was thinking of making my replaced function an ellipsis function, but than, how would I make the call to the original function?

There are applications out there that are doing that (like rohitab api monitor or winapioverride), but they are missing a functionality I need for my research.

Is this possible with the MadCodeHook framework? and does any one have any ideas how to achieve that goal?



Thanks a lot!
TCS
 
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Re: Hooking a function without knowing its signature

Postby madshi » Mon Sep 26, 2016 9:00 am

madCodeHook was originally written for developers who know the signature. If you do, madCodeHook is extremely easy to use. If you don't, you might still be able to use madCodeHook, but you'll need to do some work on your own.

I guess what you could do is this:

1) Install an API hook using madCodeHook's "HookAPI()" function with the "STORE_THREAD_STATE" option activated.
2) In your hook callback function you can now use "GetStoredThreadState" to get the original contents of all the registers at the moment when the hooked API was called. See here:

http://help.madshi.net/ApiCodeHooking.h ... hreadState

3) Using the ESP/RSP register from the stored "thread state", you could probably duplicate the stack parameters, and then restore the original registers and then "CALL" the original API.
4) When the original API returns, you'd have to restore the current ESP to the one it had before 3), to cleanup for certain calling conventions.

I've never tried 3) + 4), so I'm not 100% sure it would work, but I think it probably would. One thing to note: When using the "STORE_THREAD_STATE" option, HookAPI() wants to know how many parameters the API has. This is needed so the parameters on stack can be copied/saved properly. You don't have to know the exact number, though, you can just "guess high". If you don't specify the number of parameters, HookAPI() saves 32 stack parameters by default. You can increase that number, just to be safe.

madCodeHook by design requires you to have a different "NextHook" function variable per hooked API. So you can't just use one "NextHook" global function variable. But I suppose you could easily use an allocated array of "NextHook" function variables.
madshi
Site Admin
 
Posts: 9321
Joined: Sun Mar 21, 2004 5:25 pm

Re: Hooking a function without knowing its signature

Postby TCS » Mon Sep 26, 2016 10:59 am

Great! Thanks! :-)
TCS
 
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm


Return to madCodeHook

Who is online

Users browsing this forum: No registered users and 2 guests