Calling a procedure with a return address?

c++ / delphi package - dll injection and api hooking
Post Reply
abalonge
Posts: 11
Joined: Tue Jun 26, 2012 10:14 pm

Calling a procedure with a return address?

Post by abalonge »

I use madCodeHook for a number of uses, but I have a problem that is out of my experience. Does anyone know how I could call function from a DLL that is loaded by a program that can not pass function addresses or export functions due to limitations of the language?
The idea I have so far is to have the program's function (that I'm wanting to call later from the DLL) make an inital call to a function in the DLL to store address information (return address). Later, I call the saved return address in the DLL to return control to the same place as it did initally. It is unstable as it is, I assume the stack frame might be the issue? Is there a way to Hook it maybe? This is would be for use in my program only and would not be distibuted in any way, no black hat stuff!
Suggestions please. :)

TEST PROGRAM:

Code: Select all

external: "ra_test.dll", INT, "Initial_Function_Save";

method void ReturnFunction() // * can not export this *
begin 
    Initial_Function_Save(); // calls function in DLL
    // *** returns here, start execution here when call from the DLL later 
    Print("*RA - next line*");
    ...
end;
DLL ra_test.dll:

Code: Select all

var
  ra: pointer;
  ra_func: Tra_func;

function Initial_Function_Save: integer;
begin
  ra := System.ReturnAddress;
  result := 1;
end;

procedure Call_Program_Function;
begin
  ra_func := Tra_func(ra);
  ra_func; 
end;

exports Initial_Function_Save,
	Call_Program_Function;

madshi
Site Admin
Posts: 10820
Joined: Sun Mar 21, 2004 5:25 pm

Re: Calling a procedure with a return address?

Post by madshi »

This sounds specific to the language this program is created with? If you just call the "return address", then you're jumping into the middle of a function. That will be hard to make stable. You probably need to jump to the start of a function, and provide proper parameters. But figuring out where the start of the function is and what kind of parameters it needs could be hard. Maybe you could use a runtime disassembler to try to find the start of the function? But it's very hard for a disassembler to "look back" in code, because assembler instructions do not have a specific length and if you look back 2 bytes on a 3 byte assembler instructions, then it could look to the disassembler like a valid 2 byte instruction, although in reality it was a 3 byte assembler instruction. This sounds like a concept for disaster, to be honest...
abalonge
Posts: 11
Joined: Tue Jun 26, 2012 10:14 pm

Re: Calling a procedure with a return address?

Post by abalonge »

Ok, thank you for your thoughts on the matter, they sound reasonable to me.
Post Reply