Page 1 of 1

Calling a procedure with a return address?

Posted: Sun Mar 14, 2021 2:24 am
by abalonge
I use madCodeHook for a number of uses, but I have a problem that is out of my experience. Does anyone know how I could call function from a DLL that is loaded by a program that can not pass function addresses or export functions due to limitations of the language?
The idea I have so far is to have the program's function (that I'm wanting to call later from the DLL) make an inital call to a function in the DLL to store address information (return address). Later, I call the saved return address in the DLL to return control to the same place as it did initally. It is unstable as it is, I assume the stack frame might be the issue? Is there a way to Hook it maybe? This is would be for use in my program only and would not be distibuted in any way, no black hat stuff!
Suggestions please. :)


Code: Select all

external: "ra_test.dll", INT, "Initial_Function_Save";

method void ReturnFunction() // * can not export this *
    Initial_Function_Save(); // calls function in DLL
    // *** returns here, start execution here when call from the DLL later 
    Print("*RA - next line*");
DLL ra_test.dll:

Code: Select all

  ra: pointer;
  ra_func: Tra_func;

function Initial_Function_Save: integer;
  ra := System.ReturnAddress;
  result := 1;

procedure Call_Program_Function;
  ra_func := Tra_func(ra);

exports Initial_Function_Save,

Re: Calling a procedure with a return address?

Posted: Mon Mar 15, 2021 8:49 am
by madshi
This sounds specific to the language this program is created with? If you just call the "return address", then you're jumping into the middle of a function. That will be hard to make stable. You probably need to jump to the start of a function, and provide proper parameters. But figuring out where the start of the function is and what kind of parameters it needs could be hard. Maybe you could use a runtime disassembler to try to find the start of the function? But it's very hard for a disassembler to "look back" in code, because assembler instructions do not have a specific length and if you look back 2 bytes on a 3 byte assembler instructions, then it could look to the disassembler like a valid 2 byte instruction, although in reality it was a 3 byte assembler instruction. This sounds like a concept for disaster, to be honest...

Re: Calling a procedure with a return address?

Posted: Mon Mar 15, 2021 1:00 pm
by abalonge
Ok, thank you for your thoughts on the matter, they sound reasonable to me.