madshi,
Not sure, I might have asked this question before:
Is there a way to get the calling return address from a madCHook hooked API function?
It's sometimes needed, as I use hooks to help debug, in reverse engineering projects, etc.
I've been able to get it before by using some inline assembly (VC 6 C++) with a hardcoded offset from ESP, but it's a pain to set up and maintain.
Note: I'm a registered user as of about three weeks ago.
Getting the return address of a madCodeHook'ed function.
Okay, for people trying to do this, you can do it like I say.
Takes a little work to find the correct ESP offset.
Without variables, I think the offset is always constant when using madCodeHook. Maybe just an extra "push" or two on the stack.
But if you have local variables, i.e.
Code:
void MyHookFunction(void)
{
    int iLocal1; // On the stack
    int iLocal2; // ""
    // .....
}
Usually iLocal1 and iLocal2 will count (add 8 to the stack), so you have to account for those.
Or you could make these variables static and they won't be on the stack, of course.
Code:
int iLocal1; // Not on the stack
int iLocal2; // ""
void MyHookFunction(void)
{
    // .....
}
At any rate, you can find the initial offset to the return pointer on the stack using a debugger.
Should work like this (Delphi has stack frames, I don't know if C++ has it)
www.arschvoll.net/sirmabus.jpg
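An added example, not code from any poster in this thread or from madCodeHook: reading the return address with a compiler intrinsic (MSVC `_ReturnAddress`, GCC/Clang `__builtin_return_address`) instead of a hand-measured ESP offset, so adding locals to the callback changes nothing. The function names and the `g_last_caller` variable are hypothetical, and it is an assumption, to be confirmed in a debugger, that the hooking library enters the callback with the original caller's return address in the normal slot.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER)
#include <intrin.h>
#pragma intrinsic(_ReturnAddress)
#define CALLER_ADDR() _ReturnAddress()
#define NOINLINE __declspec(noinline)
#else
#define CALLER_ADDR() __builtin_return_address(0)
#define NOINLINE __attribute__((noinline))
#endif

static void *g_last_caller; /* hypothetical log slot written by the callbacks */

/* Stand-in for a hook callback without locals (hypothetical name). */
NOINLINE int hook_plain(int x)
{
    g_last_caller = CALLER_ADDR();
    return x + 1;
}

/* Same callback with stack locals: no offset has to be re-measured. */
NOINLINE int hook_with_locals(int x)
{
    volatile int iLocal1 = x, iLocal2 = x * 2;
    volatile char pad[64];
    pad[0] = 0;
    g_last_caller = CALLER_ADDR();
    return iLocal1 + iLocal2 + pad[0];
}

/* Calls one callback and returns how many bytes past this function's
   entry point the logged return address lies. */
NOINLINE intptr_t caller_offset(int use_locals)
{
    if (use_locals)
        hook_with_locals(1);
    else
        hook_plain(1);
    return (intptr_t)((uintptr_t)g_last_caller - (uintptr_t)&caller_offset);
}

int main(void)
{
    printf("plain:  caller_offset+%ld\n", (long)caller_offset(0));
    printf("locals: caller_offset+%ld\n", (long)caller_offset(1));
    return 0;
}
```

Both printed offsets fall inside `caller_offset`, one per call site, whether or not the callback has stack locals.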