Getting the return address of a madCodeHook'ed function.


Post by Sirmabus »

madshi,

Not sure, I might have asked this question before:

Is there a way to get the calling return address from a madCHook hooked API function?
It's sometimes needed, as I use hooks to help debug, in reverse-engineering projects, etc.

I've been able to get it before by using some inline assembly (VC 6 C++)
with a hardcoded offset from ESP but it's a pain to setup and maintain.

Note: I'm a registered user as of about three weeks ago.
Post by madshi »

Are you satisfied with the calling module? Then you can use madCodeHook.GetCallingModule. Getting the return address is not supported right now. You need to do that ESP calculating currently.
Post by Sirmabus »

Okay, for people trying to do this, you can do it like I say.
Takes a little work to find the correct ESP offset.

Without variables, I think the offset is always constant when using madCodeHook. Maybe just an extra "push" or two on the stack.

But if you have local variables, i.e.:

Code:

    void MyHookFunction(void)
    {
         int iLocal1;  // On the stack
         int iLocal2;  // ""
         // ...
    }
Usually iLocal1 and iLocal2 will count (add 8 to the stack), so you have to account for those.
Or you could make these variables static and they won't be on the stack, of course.

Code:

    int iLocal1;   // Not on the stack
    int iLocal2;   // ""

    void MyHookFunction(void)
    {
         // ...
    }
At any rate, you can find the initial offset to the return pointer on the stack using a debugger.
Post by madshi »

Maybe it works better by using EBP? That way local variables shouldn't matter. That works only if your function has a stack frame, though.
Post by uall »

It should work like this (Delphi has stack frames; I don't know if C++ has them).
www.arschvoll.net/sirmabus.jpg
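The two approaches discussed in this thread (a hard-coded ESP offset, which shifts whenever the hook's locals change, versus reading the return slot relative to EBP, which needs a stack frame), worked through as an added example. This is not madCodeHook code and not code posted by anyone in the thread: MyHookFunction is a stand-in for the callback you would install with madCodeHook, and the call-site functions, the site ring and the module lookup are hypothetical scaffolding. It assumes a C99 compiler (stdint.h), i.e. a newer MSVC than the poster's VC 6, or GCC/Clang. The default path uses the compiler's own return-address intrinsic (_ReturnAddress() on MSVC, __builtin_return_address(0) on GCC/Clang), which does not depend on frame layout; the [ebp+4] read madshi suggests is kept behind HOOK_USE_EBP for 32-bit MSVC, where it fails under /Oy frame-pointer omission.

```c
/* Added example (not madCodeHook code): capture the caller's return address
 * inside a hook callback. MyHookFunction stands in for the callback installed
 * over some API; everything else is hypothetical test scaffolding.
 * Assumes a C99 compiler (stdint.h). */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#if defined(_MSC_VER)
#  include <intrin.h>                /* _ReturnAddress(): works with or without a frame */
#  pragma intrinsic(_ReturnAddress)
#  define HOOK_RETURN_ADDRESS() ((uintptr_t)_ReturnAddress())
#  define HOOK_NOINLINE __declspec(noinline)
#else
#  define HOOK_RETURN_ADDRESS() ((uintptr_t)__builtin_return_address(0))
#  define HOOK_NOINLINE __attribute__((noinline))
#endif

/* Ring of call sites seen so far, so a debugging hook can report "who called". */
#define MAX_SITES 16
static uintptr_t g_sites[MAX_SITES];
static size_t g_site_count;
static volatile uintptr_t g_last_site;   /* written after each call; see call_site_a() */

static void record_site(uintptr_t ret)
{
    size_t i;
    for (i = 0; i < g_site_count; i++)
        if (g_sites[i] == ret)
            return;                      /* call site already known */
    if (g_site_count < MAX_SITES)
        g_sites[g_site_count++] = ret;
}

size_t distinct_sites_seen(void) { return g_site_count; }

/* The hook callback. The locals are there on purpose: a hard-coded ESP offset
 * would have to account for them, the EBP slot or the intrinsic does not. */
HOOK_NOINLINE uintptr_t MyHookFunction(int arg)
{
    int iLocal1 = arg * 2;
    int iLocal2 = arg + 1;
    uintptr_t ret;
#if defined(_MSC_VER) && defined(_M_IX86) && defined(HOOK_USE_EBP)
    /* madshi's EBP variant: with a standard frame (push ebp / mov ebp,esp) the
     * return address sits at [ebp+4]. Wrong under /Oy (frame-pointer omission). */
    __asm { mov eax, [ebp+4]
            mov ret, eax }
#else
    ret = HOOK_RETURN_ADDRESS();
#endif
    record_site(ret);
    printf("hook: called from %p (locals %d %d)\n", (void *)ret, iLocal1, iLocal2);
    return ret;
}

/* Two distinct call sites. The store to g_last_site after the call keeps the
 * compiler from turning the call into a tail jump, which would make the
 * captured address point at OUR caller instead of this function. */
HOOK_NOINLINE uintptr_t call_site_a(void)
{
    uintptr_t r = MyHookFunction(1);
    g_last_site = r;
    return r;
}

HOOK_NOINLINE uintptr_t call_site_b(void)
{
    uintptr_t r = MyHookFunction(2);
    g_last_site = r;
    return r;
}

#ifdef _WIN32
#include <windows.h>
/* Map a return address to its module, the by-hand equivalent of the "calling
 * module" madshi mentions: the mapping's AllocationBase is the image base and
 * therefore also the HMODULE. Only compiled on Windows hosts. */
static int module_for_site(uintptr_t ret, char *name, size_t name_len)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery((LPCVOID)ret, &mbi, sizeof mbi) == 0 || mbi.AllocationBase == NULL)
        return 0;
    return GetModuleFileNameA((HMODULE)mbi.AllocationBase, name, (DWORD)name_len) != 0;
}
#endif

int main(void)
{
    uintptr_t a = call_site_a(), b = call_site_b();
    printf("site a %p, site b %p, same site twice: %s\n",
           (void *)a, (void *)b, call_site_a() == a ? "yes" : "no");
#ifdef _WIN32
    { char name[260]; if (module_for_site(a, name, sizeof name)) printf("module: %s\n", name); }
#endif
    return 0;
}
```

The check worth keeping from this: the same call site must yield the same address on every call, and two different call sites must yield different ones. If a hard-coded ESP offset ever returns something else after you add or remove a local in the hook, that is the symptom the thread describes, and moving to the EBP slot or the intrinsic removes the dependency on the hook's own stack layout.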