Is it possible to hook un-exported function

Post by wineggdrop » Sat Dec 14, 2019 6:18 pm

#include <windows.h>
#include <stdio.h>

bool TestFunction()
{
    // ..............
    return true;
}

int main(int argc, char *argv[])
{
    TestFunction();
    return 0;
}

Is it possible to hook TestFunction() in the above program with madcodehook? If so, how?
wineggdrop
 
Posts: 19
Joined: Mon Nov 18, 2019 6:18 am

Re: Is it possible to hook un-exported function

Post by iconic » Sun Dec 15, 2019 8:11 pm

Hello,

Unexported functions can be tricky to hook only because they can be tricky to "find". The most common approach, but not the best in this case, is to use binary signature pattern scanning.

If you break down the below function:

BOOL TestFunction()
{
    // ...............
    return TRUE;
}

You would only have these bytes to search for, unless ... is indicative of more code you can scan for, of course.
0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3

with the assembly code looking like this
mov eax, 0x00000001
ret


You can scan the specific module containing your target function by searching through its PE sections that contain executable code, usually .text and/or .code sections are the most common.
Once your signature function locates the code pattern you can return the (hModule + code section base address + code section index you matched at) for the function pointer and then
pass this into HookCode(). It's actually rather simple to do but creating unique code signature patterns can prove difficult and depends on what the binary code structure looks like.

--Iconic
iconic
Site Admin
 
Posts: 971
Joined: Wed Jun 08, 2005 5:08 am
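
The uniqueness problem described in the post above, as an added example that is not part of the original thread and not madCodeHook's own code: a masked byte-pattern scanner that rejects a signature matching more than once. The function name, the sample bytes and the longer signature are constructed for illustration; on Windows the buffer would be the module's executable section, and the resulting address is what would be passed to HookCode().

```c
#include <stddef.h>
#include <stdio.h>

/* Scan buf[0..len) for sig[0..sig_len); mask[i] == '?' makes byte i a wildcard.
 * Returns the match offset only if it is unique, -1 if nothing matches,
 * and -2 if the pattern matches more than once (ambiguous signature). */
long find_unique_signature(const unsigned char *buf, size_t len,
                           const unsigned char *sig, const char *mask,
                           size_t sig_len)
{
    long found = -1;
    if (sig_len == 0 || len < sig_len)
        return -1;
    for (size_t i = 0; i + sig_len <= len; i++) {
        size_t j = 0;
        while (j < sig_len && (mask[j] == '?' || buf[i + j] == sig[j]))
            j++;
        if (j == sig_len) {
            if (found >= 0)
                return -2;      /* second hit: refuse to guess */
            found = (long)i;
        }
    }
    return found;
}

/* Constructed sample standing in for a code section (not from a real binary):
 * two functions that both end in "mov eax, 1; ret". */
static const unsigned char sample_text[] = {
    0x55, 0x8b, 0xec, 0x5d, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3,  /* func A */
    0xcc, 0xcc,                                                  /* padding */
    0x33, 0xc9, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3               /* func B */
};

/* The six bytes from the post, and a constructed signature with more context. */
static const unsigned char sig_short[] = { 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3 };
static const unsigned char sig_long[]  = { 0x33, 0xc9, 0xb8, 0, 0, 0, 0, 0xc3 };

int main(void)
{
    printf("short signature: %ld\n", find_unique_signature(
        sample_text, sizeof sample_text, sig_short, "xxxxxx", sizeof sig_short));
    printf("long signature:  %ld\n", find_unique_signature(
        sample_text, sizeof sample_text, sig_long, "xxx????x", sizeof sig_long));
    return 0;
}
```

The six-byte pattern alone is reported as ambiguous (-2) because both sample functions contain it, while the longer pattern with preceding bytes resolves to a single offset.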

Re: Is it possible to hook un-exported function

Post by madshi » Wed Dec 18, 2019 10:05 am

Yep, as iconic said, finding the address of the function you want to hook is the tricky part. The actual hooking itself is pretty simple, just call HookCode(). Of course if you already happen to know the address of the function you want to hook, everything's easy as cake.
madshi
Site Admin
 
Posts: 10301
Joined: Sun Mar 21, 2004 5:25 pm

