Detours hook in an external process does not work for an "empty" function

I'm hooking functions in an external process by detouring them. This works well for the functions I have hooked so far; however, I found the function debugLog(char ...), which still exists in the binary but does not print anything at all. It looks like this:

    debugMessage proc near
        xor     eax, eax        ; Logical Exclusive OR
        retn                    ; Return Near from Procedure
    debugMessage endp

It is called like this:

    push    offset debugString  ; "This is a debug message"...
    call    debugMessage        ; Call Procedure

Now, the debug message has obviously been disabled, but I wanted to hook it anyway, since I was able to hook a similar function (char ..) in an existing binary without any trouble.

This is the code:

    #include <windows.h>
    #include <detours.h>

    typedef void (__stdcall* DebugLog)(const char*);
    // address of debugMessage inside the target process (placeholder value)
    DebugLog Real_DebugLog = (DebugLog)(0xCAFEBABE);

    extern "C" {
        static void __stdcall Hook_DebugLog(const char*);
    }

    void __stdcall Hook_DebugLog(const char* text)
    {
        MessageBox(NULL, text, "MyDebugLog", MB_OK);
        return Real_DebugLog(text);
    }

    // in DllMain, on DLL_PROCESS_ATTACH..
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)Real_DebugLog, (PVOID)Hook_DebugLog);
    DetourTransactionCommit();   // the transaction must be committed for the hook to be applied

A similar approach works for all the other functions I have hooked in this binary. I also verified with the debugger that debugMessage really is called.

Any ideas why this hook doesn't work at all? Maybe because the function may take varargs? I already tried with (const char *, ...).

+6
2 answers

The function is probably too small to hook. Detours works by rewriting a portion of the hooked function to redirect calls elsewhere, but there is probably not enough space in this function for Detours to write the JMP instruction to your replacement.

+2

A "detour" requires at least 5 bytes to work (x86); debugMessage is only 3 bytes in total.

+3
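To make the size argument in the two answers concrete, here is an added example (not from the question or the answers) that encodes the 5-byte x86 `jmp rel32` Detours would have to write and compares it with the 3-byte `xor eax, eax; retn` stub from the disassembly above. The source and target addresses are made up.

```c
/* Added example: why a 5-byte JMP rel32 cannot be written into a 3-byte stub.
 * Portable C; addresses below are constructed, not taken from the question. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Machine code of the stripped debugMessage stub from the disassembly:
 *   33 C0   xor eax, eax
 *   C3      retn
 */
static const uint8_t kDebugMessageStub[] = { 0x33, 0xC0, 0xC3 };

/* Size of a 32-bit near jump: opcode E9 plus a 4-byte displacement.
 * This is the smallest redirect Detours writes at an x86 function entry. */
#define JMP_REL32_LEN 5

/* Encode "jmp target" placed at address src into out[5]. The displacement is
 * relative to the end of the instruction (src + 5) and wraps modulo 2^32,
 * which is how the CPU computes it for backward jumps too. */
size_t encode_jmp_rel32(uint32_t src, uint32_t target, uint8_t out[JMP_REL32_LEN]) {
    uint32_t disp = target - (src + JMP_REL32_LEN);
    out[0] = 0xE9;
    out[1] = (uint8_t)(disp);            /* little-endian, low byte first */
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
    return JMP_REL32_LEN;
}

/* Bytes the jump patch would spill past the end of a function of fn_len
 * bytes, i.e. into padding or the next function. 0 means the detour fits. */
size_t detour_overrun(size_t fn_len) {
    return fn_len >= JMP_REL32_LEN ? 0 : JMP_REL32_LEN - fn_len;
}

int main(void) {
    uint8_t jmp[JMP_REL32_LEN];
    /* Hypothetical layout: stub at 0x00401000, hook function at 0x10001000. */
    encode_jmp_rel32(0x00401000u, 0x10001000u, jmp);
    printf("jmp encoding:");
    for (size_t i = 0; i < JMP_REL32_LEN; i++) printf(" %02X", jmp[i]);
    printf("\nstub is %zu bytes, patch needs %d, overrun = %zu bytes\n",
           sizeof kDebugMessageStub, JMP_REL32_LEN,
           detour_overrun(sizeof kDebugMessageStub));
    return 0;
}
```

A hooking library that went ahead anyway would overwrite the two bytes after `retn`, so refusing the hook is the correct behaviour, not a bug.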

Source: https://habr.com/ru/post/895486/
