
I am writing an analysis tool for an exe. I have the source code of this exe, so I know which functions it uses. I need to hook a couple of specific functions so that I can inspect the passed parameters. The functions I am interested in are not part of any DLL; they are part of the program.

I started using Detours to write a hooking DLL which intercepts the function calls. I wrote the hooking DLL where I specify the functions to hook, but unfortunately, since there is no DLL to refer to, when I compile the hooking DLL I cannot resolve the function names.

How can I solve this problem?

P̲̳x͓L̳
  • The location information is available from the compiler. Either the debug database or map listing have this information. See the [`/MAP` linker option](http://msdn.microsoft.com/en-us/library/k7xkk3e2.aspx) – Ben Voigt Mar 24 '14 at 15:34
  • BTW, if optimization was enabled, those functions might not even exist in the normal way. Their code could be inlined at multiple points in the calling functions, and then interwoven into the caller code by reordering. – Ben Voigt Mar 24 '14 at 15:36
  • If you have the source code for the executable, can't you add some instrumentation directly into the functions in question and then rebuild the program? – Adrian McCarthy Mar 28 '14 at 21:01
  • You've got the source code. You can do what you like. – David Heffernan Mar 28 '14 at 21:25

1 Answer


Not a perfect solution, but it will solve your problem:

You can get the relative offsets of your functions by doing something like this in your target program:

#include <cstdint>
#include <iostream>
#include <windows.h>

int FuncToGet()
{
    int x = 5;
    return x;
}

int main()
{
    // Base address of the running executable (the main module)
    intptr_t baseAddr = (intptr_t)GetModuleHandle(NULL);

    // Offset of the function relative to the module base: function address minus base
    intptr_t relativeoffset = (intptr_t)&FuncToGet - baseAddr;

    // Print the offset value itself, not the address of the variable holding it
    std::cout << "Relative offset = 0x" << std::hex << relativeoffset << std::endl;
}

You can use this to print out the relative offset of the functions you want to hook.

Then add the relative offset to the base address of the module in the target process, which you get at run time.

Then you can hook the functions using this address.

GuidedHacking