Funny thing is, I answered a question not too long ago about getting the address of a C++ constructor saying that it can't be done so use perfect forwarding instead. However, in terms of detouring using Microsoft's Detour library, this isn't an option. The address is required in order to detour any call. So now I have to ask the question, if there is no address of a constructor, is it even possible to detour one? And if so, how?

Adrian
  • A constructor has a memory address (it is executable code after all, so it has to reside *somewhere* in memory). You just cannot use the `&` operator to obtain that address (the language standard forbids it). But, if you know how your compiler lays out the structure of the class in memory, you can probably get the constructor's address through "creative" means. But I would not advise it. – Remy Lebeau Apr 12 '15 at 03:17
  • Well, @RemyLebeau, seems that *creative* would have to be the way to go. I know that this is ***definitely*** not going to be portable, and I'm not looking for it to be. So long as it works under a MS C++ compiler, I'd be happy. – Adrian Apr 12 '15 at 03:23

1 Answer

Not sure about MS Detour, but I usually hook a detour manually with inline assembly in C++. If the code (the constructor instance) is mapped in memory, and you can write to that memory region, then detouring is possible.

  • The basic mechanism of a hooking detour is to find the place to replace the original opcode with a JUMP to your code cave. If the JUMP code doesn't match the size of the original opcode, fill it with NOPs.
  • Execute the original opcode in your code cave
  • PUSHAD & PUSHFD
  • Do anything you want using global variables (recommended)
  • Call any custom function without params
  • POPFD & POPAD
  • Jump back to the patched opcode (skip some bytes of NOPs)

For the first step, to obtain the address of the constructor instance, you need to search for its dynamic address either by ReadProcessMemory or any other method. I did detour a function from a DLL that loads dynamically. To obtain the function, I used `HMODULE tempHandle = GetModuleHandleW(L"DLLFileName.dll");` and go by the offset from the DLL handle.

Hao Nguyen
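As an added example (not code from the question or the answer above), the following shows what the patch the answer describes looks like in bytes (an E9 rel32 JMP to a code cave, padded with NOPs over the displaced instructions) and, from the defender's side, how to decode a function prologue and flag a jump that leaves its module, which is the classic signature of an inline detour. It assumes 32-bit x86 (as the answer's PUSHAD/PUSHFD imply); every address, module size and prologue byte here is a constructed sample, not a real layout.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

constexpr uint8_t OPCODE_JMP_REL32 = 0xE9;
constexpr uint8_t OPCODE_NOP = 0x90;
constexpr size_t JMP_REL32_SIZE = 5;

// Unhooked prologue: push ebp / mov ebp,esp / sub esp,8 (constructed sample).
const uint8_t kCleanPrologue[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08};

// Encode the bytes written over the first displaced_len bytes of a function:
// rel32 = target - (address of the byte after the JMP). Returns empty if the
// displaced instructions are shorter than the 5-byte JMP.
std::vector<uint8_t> build_jmp_patch(uint32_t patch_addr, uint32_t target,
                                     size_t displaced_len) {
    if (displaced_len < JMP_REL32_SIZE) return {};
    int32_t rel = static_cast<int32_t>(target - (patch_addr + JMP_REL32_SIZE));
    std::vector<uint8_t> patch(displaced_len, OPCODE_NOP);  // NOP fill
    patch[0] = OPCODE_JMP_REL32;
    std::memcpy(&patch[1], &rel, sizeof rel);  // little-endian immediate
    return patch;
}

// Decode the first instruction of a prologue. Returns the JMP destination if
// it is an E9 rel32 landing outside [module_base, module_base + module_size),
// i.e. redirected into foreign memory such as a code cave; 0 otherwise.
uint32_t detect_foreign_jmp(const uint8_t* prologue, size_t len,
                            uint32_t prologue_addr, uint32_t module_base,
                            uint32_t module_size) {
    if (len < JMP_REL32_SIZE || prologue[0] != OPCODE_JMP_REL32) return 0;
    int32_t rel;
    std::memcpy(&rel, prologue + 1, sizeof rel);
    uint32_t dest = prologue_addr + JMP_REL32_SIZE + static_cast<uint32_t>(rel);
    bool inside = dest >= module_base && dest - module_base < module_size;
    return inside ? 0 : dest;
}

int main() {
    // Constructed layout: module at 0x10000000 (1 MiB), constructor at +0x1000,
    // code cave in a separate region at 0x00400000, 7 displaced bytes.
    std::vector<uint8_t> p = build_jmp_patch(0x10001000u, 0x00400000u, 7);
    for (uint8_t b : p) std::printf("%02X ", b);  // E9 FB EF 3F F0 90 90
    std::printf("\ndetour -> %08X\n", detect_foreign_jmp(
        p.data(), p.size(), 0x10001000u, 0x10000000u, 0x00100000u));
    return 0;
}
```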