3

Know anybody something about hooking __usercall type of functions? I hooking successfully __thiscall, __stdcall and __cdecl calls but this is enough for me.

Know anybody hooking library for __usercall's or how to hook this type of functions using translation to __stdcall or __cdecl?

Function what i must hook at first is:

int __usercall func<eax>(int a<eax>, int b<ecx>, int c, unsigned int d, signed int e);
Svisstack
  • 16,203
  • 6
  • 66
  • 100

2 Answers2

5

Use a wrapper which will convert it to __stdcall.

int __stdcall func_hook_payload(int a, int b, int c, unsigned int d, signed int e);

// Wrapper for
// int __usercall func<eax>(int a<eax>, int b<ecx>, int c, unsigned int d, signed int e);
__declspec(naked) void func_hook()
{__asm{
    push ebp
    mov ebp, esp
    push dword ptr[ebp + 0x0C] // or just push e
    push dword ptr[ebp + 0x08] // d
    push dword ptr[ebp + 0x04] // c
    push ecx // b
    push eax // a
    call func_hook_payload
    leave
    ret // note: __usercall is cdecl-like
}}
Svisstack
  • 16,203
  • 6
  • 66
  • 100
Abyx
  • 12,345
  • 5
  • 44
  • 76
  • you are sure of working this? You not should `pop` arguments from detoured function callee? – Svisstack Nov 05 '10 at 01:39
  • @Svisstack: yes, I'm sure. Just try it. – Abyx Nov 05 '10 at 01:41
  • i trying, but maybe something is wrong maybe in my second wrapper __stdcall to __usercall, debugger says access violation after calling original usercall function (becasue i must have result) hmm propably i doing something wrong with arguments. – Svisstack Nov 05 '10 at 01:45
  • can you look at this http://stackoverflow.com/questions/4102981/what-is-wrong-with-this-usercall-wrapper ? – Svisstack Nov 05 '10 at 01:49
  • Abyx how should I call this? by func_hook_payload? or func_hook? I never seen a function inside of a function like that. – SSpoke Sep 11 '11 at 14:57
  • @SSpoke: it's *hook* function (callback). Program will call it, not you. – Abyx Sep 11 '11 at 21:18
2

When all else fails.. walk through it with a debugger.

In particular take note of these like the ESP when you enter the call, and then again just before the function returns..

Sirmabus
  • 21
  • 1