
I'm playing with Microsoft's Detours to hook APIs; for example, I can change what happens when MessageBoxA is called in this way:

  #include <windows.h>
  #include <stdio.h>
  #include <detours.h>

  // pointer to the real MessageBoxA; after DetourAttach it points at the trampoline
  // (MessageBoxA takes LPCSTR, so LPCTSTR would not compile in a UNICODE build)
  int (WINAPI* pMessageBoxA)(HWND, LPCSTR, LPCSTR, UINT) = MessageBoxA;

  int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
  {
      printf("A function is called here!\n");
      return pMessageBoxA(hWnd, lpText, lpCaption, uType);  // call the regular MessageBoxA
  }

  void InstallHook()
  {
      DetourTransactionBegin();
      DetourUpdateThread(GetCurrentThread());
      DetourAttach(&(PVOID&)pMessageBoxA, MyMessageBoxA);
      DetourTransactionCommit();  // nothing is patched until the transaction commits
  }

So when you call MessageBoxA, you are actually calling MyMessageBoxA.
Now I want to write a function Hook(), which would do what the code above does at runtime. For example, if I pass the function pointer MessageBoxA to it, it will do exactly what the above code did.
Of course, I can pass other function pointers to it too.
Then there is a question: when I get a function pointer in Hook, how could I define a function with the same return value and parameters as the given function (in this case, MessageBoxA to int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)) and then fill in the function's body?

wong2
  • Sounds like you're looking for eval() - the holy grail of dynamically typed languages. But it's not available in C++. You could, of course, write the function to a file, call the compiler so it produces a loadable library, load it, obtain the pointer to the function. – Ingo Apr 16 '11 at 14:36
  • It sounds like you want to hook the entire Win32 API. To do that with Detours is going to require you to produce stubs for every single API function. You could do this at runtime but it would involve run-time code generation. That's possible, but naturally a bit harder in C++ than in Python, .NET etc. Since you don't want to produce stubs for all API functions you have reached an impasse. Perhaps you could tell us your ultimate goal. For example, are you trying to instrument your app's use of the Win32 APIs? – David Heffernan Apr 16 '11 at 15:32
  • @David What I want to do: first, get all the APIs that a program will use from its exe file, then hook those functions with new functions that will print the name of the function, so I can get a sequence of how APIs are called in the program, then use this information to do some security check – wong2 Apr 16 '11 at 15:44
  • @wong2 How will you get all the APIs that a program uses? Not all the functions will be in the import table. How are you going to hook functions whose calling convention and parameter lists you don't know? – David Heffernan Apr 16 '11 at 15:53
  • @David yeah this is a big problem...but I think that malware will always call system APIs to do something like scan your disk, connect to the net, etc., so I think maybe just hooking system APIs will be enough. What do you think? – wong2 Apr 16 '11 at 16:00
  • @wong2 I think it's very hard to write an anti-malware program and it's easier to buy one. Of course, I'm having to guess at what your ultimate goal is because you haven't told us. – David Heffernan Apr 16 '11 at 16:04
  • @David er...I will use it to participate in a student contest focused on computer security. – wong2 Apr 16 '11 at 16:08
  • @wong2 Are you allowed to use Stack Overflow according to the contest rules? ;-) – David Heffernan Apr 16 '11 at 16:13

2 Answers


In C++, functions aren't first-class objects, which means they cannot be created at runtime.

However, you can use an array of function pointers, each pointer pointing to an already defined function, choose the appropriate function pointer at runtime based on some conditions, and call it. And it looks like you're already using function pointers in the code snippet.

Nawaz
  • I can't make a pre-defined array of function pointers...there are too many API functions.. – wong2 Apr 16 '11 at 14:38
  • @wong2: Your question isn't clear enough. Based on what I understand from the wording of your question, all I can say is that functions cannot be created at runtime in C++. – Nawaz Apr 16 '11 at 14:41

Which isn't entirely true. You can easily store a (member) function reference, so you can have a function call another function (decidable at runtime).

You can also use a functor, which is a struct/class overloading the () operator. This can then use the class's state to remember which actual function to call. An example of a functor:

STL has a <functional> header that contains a load of helpful utilities to make handling (member) function references 'easier' (slightly). Random example from cplusplus.com:

// mem_fun example (std::mem_fn is the C++11 replacement for std::mem_fun,
// which C++17 removed; the strings are also freed at the end instead of leaking)
#include <iostream>
#include <functional>
#include <vector>
#include <algorithm>
#include <string>
using namespace std;

int main ()
{
  vector <string*> numbers;

  // populate vector of pointers:
  numbers.push_back ( new string ("one") );
  numbers.push_back ( new string ("two") );
  numbers.push_back ( new string ("three") );
  numbers.push_back ( new string ("four") );
  numbers.push_back ( new string ("five") );

  vector <int> lengths ( numbers.size() );

  // call string::length on each pointed-to string through a member-function wrapper
  transform (numbers.begin(), numbers.end(), lengths.begin(), mem_fn(&string::length));

  for (size_t i=0; i<numbers.size(); i++) {
      cout << *numbers[i] << " has " << lengths[i] << " letters.\n";
  }

  for (string* s : numbers) delete s;   // release what we allocated above
  return 0;
}

c++0x has a lot of nifty new features (including 'auto' type inference and lambda expressions) that will make a lot of this easier.

sehe
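As an added example (C++17; not code from the question or from either answer): both answers say the same-signature wrapper the question asks for cannot be created at runtime, but a template instantiated once per target function generates one at compile time, and a runtime table then holds the {original, detour} pairs that would be handed to DetourAttach. The functions open_file and connect_host are constructed stand-ins for imported APIs, not Win32 calls, so the block runs on any platform.

```cpp
#include <cstdio>
#include <string>
#include <vector>

std::vector<std::string> g_trace;  // call sequence recorded by every detour

template <auto Fn, class Sig = decltype(Fn)>
struct Hook;

// The partial specialization deduces R and Args from Fn's own type, so
// Hook<f>::detour has exactly f's signature and can replace f in place.
template <auto Fn, class R, class... Args>
struct Hook<Fn, R (*)(Args...)> {
    static inline const char* name = "<unnamed>";
    static R detour(Args... args) {
        g_trace.push_back(name);   // log the call, like the printf in MyMessageBoxA
        return Fn(args...);        // forward to the original, like pMessageBoxA
    }
};

// One row per hooked API: what DetourAttach(&original, detour) would receive.
struct HookEntry { const char* name; void* original; void* detour; };

template <auto Fn>
HookEntry make_hook(const char* name) {
    Hook<Fn>::name = name;
    return {name, reinterpret_cast<void*>(Fn),
            reinterpret_cast<void*>(&Hook<Fn>::detour)};
}

// Constructed stand-ins for imported APIs (hypothetical, not real Win32 calls).
int open_file(const char* path, int flags) { return path[0] == '/' ? 3 + flags : -1; }
long connect_host(const char* host, unsigned short port) { return host ? port : -1L; }

// The runtime-selectable table of pre-generated wrappers (built, not patched in, here).
std::vector<HookEntry> build_hook_table() {
    return { make_hook<&open_file>("open_file"),
             make_hook<&connect_host>("connect_host") };
}

// Simulate the hooked program: each call goes through its detour, which logs and forwards.
std::vector<std::string> run_traced_program() {
    g_trace.clear();
    build_hook_table();
    Hook<&open_file>::detour("/etc/hosts", 0);
    Hook<&connect_host>::detour("example.test", 443);
    Hook<&open_file>::detour("relative.txt", 0);
    return g_trace;
}
```

The table still has to be written once per API at compile time, which is the limitation both answers describe; what the template removes is the hand-written body for each wrapper.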