0

Im quite new to C++ and Im currently learning Function Hooking.

In my case the target application´s function I want to hook returns an class looking like this:

EventsForMe.dll:

RandomEventListener GetEventReg()  {
    return RandomEventListener();
}

class RandomEventListener {
    public:
        void RegisterToEvent(EventTypeEnum eventType,  IListener listener) {
            ....
        }
}

enum EventTypeEnum {
    APP_OPENED,
    APP_CLOSED
}

Now at the moment im hooking the function that returns the "EventRegister". That works fine...i get notified everytime the class is used (which is 3 times).

My plan is to attach to an event from the injected dll. Problem is the "IListener" type is only existing in my other app. And I think the point of hooking is that you dont have to include the code of the other program.

Im using easyhook for this and this what i got so far: (I rebuilt the enum cause I found no other way) App.exe

#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <iostream>
#include <windows.h>
#include <shlobj.h>
#include <easyhook.h>
#include <string>
#include <fstream>


enum EventTypeEnum {
    APP_OPENED,
    APP_CLOSED
}

class MyListener {
     static EventTypeEnum GetTypeOfEvent() {
         return EventTypeEnum::APP_CLOSED;
     }

     void OnEventHappening() {
            std::cout << "App closing!!!!! And im registered from outside!" << std::endl;
     }
}

extern struct RandomEventListener  { /* PlaceHolder Structure */
    void RegisterToEvent(EventTypeEnum eventType,  MyListener listener); 
};


void RandomEventListener::RegisterToEvent(EventTypeEnum eventType,  MyListener listener)
{}

typedef RandomEventListener(__cdecl* fRandomEventListener)();
fRandomEventListener  orig;

extern "C" void __declspec(dllexport) __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);


void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
    HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook

    HMODULE dll = LoadLibrary(L"EventsForMe.dll");

    FARPROC addressConnect = GetProcAddress(dll, "GetEventReg");

    if (NULL != addressConnect) {
                orig = (fRandomEventListener)GetProcAddress(dll, "connect");     

                orig.RegisterToEvent(EventTypeEnum::APP_CLOSED, MyListener());
    }

    
    // If the threadId in the ACL is set to 0,
    // then internally EasyHook uses GetCurrentThreadId()
    ULONG ACLEntries[1] = { 0 };

    // Disable the hook for the provided threadIds, enable for all others
    LhSetExclusiveACL(ACLEntries, 1, &hHook);
     

    RhWakeUpProcess(); 

}

The call does not break the code so no error appears but if I close my App it should print "App closing!!!!! And im registered from outside!" right after "Closing app..." which is in the App.exe.

So the question I have is: Is it possible to pass an class as listener from the Injector to the Injected App? Cause my expected output is not happening... (I stripped my code a bit for this post)

Malte
  • 40
  • 5
  • `Im quite new to C++ and Im currently learning Function Hooking` - I strongly advise learning language and it's concepts well, before jumping to quite complicated topics like function hooking. – SergeyA Sep 14 '21 at 23:13
  • Im quite new to C++ but now C`like languages. If I learn a new language I usually start with an topic I like for better learning :-) – Malte Sep 16 '21 at 20:57

0 Answers0