usercall

问题 /* * Wrapper from * int func(int a, int b, int c, unsigned int d, signed int e); * to * int __usercall func<eax>(int a<eax>, int b<ecx>, int c, unsigned int d, signed int e); */ int func(int a, int b, int c, unsigned int d, signed int e) { __asm { push e push d push c mov ecx, b mov eax, a call __usercall_func // access violation somewhere inside here add esp, 12 } } 回答1: You cannot perform ret yourself from within an inline asm block, because you don't know what the outer function has done

问题 After hours of spending on installing drivers, I began looking at minispy driver: Windows-driver-samples/filesys/miniFilter/minispy/ I am trying to catch all the calls of user to open files. I was trying to do it with all the parameters it prints (like Opr, Major Operation...) but I can't filter it in exact way. How can I filter only the user calls (open file)?? How can I determinate within the code if the user called the transaction? Thank you very much for your help. 回答1: look for FLT

问题 I have a virtual machine, which on VM_Create passes the address of a function (systemCalls) to the virtual machine. So I hook VM_Create and steal the syscalls address, put it into a backup function pointer, and the address of my modified systemCalls function pass to the original VM_Create, from which I can alter arguments, add or remove calls, and then call the backed-up syscalls function. That worked well, until a new release of the game. I believe to have found the problem: This is the

问题 Know anybody something about hooking __usercall type of functions? I hooking successfully __thiscall , __stdcall and __cdecl calls but this is enough for me. Know anybody hooking library for __usercall 's or how to hook this type of functions using translation to __stdcall or __cdecl ? Function what i must hook at first is: int __usercall func<eax>(int a<eax>, int b<ecx>, int c, unsigned int d, signed int e); 回答1: Use a wrapper which will convert it to __stdcall . int __stdcall func_hook