I drove against a wall again and need your help with some low-level stuff. I already succeeded in hooking exported DLL-Functions (with this code btw.) by injecting them into my target process (e.g. I can easily detour MessageBoxW from user32.dll). Unfortunately I aim for a different scenario: I have to detour a function defined inside the executable I'm injecting my code into. The application is Open-Source so I know everything about the function I'd need for hooking it, but the binary is signed with a certificate so I can not compile my own version. Is it possible to fetch the functions' address at runtime or detour it with another technique? The target is a "normal" 32bit Windows binary btw. nothing special I thought ;)
Yours, Nefarius
EDIT: maybe due to my lame English I was not detailed enough, so here a little sample code:
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
foo();
}
BOOL foo(char* someData)
{
return printf("%s", someData);
}
Now I want to detour the function foo() which does not exist in a dynamic library. This is my problem. I don't know how and I'm not sure if this works like I think it does.
EDIT: Now I know it is possible, so the important question changed to: how? How do I get the information I need; the functions address?
Sure, just use something like Ollydbg to set a breakpoint, and edit the assembly after the executable has loaded (and finished checking its certificate). To do it permanently is a bit more challenging, but depending on how sophisticated the certificate check is, you might just be able to bypass that bit of code by replacing it with a NOP (no operation).
EDIT: If you're running 64-bit Windows, you might have better luck with Microsoft's own Debugging Tools. I've never used them, so I have no idea how they compare to Ollydbg.
If this is for something that is more than a one time debugging jaunt, look into Microsoft Detours, an API for hooking functions.
you need to get the functions address then insert a jmp at the functions entry point to your procedure and then restore the original proc and then jump back to the original function.
Use EasyHook for that. With that library you can intercept a function with the address.
I acquired my aim with hooking some low-level Windows API functions, not the best solution but it works, Assembler isn't mine...
来源:https://stackoverflow.com/questions/4317465/how-to-find-a-functions-address-to-hook-detour-in-an-exe-file