Hooking into a rather big application

I have this code:

.text:0045A020     ; int __thiscall CMapConnection__OnItemOptionCombination(CMapConnection *this, _tagRequestMAP_COMPOSITION_OPTIONITEM *prcreq)
.text:0045A020     ?OnItemOptionCombination@CMapConnection@@QAEHPAU_tagRequestMAP_COMPOSITION_OPTIONITEM@@@Z proc near

.text:0045A020
.text:0045A020 000                 push    ebp
.text:0045A021 004                 mov     ebp, esp
.text:0045A023 004                 sub     esp, 440h       ; Integer Subtraction
.text:0045A029 444                 mov     eax, ___security_cookie
.text:0045A02E 444                 xor     eax, ebp        ; Logical Exclusive OR
.text:0045A030 444                 mov     [ebp+var_2F0], eax
.text:0045A036 444                 push    esi
.text:0045A037 448                 push    edi
.text:0045A038 44C                 mov     [ebp+this], ecx
.text:0045A03E 44C                 mov     eax, [ebp+this]
.text:0045A044 44C                 mov     ecx, [eax+534h]
.text:0045A04A 44C                 mov     [ebp+pPlayer], ecx
.text:0045A050 44C                 cmp     [ebp+pPlayer], 0 ; Compare Two Operands
.text:0045A057 44C                 jnz     short loc_45A063 ; Jump if Not Zero (ZF=0)
.text:0045A057
.text:0045A059 44C                 mov     eax, 1
.text:0045A05E 44C                 jmp     loc_45A97B      ; Jump

Long story short, I need to do the following:

  - hook into the beginning of the function
  - do some checks (a lot of code is required for those checks)
  - based on the checking result, either let the function continue its normal course, or make it jump to the section where it triggers some errors, or simply stop it from advancing.

I have to do this with a basic understanding of asm.

From what I've read I can do that with a hook, but here's my problem: the checking function needs to read the _tagRequestMAP_COMPOSITION_OPTIONITEM *prcreq data so it can gather some numbers.

.text:0041A464 784C                mov     ecx, [ebp+pPacket] ; jumptable 00417B7A case 27
.text:0041A467 784C                add     ecx, 4          ; Add
.text:0041A46A 784C                mov     [ebp+var_1874], ecx
.text:0041A470 784C                mov     edx, [ebp+var_1874]
.text:0041A476 784C                push    edx             ; prcreq
.text:0041A477 7850                mov     ecx, [ebp+this] ; this
.text:0041A47D 7850                call    ?OnItemOptionCombination@CMapConnection@@QAEHPAU_tagRequestMAP_COMPOSITION_OPTIONITEM@@@Z ;

Here's how the original function is called.

My questions :

  1. How do I read the data from *prcreq in C++ code? Is it possible?
  2. Is it possible to call another function from my hook while passing the same parameters to it as the hooked function has?
  3. I don't mess with the parameters of the OnItemOptionCombination function at all; do I have to redo the stack when I exit from my hook?

Upvotes: 2

Views: 179
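The following is an added example, not code from the question or from either answer. It shows the pattern the three questions are asking about: a detour hook with the same arguments as the __thiscall original, written as a __fastcall function on MSVC/x86 (ecx = this, edx = unused, prcreq on the stack, callee-cleaned, so the stack needs no repair), a check that reads the request struct and the pPlayer slot at this+0x534 (that offset comes from the listing), and a decision to either forward the untouched arguments to a trampoline or return 1, which is the value the original itself returns on its early exit when pPlayer is 0. The field names of _tagRequestMAP_COMPOSITION_OPTIONITEM, the check limits, the stand-in "original" and the assumed return value 0 are all assumptions; the page does not show the struct. The install routine patches 0x0045A020 and relocates the first 9 bytes (push ebp; mov ebp,esp; sub esp,440h, which contain no relative operands, as the listing shows), but it is only compiled on 32-bit Windows and was not exercised here; everywhere else the hook is driven offline through a stand-in.

```cpp
// Added example: detour hook for CMapConnection::OnItemOptionCombination.
// Struct fields, limits and the stand-in original are assumptions.
#include <cstdint>
#include <cstring>
#include <cstddef>

// Assumed layout (the page shows none; the caller passes pPacket + 4, i.e. the
// request starts right after a 4-byte packet header).
struct _tagRequestMAP_COMPOSITION_OPTIONITEM {
    uint32_t dwTargetItemSerial;   // assumed field
    uint32_t dwOptionItemSerial;   // assumed field
    uint16_t wCount;               // assumed field
    uint16_t wReserved;            // assumed padding
};

struct CMapConnection;             // opaque; only forwarded as `this`

// On MSVC/x86 the hook must be __fastcall so that ecx=this, edx=unused and
// prcreq sits on the stack, callee-cleaned: the same ABI as the __thiscall
// original. Elsewhere (offline build) the logic runs with the default convention.
#if defined(_MSC_VER) && defined(_M_IX86)
#define HOOKCALL __fastcall
#else
#define HOOKCALL
#endif

typedef int (HOOKCALL *OnItemOptionCombination_t)(
    CMapConnection* thisptr, void* edx, _tagRequestMAP_COMPOSITION_OPTIONITEM* prcreq);

static OnItemOptionCombination_t g_Original = nullptr;   // trampoline or stand-in

// pPlayer is read from this+0x534 (`mov ecx, [eax+534h]` in the listing).
static void* GetPlayer(CMapConnection* thisptr) {
    void* p;
    std::memcpy(&p, reinterpret_cast<unsigned char*>(thisptr) + 0x534, sizeof p);
    return p;
}

// The checks. Limits are assumptions chosen for the example.
bool CheckRequest(CMapConnection* thisptr, const _tagRequestMAP_COMPOSITION_OPTIONITEM* req) {
    if (thisptr == nullptr || req == nullptr) return false;
    if (GetPlayer(thisptr) == nullptr) return false;            // original rejects this too
    if (req->wCount == 0 || req->wCount > 99) return false;     // assumed limit
    if (req->dwTargetItemSerial == req->dwOptionItemSerial) return false;
    return true;
}

// Hook body: identical arguments to the original, so nothing on the stack moves.
int HOOKCALL Hook_OnItemOptionCombination(CMapConnection* thisptr, void* edx,
                                          _tagRequestMAP_COMPOSITION_OPTIONITEM* prcreq) {
    if (!CheckRequest(thisptr, prcreq))
        return 1;                               // stop: same value as the pPlayer==0 exit
    return g_Original(thisptr, edx, prcreq);    // continue its normal course
}

#if defined(_WIN32) && defined(_M_IX86)
#include <windows.h>
// Real install (32-bit Windows only, not exercised here): copy the 9 displaced
// bytes at 0x0045A020 into a trampoline, jmp back to 0x0045A029, then overwrite
// the function entry with jmp Hook_OnItemOptionCombination.
bool InstallHook() {
    unsigned char* target = reinterpret_cast<unsigned char*>(0x0045A020);
    const size_t kStolen = 9;
    unsigned char* tramp = static_cast<unsigned char*>(
        VirtualAlloc(nullptr, 64, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE));
    if (!tramp) return false;
    std::memcpy(tramp, target, kStolen);
    tramp[kStolen] = 0xE9;                                          // jmp rel32
    int32_t back = static_cast<int32_t>((target + kStolen) - (tramp + kStolen + 5));
    std::memcpy(tramp + kStolen + 1, &back, 4);
    DWORD old;
    if (!VirtualProtect(target, kStolen, PAGE_EXECUTE_READWRITE, &old)) return false;
    int32_t rel = static_cast<int32_t>(
        reinterpret_cast<unsigned char*>(&Hook_OnItemOptionCombination) - (target + 5));
    target[0] = 0xE9;
    std::memcpy(target + 1, &rel, 4);
    std::memset(target + 5, 0x90, kStolen - 5);                     // nop padding
    VirtualProtect(target, kStolen, old, &old);
    FlushInstructionCache(GetCurrentProcess(), target, kStolen);
    g_Original = reinterpret_cast<OnItemOptionCombination_t>(tramp);
    return true;
}
#else
// Offline stand-in for the real function so the hook can run without the game.
static int HOOKCALL StandInOriginal(CMapConnection*, void*,
                                    _tagRequestMAP_COMPOSITION_OPTIONITEM*) {
    return 0;                                   // assumed "handled" result
}
bool InstallHook() { g_Original = StandInOriginal; return true; }
#endif

// Harness: fakes a CMapConnection large enough for the 0x534 pPlayer slot plus a
// request, then calls the hook the way the patched call site would.
int Exercise(bool hasPlayer, uint32_t target, uint32_t option, uint16_t count) {
    if (!g_Original) InstallHook();
    alignas(4) unsigned char conn[0x540] = {0};
    int dummyPlayer = 0;
    void* player = hasPlayer ? &dummyPlayer : nullptr;
    std::memcpy(conn + 0x534, &player, sizeof player);
    _tagRequestMAP_COMPOSITION_OPTIONITEM req = {target, option, count, 0};
    return Hook_OnItemOptionCombination(reinterpret_cast<CMapConnection*>(conn), nullptr, &req);
}
```

Exercise(true, 1, 2, 5) reaches the stand-in and returns 0; a missing player, equal serials or a count outside the assumed range return 1 without the original ever running. Because __fastcall and __thiscall both have the callee pop prcreq, the call site at 0x0041A47D sees the same stack after the hook as after the original, which is why the hook needs no stack fix-up.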

Answers (2)

gifnoc-gkp

Reputation: 1516

Since you can't "pause" the program in order to inject the DLL/so and do the checks (or at least I've never heard of such a thing), you could modify the startup code in order to loop around a variable.
While the program is spinning, perform your checks into the injected DLL/so then get the static pointer used for that variable and modify it to allow the continuation of the injected program.

This will probably take some skill to achieve.

Eagerly waiting for more answers,

Cheers.

Update:

Here's what I had in mind.

Edit the startup code of the program to spin in a loop like the following, using jmp and cmp instructions.

static volatile bool spin = true;   // volatile: the flag is changed from outside this code
while (spin) { }

Then inject your DLL/so and do your checks. Once you're done, change spin to false and allow the program to continue.

To change spin you'll have to find the static pointer. You can do that by studying the instructions or with a program like CheatEngine.

Upvotes: 2
