I ran into a wall again and need your help with some low-level stuff. I already succeeded in hooking exported DLL functions (with this code btw.) by injecting them into my target process (e.g. I can easily detour MessageBoxW from user32.dll). Unfortunately I aim for a different scenario: I have to detour a function defined inside the executable I'm injecting my code into. The application is open source so I know everything about the function I'd need for hooking it, but the binary is signed with a certificate so I cannot compile my own version. Is it possible to fetch the function's address at runtime or detour it with another technique? The target is a "normal" 32-bit Windows binary btw., nothing special I thought ;)
Yours, Nefarius
EDIT: maybe due to my lame English I was not detailed enough, so here is a little sample code:

```c
#include <stdio.h>
#include <windows.h>

BOOL foo(char* someData);   /* forward declaration so WinMain can call it */

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    foo("hello");           /* foo takes a char*, so pass it a string */
    return 0;
}

BOOL foo(char* someData)
{
    return printf("%s", someData);
}
```
Now I want to detour the function foo() which does not exist in a dynamic library. This is my problem. I don't know how and I'm not sure if this works like I think it does.
EDIT: Now I know it is possible, so the important question changed to: how? How do I get the information I need, the function's address?
Upvotes: 4
Views: 7988
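For the "how do I get the address" part, an added example that is not from any of the answers here: the link-time address of foo() that an open-source build's map file or a disassembler shows is only valid at the PE's preferred ImageBase, but the RVA (address minus ImageBase) survives relocation, so read ImageBase from the PE header once and add the RVA to the base the loader actually used (GetModuleHandle(NULL) in the target process). The PE32 parser, the constructed header bytes and the 0x00401230 address for foo() are mine and placeholders, not values from the question.

```c
#include <stdint.h>
#include <stddef.h>
/* Field offsets from the PE/COFF spec; no <windows.h>, so this also builds on non-Windows hosts. */
#define DOS_MAGIC      0x5A4D       /* "MZ" */
#define PE_SIGNATURE   0x00004550UL /* "PE\0\0" */
#define OPT_MAGIC_PE32 0x10B        /* 32-bit optional header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Preferred ImageBase of a PE32 image (on disk or mapped); 0 if the headers are not as expected. */
uint32_t pe32_image_base(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != DOS_MAGIC) return 0;
    uint32_t pe_off = rd32(img + 0x3C);                /* e_lfanew: offset of "PE\0\0" */
    if ((size_t)pe_off + 4 + 20 + 32 > len) return 0;  /* signature + COFF header + ImageBase field */
    if (rd32(img + pe_off) != PE_SIGNATURE) return 0;
    const uint8_t *opt = img + pe_off + 4 + 20;        /* optional header follows the 20-byte COFF header */
    if (rd16(opt) != OPT_MAGIC_PE32) return 0;         /* PE32+ has a 64-bit ImageBase; not handled here */
    return rd32(opt + 28);                             /* ImageBase field */
}

/* Link-time VA (map file / disassembler) -> address in the running process. RVA = VA - ImageBase. */
uint32_t rebase(uint32_t static_va, uint32_t image_base, uint32_t runtime_base)
{
    return runtime_base + (static_va - image_base);
}

/* Constructed 120-byte PE32 header with ImageBase 0x00400000; only the fields read above are filled. */
const uint8_t *sample_image(size_t *len)
{
    static uint8_t img[120];                           /* static storage is zero-initialised */
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x40;                                  /* e_lfanew = 0x40 */
    img[0x40] = 'P'; img[0x41] = 'E';
    uint8_t *opt = img + 0x40 + 4 + 20;
    opt[0] = 0x0B; opt[1] = 0x01;                      /* Magic = 0x10B */
    opt[30] = 0x40;                                    /* ImageBase = 0x00400000, little-endian */
    *len = sizeof img;
    return img;
}

/* Where foo() (placeholder link-time VA 0x00401230) lands when the loader maps the image at runtime_base. */
uint32_t runtime_address_of_foo(uint32_t runtime_base)
{
    size_t len; const uint8_t *img = sample_image(&len);
    uint32_t base = pe32_image_base(img, len);
    return base ? rebase(0x00401230u, base, runtime_base) : 0;
}
```

If the image was loaded at its preferred base the result equals the static address; under ASLR or a base collision it differs, which is exactly the case a hard-coded address gets wrong.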
Reputation: 2813
Use EasyHook for that. With that library you can intercept a function by its address.
Upvotes: 0
Reputation: 11768
You need to get the function's address, then insert a jmp at the function's entry point to your procedure, and then restore the original proc and jump back to the original function.
Upvotes: 0
Reputation: 20528
If this is for something that is more than a one time debugging jaunt, look into Microsoft Detours, an API for hooking functions.
Upvotes: 1
Reputation: 65903
Sure, just use something like Ollydbg to set a breakpoint, and edit the assembly after the executable has loaded (and finished checking its certificate). To do it permanently is a bit more challenging, but depending on how sophisticated the certificate check is, you might just be able to bypass that bit of code by replacing it with a NOP (no operation).
EDIT: If you're running 64-bit Windows, you might have better luck with Microsoft's own Debugging Tools. I've never used them, so I have no idea how they compare to Ollydbg.
Upvotes: 1