Reputation: 1329
I have been studying this method of API hooking using the mechanisms for hotpatching in Windows DLLs.
http://www.codeproject.com/KB/winsdk/0xF9EB_Hooking.aspx
I was wondering if anyone would know of a way to extend that to hooking non-exported functions, such as a C++ constructor for an internal class inside of a DLL. I already know the address via disassembly... the problem I am having is how to set up the right calling conventions so that I can call the original function inside of my hook function.
I'm already to the point to where my hook function gets called... the program crashes because I can't return the results of calling the original function.
Let's assume we are talking about hooking an internal class constructor with a prototype something like this:
public __thiscall <class_name>::<class_name>(<single pointer arg to another object>)
Upvotes: 3
Views: 1006
Reputation: 8815
Define it as a typical __stdcall function except that you'll have this pointer in ecx register. If you need this pointer, then use the __asm keyword to get the value:
    void __stdcall HookedConstructor(SomeObject *pObject)
    {
        HookedClass *pClass;
        __asm mov pClass, ecx;
        ...
    }
Note that you'll have to do this at the beginning of the call. Otherwise, the value of ecx register may be overwritten.
Upvotes: -1
Reputation: 26171
Depending on how your module is loaded, you can generally just overwrite the relative or absolute addresses at their respective call sites; otherwise you need to make a trampolining function, for which it's easier to use something like MS Detours.
In terms of the correct prototype for __thiscall based class member functions, you need some trickery, as you can't generally use __thiscall outside classes. The fastest and easiest way is to use __fastcall and ignore the second parameter. So your first definition becomes void __fastcall myctor(myobj* pObj).
Upvotes: 3
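The calling-convention glue discussed in this thread, as an added example that is not code from any of the posts: a __fastcall hook with a dummy edx parameter that calls the original constructor through a __thiscall function pointer and hands back its result. Assumptions: 32-bit MSVC, where constructors return this in eax; the names Other, Hooked, HookedCtor, StandInCtor and g_original are hypothetical, and g_original would in practice be the trampoline address supplied by whatever installs the hook. On other compilers the convention macros expand to nothing so the logic can still be built and run.

```cpp
#if defined(_MSC_VER) && defined(_M_IX86)
#define THISCALL __thiscall  // 'this' in ecx, args on stack, callee cleans up
#define FASTCALL __fastcall  // arg 1 in ecx, arg 2 in edx, rest on stack
#else
#define THISCALL             // other targets have one default convention,
#define FASTCALL             // so the macros vanish and only the logic remains
#endif

struct Other  { int value; };              // hypothetical constructor argument
struct Hooked { Other* other; int tag; };  // hypothetical internal class layout

// MSVC accepts __thiscall on a function *pointer* type; 'self' travels in ecx.
// The constructor returns 'this', hence the void* return type.
typedef void* (THISCALL *CtorFn)(void* self, Other* arg);

static CtorFn g_original = nullptr;  // trampoline to the original constructor body
static int    g_calls    = 0;

// __fastcall receives 'self' in ecx exactly as __thiscall passes it; the dummy
// second parameter absorbs edx so 'arg' is read from the stack slot the caller used.
void* FASTCALL HookedCtor(void* self, void* /*edx, unused*/, Other* arg)
{
    ++g_calls;
    void* self_out = g_original(self, arg);  // run the real constructor first
    static_cast<Hooked*>(self)->tag = 42;    // then do the hook's own work
    return self_out;                         // the caller expects 'this' back
}

// Constructed stand-in for the disassembled constructor, so the example runs.
#if defined(_MSC_VER) && defined(_M_IX86)
static void* __fastcall StandInCtor(void* self, void*, Other* arg)
#else
static void* StandInCtor(void* self, Other* arg)
#endif
{
    static_cast<Hooked*>(self)->other = arg;
    return self;
}

bool RunDemo()
{
    Other other = { 7 };
    Hooked obj = { nullptr, 0 };
    g_calls = 0;
    g_original = reinterpret_cast<CtorFn>(&StandInCtor);
    void* r = HookedCtor(&obj, nullptr, &other);  // patched call site lands here
    return r == &obj && obj.other == &other && obj.tag == 42 && g_calls == 1;
}

int main() { return RunDemo() ? 0 : 1; }
```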