Detours Hook in external process for "empty" function does not work
I'm hooking functions in an external process via their function offset. That works well for the functions I'm hooking so far; however, I have found a "debugLog(char...)" function that still exists in the binary but doesn't do any printing. It looks like this:

debugMessage    proc near               ; 
            xor     eax, eax        ; Logical Exclusive OR
            retn                    ; Return Near from Procedure
debugMessage    endp

It is called like this:

push    offset debugString ; "This is a debug message"...
call    debugMessage    ; Call Procedure

Now the debug message has obviously been disabled. I wanted to hook into this, as I was already able to simply hook into a similar func(char..) in the binary.

This is the code:

#include <windows.h>
#include <detours.h>

// The target is cdecl, not stdcall: it is entered with "push offset; call" and
// leaves with a plain "retn", so the caller removes the argument.
typedef void (__cdecl* DebugLog)(const char*);
// Placeholder address: 0xCAFEBABE stands in for the real address of debugMessage.
DebugLog Real_DebugLog = (DebugLog)(0xCAFEBABE);

// Forward declaration and definition must agree on linkage, calling
// convention and return type.
static void __cdecl Hook_DebugLog(const char* text);

static void __cdecl Hook_DebugLog(const char* text) {
    MessageBoxA(NULL, text, "MyDebugLog", MB_OK);  // ANSI variant, since text is char*
    Real_DebugLog(text);  // after DetourAttach this points at the trampoline
}

// in DllMain, on DLL_PROCESS_ATTACH..
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)Real_DebugLog, (PVOID)Hook_DebugLog);
DetourTransactionCommit();  // nothing is patched until the transaction commits

A similar approach works for all other functions I have hooked in this binary so far. I also checked with a debugger that debugMessage is actually called.

Any ideas why this hook is not working at all? Maybe because the function could have varargs? I already tried with (const char*, ...).

Corrales answered 20/8, 2011 at 11:29 Comment(0)
The function is likely too small to hook. Detours has to overwrite a portion of the hooked function to redirect calls elsewhere, but there probably isn't enough room in that logging stub for Detours to write a JMP instruction targeted at your replacement.

Yttriferous answered 20/8, 2011 at 14:18 Comment(1)
only other way is to detour all of the call sites instead – Gamesome
A "detour" requires a minimum of 5 bytes to work (x86); debugMessage is only 3 bytes.

Orang answered 20/8, 2011 at 16:9 Comment(3)
thank you for the specific answer, do you know another solution? – Corrales
You could use software or hardware breakpoints. Have a look at msdn.microsoft.com/en-us/library/ms679274(v=vs.85).aspx – Orang
Yes, at least software breakpoints may help. You can put 0xcc (int 3) instead of the first byte of the function that you want to hook, and provide a trap handler. Vectored Exception Handling (VEH) Noergaard referred to might help here. – Chameleon
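To make the size argument from both answers concrete, here is an added example (not code from the question or from the Detours project) that works purely on byte buffers: it measures the 3-byte stub, shows why a 5-byte JMP rel32 cannot be written over it without spilling into the next function, and demonstrates the alternative from the comments, retargeting a 5-byte CALL rel32 at a call site instead. The addresses (0x00401000 for the stub, 0x00401100 for a call site, 0x10001000 for a hook) and all byte sequences are constructed for the example; the length scanner is a toy that models only a handful of opcodes and refuses anything else, where a real injector would use a proper length disassembler as Detours does internally.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Length of "JMP rel32" (E9 disp32) and "CALL rel32" (E8 disp32) on x86. */
#define REL32_INSN_LEN 5

/* Constructed copy of the stub from the question: xor eax,eax ; ret */
static const uint8_t debug_message_stub[] = { 0x31, 0xC0, 0xC3 };
/* Constructed 6-byte function: push ebp ; mov ebp,esp ; nop ; nop ; ret */
static const uint8_t prologue_sample[] = { 0x55, 0x8B, 0xEC, 0x90, 0x90, 0xC3 };
/* Constructed function starting with an opcode the toy scanner does not model. */
static const uint8_t unknown_sample[] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3 };
/* Constructed call site at 0x00401100 that currently calls the stub at
 * 0x00401000: disp32 = 0x00401000 - (0x00401100 + 5) = 0xFFFFFEFB. */
static uint8_t call_site_sample[5] = { 0xE8, 0xFB, 0xFE, 0xFF, 0xFF };

/* Toy length scanner: walk straight-line code until a near return and report
 * the function's total size in bytes, or -1 on any opcode it does not model.
 * Understood: push ebp (55), nop (90), xor/mov r32,r32 (31 /r, 8B /r with a
 * register-direct ModRM), ret (C3) and ret imm16 (C2). */
static int stub_length(const uint8_t *code, size_t len) {
    size_t i = 0;
    while (i < len) {
        switch (code[i]) {
        case 0xC3: return (int)(i + 1);                        /* ret */
        case 0xC2: return (i + 3 <= len) ? (int)(i + 3) : -1;  /* ret imm16 */
        case 0x55: case 0x90: i += 1; break;                   /* push ebp / nop */
        case 0x31: case 0x8B:                                  /* xor / mov with ModRM */
            if (i + 1 >= len || (code[i + 1] & 0xC0) != 0xC0) return -1;
            i += 2; break;
        default: return -1;                                    /* not modelled: refuse */
        }
    }
    return -1;                                                 /* no ret within len */
}

/* Can a 5-byte JMP be written over the function head without running past
 * its ret into whatever follows it in memory? An unknown length means no. */
static int detour_fits(const uint8_t *code, size_t len) {
    return stub_length(code, len) >= REL32_INSN_LEN;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Displacement of a JMP/CALL rel32 placed at 'from' that lands on 'to';
 * it is relative to the end of the 5-byte instruction. */
static uint32_t jmp_rel32_disp(uint32_t from, uint32_t to) {
    return to - (from + REL32_INSN_LEN);
}

/* The 5 bytes Detours would need to write at 'from' to reach 'to'. */
static void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5]) {
    out[0] = 0xE9;
    write_le32(out + 1, jmp_rel32_disp(from, to));
}

/* Alternative from the comments: leave the 3-byte stub alone and redirect the
 * CALL rel32 at 'site_addr'. Rewrites the displacement in place and returns 1
 * only if the bytes really are a CALL that currently lands on 'old_target';
 * otherwise 'site' is left untouched and 0 is returned. */
static int retarget_call(uint8_t site[5], uint32_t site_addr,
                         uint32_t old_target, uint32_t new_target) {
    if (site[0] != 0xE8) return 0;
    uint32_t next = site_addr + REL32_INSN_LEN;
    if (next + read_le32(site + 1) != old_target) return 0;
    write_le32(site + 1, new_target - next);
    return 1;
}

int main(void) {
    uint8_t jmp[5];
    printf("stub: %d bytes, detour fits: %s\n",
           stub_length(debug_message_stub, sizeof debug_message_stub),
           detour_fits(debug_message_stub, sizeof debug_message_stub) ? "yes" : "no");
    printf("prologue sample: %d bytes, unknown sample: %d\n",
           stub_length(prologue_sample, sizeof prologue_sample),
           stub_length(unknown_sample, sizeof unknown_sample));
    encode_jmp_rel32(0x00401000u, 0x10001000u, jmp);
    printf("JMP needs %d bytes: %02X %02X %02X %02X %02X\n", REL32_INSN_LEN,
           jmp[0], jmp[1], jmp[2], jmp[3], jmp[4]);
    if (retarget_call(call_site_sample, 0x00401100u, 0x00401000u, 0x10001000u))
        printf("call site now: %02X %02X %02X %02X %02X\n", call_site_sample[0],
               call_site_sample[1], call_site_sample[2], call_site_sample[3], call_site_sample[4]);
    return 0;
}
```

The stub measures 3 bytes, so detour_fits() refuses it, while the 6-byte prologue sample passes; the scanner returns -1 rather than guessing when it meets an opcode it does not know, which is the safe default for anything that patches code. retarget_call() verifies that the site is a CALL and that its current displacement really resolves to the old target before rewriting it, so a stale or mismatched address cannot silently corrupt an unrelated instruction.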

© 2022 - 2024 — McMap. All rights reserved.