I managed to hook everything I wanted (API functions, virtual methods, "standard" functions) but I'm wondering how to hook a non-virtual class member function (method). To hook a virtual method you just need to get the VTable and patch it (or copy it, modify it and change the VPointer). However, when the method is NOT virtual, there is no VTable.

First of all, how can I get the address of the method I want to hook from its name? I can't use GetProcAddress() since the function is not exported. The only way seems to be searching for a byte pattern in memory corresponding to the function. Then, once I've got the address, how do I hook it? Using a basic method (JMP)? What if I want to hook only ONE instance? I think I'd do a check in my hooking function: if it's the right instance then do what has to be done, otherwise just execute it without doing anything else.

Actually I'm looking for better solutions because I think the ones above would work but they're not very "neat", are they?

Thank you.

GuiTeK
  • I don't know much about the `WinAPI` but you can take the address of a member-function using the `&ClassName::member_name` syntax. – pmr Jan 17 '14 at 22:25
  • Let's say `ClassName` is not part of a library I can `#include` in my DLL (which I want to inject) but instead it's a class defined in the program I want to hook: I can't write `&ClassName::member_name` in my DLL, I'll get a compilation error. – GuiTeK Jan 18 '14 at 11:04

1 Answer

Most of the time it is simply not possible to divert a statically-resolved function. Have you ever heard of this optimization called inlining? Even when that doesn't occur, COMDAT-folding can make isolating your function of interest quite impossible.

Strongly recommended reading: Raymond Chen's "Why does the debugger show me the wrong function?"

Ben Voigt
  • What do you mean by "statically-resolved function"? Yes I forgot about inlining... you're right, it can be problematic. As for COMDAT-folding, let's say the function is referenced in the program so it hasn't been deleted by the linker (I wouldn't hook a function which is not used?). Then how would you proceed to hook this function if it has not been inlined? – GuiTeK Jan 18 '14 at 11:09
  • @GuiTeK: Statically-resolved means that the compiler decides (resolves) exactly what function is called at compile-time. This includes all calls to named non-virtual functions. Virtual functions and calls through function pointers might be statically-resolved or dynamically-resolved, depending on whether the compiler can figure out the exact type. – Ben Voigt Jan 18 '14 at 21:08
  • Also, by COMDAT-folding I mean that functions containing identical instructions (which happens more often in C++ than you'd first think, for example all getters that read and return an integer stored 8 bytes into the object tend to produce the exact same machine code, regardless of the object's actual type) then these functions are mapped to the same location in the executable. See http://stackoverflow.com/questions/15168924/gcc-clang-merging-functions-with-identical-instructions-comdat-folding Then consider the problem of replacing one of the functions sharing a single implementation. – Ben Voigt Jan 18 '14 at 21:10