Detours Hook in external process for "empty" function does not work

Question

Im hooking functions in an external process via their function offset. That works well for the functions im hooking so far - however i have found a "debugLog(char...)" function that still exist in the binary but doesnt do any printing - it looks like this

debugMessage    proc near               ; 
            xor     eax, eax        ; Logical Exclusive OR
            retn                    ; Return Near from Procedure
debugMessage    endp

it is called like this

push    offset debugString ; "This is a debug message"...
call    debugMessage    ; Call Procedure

Now the debug message has obviously been disabled, i wanted to hook into this as i was able to simply hook into similar func(char..) in the binary already.

This is the code:

typedef void (__stdcall* DebugLog)(const char*);
DebugLog Real_DebugLog = (DebugLog)(0xCAFEBABE);

extern "C"
 {
 static void __stdcall Hook_DebugLog(const char*);
 }

void __stdcall Hook_DebugLog(const char* text) {
MessageBox(NULL, text, "MyDebugLog", MB_OK);
return Real_DebugLog(text);
}

// in dll main attach..
DetourTransactionBegin(); 
DetourUpdateThread(GetCurrentThread()); 
DetourAttach(&(PVOID&)Real_DebugLog, (PVOID)Hook_DebugLog);

A similar approach works for all other functions i have so far hooked into this binary. I also made sure the debugMessage is even called with a debugger.

Any ideas why this hook is not working at all? Maybe because the function could have var args? i already tried with const char*,...).

score 4 · Answer 1 · answered Aug 20 '11 at 16:09

4

A "detour" requires a minimum of 5 bytes to work (x86) - debugMessage is only 3 bytes.

answered Aug 20 '11 at 16:09

Nop

315
1
3
9

thank you for the specific answer, do you know another solution? – Steve Aug 20 '11 at 19:11
You could use software or hardware breakpoints. Have a look at http://msdn.microsoft.com/en-us/library/ms679274(v=vs.85).aspx – Nop Aug 20 '11 at 20:28
Yes, at least software breakpoints may help. You can put 0xcc (int 3) instead of the first byte of the function that you want to hook, and provide a trap handler. Vectored Exception Handling (VEH) Noergaard referred to might help here. – Eugene Aug 20 '11 at 21:08

score 3 · Accepted Answer · answered Aug 20 '11 at 14:18

3

The function is likely too small to hook. Detours has to overwrite a potion of the hooked function to redirect calls elsewhere, but there probably isn't enough room in that logging stub for Detours to write a JMP instruction targeted at your replacement.

answered Aug 20 '11 at 14:18

Rob Kennedy

161,384
21
275
467

only other way is to detour all of the call sites instead – paulm Jan 21 '16 at 11:44

Detours Hook in external process for "empty" function does not work

2 Answers2