Hello! Can anyone help with this? I need to hook one function in a DLL, so that when it is called I can substitute my own function. I tried to do it, but to no avail. Nothing worked. Can someone show a simple example? And yes, I will describe how I did it: first I injected into the process, so that at that point I could intercept the function from the DLL. And does x64 versus x86 matter?
Closed because the essence of the question is unclear, by participants mega, cheops, user194374, Kromster, Grundy, Jul 10 '16 at 6:56 pm.
- Jeffrey Richter describes the entire method in his famous book. The code is there. - WhereColdWindsBlow
1 answer
```cpp
#include <windows.h>

// Called so that the memory region at ptr can be written to
void Unprotect(void *ptr, int count)
{
    DWORD protect;
    VirtualProtect(ptr, count, PAGE_EXECUTE_READWRITE, &protect);
}

// from - address of the function to hook
// to   - address of the replacement function
void Jmp(size_t from, size_t to)
{
    Unprotect((void*)from, 5);
    *(unsigned char*)from = 0xE9;               // opcode of JMP rel32
    *(int*)(from + 1) = (int)(to - (from + 5)); // offset counted from the end of the 5-byte jump
}
```

This is the code for completely replacing a function call. The signatures of the hook function and the original must match.
If you need to return to the original function after the hook, you will have to dig into the asm code and write an asm insert that is unique for each function (the instructions that were overwritten by the jmp will not restore themselves automatically).
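The same `E9 rel32` encoding read from the inspecting side, as an added example that is not part of the original answer: it decodes a function prologue, flags a jump that leaves the function's own module, and checks whether a displacement fits in 32 bits, which is the x64 caveat for this patch. All function names, addresses and byte arrays are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Decode "E9 rel32" at virtual address addr; returns 1 and sets *target. */
int decode_jmp_rel32(const uint8_t *code, size_t len, uint64_t addr, uint64_t *target)
{
    if (len < 5 || code[0] != 0xE9)
        return 0;
    uint32_t raw = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    /* rel32 is signed and relative to the instruction after the jump */
    *target = addr + 5 + (uint64_t)(int64_t)(int32_t)raw;
    return 1;
}

/* In a 64-bit address space, to - (from + 5) must fit in 32 signed bits;
   the answer's (int) cast truncates silently when it does not. */
int rel32_reachable(uint64_t from, uint64_t to)
{
    int64_t disp = (int64_t)(to - (from + 5));
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* 1 if the function's first instruction jumps outside its own module.
   A jump that stays inside the module (e.g. a linker thunk) is not flagged. */
int prologue_redirected(const uint8_t *code, size_t len, uint64_t addr,
                        uint64_t mod_base, uint64_t mod_size, uint64_t *target)
{
    if (!decode_jmp_rel32(code, len, addr, target))
        return 0;
    return *target < mod_base || *target >= mod_base + mod_size;
}

/* Constructed sample data: a module at MOD_BASE, a function at FN_ADDR. */
#define MOD_BASE 0x10000000ULL
#define MOD_SIZE 0x20000ULL
#define FN_ADDR  0x10001000ULL
const uint8_t clean_prologue[]  = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08 };
const uint8_t hooked_prologue[] = { 0xE9, 0xFB, 0xEF, 0xFF, 0x0F, 0x08 };
const uint8_t thunk_prologue[]  = { 0xE9, 0xFB, 0x0F, 0x00, 0x00, 0xCC };

int main(void)
{
    uint64_t t = 0;
    if (prologue_redirected(hooked_prologue, sizeof hooked_prologue, FN_ADDR, MOD_BASE, MOD_SIZE, &t))
        printf("redirected to 0x%llx\n", (unsigned long long)t);
    return 0;
}
```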