Detouring Library

[cerealnp]

Well, I'm looking for a Detouring Library that works fine with GunZ. I was actually using CDetour, it works mostly fine, but I found out some incompatibilities with x64, plus, I'm wanting to upgrade to Visual Studio 2008, and CDetour conversion for 2008 is giving me a bunch of errors. I've already tried Micro$oft Detours, but it isn't that good for Gunz. That's it, I would really appreciate all the suggestions. Thanks.

 

[PaulBub]

Microsoft Detours 2.0 works fine.

 

[cerealnp]

Microsoft Detours 2.0 works fine.

It does, but it crashes sometimes when calling the original function after the detoured one ends. Especially with the ones that has classes and structures as parameters.

 

[Guy]

Writing your own isn't terribly complicated.

Example.cpp:

#include "hiJackr.h"

PBYTE _LastFunction;
PBYTE _LastHook;
DWORD _LastReturnAddress;
CRITICAL_SECTION CS;
BOOL iCS = FALSE;

PBYTE Detour( PBYTE Offset, PBYTE Hook )
{
	PBYTE _Prologue = new BYTE[_HookLength];
	DWORD OldProtect;

	if( !iCS )
	{
		InitializeCriticalSection( &CS );
		iCS = TRUE;
	}

	memcpy( _Prologue, &Offset[0], _HookLength );

	VirtualProtect( Offset, _HookLength, PAGE_EXECUTE_READWRITE, &OldProtect );

	Offset[0] = 0xE8;
	*( DWORD_PTR * ) ( &Offset[1] ) = ( DWORD_PTR ) ( Hook - Offset ) - _HookLength;

	VirtualProtect( Offset, _HookLength, OldProtect, &OldProtect );

	return( _Prologue );
}

void RepairFunction( BYTE *Offset, BYTE *Buffer )
{
	DWORD OldProtect;
	
	VirtualProtect( Offset, _HookLength, PAGE_EXECUTE_READWRITE, &OldProtect );

	for( UINT i = 0; i < _HookLength; i++ )
		*( ( PBYTE ) Offset + i ) = Buffer[i];

	VirtualProtect( Offset, _HookLength, OldProtect, &OldProtect );
}

void RepairDetour( )
{
	Detour( ( PBYTE ) _LastFunction, ( PBYTE ) &_LastHook );
	*( ( DWORD_PTR * ) _AddressOfReturnAddress( ) ) = _LastReturnAddress;
	LeaveCriticalSection( &CS );
}

Example.h:

#pragma once
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <intrin.h>

#ifndef _M_IX86
	#ifndef _M_X64
		#error Platform not supported: build for x86 or x86-64 only.
	#endif
#endif

#ifdef _M_IX86
	#define _HookLength 5
#elif _M_X64
	#define _HookLength 9
#endif

#define _Prologue( _Prologue ) \
	_LastFunction = ( PBYTE ) ( ( DWORD ) _ReturnAddress( ) - _HookLength ); \
	RepairFunction( ( PBYTE ) _LastFunction, _Prologue );

#define _Epilogue( this ) \
	EnterCriticalSection( &CS ); \
	_LastHook = ( PBYTE ) this; \
	*( ( DWORD_PTR * ) _AddressOfReturnAddress( ) ) -= _HookLength; \
	_LastReturnAddress = ( DWORD ) *( ( ( DWORD_PTR * ) _AddressOfReturnAddress( ) ) \
			+ 8 / sizeof( DWORD_PTR * ) ); \
	*( ( DWORD_PTR * ) _AddressOfReturnAddress( ) + 4 / sizeof( DWORD_PTR * ) ) = ( DWORD_PTR ) RepairDetour; \
	return;

extern PBYTE _LastFunction;
extern PBYTE _LastHook;
extern DWORD _LastReturnAddress;
extern CRITICAL_SECTION CS;
extern BOOL iCS;

PBYTE Detour( PBYTE Offset, PBYTE Hook );
void RepairFunction( PBYTE Offset, PBYTE Buffer );
void RepairDetour( );

Terribly organized, but this does serve well as an example.

 

[ThievingSix]

So, where does it copy the original instructions that the detour jump copies over? That can't be a memcpy...

 

[Guy]

So, where does it copy the original instructions that the detour jump copies over? That can't be a memcpy...

Offset[0] = 0xE8;
	*( DWORD_PTR * ) ( &Offset[1] ) = ( DWORD_PTR ) ( Hook - Offset ) - _HookLength;

 

[ThievingSix]

You missed what I was trying to say. But I now assume this is was never meant to return to the original function.

 

[Guy]

You missed what I was trying to say. But I now assume this is was never meant to return to the original function.

Oh, yes it does.

#define _Prologue( _Prologue ) \
	_LastFunction = ( PBYTE ) ( ( DWORD ) _ReturnAddress( ) - _HookLength ); \
	RepairFunction( ( PBYTE ) _LastFunction, _Prologue );

#define _Epilogue( this ) \
	EnterCriticalSection( &CS ); \
	_LastHook = ( PBYTE ) this; \
	*( ( DWORD_PTR * ) _AddressOfReturnAddress( ) ) -= _HookLength; \
	_LastReturnAddress = ( DWORD ) *( ( ( DWORD_PTR * ) _AddressOfReturnAddress( ) ) \
			+ 8 / sizeof( DWORD_PTR * ) ); \
	*( ( DWORD_PTR * ) _AddressOfReturnAddress( ) + 4 / sizeof( DWORD_PTR * ) ) = ( DWORD_PTR ) RepairDetour; \
	return;

_Epilogue repairs and returns.

 

[cerealnp]

Thanks gWX0, I'm gonna take a look at it. Btw someone have any clue about why some detouring libraries fails at returning to the original function when it has classes or structures as parameters?

 

[PaulBub]

It does, but it crashes sometimes when calling the original function after the detoured one ends. Especially with the ones that has classes and structures as parameters.

Be sure to compile it in release version.

 

[cerealnp]

Be sure to compile it in release version.

Yeah, that's not the prob, function's declaration looks fine too, that's why I'm asking if there is some kinda bug at the libraries.

 

[ThievingSix]

Oh, yes it does.

#define _Prologue( _Prologue ) \
    _LastFunction = ( PBYTE ) ( ( DWORD ) _ReturnAddress( ) - _HookLength ); \
    RepairFunction( ( PBYTE ) _LastFunction, _Prologue );

#define _Epilogue( this ) \
    EnterCriticalSection( &CS ); \
    _LastHook = ( PBYTE ) this; \
    *( ( DWORD_PTR * ) _AddressOfReturnAddress( ) ) -= _HookLength; \
    _LastReturnAddress = ( DWORD ) *( ( ( DWORD_PTR * ) _AddressOfReturnAddress( ) ) \
            + 8 / sizeof( DWORD_PTR * ) ); \
    *( ( DWORD_PTR * ) _AddressOfReturnAddress( ) + 4 / sizeof( DWORD_PTR * ) ) = ( DWORD_PTR ) RepairDetour; \
    return;

_Epilogue repairs and returns.

Ahhh! I see. So you can't return to the function in the middle of the hook.

 

[Guy]

Ahhh! I see. So you can't return to the function in the middle of the hook.

Er, the idea is you run _Prologue and _Epilogue to represent the beginning and ending of your hook. _Epilogue returns back to your function.

 

[ThievingSix]

OK, I get it now.

 

[arenti]

CDetour does not have any compatibility issues with x64, and in fact it cannot, because x64s run gunz in an x86 emulator

to get CDetour working with 2008, exclude CDetourDis and include detours.h (microsoft detours 1.5) instead

the struct thing is probably caused by not defining the calling convention of your hook functions

and gWX0, your detour library blows

 

[Guy]

CDetour does not have any compatibility issues with x64, and in fact it cannot, because x64s run gunz in an x86 emulator

to get CDetour working with 2008, exclude CDetourDis and include detours.h (microsoft detours 1.5) instead

the struct thing is probably caused by not defining the calling convention of your hook functions

and gWX0, your detour library blows

1) Yes, CDetour does have issues with x64, as in it cannot compile for x64 platforms......................

2) On 64-bit platforms, Gunz isn't ran in an "emulator"; though it is running under "emulation mode", using what you could call a pseudo-emulator at best.

3) What..? Remove the proper CDetour definitions and use the Microsoft Detours build? That changes the library entirely, making it a hybrid of MS Detours and CDetour, unless you mean to exclude all CDetour files and just use Microsoft's detours library.

4) Why would that only happen for structures or classes? Calling convention isn't the issue.

5) It works without using a run-length disassembler, which adds forward-compatibility when newer instructions are introduced and used in function prologue code.

EDIT:

Using the example:

#include "example.h"
PBYTE MBA_Prologue;

void MBA_Hook( )
{
	_Prologue( MBA_Prologue );

	MessageBoxA( 0, "Hooked!", "", MB_OK );

	_Epilogue( MBA_Hook );
}

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
	MBA_Prologue = Detour( ( PBYTE ) MessageBoxA + 5, ( PBYTE ) &MBA_Hook );
	MessageBoxA( 0, "Works fine", "???", MB_OK );

	return( 0 );
}

 

[ThievingSix]

1) Yes, CDetour does have issues with x64, as in it cannot compile for x64 platforms......................

2) On 64-bit platforms, Gunz isn't ran in an "emulator"; though it is running under "emulation mode", using what you could call a pseudo-emulator at best.

3) What..? Remove the proper CDetour definitions and use the Microsoft Detours build? That changes the library entirely, making it a hybrid of MS Detours and CDetour, unless you mean to exclude all CDetour files and just use Microsoft's detours library.

4) Why would that only happen for structures or classes? Calling convention isn't the issue.

5) It works without using a run-length disassembler, which adds forward-compatibility when newer instructions are introduced and used in function prologue code.

EDIT:

Using the example:

#include "example.h"
PBYTE MBA_Prologue;

void MBA_Hook( )
{
    _Prologue( MBA_Prologue );

    MessageBoxA( 0, "Hooked!", "", MB_OK );

    _Epilogue( MBA_Hook );
}

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
    MBA_Prologue = Detour( ( PBYTE ) MessageBoxA + 5, ( PBYTE ) &MBA_Hook );
    MessageBoxA( 0, "Works fine", "???", MB_OK );

    return( 0 );
}

CDetourDis = Microsoft Detour File renamed.

 

[Guy]

CDetourDis = Microsoft Detour File renamed.

If it's just renamed, why would you need to include a different file?

 

[ThievingSix]

Newer version? I don't know(well care really).

 

[Guy]

Newer version? I don't know(well care really).

Why would you mix old and new project files? That's like trying to replace a 1964 Mustang's windshield with a 2009 Mustang's windshield; it might work, but the result will be ugly and unsafe.