C ++钩挂成员函数和原始函数返回垃圾值。

时间:2019-01-02 04:45:55

标签: c++ winapi dll hook detours

我想要钩子类成员函数(使用dll注入)。目前,钩住是成功的。 但是在挂钩函数中,我编写了使用return调用原始函数的代码。 结果,原始函数返回垃圾值。我的工作有什么问题?

target.cpp

#include <iostream>
#include <windows.h>

class Target
{
    private:
        int _member;

    public:
        Target()
        : _member(0)
        {
        }

        Target(int i)
        : _member(i)
        {
        }

        virtual ~Target()
        {
        }

        int getValue() // I want to hooking this function.
        {
            return _member;
        }
};

int main(int argc, char **argv)
{
    while(1){
        Sleep(10000);        
        Target objA, objB(7);
        std::cout << objA.getValue() << " " << objB.getValue() << std::endl;
    }
    return 0; 
}

injection.dll

#include <windows.h>
#include <detours.h>
#include <iostream>
#include <sstream>

#pragma comment(lib, "detours.lib")

static const int ADDRESS = 0x2180;
int (__thiscall * original_func)(void *);

int hookedFunction(void *obj)
{
    uintptr_t base = (uintptr_t)GetModuleHandle(0);
    std::cout << obj << " Hooked Obj Address.\n";
    int result = original_func(obj);
    std::cout << "original function returns " << result << '\n';
    return result; 
}

DWORD WINAPI Attach(LPVOID param)
{
    uintptr_t base = (uintptr_t)GetModuleHandle(0);

    original_func = (decltype(original_func)) (base + ADDRESS);

    OutputDebugString(TEXT("Attach approach!"));
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)original_func, hookedFunction);

    LONG lError = DetourTransactionCommit();
    if (lError != NO_ERROR) {
        OutputDebugString(TEXT("Attach fail!"));
    } else {
        OutputDebugString(TEXT("Attach Sucess!!"));
    }
    return 0;
}

DWORD WINAPI Detach(LPVOID param)
{
    OutputDebugString(TEXT("Detach approach!"));
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourDetach(&(PVOID&)original_func, hookedFunction);

    LONG lError = DetourTransactionCommit();
    if (lError != NO_ERROR) {
        OutputDebugString(TEXT("Detach fail!"));
    } else {
        OutputDebugString(TEXT("Detach Sucess!!"));
    }
    return 0;
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch(dwReason)
    {
        case DLL_PROCESS_ATTACH:
        {
            CreateThread(0, 0, Attach, hModule, 0, 0); 
            break;
        }
        case DLL_PROCESS_DETACH:
        {
            CreateThread(0, 0, Detach, hModule, 0, 0); 
            break;
        }
    }
    return TRUE;
}

target.cpp程序的控制台输出。

0 7
0 7
0 7
0 7
0 7
0 7
0 7 <-- (DLL injection!)
000D1069 Hooked Obj Address.
original function returns 843966720 <-- why not 0 or 7?
000D8B30 Hooked Obj Address.
original function returns 890668
890668 843966720
000D1069 Hooked Obj Address.
original function returns 843966720
000D8B30 Hooked Obj Address.
original function returns 890668
如您在控制台输出中看到的

,原始函数返回垃圾值。 为什么原始函数返回垃圾值?

1 个答案:

答案 0 :(得分:1)

来自Using Detours

  

为正确拦截,目标函数,弯路函数和目标指针必须具有完全相同的调用签名,包括参数数量和调用约定。使用相同的调用约定,可以确保正确保存寄存器,并确保绕行和目标函数之间的堆栈正确对齐

int hookedFunction(void *obj)__thiscall的调用约定不匹配。

可能还有其他错误,但这很明显。