Hook the usercall exe function?

Jun 30, 2014 at 5:25 PM
Hello!

I am new with easyhook and I would like to know how to hook the function that shows as

int __usercall callTable<eax>(int a1<eax>, int a2<ecx>, int a3) in idaPro?
Jul 1, 2014 at 10:06 AM
Hey guys,

I need some help here. I have managed to understand how to do the injection, although maybe I am doing something wrong.

So I created C++ library with these functions, that deal the call through assembler:
extern "C" __declspec(dllexport) __declspec(naked) void func_hook()
{
    __asm{

            push ebp
            mov ebp, esp
            push dword ptr[ebp + 0x04] // args[0]
            push ecx // callnum
            push eax // callnum
            call myfunc2
            leave
            ret // note: __usercall is cdecl-like
    }
}

extern "C" __declspec(dllexport) int _stdcall myfunc2(int a1, int a2, int a3)
{
    ofstream myfile;
    myfile.open("d:/example.txt");
    myfile << "Writing from C++ to a file.\n";
    myfile.close();

    return 0;
}
In C#, in Run method of Injet library I have made:
              var funcAddr = new IntPtr(
                                 0x007B2D70 +
                                 (int)Process.GetCurrentProcess().MainModule.BaseAddress);
                         
                var addrs = LocalHook.GetProcAddress(@".\ClassLibrary1.dll", "func_hook");
                this.StrangeMethod = LocalHook.CreateUnmanaged(funcAddr, addrs, IntPtr.Zero);                
                this.StrangeMethod.ThreadACL.SetExclusiveACL(new[] { 0 });
No errors, but the hook is not working, the function in C++ is not called, although just for test, when I import the library:
        [DllImport(@".\ClassLibrary1.dll", 
        CallingConvention = CallingConvention.StdCall)]
        static extern void func_hook();
and add it to the Run method of Inject library in C#, and call it
   public void Run(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
           func_hook();
        }
The function works and writes the file at d:\example.txt

So can you tell me where I can be wrong? How to troubleshoot what is wrong with the injection itself? If func_hook works when I run it from Run method, it means everything is ok, and as I understand when hook is installed the call to funcAddr IntPtr should detour to LocalHook.GetProcAddress(@".\ClassLibrary1.dll", "func_hook"), so instead of calling originalFunction Address 0x007B2D70 it should call the address where the func_hook is, but why this is not happening? All other hooks that I have in the Inject library work well, so what am I missing?
Jul 1, 2014 at 11:14 AM
Edited Jul 1, 2014 at 11:20 AM
I found out that if I try to hook any other function instead of my exe function

for example
 this.StrangeMethod = LocalHook.CreateUnmanaged(LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"), addrs, IntPtr.Zero);      
this works and file d:\example.txt is being written. So it means there is some issue with detouring the exe function? I double checked and the address of the function is correct, so what can prevent hook to be installed for the exe function by address?
Jul 1, 2014 at 12:22 PM
Edited Jul 1, 2014 at 12:23 PM
I found where was an issue. Instead of getting a pointer to the function like this:
var funcAddr = new IntPtr(0x007B2D70 + 
(int)Process.GetCurrentProcess().MainModule.BaseAddress);
I have to do it like this:
var funcAddr = new IntPtr(0x007B2D70 );
This has fixed an issue, although all the discussions here on codeplex and out on the internet say that it should be used with base address offset. The only explanation is that CreateUnmanaged method was changed and it adds the offset inside.