Question : IAT patching, problem when calling back to original target function?

Hi,

I was wondering if an expert could help me with IAT patching on NT-based OSs as I've come a little unstuck.  I'm trying to install an API hook using DLL injection (LoadLibrary/CreateRemoteThread technique), and then patch a couple of OpenGL functions to be able to intercept their parameters and perform operations before calling the originals.  All of this is working apart from, it seems, when I call back to the original versions of functions that have a parameter list - calling back to functions with no parameters is fine.

I suspect it is how I've specified my function pointers; I'm new to this technique and can't seem to figure out which is the correct way of doing things.  When I call back to the original functions with the parameter list it just crashes the target process.

The code I'm using is as follows:-

// Pointer to original function:

void (WINAPI *glRotatefOrig)(GLfloat  angle, GLfloat x, GLfloat y, GLfloat z);

// Code to get original function pointer:

glRotatefOrig = (void (WINAPI *)(GLfloat, GLfloat, GLfloat, GLfloat)) GetProcAddress(hMod, "glRotatef"); // hMod = handle to openGL module.

// My own function implementation (this is called successfully by the target process following IAT patch):

void myglRotatef( GLfloat angle,  GLfloat x,  GLfloat y,  GLfloat z)
{
      console->Write("glRotatef Called\n"); // prints ok
      glRotatefOrig(angle, x, y, z); // This call crashes the application (no meaningful error given).
}

Can anyone possibly point me to where I'm going wrong?  I've tried numerous different ways of specifying the original function pointer but all end in tears :/

Cheers in advance if you can help,
Chris

Answer : IAT patching, problem when calling back to original target function?

Hi Chris,

IAT patching is something I fiddled with quite a lot not so long ago: J. Richter's books really are required reading on this :)

I wrote a wrapper class, inspired by the above gentleman, which enabled me to successfully hook functions such as ::MessageBox etc.  I have attached my helper class below, along with example usage.  Please try it out using your OpenGL functions - it should work without problem.

You will see that when I hook the call to ::MessageBox, I change the text that was originally specified to "I have hooked this call!"
// Requires MFC (VERIFY/ASSERT/AfxGetInstanceHandle) and the CFuncInAPIHook helper class.

// Replacement procedure.  It hooks MessageBoxW specifically, so its parameters
// are the wide-character types MessageBoxW itself takes (LPCWSTR, not LPCTSTR,
// which would become char* in a non-UNICODE build).
int WINAPI MyMessageBox( HWND hWnd,
    LPCWSTR lpText,
    LPCWSTR lpCaption,
    UINT uType
)
{
	// Function pointer must have the same calling convention as PROC (WINAPI)!  Therefore, prepend WINAPI (__stdcall)!
	typedef int  (WINAPI *MESSAGEBOX_FUNC)(HWND, LPCWSTR, LPCWSTR, UINT);

	// Only retrieve the original function's address once!
	static MESSAGEBOX_FUNC pFunc = ( MESSAGEBOX_FUNC ) CFuncInAPIHook::Instance().RetrieveOriginalAPIFunctionAddress ( _T("user32.dll"), _T("MessageBoxW") );
	ASSERT ( pFunc );
	(void)lpText; // the caller's text is deliberately discarded and replaced below
	return pFunc ? ( *pFunc )( hWnd, L"I have hooked this call!", lpCaption, uType ) : 0;
}

// Set up the hook (once, e.g. in InitInstance, after MyMessageBox has been declared)
VERIFY ( CFuncInAPIHook::Instance().HookFunction ( _T("user32.dll"), _T("MessageBoxW"), AfxGetInstanceHandle(), ( PROC )&MyMessageBox ) );

// This call will be hooked.  MessageBoxW is named explicitly so the call goes through
// the hooked import whether or not the build is UNICODE.
::MessageBoxW ( NULL, L"", L"Title", MB_OK );
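The answer above relies on a CFuncInAPIHook helper that is not reproduced on this page. As an added example (not code from the poster, from Richter's book, or from the question), the following shows the mechanism such a helper wraps: walking a loaded module's PE import directory to the IAT slot for a given DLL/function pair, overwriting that slot with a hook, and keeping the original address so the hook can call through. It assumes a 64-bit (PE32+) image; a 32-bit target needs the IMAGE_NT_HEADERS32/IMAGE_THUNK_DATA32 variants with 4-byte thunks. The image it runs against is constructed in memory with hand-chosen RVAs and placeholder addresses (an OPENGL32.dll import of glRotatef and glEnd, chosen to match the question); the constructed numbers mean nothing outside this demo.

```c
/* iat_hook_demo.c: walk a PE32+ image's import directory to the IAT slot for a
 * DLL/function pair, swap it for a hook and keep the original for call-through.
 * Builds on Windows against winnt.h; elsewhere the definitions below let the
 * walker run offline on a constructed in-memory image. */
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else   /* PE32+ layouts mirroring winnt.h; only the fields the walker reads are named */
typedef struct { uint16_t e_magic; uint8_t reserved[58]; int32_t e_lfanew; } IMAGE_DOS_HEADER;
typedef struct { uint32_t VirtualAddress, Size; } IMAGE_DATA_DIRECTORY;
typedef struct { uint16_t Magic; uint8_t fields[110]; IMAGE_DATA_DIRECTORY DataDirectory[16]; } IMAGE_OPTIONAL_HEADER64;
typedef struct { uint32_t Signature; uint8_t FileHeader[20]; IMAGE_OPTIONAL_HEADER64 OptionalHeader; } IMAGE_NT_HEADERS64;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } IMAGE_IMPORT_DESCRIPTOR;
typedef struct { union { uint64_t Function, Ordinal, AddressOfData; } u1; } IMAGE_THUNK_DATA64;
typedef struct { uint16_t Hint; char Name[1]; } IMAGE_IMPORT_BY_NAME;
#define IMAGE_DOS_SIGNATURE 0x5A4D
#define IMAGE_NT_SIGNATURE 0x00004550
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000ULL
_Static_assert(sizeof(IMAGE_NT_HEADERS64) == 264, "PE32+ header layout");
#endif

static int name_eq(const char *a, const char *b)   /* DLL names compare case-insensitively */
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}

/* IAT slot through which `base` imports `func` from `dll`, or NULL.  The INT
 * (OriginalFirstThunk) keeps the names and the IAT (FirstThunk) the resolved
 * addresses; both are walked in lockstep.  A descriptor with no INT cannot be
 * matched by name once the loader has filled its IAT, so it is skipped. */
static uint64_t *find_iat_slot(void *base, const char *dll, const char *func)
{
    uint8_t *b = (uint8_t *)base;
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)b;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    IMAGE_NT_HEADERS64 *nt = (IMAGE_NT_HEADERS64 *)(b + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return NULL;
    uint32_t rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (rva == 0) return NULL;   /* no import directory at all */
    for (IMAGE_IMPORT_DESCRIPTOR *imp = (IMAGE_IMPORT_DESCRIPTOR *)(b + rva); imp->Name; imp++) {
        if (!imp->OriginalFirstThunk || !name_eq((const char *)(b + imp->Name), dll)) continue;
        IMAGE_THUNK_DATA64 *names = (IMAGE_THUNK_DATA64 *)(b + imp->OriginalFirstThunk);
        IMAGE_THUNK_DATA64 *iat = (IMAGE_THUNK_DATA64 *)(b + imp->FirstThunk);
        for (; names->u1.AddressOfData; names++, iat++) {
            if (names->u1.Ordinal & IMAGE_ORDINAL_FLAG64) continue;   /* imported by ordinal: no name */
            IMAGE_IMPORT_BY_NAME *ibn = (IMAGE_IMPORT_BY_NAME *)(b + names->u1.AddressOfData);
            if (strcmp(ibn->Name, func) == 0) return (uint64_t *)&iat->u1.Function;
        }
    }
    return NULL;
}

/* Swap `hook` into the slot and return the original address for call-through.  On
 * Windows the IAT page is read-only at run time, so it is unprotected for the write
 * only; 0 is returned if that fails. */
static uint64_t patch_iat_slot(uint64_t *slot, uint64_t hook)
{
    uint64_t original = *slot;
#ifdef _WIN32
    DWORD old;
    if (!VirtualProtect(slot, sizeof *slot, PAGE_READWRITE, &old)) return 0;
    *slot = hook;
    VirtualProtect(slot, sizeof *slot, old, &old);
#else
    *slot = hook;   /* constructed image in ordinary memory: nothing to unprotect */
#endif
    return original;
}

/* Constructed PE32+ image (not a real binary; hand-chosen RVAs) importing
 * OPENGL32.dll!{glRotatef, glEnd}, with placeholder addresses in the IAT. */
static union { uint64_t align; uint8_t bytes[2048]; } image;

static uint8_t *build_test_image(void)
{
    uint8_t *b = image.bytes;
    memset(b, 0, sizeof image);
    ((IMAGE_DOS_HEADER *)b)->e_magic = IMAGE_DOS_SIGNATURE; ((IMAGE_DOS_HEADER *)b)->e_lfanew = 0x40;
    IMAGE_NT_HEADERS64 *nt = (IMAGE_NT_HEADERS64 *)(b + 0x40);
    nt->Signature = IMAGE_NT_SIGNATURE;
    nt->OptionalHeader.Magic = 0x20B;   /* PE32+ */
    nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0x200;
    IMAGE_IMPORT_DESCRIPTOR *d = (IMAGE_IMPORT_DESCRIPTOR *)(b + 0x200);   /* d[1] stays zero: terminator */
    d[0].Name = 0x400; d[0].OriginalFirstThunk = 0x300; d[0].FirstThunk = 0x320;
    strcpy((char *)b + 0x400, "OPENGL32.dll");
    strcpy((char *)b + 0x412, "glRotatef");   /* IMAGE_IMPORT_BY_NAME: +2 skips the Hint */
    strcpy((char *)b + 0x422, "glEnd");
    uint64_t *t = (uint64_t *)(b + 0x300);    /* INT at 0x300, IAT at 0x320: IAT index = INT index + 4 */
    t[0] = 0x410; t[4] = 0x7FF6B0002000ULL;   /* glRotatef (placeholder "resolved" address) */
    t[1] = 0x420; t[5] = 0x7FF6B0002100ULL;   /* glEnd */
    return b;   /* t[2] is zero: end of both thunk arrays */
}

/* Hook OPENGL32!glRotatef in `base`; returns the saved original (0 if absent). */
static uint64_t hook_glrotatef(void *base, uint64_t hook)
{
    uint64_t *slot = find_iat_slot(base, "opengl32.dll", "glRotatef");
    return slot ? patch_iat_slot(slot, hook) : 0;
}
```

On Windows, `hook_glrotatef(GetModuleHandle(NULL), (uint64_t)&myglRotatef)` from inside the injected DLL patches the main executable's own import; a module that calls glRotatef through another DLL has its own IAT and must be walked separately, and GetProcAddress lookups bypass the IAT entirely (Richter's class hooks those too). The slot only carries an address: the replacement function must still be declared with the target's calling convention (APIENTRY, i.e. __stdcall, for OpenGL on x86), which is exactly the WINAPI point the answer's comment makes.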