A minimal trampoline hook for functions on x86/x64 systems.

This code is written fairly crudely: it hardcodes the prologue bytes and assumes every target function starts with the same assembly instructions, which is not flexible. This repository covers only the basics of how trampoline hooking works.

Let's say the target function contains this assembly code:
1. 8B FF: mov edi, edi
2. 55: push ebp
3. 8B EC: mov ebp, esp
4. 83 EC 10: sub esp, 10
- Create your own C++ detour function, make a `typedef` prototype, and return through it at the end of your function, since you need to call the original function (the gateway, i.e. the trampoline).

```cpp
typedef void(*target_function)(int a, int b, int c);
target_function trampoline_function = nullptr;

void some_function(int a, int b, int c) {
    return trampoline_function(a, b, c);
}
```
- Create a gateway (codecave) and allocate at least 5 bytes for the `jmp`, plus the sizes in bytes of the `mov eax/rax, address`, `push eax/rax` and `ret` instructions, so the gateway can jump back out and keep the program flow going.
- Copy the first 5 bytes of the target function into the gateway. This makes the gateway execute the target function's original code, so you can call it at any time. The copied bytes must be whole instructions that contain no relative addressing (this prologue qualifies; a prologue with a relative `call` or `jmp` would not).

1. 8B FF: mov edi, edi
2. 55: push ebp
3. 8B EC: mov ebp, esp
- Fill in the additional bytes you allocated earlier for the gateway. You can get those bytes from Cheat Engine by assembling your own instructions. Make sure the address is `target_function_address + 5`, the next instruction after the `jmp` that will be written into the target function later.

1. 8B FF: mov edi, edi
2. 55: push ebp
3. 8B EC: mov ebp, esp
4. (48) B8 xxxxxxxx(xxxxxxxx): mov eax/rax, target_function_address+5
5. 50: push eax/rax
6. C3: ret
- Cast the gateway address to the prototype you defined earlier.
- Detour (modify) the first 5 bytes of the target function with a `jmp` to your C++ function's address. The relative `jmp` offset formula is `dst - src - 5` (destination address minus the address of the `jmp` itself, minus the instruction's 5-byte length).

1. E9 xxxxxxxx: jmp your_function
4. 83 EC 10: sub esp, 10
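As an added example (not the repository's own code), the byte arithmetic behind the gateway and detour steps above in C: it encodes the `E9 rel32` detour for a given source and destination, and lays out the gateway as stolen prologue bytes followed by `mov eax/rax, target+5 ; push ; ret`. The addresses and the stolen bytes used in the comments are constructed sample values; nothing here touches memory protection or writes into a live function.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian helpers so the byte layout matches what the CPU decodes. */
static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void put_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* rel32 of an E9 jmp placed at `src` that lands on `dst`. The displacement is
   measured from the end of the 5-byte jmp, hence dst - src - 5. */
int32_t rel_jmp_offset(uint64_t src, uint64_t dst) {
    return (int32_t)((int64_t)dst - (int64_t)src - 5);
}

/* Write the 5-byte detour `E9 rel32` into `out`; returns bytes written.
   Sample: src 0x00401000, dst 0x00402000 -> E9 FB 0F 00 00. */
size_t encode_detour(uint8_t *out, uint64_t src, uint64_t dst) {
    out[0] = 0xE9;
    put_le32(out + 1, (uint32_t)rel_jmp_offset(src, dst));
    return 5;
}

/* Build the gateway: the stolen prologue bytes (e.g. 8B FF 55 8B EC) followed
   by mov eax/rax, target+5 ; push eax/rax ; ret. Returns bytes written.
   The caller must ensure `stolen` holds whole, position-independent
   instructions; this function does not disassemble them. */
size_t build_gateway(uint8_t *out, const uint8_t *stolen, size_t stolen_len,
                     uint64_t target, int is_x64) {
    size_t n = 0;
    memcpy(out, stolen, stolen_len);          /* steps 1-3: copied prologue */
    n += stolen_len;
    uint64_t resume = target + 5;             /* first byte after the detour */
    if (is_x64) {
        out[n++] = 0x48; out[n++] = 0xB8;     /* REX.W + mov rax, imm64 */
        put_le64(out + n, resume); n += 8;
    } else {
        out[n++] = 0xB8;                      /* mov eax, imm32 */
        put_le32(out + n, (uint32_t)resume); n += 4;
    }
    out[n++] = 0x50;                          /* push eax/rax */
    out[n++] = 0xC3;                          /* ret */
    return n;
}
```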