Hi,
I wanted a very simple detour (hook) mechanism, for doing obvious stuff like:
#include <stdio.h>
#include <windows.h>
/* pointer to the untouched copy of the real function, set up by the hooking code */
static BOOL (WINAPI *real_GetCursorPos)(POINT *p);
BOOL WINAPI hook_GetCursorPos(POINT *p)   /* same calling convention as the original */
{
    printf("GetCursorPos called\n");
    return real_GetCursorPos(p);
}
The approaches I found were all a bit too big for my taste (EasyHook is nice but very large, the Microsoft Detours approach (e.g. having an additional trampoline code stub) is okay but also a tad too much overhead imho) and rewriting my code with something like:
#include <stdio.h>
#include <windows.h>
void restore_old_code(void);        /* puts the original bytes back so the real function runs */
void put_the_jmp_in_again(void);    /* re-installs the jmp after the call returns */
static BOOL (WINAPI *real_GetCursorPos)(POINT *p);
BOOL WINAPI hook_GetCursorPos(POINT *p)
{
    BOOL foo;
    printf("GetCursorPos called\n");
    restore_old_code();
    foo = real_GetCursorPos(p);
    put_the_jmp_in_again();
    return foo;
}
is not an option.
So I thought I could just load a DLL, allocate some memory (preferably close to the original image base of the loaded one), copy the image, fix up the base relocations and there you go. Now we have the DLL in memory in a different spot and I can compute the proc address by the difference from the original proc address in the real DLL. The upside is that I can now just overwrite the original funcs with a bunch of jmps and don't need to restore them because I can call the original function in the second DLL. Nor do I have to rewrite stuff for trampolines (since you'd still have to do some disasm to make sure the trampoline would work), etc. This all works nicely, I tested it (quickly) on XP through to Win7, both on 32 and 64 bit.
Now my question; are there things I'm missing? e.g. are there potential problems? Since I'm only fixing up the base relocation all the other pointers in the DLL still point to the original DLL - but I don't think this is a problem ... or is it? I'm not sure but I have a feeling I could be missing something here so feedback is highly appreciated!
Thanx
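The relocation step the post describes, as an added example that is not the poster's code: a portable C routine that walks a PE .reloc directory (IMAGE_BASE_RELOCATION blocks followed by 16-bit type/offset entries) over a flat copy of an image and adds the base delta to every HIGHLOW (32-bit) and DIR64 (64-bit) target, refusing malformed block sizes, out-of-image targets and entry types it does not handle, plus the RVA arithmetic that maps an export in the original module to the same export in the copy. The struct layout and type values are from the PE format; the image buffer, its two pointers and the linked/copy bases are constructed sample data, and the example builds without windows.h so it runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_BASE_RELOCATION as laid out in the PE spec, declared here so the
   example builds without windows.h. Each block covers one 4 KiB page and is
   followed by 16-bit entries: high 4 bits = type, low 12 bits = page offset. */
typedef struct {
    uint32_t VirtualAddress;   /* RVA of the page this block covers */
    uint32_t SizeOfBlock;      /* header plus entries, in bytes */
} base_reloc_t;

enum { REL_ABSOLUTE = 0, REL_HIGHLOW = 3, REL_DIR64 = 10 };

/* Add `delta` (new base minus linked base) to every pointer the .reloc
   directory names. `image` is the flat copy, `image_size` its length.
   Returns the number of fixups applied, or -1 if the directory is malformed. */
long apply_base_relocations(uint8_t *image, size_t image_size,
                            uint32_t reloc_rva, uint32_t reloc_size, int64_t delta)
{
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;
    size_t off = reloc_rva, end = (size_t)reloc_rva + reloc_size;
    long applied = 0;

    while (off + sizeof(base_reloc_t) <= end) {
        base_reloc_t blk;
        memcpy(&blk, image + off, sizeof blk);
        /* a block must at least hold its header and must stay inside the directory */
        if (blk.SizeOfBlock < sizeof blk || off + blk.SizeOfBlock > end) return -1;

        size_t nent = (blk.SizeOfBlock - sizeof blk) / 2;
        for (size_t i = 0; i < nent; i++) {
            uint16_t e;
            memcpy(&e, image + off + sizeof blk + 2 * i, 2);
            unsigned type = e >> 12;
            size_t target = (size_t)blk.VirtualAddress + (e & 0xFFF);

            if (type == REL_ABSOLUTE) continue;            /* alignment padding */
            if (type == REL_HIGHLOW) {
                if (target + 4 > image_size) return -1;     /* target outside the image */
                uint32_t v; memcpy(&v, image + target, 4);
                v = (uint32_t)(v + delta);
                memcpy(image + target, &v, 4);
            } else if (type == REL_DIR64) {
                if (target + 8 > image_size) return -1;
                uint64_t v; memcpy(&v, image + target, 8);
                v += (uint64_t)delta;
                memcpy(image + target, &v, 8);
            } else {
                return -1;                                  /* type this loader does not handle */
            }
            applied++;
        }
        off += blk.SizeOfBlock;
    }
    return applied;
}

/* The export's RVA is unchanged by the copy; only the base moved. */
uint64_t relocated_proc(uint64_t orig_base, uint64_t orig_proc, uint64_t copy_base)
{
    return copy_base + (orig_proc - orig_base);
}

/* Constructed sample image (not a real DLL): a 32-bit and a 64-bit absolute
   pointer in the page at RVA 0x1000, described by a one-block .reloc
   directory at RVA 0x1800. "Linked" at 0x10000000, "copied" to 0x20000000. */
#define LINKED_BASE 0x10000000ull
#define COPY_BASE   0x20000000ull

int demo_relocate(uint64_t *out32, uint64_t *out64)
{
    static uint8_t image[0x2000];
    memset(image, 0, sizeof image);
    uint32_t p32 = 0x10001234u;
    uint64_t p64 = 0x10001300ull;
    memcpy(image + 0x1008, &p32, 4);
    memcpy(image + 0x1010, &p64, 8);

    base_reloc_t blk = { 0x1000, 16 };              /* 8-byte header + 4 entries */
    uint16_t ents[4] = { (REL_HIGHLOW << 12) | 0x008, (REL_DIR64 << 12) | 0x010, 0, 0 };
    memcpy(image + 0x1800, &blk, sizeof blk);
    memcpy(image + 0x1808, ents, sizeof ents);

    long n = apply_base_relocations(image, sizeof image, 0x1800, 16,
                                    (int64_t)(COPY_BASE - LINKED_BASE));
    if (n != 2) return 0;                           /* exactly the two real entries */
    memcpy(&p32, image + 0x1008, 4);
    memcpy(&p64, image + 0x1010, 8);
    if (out32) *out32 = p32;
    if (out64) *out64 = p64;
    return 1;
}

/* 1 only if both pointers now point into the copy. */
int demo_ok(void)
{
    uint64_t a, b;
    return demo_relocate(&a, &b) && a == 0x20001234ull && b == 0x20001300ull;
}

int main(void)
{
    uint64_t a, b;
    if (!demo_relocate(&a, &b)) return 1;
    printf("32-bit pointer now 0x%llx, 64-bit pointer now 0x%llx\n",
           (unsigned long long)a, (unsigned long long)b);
    printf("export copy at 0x%llx\n",
           (unsigned long long)relocated_proc(LINKED_BASE, 0x10001234ull, COPY_BASE));
    return 0;
}
```

The bounds checks are the part worth keeping: a .reloc directory whose block sizes or targets are not validated against the directory and the image is a classic place for a home-grown loader to write out of bounds. Note also what relocation does and does not cover: it rewrites only the absolute pointers the linker recorded, so the copy's code addresses the copy's own globals, while the untouched functions in the original module keep using the original's; the two images do not share writable state after the copy.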