Thelvyn's Thread

thelvyn · January 31, 2007

VirtualQuery and VirtualProtect are used to get information on the page and to set the page to and from writable so there is no exception when you try to write there which is the only thing the two approaches share in common really.

Your way is a lot more error prone unfortunately at least in my experience, probably need a new version any time the binary compatibility changes between dll version don't you ?

ImageDirectoryEntryToData is what you use for finding and replacing the function pointer.

I believe it is possible to do this for non-exported functions as well.

The following are availabe

Value Meaning

IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 Architecture-specific data

IMAGE_DIRECTORY_ENTRY_BASERELOC 5 Base relocation table

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 Bound import directory

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 COM descriptor table

IMAGE_DIRECTORY_ENTRY_DEBUG 6 Debug directory

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 Delay import table

IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 Exception directory

IMAGE_DIRECTORY_ENTRY_EXPORT 0 Export directory

IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 Relative virtual address of global pointer

IMAGE_DIRECTORY_ENTRY_IAT 12 Import address table

IMAGE_DIRECTORY_ENTRY_IMPORT 1 Import directory

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 Load configuration directory

IMAGE_DIRECTORY_ENTRY_RESOURCE 2 Resource directory

IMAGE_DIRECTORY_ENTRY_SECURITY 4 Security directory

IMAGE_DIRECTORY_ENTRY_TLS 9 Thread local storage directory

sparhawk · January 31, 2007

Your way is a lot more error prone unfortunately at least in my experience, probably need a new version any time the binary compatibility changes between dll version don't you ?

Nope. That's the beauty of it. It works in all circumstances. The only drawback is that it might need an update if a function is handwritten, and the mnemonics are not know at that time. Then you would have to update the dissassembler.

ImageDirectoryEntryToData is what you use for finding and replacing the function pointer.

Yeah, but this works only for functions that are called via a functionpointer. My version works for all functions, as long as you know the address, which you obviously always have.

For example, I used this method, to track malloc calls because I was looking for a memory leak. Since malloc is usally linked via a static library, and not called through a dll, I think your method wouldn't work in this case, right? It all depends on what you need. As I said, the dissassembler is really an overkill, but I haven't found a better solution, though I must say, that your method is quite nice, if you know that a pointer is used, because it's more elegant.

Still it, was a nice experience, because as a sidenote, I can use this dissassembler for other things as well.

thelvyn · January 31, 2007

I have never used that method but I have heard horror stories about it breaking apps quite frequently.

I was under the impression that there is ALWAYS a pointer to the function not just for exports/imports.

I could be wrong of course.

If I could have gotten the calling convention squabble fixed I would have implemented that as a class btw.

Every time I tried doom3 would crash on the second call it seems.

I was putting it in... when I changed from the class version it worked fine again.

What I ended up with was no better then doing it by hand so why bother increasing the complexity for no good reason says I.

thelvyn · February 1, 2007

Help me understand this please.

idAi::Collide receives two arguments const trace_t &collision and const idVec3 &oldVelocity

These are just samples.

.\game\ai\ai.cpp(851) :"idAI::Collide Arguments follow"

.\game\ai\ai.cpp(852) :"collision - endAxis = 1 0 0 0 1 0 0 0 1 endpos = -280 -784 -255.75 fraction = 0.000000"

.\game\ai\ai.cpp(853) :"oldVelocity = 0 0 0"