How to change the implementation (detour) of an externally declared function

前端 未结 2 562
囚心锁ツ
囚心锁ツ 2020-11-27 04:18

I have a third party function

function DataCompare(const S1, S2: string; APartial: Boolean): Boolean;
begin
   ...
end;

It is used in anot

相关标签:
2条回答
  • 2020-11-27 05:11

    Yes you can do that, using the ReadProcessMemory and WriteProcessMemory functions to patch the code of the current process. Basically, you get the address of the procedure or function to patch and then insert a Jump instruction to the address of the new procedure.

    Check this code

    Uses
      uThirdParty; //this is the unit where the original DataCompare function is declarated
    
    type
      //strctures to hold the address and instructions to patch
      TJumpOfs = Integer;
      PPointer = ^Pointer;
    
      PXRedirCode = ^TXRedirCode;
      TXRedirCode = packed record
        Jump: Byte;
        Offset: TJumpOfs;
      end;
    
      PAbsoluteIndirectJmp = ^TAbsoluteIndirectJmp;
      TAbsoluteIndirectJmp = packed record
        OpCode: Word;
        Addr: PPointer;
      end;
    
    var
     DataCompareBackup: TXRedirCode; //Store the original address of the function to patch
    
    
    //this is the implementation of the new function
    function DataCompareHack(const S1, S2: string; APartial: Boolean): Boolean;
    begin
      //here write your own code
    end;
    
    //get the address of a procedure or method of a function 
    function GetActualAddr(Proc: Pointer): Pointer;
    begin
      if Proc <> nil then
      begin
        if (Win32Platform = VER_PLATFORM_WIN32_NT) and (PAbsoluteIndirectJmp(Proc).OpCode = $25FF) then
          Result := PAbsoluteIndirectJmp(Proc).Addr^
        else
          Result := Proc;
      end
      else
        Result := nil;
    end;
    
    //patch the original function or procedure
    procedure HookProc(Proc, Dest: Pointer; var BackupCode: TXRedirCode);
    var
      n: {$IFDEF VER230}NativeUInt{$ELSE}DWORD{$ENDIF};
      Code: TXRedirCode;
    begin
      Proc := GetActualAddr(Proc);
      Assert(Proc <> nil);
      //store the address of the original procedure to patch
      if ReadProcessMemory(GetCurrentProcess, Proc, @BackupCode, SizeOf(BackupCode), n) then
      begin
        Code.Jump := $E9;
        Code.Offset := PAnsiChar(Dest) - PAnsiChar(Proc) - SizeOf(Code);
        //replace the target procedure address  with the new one.
        WriteProcessMemory(GetCurrentProcess, Proc, @Code, SizeOf(Code), n);
      end;
    end;
    //restore the original address of the hooked function or procedure
    procedure UnhookProc(Proc: Pointer; var BackupCode: TXRedirCode);
    var
      n: {$IFDEF VER230}NativeUInt{$ELSE}Cardinal{$ENDIF};
    begin
      if (BackupCode.Jump <> 0) and (Proc <> nil) then
      begin
        Proc := GetActualAddr(Proc);
        Assert(Proc <> nil);
        WriteProcessMemory(GetCurrentProcess, Proc, @BackupCode, SizeOf(BackupCode), n);
        BackupCode.Jump := 0;
      end;
    end;
    
    //Patch the original procedure or function
    procedure HookDataCompare;
    begin
      //look how is passed the address of the original procedure (including the unit name)
      HookProc(@uThirdParty.DataCompare, @DataCompareHack, DataCompareBackup);
    end;
    
    //restore the address of the original procedure or function
    procedure UnHookDataCompare;
    begin
      UnhookProc(@uThirdParty.DataCompare, DataCompareBackup);
    end;
    
    
    initialization
     HookDataCompare;
    finalization
     UnHookDataCompare;
    end.
    

    Now every time you execute your app and a call to the DataCompare function was made, the jump instruction (to he new address) will be executed causing which the DataCompareHack function will be called instead.

    0 讨论(0)
  • 2020-11-27 05:15

    I think JCL has some utils for this kind of stuff... I haven't used it myself but had a quick look and following items look promising:

    jclSysUtils.WriteProtectedMemory()
    jclPeImage.TJclPeMapImgHooks.ReplaceImport()
    

    I think the jclHookExcept.JclHookExceptions() demonstrates how to use them.

    0 讨论(0)
提交回复
热议问题