OpenRCE_Sirmabus
November 27th, 2007, 21:21
While browsing around I ran into an article that showed a few intrinsics that might be of interest to those using API hooks, etc. Probably been around since at least VS2003, but I just learned of them. I guess I have to read MSDN, etc., more often.
Code:
void *_ReturnAddress(void)
There is also a "_AddressOfReturnAddress()" which might just be a clean and handy way to look at a function's arguments on the stack along with the return address.
Return address, and, or, better the calling stack are handy things to know when you do API hooks for reversing, and advanced monitoring.
You can track particular API usage right down to the code where invoked, etc.
In the past I resorted to strange hacks using inline assembly like this:
Code:
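DWORD dwReturn = -1;
_asm
{
    //int 3                      // uncomment to break here and find the offset in a debugger
    mov eax,[esp + (4 * 4)]      // hand-computed stack offset of the return address
    mov dwReturn,eax
};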
Ugly huh? Easily broken and error prone. You have to figure out the offset from where the stack is manually. I'd stick that "int 3" in there and catch it in a debugger to figure out the stack offset needed.
Also one can directly use in an API hook (or as a stub) a "__declspec(naked)" declared function with more inline asm, but this is hardly ideal too.
To use these intrinsics just add the header file:
#include <intrin.h>
And this should give you the return address of the function you're in:
PVOID pMyReturn = _ReturnAddress();
EDIT: Tested it out in some normal wrapper/sub-class hooks and works perfectly.
https://www.openrce.org/blog/view/967/Intrinsic_"_ReturnAddress()"_C/C++_WTF!
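
Added example, not part of the original post: a hook-style wrapper that reads its own return address and keeps a per-call-site hit count, illustrating the "track API usage right down to the code where invoked" idea. The names `hook_strlen`, `record_site` and `demo_caller` are hypothetical, `strlen` stands in for the hooked API, and the `__builtin_return_address(0)` branch is an assumption added so the code also builds with GCC/Clang.

```c
#include <stdio.h>
#include <string.h>
#if defined(_MSC_VER)
#include <intrin.h>
#define CALLER_ADDRESS() _ReturnAddress()
#define NOINLINE __declspec(noinline)
#else /* assumption: GCC/Clang builtin standing in for the MSVC intrinsic */
#define CALLER_ADDRESS() __builtin_return_address(0)
#define NOINLINE __attribute__((noinline))
#endif
struct call_site { void *ret; unsigned hits; };
static struct call_site g_sites[16];
static size_t g_site_count;

/* Count one hit for this return address; new sites are dropped if the table is full. */
static void record_site(void *ret)
{
    size_t i;
    for (i = 0; i < g_site_count; i++)
        if (g_sites[i].ret == ret) { g_sites[i].hits++; return; }
    if (g_site_count < sizeof g_sites / sizeof g_sites[0])
        g_sites[g_site_count++] = (struct call_site){ ret, 1 };
}

/* Hypothetical hook wrapper: note who called, then forward to the real function. */
NOINLINE size_t hook_strlen(const char *s)
{
    record_site(CALLER_ADDRESS()); /* read in the hook itself, not in a helper */
    return strlen(s);
}

/* Constructed caller: one call site hit in a loop, plus a second call site. */
NOINLINE size_t demo_caller(void)
{
    volatile size_t rounds = 3;        /* volatile keeps the loop from being unrolled */
    size_t i, total = 0;
    for (i = 0; i < rounds; i++)
        total += hook_strlen("abc");   /* call site A, three hits */
    total += hook_strlen("hello");     /* call site B, one hit */
    return total;
}

int main(void)
{
    size_t i, total = demo_caller();
    for (i = 0; i < g_site_count; i++)
        printf("return address %p: %u call(s)\n", g_sites[i].ret, g_sites[i].hits);
    return total == 14 ? 0 : 1;
}
```

The wrapper is marked non-inlined because an inlined hook would report its caller's return address instead of the call site.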