I want to do the following:
I have a function that is not mine (it really doesn't matter here but just to say that I don't have control over it) and that I want to patch so that it calls a function of mine, preserving the arguments list (jumping is not an option).
What I'm trying to do is, to put the stack pointer as it was before that function is called and then call mine (like going back and do again the same thing but with a different function). This doesn't work straight because the stack becomes messed up. I believe that when I do the call it replaces the return address. So, I did a step to preserve the return address saving it in a globally variable and it works but this is not ok because I want it to resist to recursitivy and you know what I mean. Anyway, i'm a newbie in assembly so that's why I'm here.
Please, don't tell me about already made software to do this because I want to make things my way.
Of course, this code has to be compiler and optimization independent.
My code (If it is bigger than what is acceptable please tell me how to post it):
// A function that is not mine but to which I have access and want to patch so that it calls a function of mine with its original arguments
void real(int a,int b,int c,int d)
{
}
// A function that I want to be called, receiving the original arguments
void receiver(int a,int b,int c,int d)
{
printf("Arguments %d %d %d %d\n",a,b,c,d);
}
long helper;
// A patch to apply in the "real" function and on which I will call "receiver" with the same arguments that "real" received.
__declspec( naked ) void patch()
{
_asm
{
// This first two instructions save the return address in a global variable
// If I don't save and restore, the program won't work correctly.
// I want to do this without having to use a global variable
mov eax, [ebp+4]
mov helper,eax
push ebp
mov ebp, esp
// Make that the stack becomes as it were before the real function was called
add esp, 8
// Calls our receiver
call receiver
mov esp, ebp
pop ebp
// Restores the return address previously saved
mov eax, helper
mov [ebp+4],eax
ret
}
}
int _tmain(int argc, _TCHAR* argv[])
{
FlushInstructionCache(GetCurrentProcess(),&real,5);
DWORD oldProtection;
VirtualProtect(&real,5,PAGE_EXECUTE_READWRITE,&oldProtection);
// Patching the real function to go to my patch
((unsigned char*)real)[0] = 0xE9;
*((long*)((long)(real) + sizeof(unsigned char))) = (char*)patch - (char*)real - 5;
// calling real function (I'm just calling it with inline assembly because otherwise it seems to works as if it were un patched
// that is strange but irrelevant for this
_asm
{
push 666
push 1337
push 69
push 100
call real
add esp, 16
}
return 0;
}
