How to change function pointers?

[philkr]

This is not directly linked with assembler, but I thought I post it here, because you seem to know the most of 'internal' things.
Problem: I have a DLL loaded into my address space and I want to change the pointers of the exported functions, so that when I call an exported function not the normal function is called, but another function which I specify doing the change. I hope I said it clear enough. Can you help me?

[Hobson]

Look at this article:
http://www.codeguru.com/Cpp/W-P/dll/...icle.php/c127/

[philkr]

Thanks for the link. It's rather a bit of source code than an article, but something to start with. However, I need something like a tutorial. I want to know what I'm doing and not only copy & paste other people's code.

[NoHero]

This is not directly linked with assembler, but I thought I post it here, because you seem to know the most of 'internal' things.
Problem: I have a DLL loaded into my address space and I want to change the pointers of the exported functions, so that when I call an exported function not the normal function is called, but another function which I specify doing the change. I hope I said it clear enough. Can you help me?

Is the function specifing the change an application defined or DLL defined function?

[philkr]

I think it is the best to use an example:
I have a hook DLL which is in the address space of mspaint.exe for example. If you open a file in mspaint GetOpenFileNameW() function from COMDLG32.DLL will be called. Instead I want now to call my OpenFileName() function which is in my hook DLL, in order to show my custom open dialog with preview functionality. I only know I need to change the import address table. But I don't know in which memory location it is.

[NoHero]

I think it is the best to use an example:
I have a hook DLL which is in the address space of mspaint.exe for example. If you open a file in mspaint GetOpenFileNameW() function from COMDLG32.DLL will be called. Instead I want now to call my OpenFileName() function which is in my hook DLL, in order to show my custom open dialog with preview functionality. I only know I need to change the import address table. But I don't know in which memory location it is.

This is your article...

[philkr]

Thank you very much! Given the above article and a description of the Windows PE format I managed to write my own functions for changing the import address table. Almost everything works. My function which overwrites the API address returns a pointer to the old function and it is the right GetOpenFileNameW pointer (I checked it with Dependency Walker). Now the problem: Notepad.exe does not seem to get my new function pointer right. It seems to point to garbage, at least notepad now crashes when clicking open. It was given in this way: &MyFunction. Why does it not work? Do I have to export my override function?

[NoHero]

Thank you very much! Given the above article and a description of the Windows PE format I managed to write my own functions for changing the import address table. Almost everything works. My function which overwrites the API address returns a pointer to the old function and it is the right GetOpenFileNameW pointer (I checked it with Dependency Walker). Now the problem: Notepad.exe does not seem to get my new function pointer right. It seems to point to garbage, at least notepad now crashes when clicking open. It was given in this way: &MyFunction. Why does it not work? Do I have to export my override function?

Yes you have to export via the DEF way. Otherwise the function will not converted correctly to the destinations address space, and you might not have enough rights to access it.

[philkr]

Yes you have to export via the DEF way. Otherwise the function will not converted correctly to the destinations address space, and you might not have enough rights to access it.

I did what you said, but it still doesn't work. By the way: the entry address of the exported function in dependency walker is the same as if using &MyFunction. But I tried also GetProcAddress() and tried to define my function with __stdcall, but it is still crashing. I am completely desperate.

EDIT:

An important requirement is that the newly provided function must have exactly the same signature as the original one

What does that mean exactly, perhaps this is the key to a solution.

[philkr]

It works!!! I was just doing a wrong copy operation when I copied the new pointer.

[NoHero]

What does that mean exactly, perhaps this is the key to a solution.

This means that the new function must have the same calling convention (how it returns the return value, parameter passing order, stack clean up etc.) as the old one. Otherwise you can run into CPU faults.