address of functions

[zameericle]

can anyone explain the following code-snippet (found on codeproject - program 75 http://www.codeproject.com/atl/atl_u...asp#xx321175xx)

Code:

#include <iostream>
#include <windows.h>
using namespace std;

class C;

C* g_pC = NULL;

typedef void(*pFUN)();

#pragma pack(push,1)
// structure to store the machine code
struct Thunk
{
    BYTE    m_jmp;          // op code of jmp instruction
    DWORD   m_relproc;      // relative jmp
};
#pragma pack(pop)

class C
{
public:
    Thunk    m_thunk;

    void Init(pFUN pFun, void* pThis)
    {
        // op code of jump instruction
        m_thunk.m_jmp = 0xe9;
        // address of the appripriate function
        m_thunk.m_relproc = (int)pFun - ((int)this+sizeof(Thunk));

        FlushInstructionCache(GetCurrentProcess(), 
                                &m_thunk, sizeof(m_thunk));
    }

    // this is cour call back function
    static void CallBackFun()
    {
        C* pC = g_pC;

        // initilize the thunk
        pC->Init(StaticFun, pC);

        // get the address of thunk code
        pFUN pFun = (pFUN)&(pC->m_thunk);

        // start executing thunk code which will call StaticFun
        pFun();

        cout << "C::CallBackFun" << endl;
    }

    static void StaticFun()
    {
        cout << "C::StaticFun" << endl;
    }
};

int main()
{
    C objC;
    g_pC = &objC;
    C::CallBackFun();
    return 0;
}

the line that I am having difficulty with is:

Code:

        m_thunk.m_relproc = (int)pFun - ((int)this+sizeof(Thunk));

What I don't understand is why you can't use (int)pFun as the address of the function, why the need for the math???

any help would be appreciate.. thanks

Zameer

[galathaea]

One (of the many) defintion of thunk is an inserted jump to a procedure normally used to redirect or intercept a code call. This appears to be what the code is doing. It is inserting a function into the address space before the function that is to be called. The math calculates the start location of this interception code and replaces a call to the original function. This is the reason that it is not just storing the address of the function. It doesn't want to call the function (at least not at first). It first calls the thunk which then appears to make an appropriate jump to the code it wants to execute.

[doublehook]

It seems a way for calculate an address value that is
the result of a substract operation. Casts the function
address to integer value and substracts the size of a piece
of code. It seems a sample of advanced code, but i don't know
if this is usefull and why he does this.

[zameericle]

suppose C::StaticFunc is located at say 0x0000001

why doesn't the following call the function?

jmp 0xe9, 0x0000001

what does ((int)this + sizeof(Thunk)) have to do with calculating the address of where to jump?

unless ofcourse the jmp operand requires a relative address (relative to the program), while &C::StaticFun returns the global address (in memory). But then would that mean that if I defined another class before C, would I then have to use the following to calculate the relative address:

(int)this + sizeof(Thunk) + sizeof(newClass)

for doublehook: This is commonly used in ATL to associate a call back function with it's appropriate hwnd.