Question

I am experimenting with code injection to try and educate myself on how it should be used.

Currently, I have an executable that I have developed as a target for code injection. I also have a DLL that contains the code that I want to inject and an injector process which handles the insertion of the DLL into the target executable's process.

What I'm trying to do specifically is hook a function (which has not been exported) within the target executable's process using the mhook framework.

My injector process works very well and I can verify that my DLL is being inserted properly into the target executable process.

The challenge that I am currently facing is trying to determine what address to pass into mhook as the target location of the function I'm trying to hook. Since it's not an exported function, I can't use the typical approach of calling GetProcAddress() and am having trouble figuring out how to find it.

I have decompiled the target executable in IDA and know where the function resides in the executable file (offset 0x1770), but when I pass this in to mhook it does not call my trampoline function, i.e. my hook doesn't work. I've tried finding the starting memory location of the module while it's running and adding that offset to it, but that doesn't seem to work either.

I appear to be missing something basic in my understanding of code injection but can't figure out what it is. Google hasn't helped me either although I've been researching this for over a week now.

Please help me figure out what value I should be passing in to mhook.

Thanks and please let me know, blargfoot


Solution

Got it. Find the address of the function in IDA and subtract the starting address value listed in IDA. Or using OllyDbg, find the start of the function in memory and subtract the .textbss..text code segment from it. That will give me the offset of the function within the process space. Pass that into mhook and you should be all set.
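The address arithmetic discussed above, as an added example that is not part of the original post: the address IDA shows minus the image base IDA loaded the file at is an offset relative to the module base (an RVA), and the in-process address is the base the module is actually loaded at plus that RVA. The sample header bytes, the address 0x00401770 and the load base 0x00A30000 are constructed values; inside the target process the load base would come from `GetModuleHandle(NULL)`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers, so the parser behaves the same on any host. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Preferred ImageBase from the PE optional header; 0 if the headers are malformed. */
uint64_t pe_preferred_base(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + 0x3c);                /* e_lfanew */
    if (nt > len || len - nt < 24 + 32) return 0;  /* signature, file header, start of optional header */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + nt + 24;
    uint16_t magic = (uint16_t)(opt[0] | opt[1] << 8);
    if (magic == 0x10b) return rd32(opt + 28);     /* PE32: 32-bit ImageBase */
    if (magic == 0x20b) return rd64(opt + 24);     /* PE32+: 64-bit ImageBase */
    return 0;
}

/* Map a disassembler address into the loaded module; 0 if va is below the preferred base. */
uint64_t rebase_va(uint64_t va, uint64_t preferred, uint64_t loaded) {
    if (preferred == 0 || va < preferred) return 0;
    return loaded + (va - preferred);              /* loaded base + RVA */
}

/* Constructed sample: minimal PE32 headers with ImageBase 0x00400000. */
static size_t make_sample(uint8_t *buf, size_t cap) {
    if (cap < 0x100) return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x80;                              /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x98] = 0x0b; buf[0x99] = 0x01;            /* optional header magic 0x10b */
    buf[0xb6] = 0x40;                              /* ImageBase = 0x00400000, little-endian */
    return 0x100;
}

uint64_t demo_runtime_address(void) {
    uint8_t img[0x100];
    size_t n = make_sample(img, sizeof img);
    /* 0x00401770: constructed IDA address; 0x00A30000: constructed load base under ASLR */
    return rebase_va(0x00401770, pe_preferred_base(img, n), 0x00A30000);
}

int main(void) { printf("0x%08llx\n", (unsigned long long)demo_runtime_address()); return 0; }
```

If the number taken from the file is a raw file offset rather than an RVA, it must first be converted through the section table, which this example does not cover.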

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow