-
Notifications
You must be signed in to change notification settings - Fork 8
FAQ
"Indev" stands for "In development", which means the current implemention of PEDoll still lacks crucial features and/or contains serious bugs or flaws. PEDoll in this development stage is not considered a useable tool under real situations; it's rather a 'toy' or a 'hobby project'.
'Indev' also means no forward/backward compatibility is guaranteed; anything may change at anytime in this development stage.
PEDoll will be in this development stage, as long as there are still development goals in the TODO list.
These activations are actually different "phases" of a single activation.
Sometimes we care about the result of a function, e.g. an UDP packet from API recvfrom. This can be easliy implemented with a traditional inline hook handler, in which we can inform the user after calling the hooked function.
PEDoll does not utilize a "traditional inline hook handler". Instead, it hooks the function's return address each time the function is being called. This temporary return hook constitutes the "after" phase of the hook.
You can perform hook actions, evaluate expressions and give out verdicts on a "after" phase hook just like "before" ones (with an exception of cannot reject a "after" hook - what's the point?). If no action is required, you can simply skip this phase by setting its default verdict to "approve".
The client might is not using the function you have hooked.
Unlike Windows APIs which have a consistent module to reside in, the C standard library functions often have multiple copies in many different DLLs. Make sure to hook the function from the module client is using.
To make things worse, the client execuable can keep it's own copy of standard library functions via statically linking to the C library. If the debugging symbols is also removed from the execuable (which is often the case), you will have to locate the function via patterns, or hook the underlying Windows API (e.g. WriteConsole in place of printf) instead.
For additional information, see explanation given in Detours' FAQ.
tl;dr: There's no stdcall on a x64 client; use msvc in place of any x86 convention.
TODO
tl;dr: Set to 4 * (argument count) for a x86 Windows API (stdcall functions), 4 * (argument count - 2) for x86 fastcall functions and 0 for any other situations.
TODO