Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GetTrampoline() Returns 0 If Hooking WINAPI #9

Closed
YaseenTwati opened this issue Apr 16, 2015 · 3 comments
Closed

GetTrampoline() Returns 0 If Hooking WINAPI #9

YaseenTwati opened this issue Apr 16, 2015 · 3 comments

Comments

@YaseenTwati
Copy link

It works well with normal functions but when hooking something from WIN32 API it return 0 .
Lets say we hooked MessageBox the only to call the original function would be using a ScopedRemove or a Remove.
@AAvivB AAvivB mentioned this issue Jul 18, 2015
Closed
@4zv4l
Copy link

4zv4l commented Feb 8, 2023

I also have that issue, any solution yet ?

@Zeex
Copy link
Owner

Zeex commented Feb 9, 2023
edited
Loading

I have just tried to do the same.

In my case the trampoline could not be created because the offset between the trampoline's code buffer address and a memory address used in one of the leading instructions inside MessageBoxA (those that we copy to the trampoline) was more than could be stored in 32 bits, i.e. size of the memory operand in that instruction (this is the branch where subhook_make_trampoline returns -EOVERFLOW), therefore it was not possible to safely relocate the code to the trampoline (that would change the address referenced by the original code). See my screenshot below.

image

I think that it's most likely what happened in your case too. This one of the limitations of the trampoline approach implemented in subhook.

@Zeex Zeex closed this as completed Feb 9, 2023
Zeex added a commit that referenced this issue Feb 9, 2023
@Zeex
Update limitations in README
4f173b2 
Related to #9
Zeex added a commit that referenced this issue Feb 9, 2023
@Zeex
Add flag to support allocation of trampolines within 32-bit offset ra…
85a2406 
…nge of target code on 64-bit Windows

Plus minor formatting fixes and more documentation for flags.

Fixes #9
@Zeex
Copy link
Owner

Zeex commented Feb 9, 2023

Now there is a new flag SUBHOOK_TRAMPOLINE_ALLOC_NEARBY that will use a new experimental trampoline allocation strategy. I was able to make my MessageBox test work with this flag. Note: to create trampolines, you now need to also add SUBHOOK_TRAMPOLINE flag (they are off by default).

This approach may be pretty slow though (hence experimental), as there is a chance it will make a million calls to VirtualAlloc inside a loop.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Zeex @YaseenTwati @4zv4l