These are chat archives for EasyHook/EasyHook

13th
Apr 2017
Andrew
@zezba9000
Apr 13 2017 19:48
Hey, I have a question about hooking a 64-bit app's class method. On 32-bit this hooking works fine, but when I try to hook in when built for x64 I get stack corruption issues.
#include <windows.h>
#include <openvr_driver.h>  // assumed: DriverPose_t is the OpenVR driver pose struct
using vr::DriverPose_t;

class ITestPoseGet
{
public:
    virtual DriverPose_t GetPose() = 0;
};

class ShimTest :
    public ITestPoseGet
{
    DriverPose_t GetPose() override
    {
        return DriverPose_t();
    }
};

// Original slot contents and the replacement. __thiscall, __fastcall and the
// dummy edx parameter describe the 32-bit register layout; MSVC ignores both
// keywords when compiling for x64 and uses its single x64 convention instead.
typedef DriverPose_t(__thiscall *GetPose_Org)(ITestPoseGet* thisptr);
DriverPose_t __fastcall GetPose_Hook(ITestPoseGet* thisptr, int edx)
{
    return DriverPose_t();
}

static void** trackedDeviceVTable = nullptr;
static MEMORY_BASIC_INFORMATION64 trackedDeviceMBI = {};  // x64 build; the x86 build uses MEMORY_BASIC_INFORMATION32
static GetPose_Org GetPose_Ptr = nullptr;
// GetPose is the only virtual in ITestPoseGet, so it occupies vtable slot 0
static const int trackedDeviceVTableIndex_GetPose_Index = 0;

void HookMethod(ITestPoseGet* driver)
{
    trackedDeviceVTable = *(void***)(driver);  // the first pointer-sized field of the object is the vptr
    VirtualQuery((LPCVOID)trackedDeviceVTable, (PMEMORY_BASIC_INFORMATION)&trackedDeviceMBI, sizeof(MEMORY_BASIC_INFORMATION64));
    VirtualProtect((LPVOID)trackedDeviceMBI.BaseAddress, trackedDeviceMBI.RegionSize, PAGE_EXECUTE_READWRITE, &trackedDeviceMBI.Protect);// unlock
    GetPose_Ptr = (GetPose_Org)trackedDeviceVTable[trackedDeviceVTableIndex_GetPose_Index];// save the original slot
    trackedDeviceVTable[trackedDeviceVTableIndex_GetPose_Index] = reinterpret_cast<void*>(&GetPose_Hook);// Hook!
    VirtualProtect((LPVOID)trackedDeviceMBI.BaseAddress, trackedDeviceMBI.RegionSize, trackedDeviceMBI.Protect, &trackedDeviceMBI.Protect);// lock
}
On x86 (32-bit) I use MEMORY_BASIC_INFORMATION32
Somehow the "struct DriverPose_t" is causing issues on x64 and I don't know why
Andrew
@zezba9000
Apr 13 2017 19:53
For x64, does the EDX, etc. layout change?
Andrew
@zezba9000
Apr 13 2017 20:56
I see that the "Microsoft x64 calling convention" is different: https://en.wikipedia.org/wiki/X86_calling_conventions
but I'm still unclear on how to fix this on x64