
I hooked a C++ member method with a detour.

The method's declaration was retrieved in IDA from the symbol file (*.pdb):

LPVOID __thiscall Foo(class UnknownClass, unsigned int, int)

Here is how I replace the real method:

#include <windows.h>

// the first parameter of the method is an unknown class to me
// I don't know its implementation, don't know its size
// so I just declare a dummy class with a large enough size
class UnknownClass { public: CHAR dummy[1024]; };

// forward declaration so the member-function-pointer typedef can name the class
class MyDummyClass;

typedef LPVOID (__thiscall MyDummyClass::*PFN_Foo)( UnknownClass, unsigned int, int );

class MyDummyClass
{
public:
    // The address of the real method
    PFN_Foo m_pfnFoo;

    // My method to replace the real one
    LPVOID MyFoo( UnknownClass p1, unsigned int p2, int p3)
    {
        MyDummyClass * pThis = (MyDummyClass*)this;

        // call the real one.
        // and here the error happens
        return (pThis->*m_pfnFoo)( p1, p2, p3 );
    }
};

The hook works and MyFoo is called instead of the real method. But when the real method is called, an error occurs:

Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.

Do you have any advice for me? How should this kind of hook be handled when one of the parameters is passed as an object whose implementation I don't know?
