Tutorial Thiscall (member function) hooking


c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,183
19,938
76
Generally every member function is a thiscall: https://en.wikipedia.org/wiki/X86_calling_conventions#thiscall

To recognize thiscall, you should note the first argument will always be the this pointer (pushed to stack last - first in last out rule), pointing to the object. It's usually passed through ECX.

Now the problem with hooking a thiscall comes into play, you can't simply define a __thiscall and use that as your hook, your compiler won't allow it (some might though, idk).

But luckily we have another convention known as fastcall which acts out essentially the same (there just won't be any this pointers automatically added since it's not used for member functions). Therefore, we just add another pointer as the first argument.

So for example if your target member function would normally look something like this:
C++:
void* __thiscall memberFunction(int firstArg, char secondArg);
But since you can't define a function as __thiscall, you will build your hook as a fastcall with additional this pointer as first argument:
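C++:
// EDX is the second __fastcall register; __thiscall does not use it, so this placeholder keeps the stack arguments lined up.
void* __fastcall memberFunction(void* pThis, void* edx, int firstArg, char secondArg);
C++:
#include <windows.h>
#include "detours.h"

// Pointer type for the trampoline to the original function (same shape as the hook).
typedef void*(__fastcall* oMemberFunction)(void*, void*, int, char);
oMemberFunction pMemberFunction;

void* __fastcall hMemberFunction(void* pThis, void* edx, int firstArg, char secondArg)
{
	// Forward the call to the original through the trampoline.
	return pMemberFunction(pThis, edx, firstArg, secondArg);
}

// Install the hook once during initialization; dwFunc is the address of the target member function.
pMemberFunction = (oMemberFunction)DetourFunction((PBYTE)dwFunc, (PBYTE)hMemberFunction);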
 

Rake

I'm not your friend
Administrator
Jan 21, 2014
13,032
79,068
2,469
Thank you for sharing this tutorial with us, c5! :)
 

NTvalk

Hacker
Meme Tier VIP
Jul 6, 2013
499
3,108
8
Thanks, will remember. I guess this will save lots of time :)
 

Ayyyther

Newbie
Dank Tier Donator
Feb 14, 2016
36
683
1
C++:
pMemberFunction = (oMemberFunction )DetourFunction((PBYTE)dwFunc,(PBYTE)hMemberFunction);
DetourFunction being a function to perform instead? dwFunc being what? I'd really appreciate clarification on this post.
 

Broihon

Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,793
41,598
324
dwFunc is the pointer to the function which you want to hook. DetourFunction is just your normal detour function which places a jump at the target function to your hook function and creates a trampoline back to the original function.

Edit: When using a __fastcall to hook a member function the second argument is actually not the "real" second argument:
void __fastcall hkFunc(void * ThisPtr, void * EDX, args...);
Ignore the second argument.
 
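The jump that a detour writes at the start of the target function, as described in the reply above, is also what an integrity check looks for. The following is an added example, not code from this thread or from Detours: it classifies a function's first bytes against three common x86 redirect encodings and resolves where the jump lands. The names (`inspect_prologue`, `leaves_module`), sample bytes and addresses are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>

enum class Prologue { Clean, JmpRel32, JmpIndirect, PushRet };

struct HookFinding {
    Prologue kind;
    uint32_t target;  // resolved destination (JmpRel32, PushRet), otherwise 0
};

// Read a little-endian 32-bit value regardless of host byte order.
static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// code/len: bytes copied from the start of a 32-bit function; va: address they were read from.
HookFinding inspect_prologue(const uint8_t* code, std::size_t len, uint32_t va) {
    if (len >= 5 && code[0] == 0xE9)                      // jmp rel32, relative to the next instruction
        return { Prologue::JmpRel32, va + 5 + le32(code + 1) };
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)   // jmp dword ptr [abs32]
        return { Prologue::JmpIndirect, 0 };
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)   // push imm32 ; ret
        return { Prologue::PushRet, le32(code + 1) };
    return { Prologue::Clean, 0 };
}

// A redirect that lands outside the owning module's image is the suspicious case.
bool leaves_module(const HookFinding& f, uint32_t base, uint32_t size) {
    if (f.kind == Prologue::Clean) return false;
    if (f.kind == Prologue::JmpIndirect) return true;     // target needs a memory read; flag it
    return f.target < base || f.target - base >= size;
}

// Constructed samples: an ordinary prologue and two patched ones that both go to 0x10001000.
static const uint8_t kClean[]   = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };  // push ebp; mov ebp,esp; sub esp,10h
static const uint8_t kJmp[]     = { 0xE9, 0xFB, 0xFF, 0xBF, 0x0F, 0x90 };  // jmp 0x10001000; nop
static const uint8_t kPushRet[] = { 0x68, 0x00, 0x10, 0x00, 0x10, 0xC3 };  // push 0x10001000; ret

int main() {
    const uint32_t va = 0x00401000, base = 0x00400000, size = 0x00100000;  // constructed layout
    bool ok = !leaves_module(inspect_prologue(kClean, sizeof kClean, va), base, size)
           &&  leaves_module(inspect_prologue(kJmp, sizeof kJmp, va), base, size)
           &&  leaves_module(inspect_prologue(kPushRet, sizeof kPushRet, va), base, size);
    return ok ? 0 : 1;
}
```

A legitimate hot-patch or instrumentation layer produces the same byte patterns, so the resolved target has to be checked against an allow-list of known modules before it is treated as tampering.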

Rake

I'm not your friend
Administrator
Jan 21, 2014
13,032
79,068
2,469
Necroed a good thread that I never read before! Sweet!
 

xkhen0017

Newbie
Full Member
May 31, 2017
21
553
2
Which detour library do you prefer? Microsoft Detour v1.5 or the new 3.0 Detour?
 

gingerbreadbot

Trump Tier Donator
Full Member
Mar 3, 2018
18
488
0
Since this has already been necro'd:
You can also define a stdcall hook and use inline assembly to move this out of ecx, but note this approach requires you move it back into ecx before you return.
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,315
37,938
271
i mean last post was nearly a year ago but aight lmao
 

Rake

I'm not your friend
Administrator
Jan 21, 2014
13,032
79,068
2,469
Most people use detours when they're a noob and then stop using it when they learn to write their own trampoline hook
 

IXSO

Newbie
Full Member
Nobleman
Dec 30, 2017
197
2,268
22
Or in reverse - figure it out manually and then realise there has been a fcking "DetourFunction" the entire time....
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,315
37,938
271
if you do it in reverse you're officially not a noob in that area
 
May 21, 2018
1
4
0
Any idea what happn not heppning

I looked it up in detours.h:

PBYTE WINAPI DetourFunction(PBYTE pbTargetFunction,
PBYTE pbDetourFunction);

and WINAPI is __stdcall


Omg, I need this fastcall, but when I load the internal nothing happens
 

Broihon

Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,793
41,598
324
It doesn't matter what calling convention the detour function is. You can still hook a thiscall/fastcall from an stdcall function. Not sure if I got your problem though.
 

Stricknein

Dank Tier Donator
Aug 14, 2019
23
298
0
Very informative post, thank you.
 
