Tutorial Thiscall (member function) hooking

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
Generally every member function is a thiscall: https://en.wikipedia.org/wiki/X86_calling_conventions#thiscall

To recognize thiscall, you should note the first argument will always be the this pointer (pushed to stack last - first in last out rule), pointing to the object. It's usually passed through ECX.

Now the problem with hooking a thiscall comes into play, you can't simply define a __thiscall and use that as your hook, your compiler won't allow it (some might though, idk).

But luckily we have another convention known as fastcall which acts out essentially the same (there just won't be any this pointers automatically added since it's not used for member functions). Therefore, we just add another pointer as the first argument.

So for example if your target member function would normally look something like this:
C++:
void* __thiscall memberFunction(int firstArg, char secondArg);
But since you can't define a function as __thiscall, you will build your hook as a fastcall with additional this pointer as first argument:
C++:
void* __fastcall memberFunction(void* pThis, int firstArg, char secondArg);
C++:
typedef void(__fastcall* oMemberFunction)(void*, int, char);
oMemberFunction pMemberFunction;

void __fastcall hMemberFunction((void* pThis, int firstArg, char secondArg)
{
	return pMemberFunction(pThis, firstArg, secondArg); 
}  



pMemberFunction = (oMemberFunction )DetourFunction((PBYTE)dwFunc,(PBYTE)hMemberFunction);
 
Last edited:

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,362
78,998
2,413
Thank you for sharing this tutorial with us, c5! :)
 

NTvalk

Hacker
Meme Tier VIP
Jul 6, 2013
499
3,108
8
Thanks will remember, i guess this will save lots of time :)
 

Ayyyther

Newbie
Dank Tier Donator
Feb 14, 2016
36
683
1
C++:
pMemberFunction = (oMemberFunction )DetourFunction((PBYTE)dwFunc,(PBYTE)hMemberFunction);
DetourFunction being a function to perform instead? dwFunc being what? I'd really appreciate clarification on this post.
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,748
41,528
319
C++:
pMemberFunction = (oMemberFunction )DetourFunction((PBYTE)dwFunc,(PBYTE)hMemberFunction);
DetourFunction being a function to perform instead? dwFunc being what? I'd really appreciate clarification on this post.
dwFunc is the pointer to the function which you want to hook. DetourFunction is just your normal detour function which places a jump at the target function to your hook function and creates a trampoline back to the original function.

Edit: When using a __fastcall to hook a member function the second argument is actually not the "real" second argument:
void __fastcall hkFunc(void * ThisPtr, void * EDX, args...);
Ignore the second argument.
 
  • Like
Reactions: IXSO

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,362
78,998
2,413
Necroed a good thread that I never read before! sweet!
 

xkhen0017

Newbie
Full Member
May 31, 2017
21
553
2
Which detour library do you prefer? Microsoft Detour v1.5 or the new 3.0 Detour?
 

gingerbreadbot

Full Member
Mar 3, 2018
18
48
0
Since this has already been necro'd:
You can also define a stdcall hook and use inline assembly to move this out of ecx, but note this approach requires you move it back into ecx before you return.
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,304
37,938
270
i mean last post was nearly a year ago but aight lmao
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,362
78,998
2,413
Mosst people use detours when they're a noob and then stop using it when they learn to write their own trampoline hook
 

IXSO

Newbie
Full Member
Nobleman
Dec 30, 2017
197
2,268
22
Mosst people use detours when they're a noob and then stop using it when they learn to write their own trampoline hook
Or in reverse - figure it out manualy and then realise there has been a fcking "DetourFunction" the entire time....
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,304
37,938
270
if you do it in reverse youre officially not a noob in that area
 
  • Like
Reactions: Broihon
May 21, 2018
1
4
0
Any idea what happn not heppning

i look up at the detours.h

PBYTE WINAPI DetourFunction(PBYTE pbTargetFunction,
PBYTE pbDetourFunction);

and WINAPI is __stdcall


Omg i need this fastcall But when i load the internal nothing happn
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,748
41,528
319
It doesn't matter what calling convention the detour function is. You can still hook a thiscall/fastcall from an stdcall function. Not sure if I got your problem though.
 
  • Like
Reactions: IXSO

Stricknein

Dank Tier Donator
Aug 14, 2019
23
298
0
Generally every member function is a thiscall: x86 calling conventions - Wikipedia

To recognize thiscall, you should note the first argument will always be the this pointer (pushed to stack last - first in last out rule), pointing to the object. It's usually passed through ECX.

Now the problem with hooking a thiscall comes into play, you can't simply define a __thiscall and use that as your hook, your compiler won't allow it (some might though, idk).

But luckily we have another convention known as fastcall which acts out essentially the same (there just won't be any this pointers automatically added since it's not used for member functions). Therefore, we just add another pointer as the first argument.

So for example if your target member function would normally look something like this:
C++:
void* __thiscall memberFunction(int firstArg, char secondArg);
But since you can't define a function as __thiscall, you will build your hook as a fastcall with additional this pointer as first argument:
C++:
void* __fastcall memberFunction(void* pThis, int firstArg, char secondArg);
C++:
typedef void(__fastcall* oMemberFunction)(void*, int, char);
oMemberFunction pMemberFunction;

void __fastcall hMemberFunction((void* pThis, int firstArg, char secondArg)
{
    return pMemberFunction(pThis, firstArg, secondArg);
} 



pMemberFunction = (oMemberFunction )DetourFunction((PBYTE)dwFunc,(PBYTE)hMemberFunction);
Very informative post, thank you.
 
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Similar threads

Community Mods