Quote:
Originally Posted by asherkin
You can wildcard the first 8 (I think) bytes of the signature (but make sure it still matches what you expect) to account for the patched bytes from the previous detour.
That's an interesting idea. Not sure though that it will always work properly. Correct me if I'm wrong with my understanding. Let's assume the function signature is ABC, where A is to be replaced by a jump.
When the first extension is loaded, the signature looks this way: XBC.
When the second extension is loaded, the signature looks this way: YBC. When the function is called, the chain looks this way:
Y -> 2nd extension detour -> X -> 1st extension detour -> A -> back to the original function.
Now if the 1st extension is unloaded, YBC is changed to ABC.
When the second extension is unloaded, ABC becomes XBC, which is not the original state and will likely lead to SIGFAULT/SIGSEGV.
Loading: ABC -> XBC -> YBC
Unloading: YBC -> ABC -> XBC
Am I right?
How is it handled in virtual function hooking? The same virtual function can be hooked/unhooked many times without such problems.
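A byte-array model of the chain described in this post, added here as an illustration and not code from the thread or from any detour library: A, X and Y are single stand-in bytes, nothing real is patched, and the `check` option (refusing to restore when the jump we wrote is no longer in place, in the spirit of "make sure it still matches what you expect") is an assumed behaviour, not what any particular library does.

```python
# Added illustration (not from the thread): a byte-array model of two detours
# on one function. A/X/Y are stand-in bytes; no real code is patched.
ORIGINAL = b"ABC"   # A = bytes a detour jump overwrites, BC = rest of the signature


class Site:
    """A patchable code location, modelled as a mutable byte array."""
    def __init__(self) -> None:
        self.mem = bytearray(ORIGINAL)

    def bytes(self) -> bytes:
        return bytes(self.mem)


class Detour:
    """Saves the bytes it overwrites, writes its jump, restores them on removal."""
    def __init__(self, jump: bytes) -> None:
        self.jump, self.saved = jump, b""

    def install(self, site: Site) -> None:
        self.saved = bytes(site.mem[:len(self.jump)])   # X saves A, Y saves X
        site.mem[:len(self.jump)] = self.jump

    def remove(self, site: Site, check: bool = False) -> bool:
        """check=False blindly restores (reproduces the post). check=True (assumed
        safe behaviour) refuses when another detour has overwritten our jump;
        a False return means this extension is not safe to unload yet."""
        if check and bytes(site.mem[:len(self.jump)]) != self.jump:
            return False
        site.mem[:len(self.jump)] = self.saved
        return True


def simulate(unload_first_then_second: bool, check: bool = False):
    """Return (site bytes after each step, result of each removal attempt)."""
    site, ext1, ext2 = Site(), Detour(b"X"), Detour(b"Y")
    ext1.install(site); states = [site.bytes()]          # XBC
    ext2.install(site); states.append(site.bytes())      # YBC
    order = (ext1, ext2) if unload_first_then_second else (ext2, ext1)
    removed = []
    for d in order:
        removed.append(d.remove(site, check))
        states.append(site.bytes())
    return states, removed


def site_restored(states) -> bool:
    """True only if the last state is the untouched function (ABC)."""
    return states[-1] == ORIGINAL


if __name__ == "__main__":
    print(simulate(True))         # ([XBC, YBC, ABC, XBC], [True, True]) stale X
    print(simulate(False))        # ([XBC, YBC, XBC, ABC], [True, True]) LIFO is clean
    print(simulate(True, True))   # ([XBC, YBC, YBC, XBC], [False, True]) ext1 refused
```

With `check=True` the first extension's removal is reported as unsafe instead of silently clobbering the second detour's jump, but note that the second detour's saved bytes still point at the first extension, so the check only detects the out-of-order unload; it does not by itself make it safe.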