Video Tutorial – Function Hooking

This is my video tutorial on function hooking.

Click here for the tutorial!

The hooking function:

void WriteJMP(byte* location, byte* newFunction)
{
    DWORD dwOldProtection;
    // Make the 5 bytes at location writable
    VirtualProtect(location, 5, PAGE_EXECUTE_READWRITE, &dwOldProtection);
    location[0] = 0xE9; // JMP rel32 opcode
    // rel32 is measured from the end of the 5-byte instruction
    *((dword*)(location + 1)) = (dword)(newFunction - location) - 5;
    // Restore the original page protection
    VirtualProtect(location, 5, dwOldProtection, &dwOldProtection);
}

Complete Source:

// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <windows.h>

typedef unsigned char byte;
typedef unsigned short word;
typedef unsigned int dword;

byte countSwitch = 0; // Toggles on every call so that every other update is skipped

DWORD UpdateTimeCall = 0x01001D6C; // This call calls the UpdateTime function
DWORD UpdateTimeRetn = 0x01001D71; // This is the place where we will return (0x01001D6C + 0x05)
DWORD UpdateTimeFunc = 0x01002FE0; // This is the UpdateTime function

// Overwrites the 5 bytes at location with a JMP rel32 to newFunction
void WriteJMP(byte* location, byte* newFunction){
	DWORD dwOldProtection;
	// Make the 5 bytes writable
	VirtualProtect(location, 5, PAGE_EXECUTE_READWRITE, &dwOldProtection);
	location[0] = 0xE9; // JMP rel32 opcode
	// rel32 is measured from the end of the 5-byte instruction
	*((dword*)(location + 1)) = (dword)(newFunction - location) - 5;
	// Restore the original page protection
	VirtualProtect(location, 5, dwOldProtection, &dwOldProtection);
}

// Naked: the compiler emits no prologue or epilogue, so we must leave with our own JMP
void _declspec(naked) hTimeFunc(){

	if(countSwitch == 0)
	{
		countSwitch = 1;

		// Skip the original call and continue right after it
		_asm
		{
			JMP UpdateTimeRetn
		}
	}
	else
	{
		countSwitch = 0;

		// Run the original function, then continue right after the patched call
		_asm
		{
			CALL UpdateTimeFunc
			JMP UpdateTimeRetn
		}
	}

}

void initHooks(){
	WriteJMP((byte*)UpdateTimeCall,(byte*)hTimeFunc); // Writes a jump from the original call to our custom function
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		initHooks(); // Install the hook once, when the DLL is loaded
		break;
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
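Seen from the detection side, the patch WriteJMP leaves behind is a 5-byte site that differs from the clean image and now holds an E9 jump whose target lies outside the module. The following is an added example, not part of the original tutorial: it decodes the same rel32 arithmetic in portable C, and the image range, the filler bytes and the jump destination 0x10001000 are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed image range of the target module (constructed for this example). */
#define IMAGE_BASE 0x01000000u
#define IMAGE_SIZE 0x00020000u
#define SAMPLE_VA  0x01001D6Au   /* VA of the first byte in the buffers below */

/* Constructed sample: 2 filler NOPs, CALL 0x01002FE0 at 0x01001D6C, 3 filler NOPs. */
static const uint8_t DISK[] = {0x90,0x90, 0xE8,0x6F,0x12,0x00,0x00, 0x90,0x90,0x90};
/* Same bytes after a WriteJMP-style patch to the constructed address 0x10001000. */
static const uint8_t MEM[]  = {0x90,0x90, 0xE9,0x8F,0xF2,0xFF,0x0E, 0x90,0x90,0x90};

/* Decode CALL (E8) or JMP (E9) rel32 at address va; target = va + 5 + rel32. */
int decode_rel32(const uint8_t *p, uint32_t va, uint32_t *target) {
    if (p[0] != 0xE8 && p[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                   (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    *target = va + 5u + rel;   /* unsigned wrap-around handles negative offsets */
    return 1;
}

/* Compare a clean copy of the code with the live copy. Returns the VA of the
   first modified site holding a JMP rel32 that leaves the image, or 0. */
uint32_t find_inline_hook(const uint8_t *clean, const uint8_t *live, size_t len,
                          uint32_t va, uint32_t *target) {
    for (size_t i = 0; i + 5 <= len; i++) {
        uint32_t t;
        if (memcmp(clean + i, live + i, 5) == 0) continue;   /* untouched */
        if (live[i] != 0xE9 || !decode_rel32(live + i, va + (uint32_t)i, &t)) continue;
        if (t < IMAGE_BASE || t >= IMAGE_BASE + IMAGE_SIZE) {
            *target = t;
            return va + (uint32_t)i;
        }
    }
    return 0;
}

int main(void) {
    uint32_t target = 0;
    uint32_t site = find_inline_hook(DISK, MEM, sizeof MEM, SAMPLE_VA, &target);
    if (site)
        printf("inline hook at 0x%08X -> 0x%08X (outside image)\n",
               (unsigned)site, (unsigned)target);
    else
        puts("no inline hook found");
    return 0;
}
```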

Enjoy.

13 thoughts on “Video Tutorial – Function Hooking”

  1. Oh, and a few other ideas.

    How to freeze an address the way Cheat Engine does

    How to use CreateRemoteThread to inject a DLL

    How to, instead of writing a separate DLL, copy your code to the remote process directly with WriteProcessMemory and execute it with CreateRemoteThread

  2. Well I can make a tut on how to make a DLL Trainer in C++ with injection and how to freeze an address the way Cheat Engine does and a more elegant way.

        1. You need the 32-bit version and I believe Olly Phantom Plugin so it runs on 64-bit machines. It cannot debug 64-bit apps though.
