Gamerz Online

by Specific

This tutorial on how to hook process functions via dll injection is not for the beginning programmer.  I assume that you have knowledge of creating DLL (Dynamic Link Libraries) files in C++, as I do not cover this.  If you do not know how to inject a dll into a process, please read my tutorial "Inject DLL into running process with CPP."
Some of you may remember a release I had for MSN Gaming Zone called ZoneHook, this very code was used to hook the functions inside it's inner workings.  We start out planning how we will implement this code. Because ZoneHook was reasonably complex, I made a class so that implementing was easy as possible.
What we want to accomplish here is overwrite the address of the function to either jmp, or call our own function in the dll file.  Sounds really complicated, but it's not and with little knowledge of pointers and how programs work we can do this.
How do we accomplish what was just said?  We create a function that will render an instruction to jmp or call a specified offset.  With this instruction we then assign appropriate permissions to access and write to the original function call, we then write our new instruction in place of the original. 
Here is the basic structure (Redirect.h):
#define CALL(a) _asm call [a] #define JMP(a) _asm jmp [a] class Redirect { public: void RenderJMPInstruction(LPVOID address, LPVOID jumpto, char *buf); void JMPFunction(DWORD address, DWORD jumpto); void RenderCALLInstruction(LPVOID address, LPVOID jumpto, char *buf); void CALLFunction(DWORD address, DWORD jumpto); Redirect(); virtual ~Redirect(); };

The class consists of one constructor and four methods. 

With the structure there, there is nothing more to do but code what we wanted to do.
#include "Redirect.h" ////////////////////////////////////////////////////////////////////// // Construction/Destruction ////////////////////////////////////////////////////////////////////// Redirect::Redirect() { } Redirect::~Redirect() { } void Redirect::CALLFunction(DWORD address, DWORD jumpto) { char instruction[5]; RenderCALLInstruction((LPVOID)address,(LPVOID)jumpto,instruction); DWORD oldprot, dummy; VirtualProtect((void*)address,5,PAGE_EXECUTE_READWRITE,&oldprot); memcpy((LPVOID)address,(LPVOID)instruction,5); VirtualProtect((void*)address,5,oldprot,&dummy); } void Redirect::RenderCALLInstruction(LPVOID address, LPVOID jumpto, char *buf) { int offset = (int)jumpto - ((int)address + 5); buf[0] = (char)0xE8; *(DWORD*)(buf+1) = offset; } void Redirect::JMPFunction(DWORD address, DWORD jumpto) { char instruction[5]; RenderJMPInstruction((LPVOID)address,(LPVOID)jumpto,instruction); DWORD oldprot, dummy; VirtualProtect((void*)address,5,PAGE_EXECUTE_READWRITE,&oldprot); memcpy((LPVOID)address,(LPVOID)instruction,5); VirtualProtect((void*)address,5,oldprot,&dummy); } void Redirect::RenderJMPInstruction(LPVOID address, LPVOID jumpto, char *buf) { int offset = (int)jumpto - ((int)address + 5); buf[0] = (char)0xE9; *(DWORD*)(buf+1) = offset; } Redirecting the function is simple:
/* This is just an example * 0x600542A5 would be the offset of the call in the original program you would like to redirect. */ Redirect Hook; Hook.CALLFunction(0x600542A5,(DWORD)OnZoneSend); Not done yet though, we still have to create the OnZoneSend function.  This is where people can run into problems if they don't know instruction flow in applications, it may require a little knowledge of assembly.
int WINAPI OnZoneSend(...) { // ... your code here return ZoneSend(...); } We now call a naked function which will jmp to the original function entry point.
DWORD lpZoneSend = 0x6005484F; // original function entry point. int __declspec(naked) WINAPI ZoneSend(...) { JMP(lpZoneSend) } Thats it!  Enjoy.