0
votes

Say you need to hook/detour a function that is the __thiscall type on x86 Windows, and in order to do that you need to pass a void* to the shim function. Yes, this is technically "horrible abuse" of C++, but this is function hooking, not an exercise in coding a portable application.

For example, say you need to hook a function such as this:

void __thiscall SomeClass::MemberFunction(int b) { this->somevar = b; }

Obviously it's well known that you can just create a __fastcall function that uses an extra arg to dispose of EDX, but that's a bit... lame.

So the question is: What trickery can you think of to be able to convert the type of a non-static C++ class member function to a void* variable?

1 Answer

3
votes

I have a couple of solutions already for this, so here we go:

The first is arguably the quickest:

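// MSVC x86 only: naked, so the compiler emits no prologue or epilogue.
// The calling convention keyword goes between the return type and the name.
__declspec(naked) void* __cdecl MemberFuncToPtr(...) {
    __asm {
        mov eax, [esp+4]   // first stack argument: the member function pointer
        retn               // __cdecl: the caller cleans up the stack
    }
}
void* ptr = MemberFuncToPtr(&MyClass::TheMemberFunction);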

And an alternative that's asm-free but requires an unused argument:

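#include <cstdarg>

// The leading char exists only because va_start needs a named parameter.
void* MemberFuncToPtr(char i, ...) {
    va_list v;
    va_start(v, i);
    // Reinterpret the first variadic argument as a plain pointer.
    void* ret = va_arg(v, void*);
    va_end(v);
    return ret;
}
void* ptr = MemberFuncToPtr(0, &MyClass::TheMemberFunction);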
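
An added example, not part of the answer above: a template form of the same conversion that needs neither inline asm nor a dummy argument, plus a check for the case where a bare void* loses information. The class names and `DropsThisAdjustment` are hypothetical, and the code assumes the leading slot of the member-function pointer holds the code address, which is true for non-virtual functions under the MSVC and Itanium C++ ABIs.

```cpp
#include <cstddef>
#include <cstring>
#include <type_traits>

// Hypothetical classes, constructed for this example.
struct SomeClass {
    int somevar = 0;
    void MemberFunction(int b) { this->somevar = b; }
};
struct Left  { int l = 0; void OnLeft()  {} };
struct Right { int r = 0; void OnRight() {} };
struct Both : Left, Right {};

// Copy the leading pointer-sized slot of a pointer-to-member-function.
// Assumption: that slot holds the code address (non-virtual functions,
// MSVC and Itanium ABIs). For virtual functions it does not.
template <typename PMF>
void* MemberFuncToPtr(PMF pmf) {
    static_assert(std::is_member_function_pointer<PMF>::value,
                  "expects &Class::Method");
    static_assert(sizeof(PMF) >= sizeof(void*), "unexpected PMF layout");
    void* p = nullptr;
    std::memcpy(&p, &pmf, sizeof(p));
    return p;
}

// True when bytes after the first slot are non-zero, i.e. the pointer
// carries a this-adjustment that a bare void* silently drops.
// Assumption: no padding bytes inside the PMF representation.
template <typename PMF>
bool DropsThisAdjustment(PMF pmf) {
    unsigned char raw[sizeof(PMF)];
    std::memcpy(raw, &pmf, sizeof(PMF));
    for (std::size_t i = sizeof(void*); i < sizeof(PMF); ++i)
        if (raw[i] != 0) return true;
    return false;
}

int main() {
    void* target = MemberFuncToPtr(&SomeClass::MemberFunction);
    void (Both::*viaRight)() = &Both::OnRight;  // Right sits at a non-zero offset
    bool ok = target != nullptr &&
              !DropsThisAdjustment(&SomeClass::MemberFunction) &&
              DropsThisAdjustment(viaRight);
    return ok ? 0 : 1;
}
```

When `DropsThisAdjustment` returns true, a detour installed at the raw address receives the adjusted `this` (the `Right` subobject), not the pointer to the full `Both` object.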