megaman54 Posted January 14, 2014

I have been studying around the MTA source code lately and I'm kinda confused about the HookInstall function. What does the last parameter called iJmpCodeSize do? How do I know what to put in that argument? Another question is, how to use the HookInstallMethod and HookInstallCall functions? They have the same arguments but different implementation code, so I don't know how to use them. Thanks in advance!
Jusonex Posted January 14, 2014

"What does the last parameter called iJmpCodeSize do?"

iJmpCodeSize specifies the number of bytes you want to replace to install the hook. This must be at least 5 bytes, since a jmp instruction has a size of 5 bytes. In most cases it's best to replace the instruction at the source address entirely. To find out how long this instruction is, you can use IDA Pro's Hex-View subwindow. That means: mark/select the instruction you want to replace and switch to the Hex-View tab, where you can see the length in bytes (each block is one byte) of the instruction.

"Another question is, how to use the HookInstallMethod and HookInstallCall functions? They have the same arguments but different implementation code, so I don't know how to use them."

HookInstallCall works in a similar way. Instead of creating a jmp instruction, HookInstallCall creates a call instruction, so that the current eip will be pushed onto the stack. By contrast, HookInstallMethod, which is often used in the context of VTables, only replaces the function address and leaves the rest well enough alone.
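The three mechanisms described above, as an added illustration that is not MTA's own code nor part of this thread: encoding the 5-byte E9 (jmp) or E8 (call) patch for a given iJmpCodeSize into a byte buffer, a defender-side check that decodes such an inline hook back to its target, and the VTable slot swap that HookInstallMethod does instead. The NOP-filling of the tail, all function names and the addresses used in the sample data are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Encode what a HookInstall-style jmp (E9) or HookInstallCall-style call (E8)
   writes at 32-bit address src to reach dst. rel32 is relative to the end of
   the 5-byte instruction (also the return address a call pushes). Bytes of
   iJmpCodeSize beyond 5 are NOP-filled so no torn partial instruction remains
   (an assumption here, not MTA's code). Writes into out, never into live code. */
static int build_branch_patch(uint8_t opcode, uint32_t src, uint32_t dst,
                              int iJmpCodeSize, uint8_t *out, size_t out_len)
{
    if (iJmpCodeSize < 5 || (size_t)iJmpCodeSize > out_len) return -1;
    uint32_t rel = dst - (src + 5);
    out[0] = opcode;
    out[1] = (uint8_t)rel;            /* little-endian rel32 operand */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    memset(out + 5, 0x90, (size_t)iJmpCodeSize - 5);
    return 0;
}
int build_jmp_patch(uint32_t src, uint32_t dst, int n, uint8_t *out, size_t len)
{ return build_branch_patch(0xE9, src, dst, n, out, len); }
int build_call_patch(uint32_t src, uint32_t dst, int n, uint8_t *out, size_t len)
{ return build_branch_patch(0xE8, src, dst, n, out, len); }
/* Defender-side check: if the code located at code_addr starts with an inline
   E9/E8 hook, decode and return its absolute target, otherwise 0. */
uint32_t inline_hook_target(const uint8_t *code, uint32_t code_addr)
{
    if (code[0] != 0xE9 && code[0] != 0xE8) return 0;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return code_addr + 5 + rel;
}
/* HookInstallMethod-style: swap one VTable slot and return the original so the
   replacement can forward to it. No instruction bytes are modified. */
typedef void (*method_t)(void);
method_t hook_vtable_method(method_t *vtable, size_t index, method_t replacement)
{
    method_t old = vtable[index];
    vtable[index] = replacement;
    return old;
}
/* Constructed sample data (not real game addresses) for exercising the above. */
void orig_fn(void) {}
void repl_fn(void) {}
method_t demo_vtable[2] = { orig_fn, orig_fn };
uint8_t demo_patch[8];
```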
megaman54 Posted January 14, 2014

Thanks! Now it all makes much more sense. Hooking has always been somewhat confusing to me. Thanks again.