Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

I am trying to make a tutorial using the detour library.

In older version of the detour library v1.5 the function DetourFunction was used to define the address so the DLL knows where to look for the function.

It could for example be used as follows:

         InsertDateTime = (int (__stdcall*)(int))DetourFunction((PBYTE)0x01006F10,       (PBYTE)MyInsertDateTime)
see http://www.moddb.com/groups/ibepex/tutorials/function-hooking
However in newer versions the function is changed to 
     LONG DetourAttach(
        PVOID * ppPointer,
        PVOID pDetour
where ppPointer is a pointer to the target pointer to which the detour will be attached.
Now since I know the adress of the target function in hex format, 0x01006F10, I want to somehow use that as an argument for ppPointer. I tried to just write:
               InsertDateTime = (int (__stdcall*)(int))DetourAttach((PVOID*)0x01006F10, MyInsertDateTime);
and it compiles fine but my program does not work as I thought. It seems that the program never catches the function from that adress.
So basically my question is, did I use the pointer to the hex adress correctly and second, do I have some fundamental mistakes in the way I use DetourAttach()?
You are using DetourAttach incorrectly. The correct usage in your case would be:
int(__stdcall* InsertDateTime)(int) = (int(__stdcall*)(int))(0x01006F10);
LONG errorCode = DetourAttach((PVOID*)(&InsertDateTime), (PVOID)MyInsertDateTime);
if(!errorCode) {
    //Detour successful
Note that in the presence of technologies like ASLR; You should use something like GetProcAddress to retrieve the address of the function at runtime otherwise you are likely to cause corruption or crashes.
                First, Good answer! So the first line you write is the pointer to the function with start adress 0x01006F10. I tried to do this but still nothing happens when I activate the function with that adress. I use Winject to inject the DLL into the process. Now the process I try to inject hook a function in is Notepad 32 bit. Is there any chance that it would use ASLR so that the function adress I found in IDA Pro not is valid?
– Euklides
                Jun 7, 2013 at 14:18
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.