05 Feb

Getting the C++ “this” pointer from function hooks: solution

(Note: This is Windows-centric and 32-bit only.)

In a previous entry I talked about a problem getting the C++ “this” (ECX) pointer from sub-class type function hooks.
Problem solved (credits to “Casual_Hacker”). One can simply use the seldom-used __fastcall calling convention.

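As MSDN says of __fastcall: the first two arguments are passed in ECX and EDX.
So if the hook is declared __fastcall, its first parameter receives “this” from ECX, its second is a placeholder for EDX, and the real arguments follow on the stack.
An example of a __stdcall C++ class function hook that takes two arguments, a char
string and an integer value, could be something like this: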

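#include <windows.h>
#include <intrin.h>   // _ReturnAddress()

// pTHIS receives ECX (the "this" pointer); uEDX only soaks up EDX and its value is not meaningful.
// pNext holds the address of the original function; Trace() is a printf-style logging helper.
void __fastcall HOOK_ClassMethod(PVOID pTHIS, UINT uEDX, LPCSTR pszString, int iValue)
{
    Trace("Hook - THIS: %08X, S: \"%s\", V: %d, R: %08X\n", pTHIS, pszString, iValue, _ReturnAddress());

    // Chain to original function
    ((void (__fastcall *)(PVOID, UINT, LPCSTR, int)) pNext)(pTHIS, uEDX, pszString, iValue);
}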
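
A self-contained version of the hook above, added here as an example and not code from the original post: the call site invokes the hook with the member-function convention, and the hook records “this” and chains to the real method. Widget, Describe, CallThroughHook, g_original and g_seenThis are hypothetical names, and the function-pointer call site stands in for whatever hooking mechanism redirects the call. On anything other than 32-bit MSVC the convention macros expand to nothing, because “this” is already the first argument there.

```cpp
// Added example, not from the original post. All names are hypothetical.
// A plain function-pointer "call site" stands in for a real hook installer.
#include <cstdio>
#include <cstring>

#if defined(_MSC_VER) && defined(_M_IX86)
  #define THISCALL  __thiscall           // "this" in ECX, arguments on the stack
  #define HOOKCALL  __fastcall           // ECX, EDX, then the stack
  #define EDX_PARAM unsigned uEDX,       // dummy parameter that soaks up EDX
  #define EDX_ARG   uEDX,
#else   // other ABIs already pass "this" as the first argument
  #define THISCALL
  #define HOOKCALL
  #define EDX_PARAM
  #define EDX_ARG
#endif

struct Widget {
    int id;
    int Describe(const char* s, int v) { std::printf("Widget %d: %s\n", id, s); return id + v; }
};

typedef int (THISCALL *MemberFn)(void* self, const char* s, int v);         // how callers invoke it
typedef int (HOOKCALL *HookFn)(void* self, EDX_PARAM const char* s, int v); // how the hook sees it

static void* g_original = nullptr;   // raw code address of Widget::Describe
static void* g_seenThis = nullptr;   // "this" value observed by the hook

int HOOKCALL HOOK_Describe(void* self, EDX_PARAM const char* s, int v) {
    g_seenThis = self;                                   // ECX on 32-bit MSVC
    return ((HookFn)g_original)(self, EDX_ARG s, v);     // chain to the original
}

int CallThroughHook(Widget* w, const char* s, int v) {
    int (Widget::*pmf)(const char*, int) = &Widget::Describe;
    std::memcpy(&g_original, &pmf, sizeof g_original);   // first word is the code address
    MemberFn site = (MemberFn)&HOOK_Describe;            // what a redirected call would reach
    return site(w, s, v);                                // caller uses the member convention
}

int main() {
    Widget w = { 7 };
    int r = CallThroughHook(&w, "hello", 35);
    std::printf("result=%d this_ok=%d\n", r, g_seenThis == &w);
    return 0;
}
```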
