[General] va_list in C#

[Frosttall]

Hello,

my question isn't about directly about WoW, but I'd like to ask you for help anyways.

I'm trying to use GreyMagic in order to Detour a Cdecl - C++ signature looks like this:

Code:

int Naked PacketSend(DWORD type,LPCSTR format,...)

and this is what I got so far in C#

Code:

        [UnmanagedFunctionPointer(CallingConvention.Cdecl, CharSet = CharSet.Ansi, SetLastError=true)]
        private delegate int SendPacketDetour(uint type, string format, IntPtr args);

        private int Callback(uint type, string format, IntPtr args)
        {
                return (int)_presentHook.CallOriginal(type, format, args);
        }

The content could look like this:
type = 0x12
format = "bbd"
... = va_list

The C#-Declaration works only partly: Type and format are read correctly, but 'IntPtr args' seems to be wrong.
Returning the control back to the original doesn't crash but cause some arguments not getting sent to the server.

The following packet gets sent correctly:

Code:

Type: 0x5
Format: d

whereas every packet with more than one argument like the following doesn't get sent:

Code:

Type: 0x12
Format: bbb

This means the IntPtr I'm using is not enough.



I've tried various solutions like working with params object[], params IntPtr[], object[] etc, but this didn't work and isn't the equivalent of va_list. C# itself contains a keyword which was made for Cdecl external functions like the following:

Code:

[System.Runtime.InteropServices.DllImportAttribute("unmanaged.dll", EntryPoint = "VarSum", 
            CallingConvention=System.Runtime.InteropServices.CallingConvention.Cdecl)]
        public static extern int VarSum(int nargs, __arglist);

Unfortunately is __arglist only valid for imported function and throws the following exception in case it's used with an UnmanagedFunctionPointer:

__arglist is not valid in this context

Has somebody ever experienced that case and could point me to the right direction?

[Master674]

That won't work. It's a function where the caller pushes a unknown number of arguments onto the stack and the function which is called can only determine the number when it parses the format string. You won't be able to detour that function from C# at least not without any asm.

Edit: You couldn't even detour that in C++ without any dumb hacks.

Edit2: It is not even possible to forward arguments from such a function other than doing nothing in the forwarder function and directly jump out as call does a push retaddr

[DarthTon]

Well, I think it's partly possible. Let's assume you know maximum number of args vararg function can receive.
For example, function always receive less than 5 variable arguments. So you can make such delegate and detour

Code:

int VarFn(int type, String fmt, IntPtr a1, IntPtr a2, IntPtr a3, IntPtr a4, IntPtr a5);

[System.Runtime.InteropServices.UnmanagedFunctionPointer(System.Runtime.InteropServices.CallingConvention.Cdecl)]
delegate int TheDelegate1(int a1, String a2, IntPtr a3, IntPtr a4, IntPtr a5, IntPtr a6, IntPtr a7);

This will work because varargs are on the stack, they just sit there after last non-variable argument. And you will get first 5 of them into a3-a7. Using 'format' argument, you can get number of args passed, and their types. Remember that arguments a3-a7 are just raw data from stack.

To call an original function you use same delegate. Just fill appropriate number of args and set unused ones to IntPtr.Zero, original function will ignore them anyway. And because of cdecl convention, stack pointer will be always restored by caller function, no matter how many actual parameters callee used.

[jjaa]

RuntimeArgumentHandle Structure (System)

http://www.ownedcore.com/forums/worl...guments-c.html ([How To] Hooking functions in WoW with variable arguments.. from C#)

[Master674]

RuntimeArgumentHandle Structure (System)

http://www.ownedcore.com/forums/worl...guments-c.html ([How To] Hooking functions in WoW with variable arguments.. from C#)

Wtf, they seriously thought about something like this? Sorry for my response then, I had big problems hooking such a function from C++.
I wonder how RuntimeArgumentHandle works though since you have to clean up the stack from your detour after you called the original function, so it somehow needs to know the number of arguments.

Edit: Another option just came to my mind: You could use a software breakpoint to detour that function, that way you would be allowed to run your detour code before returning to the original function.

[jjaa]

Variable argument functions are cleaned by the caller. So the caller will always just clean up the number of arguments that they set on the stack. If another place in the code calls the function again with a different number, then that call will clean a different number of arguments cleaned from the stack. The caller always knows the size of the arguments passed to the function on the stack.

[Master674]

Variable argument functions are cleaned by the caller. So the caller will always just clean up the number of arguments that they set on the stack. If another place in the code calls the function again with a different number, then that call will clean a different number of arguments cleaned from the stack. The caller always knows the size of the arguments passed to the function on the stack.

Yeah I know that but that wont work because you invoke the original function from your hook code. So you are the caller in your hook.

[Bananenbrot]

I don't think you can use RuntimeArgumentHandle (RAH) with that delegate, because RAH is the equivalent to an va_list parameter, which is not the same as accepting ... . In other words:

Code:

void foo(int bar, ...);

isn't the same as

Code:

void foo(int bar, va_list args);

. The latter can be decepted via the equivalent function and RAH, the former would have no equivalent in C#/.NET, unless the marshaler would provide the conversion from ... to va_list in the trampoline it allocates for UnmanagedFunctionPointers.
Prove me wrong though.

[Frosttall]

Alright I've been able to route the function trough my detour without crashing or loosing any packets. The next step is converting the IntPtrs into their equivalents, but here is what I got so far:

PHP Code:

        [UnmanagedFunctionPointer(CallingConvention.Cdecl, CharSet = CharSet.Ansi, SetLastError = true)]
        private delegate int SendPacketDetour(uint type, string format, IntPtr arg1, IntPtr arg2, IntPtr arg3, IntPtr arg4, IntPtr arg5, IntPtr arg6, IntPtr arg7, IntPtr arg8, IntPtr arg9, IntPtr arg10, IntPtr arg11, IntPtr arg12, IntPtr arg13, IntPtr arg14);

 private static int SendHookCallback(uint opcode, string format, IntPtr arg1, IntPtr arg2, IntPtr arg3, IntPtr arg4, IntPtr arg5, IntPtr arg6, IntPtr arg7, IntPtr arg8, IntPtr arg9, IntPtr arg10, IntPtr arg11, IntPtr arg12, IntPtr arg13, IntPtr arg14)
        {
            int argumentsToPush = 0;
            for (int i = 0; i < format.Length; i += 1)
            {
                switch (format[i])
                {
                    case 'b':
                        argumentsToPush += 1;
                        break;
                    case 'd':
                        argumentsToPush += 1;
                        break;
                    case 'f':
                        argumentsToPush += 2;
                        break;
                    case 'u':
                        argumentsToPush += 1;
                        break;
                    case 's':
                        argumentsToPush += 1;
                        break;
                    case 'm':
                        argumentsToPush += 2;
                        break;
                    default:
                        Logger.Log("Unknown type: " + format[i]);
                        break;
                }
            }


            return (int)_sendHook.CallOriginal(opcode, format,
                argumentsToPush >= 1 ? arg1 : IntPtr.Zero,
                argumentsToPush >= 2 ? arg2 : IntPtr.Zero,
                argumentsToPush >= 3 ? arg3 : IntPtr.Zero,
                argumentsToPush >= 4 ? arg4 : IntPtr.Zero,
                argumentsToPush >= 5 ? arg5 : IntPtr.Zero,
                argumentsToPush >= 6 ? arg6 : IntPtr.Zero,
                argumentsToPush >= 7 ? arg7 : IntPtr.Zero,
                argumentsToPush >= 8 ? arg8 : IntPtr.Zero,
                argumentsToPush >= 9 ? arg9 : IntPtr.Zero,
                argumentsToPush >= 10? arg10: IntPtr.Zero,
                argumentsToPush >= 11? arg11: IntPtr.Zero,
                argumentsToPush >= 12? arg12: IntPtr.Zero,
                argumentsToPush >= 13? arg13: IntPtr.Zero,
                argumentsToPush >= 14? arg14: IntPtr.Zero
                );
        } 


It's ugly but at least it's working

Thank you guys so far

[jjaa]

Yeah I know that but that wont work because you invoke the original function from your hook code. So you are the caller in your hook.

Ahh i get what you mean now. Without some hacky detour, it's a bit annoying. Its rather easy to read the args out of the va_list but you either need to replace the whole function or do a hacky detour. The C# example is the same thing as va_list. You will still have some stack cleaning issues.

[MaiN]

RuntimeArgumentHandle Structure (System)

http://www.ownedcore.com/forums/worl...guments-c.html ([How To] Hooking functions in WoW with variable arguments.. from C#)

Wow, cool to see something so old actually found.

Wtf, they seriously thought about something like this? Sorry for my response then, I had big problems hooking such a function from C++.
I wonder how RuntimeArgumentHandle works though since you have to clean up the stack from your detour after you called the original function, so it somehow needs to know the number of arguments.

Edit: Another option just came to my mind: You could use a software breakpoint to detour that function, that way you would be allowed to run your detour code before returning to the original function.

I don't think you can use RuntimeArgumentHandle (RAH) with that delegate, because RAH is the equivalent to an va_list parameter, which is not the same as accepting ... . In other words:

Code:

void foo(int bar, ...);

isn't the same as

Code:

void foo(int bar, va_list args);

. The latter can be decepted via the equivalent function and RAH, the former would have no equivalent in C#/.NET, unless the marshaler would provide the conversion from ... to va_list in the trampoline it allocates for UnmanagedFunctionPointers.
Prove me wrong though.

You all raise valid points, and I have no idea how that would work back then. Wow. That is really strange. I just tested it again in a more artificial manner, and it's definitely not working correctly.

Anyway, C# actually has support for native variadic functions through the __arglist keyword (which is undocumented), but that keyword is only valid in function declarations (such a pinvokes, so it is possible to pinvoke printf, for example), not in delegates. Indeed, if I had to hook a variadic function today, it would probably involve some ASM stub to do the original call correctly, and then just get a pointer to the first arg and pass that off to my hook stub.