How to redirect reads and writes to a variable?

Question

I have a compiled 32-bit Windows application that was built with MSVC 6.0. I want to inject code and redirect reads or writes to a variable. For simple cases something like:

DWORD& dword_995344 = *(DWORD*)0x995344;

Can work. But I would also like the code to compile as its own standalone exe. Obviously this can't work because 0x995344 isn't likely to be a valid address. Also it won't work for this like char buffer[256]; // at address 0xdeadbeef char buffer[256]; // at address 0xdeadbeef for instance.

Then I thought perhaps I could come up with some template wrapper:

template<DWORD VarAddr, class VarType>
class Var
{
public:
    using VarTypePtr = VarType*;

    Var()
    {
        mVar = (VarTypePtr)VarAddr;
    }

    Var(const Var&) = delete;
    Var& operator = (const Var&) = delete;

    operator VarType()
    {
        return *mVar;
    }

    void operator = (VarType v)
    {
        *mVar = v;
    }


private:
    VarTypePtr mVar;
};

Var<0x00995344, DWORD> dword_995344_;

void Test()
{
    dword_995344_ = 7;
    DWORD y = dword_995344_;
}

But again handling all types and cases isn't simple or probably not possible in some cases too. Is there some other technique (no matter how hacky :)) that could trap the reads and writes so I could do something like:

DWORD dword_995344 = 0;

void InstallVarHooks()
{
   RedirectReadWrites(&dword_995344, 0x995344);
}

Answer 1

What you might consider is instrumenting the source code to collect the information you need. This can be done with program transformation systems .

Such tools let you write patterns that say essentially,

when you see <this>, replace it by <that>

in a compiler-accurate way (not string hacking which never works on real code). In your case, you'd want to say something like,

when you see a <write of varX>,
replace it by <store varX to known location, then do write varX>

Inspiration for how to do this can be found in my tech paper, Branch Coverage for Arbitrary Languages made Easy .

To do this with C++, see https://softwareengineering.stackexchange.com/a/257441/12135

Answer 2

I am not sure if I understood your problem, you want to intercept the moment a variable is written and if so then redirect write to some other memory location, and the same with reads. This part can be theoretically acomplished with debug breakpoints, there is a project https://github.com/mmorearty/hardware-breakpoints that should give you hints how to acomplish it. It looks quite dated but since you want to use it on VS6.0 application it might actually work. You would have to use your DLL injection code to get into your target application to use this.

This is actually only a tool, it should allow you to intercept moment when variable is read/written, you would still have to write code that would modify appropriately variables.

Anyway looks like a lot of hacking.

Answer 3

It is totally possible to have a reference to an array although the syntax is messy:

char (&TheArray)[256] = *reinterpret_cast<char(*)[256]>(0xDEADBEEF);

In C++11 you can make use of auto and thus avoid repeating the type twice:

auto &TheArray = *reinterpret_cast<char(*)[256]>(0xDEADBEEF);

There is also the simpler approach of just taking a pointer to the address:

char *TheArray = *reinterpret_cast<char*>(0xDEADBEEF);

Since pointers act like arrays in C (and hence also C++) the above would have essentially the same effect.

So approach does work if what you need is a reference to some object at an arbitrary address, even if it is of an arbitrarily complex type.

If the variable you want to access is not located at a constant address (which few variables are these days), you can replace the constant 0xDEADBEEF with an arbitrarily complex expression that figures out the address of said variable, which might well involve a call to GetModuleHandle , to get the address of the main executable.