Tags: c++, mfc, function-pointers, dll-injection

How to properly call a thiscall function with this being an mfc control


So I have an injected DLL and I'm trying to call a thiscall function with the following signature:

int __thiscall sub_76FDF3(CMFCTabCtrl *this, int, int)

From what I've read I can create a function pointer and call it directly, so I've created a typedef for the function:

#include <afxtabctrl.h>

// 'this' is passed as a pointer, not by value; __thiscall is an x86 convention
typedef int(__thiscall *TestFuncDef)(CMFCTabCtrl *pThis, int, int);
TestFuncDef TestFunc = (TestFuncDef)0x76FDF3;

Now I'm scratching my head wondering if I have to locate 'this', being the real tab control, and then somehow cast it to a CMFCTabCtrl to be able to actually call the function, passing my own int params?

New to all this, so I apologize if it's a daft question. Thanks.


Solution

  • Your code is correct for calling a __thiscall function: by defining your function pointer as __thiscall and passing the this pointer as the first argument, it will correctly put it in ECX, and everything should work fine as long as the this pointer points to a valid object of the correct type.

    You will need to find an object in memory and pass its address as the this pointer. If you can't find the correct object, then you can try to find the correct constructor, call the constructor, and pass the return as your this pointer.

    To find the constructor, reverse engineer the other virtual table functions for that class and try to find lines of code that look like it's initializing member variables.

    If you want to find real objects, you can hook the vtable functions and make a copy of the this pointer, essentially creating a list of objects of that type. You can then try using these.

    You can also just create a struct of about the correct size and pass that as the this pointer and see what happens; just make sure the vtable pointer points to the correct vtable so those functions resolve correctly. Sometimes this works fine if it's not dependent on the member variables having proper values.
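The mechanics the answer describes, as an added stand-alone example that is not part of the question or the answer: the typedef with `this` as a pointer, a raw address cast to it, and a check of the object's vtable pointer before the call (the "valid object of the correct type" condition). FakeTabCtrl, stand_in_target, THISCALL and the demo functions are assumed stand-ins for CMFCTabCtrl, sub_76FDF3 and the injected code, so it compiles and runs on any compiler rather than only inside the target process.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
// On 32-bit MSVC 'this' travels in ECX, so the pointer type must say __thiscall; on
// x64, GCC and Clang the keyword is dropped because the normal ABI already passes the
// first argument where 'this' goes. Assumes a compiler that accepts __thiscall on free
// functions (older MSVC needs the __fastcall-with-dummy-EDX workaround).
#if defined(_MSC_VER) && defined(_M_IX86)
#define THISCALL __thiscall
#else
#define THISCALL
#endif
struct FakeTabCtrl {              // stand-in for CMFCTabCtrl (assumed layout)
    virtual ~FakeTabCtrl() {}     // polymorphic: vtable pointer sits at offset 0
    int base = 100;
};

// Stand-in for sub_76FDF3; it dereferences 'this', so a real object is required.
int THISCALL stand_in_target(FakeTabCtrl* self, int a, int b) {
    return self->base + a + b;
}
// The question's typedef, with 'this' as a pointer rather than by value.
typedef int (THISCALL *TestFuncDef)(FakeTabCtrl*, int, int);
uintptr_t vtable_of(const void* obj) {   // first pointer-sized word of the object
    uintptr_t vptr;
    std::memcpy(&vptr, obj, sizeof vptr);
    return vptr;
}

// Cast a raw address to the typedef and call it with an explicit 'this',
// refusing memory whose vtable pointer is not the expected one.
int call_thiscall_at(uintptr_t func_addr, FakeTabCtrl* self, int a, int b,
                     uintptr_t expected_vtable) {
    if (self == nullptr || vtable_of(self) != expected_vtable)
        throw std::invalid_argument("'this' is not an object of the expected type");
    return reinterpret_cast<TestFuncDef>(func_addr)(self, a, b);
}

int demo_call() {                 // returns 100 + 2 + 3 = 105
    FakeTabCtrl ctrl, probe;      // any instance yields the class's vtable
    uintptr_t addr = reinterpret_cast<uintptr_t>(&stand_in_target);
    return call_thiscall_at(addr, &ctrl, 2, 3, vtable_of(&probe));
}

bool demo_rejects_wrong_object() {   // right size, wrong contents: guard fires
    FakeTabCtrl probe;
    alignas(FakeTabCtrl) unsigned char raw[sizeof(FakeTabCtrl)] = {0};
    try { call_thiscall_at(reinterpret_cast<uintptr_t>(&stand_in_target),
                           reinterpret_cast<FakeTabCtrl*>(raw), 1, 1, vtable_of(&probe)); }
    catch (const std::invalid_argument&) { return true; }
    return false;
}
```

The vtable check only proves the first word matches; it does not validate the rest of the object, which is exactly the gap the answer's last paragraph describes.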