Understanding Variadic Function Hooking and Stack Context Pollution with TrampolineHook

In a previous article the author introduced a full‑bridge Hook solution called TrampolineHook and mentioned a subtle bug related to context pollution . While most developers think of register pollution, the stack itself can also be corrupted when intercepting variadic functions.

To illustrate the problem, a simple Objective‑C class @interface TestObject : NSObject with a variadic method - (void)method:(int *)value,... is shown, followed by the TrampolineHook interception code that replaces the original IMP with a custom interceptor void wzq_check_variadic(id a, char *methodName, int *v, ...) . The interceptor works fine when it only logs the call, but crashes on the second read of the variadic arguments.

The crash is caused by the way the caller places the addresses of the variadic arguments on the stack. The interceptor saves the current context on the stack before calling the original function, which overwrites the memory region where the caller’s argument addresses reside. When the interceptor later tries to read the next argument with v = va_arg(args, int *) , it accesses corrupted stack data and crashes.

Detailed ARM64 assembly of the caller shows the stack frame allocation, storing of local variables, and pushing the addresses of the arguments onto the stack. The method’s prologue and the subsequent call to objc_msgSend are also displayed, highlighting that the first variadic argument is passed in a register (the “anchor” parameter) while the remaining arguments live on the caller’s stack.

To fix the issue, the article proposes preserving the entire execution context on the heap instead of the stack. A struct typedef struct _THPageVariadicContext { int64_t gR[10]; int64_t vR[16]; int64_t linkRegister; int64_t originIMPRegister; } THPageVariadicContext; is used as a conceptual model for the saved registers.

The solution consists of three steps:

In the pre‑interceptor ( THPageVariadicContextPre ), save registers, allocate heap memory with malloc , store the allocation address in a callee‑saved register, and write all general‑purpose and floating‑point registers to the heap.

After the original function returns, the post‑interceptor ( THPageVariadicContextPost ) restores the registers from the heap, frees the allocated memory, and jumps back to the original return address.

Both interceptors are declared with __attribute__((__naked__)) to avoid automatic prologue/epilogue code that would otherwise modify the stack.

By moving the context to the heap, the stack layout used by the variadic arguments remains untouched, eliminating the crash. The article concludes that this approach enables reliable variadic Hooking and points readers to the GitHub repository for the latest THVariadicInterceptor implementation.