Question

Do you know why I can't run the program when hooking one of the kernel32 functions? I'm writing an anti-cheat and want to optimize it more because currently it's in a thread, but something is wrong...

It says OpenProcess because I've tried to hook that before and had the same problem.

#include <windows.h>
#include <detours.h>   // DetourFunction() from the old Detours 1.x API

// The typedef keeps the OpenProcess name from an earlier attempt, but the
// signature is CreateRemoteThread's, which is the function actually hooked below.
typedef HANDLE ( WINAPI * pOpenProcess )(   _In_   HANDLE hProcess,
                                         _In_   LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                         _In_   SIZE_T dwStackSize,
                                         _In_   LPTHREAD_START_ROUTINE lpStartAddress,
                                         _In_   LPVOID lpParameter,
                                         _In_   DWORD dwCreationFlags,
                                         _Out_  LPDWORD lpThreadId );

// Trampoline returned by DetourFunction: runs the overwritten bytes, then the rest of the original.
pOpenProcess original;

// Naked hook: the compiler emits no prologue/epilogue, so registers and flags are saved by hand
// and the caller's stack frame is left untouched for the trampoline.
__declspec(naked) void hOpenProcess()
{
    __asm PUSHAD
    __asm PUSHFD
        //my actions here
    __asm POPFD
    __asm POPAD
    // jump through the pointer to the trampoline
    __asm JMP [original]
}

void ZPerformHook()
{
    DWORD Address = ( DWORD )GetProcAddress( GetModuleHandle( TEXT( "kernel32.dll" ) ), "CreateRemoteThread" );
    original = ( pOpenProcess )DetourFunction( (PBYTE)Address,  (PBYTE)hOpenProcess );
}

Solution

"//my actions here" would be interesting; maybe you are corrupting the stack, or maybe the error is in your DetourFunction. How does your program fail? Maybe with an access violation?

Also, you don't have to use a naked function. You can just hook with a function that has the exact same signature as your target; no asm needed.

#include <windows.h>
#include <iostream>

// Same trampoline pointer as in the question (CreateRemoteThread's signature).
typedef HANDLE ( WINAPI * pOpenProcess )( HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T,
                                          LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD );
pOpenProcess original;

// Plain __stdcall hook: same calling convention and parameters as the target,
// so the compiler handles the stack and the arguments can be passed straight through.
HANDLE __stdcall hOpenProcess(  HANDLE hProcess,
                                LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                SIZE_T dwStackSize,
                                LPTHREAD_START_ROUTINE lpStartAddress,
                                LPVOID lpParameter,
                                DWORD dwCreationFlags,
                                LPDWORD lpThreadId )
{
    // do your stuff here
    std::cout << "From hook" << std::endl;

    return original( hProcess, lpThreadAttributes, dwStackSize,  lpStartAddress, lpParameter,  dwCreationFlags,  lpThreadId);
}

If that doesn't work, check the return value of GetProcAddress; if that's correct, something in your DetourFunction may be going wrong.

You could also use a disassembler like BeaEngine and dump your target function after detouring to see if the hook was applied correctly.
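The check the answer suggests, dumping the first bytes of the target after detouring and confirming they now begin with a jump to the hook, as an added example that is not code from the question, the answer or the Detours library. It is written as portable C so it runs anywhere: instead of reading memory at the address GetProcAddress returns, it inspects constructed byte strings, and the addresses 0x7C810000 and 0x10001000 are hypothetical stand-ins for CreateRemoteThread and the hook function. The decoding rule is the one an inline detour relies on: a 5-byte relative JMP (opcode E9) lands at the address of the next instruction plus its signed 32-bit displacement.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting the first bytes of a 32-bit function. */
typedef struct {
    int      hooked;   /* 1 if the function starts with JMP rel32 (opcode E9) */
    uint32_t target;   /* absolute destination of that JMP; valid when hooked == 1 */
} prologue_info;

/* Decode the first instruction of the function at func_va. An inline detour
   overwrites the first 5 bytes with E9 <rel32>; the CPU resolves the
   destination as (func_va + 5) + rel32, with 32-bit wraparound. */
prologue_info inspect_prologue(uint32_t func_va, const uint8_t *bytes, size_t len)
{
    prologue_info r = { 0, 0 };
    if (len >= 5 && bytes[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, bytes + 1, sizeof rel);        /* rel32 is stored little-endian */
        r.hooked = 1;
        r.target = func_va + 5 + (uint32_t)rel;      /* unsigned add wraps like the CPU */
    }
    return r;
}

/* Confirm that the detour landed and that it points at our own hook, not elsewhere. */
int hook_applied(uint32_t func_va, const uint8_t *bytes, size_t len, uint32_t hook_va)
{
    prologue_info p = inspect_prologue(func_va, bytes, len);
    return p.hooked && p.target == hook_va;
}

/* Hex dump, the way you would print the bytes read at the GetProcAddress() result. */
void dump_bytes(const char *label, const uint8_t *bytes, size_t len)
{
    printf("%s:", label);
    for (size_t i = 0; i < len; i++)
        printf(" %02X", bytes[i]);
    printf("\n");
}

/* Constructed samples with hypothetical addresses (not taken from any real process). */
#define FUNC_VA 0x7C810000u   /* pretend address of CreateRemoteThread in kernel32 */
#define HOOK_VA 0x10001000u   /* pretend address of hOpenProcess in the hook DLL   */

/* Typical hot-patchable x86 prologue of a kernel32 export: mov edi,edi / push ebp / mov ebp,esp */
static const uint8_t UNHOOKED[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* The same location after a 5-byte detour: E9 + rel32, rel32 = HOOK_VA - (FUNC_VA + 5) */
static const uint8_t HOOKED[]   = { 0xE9, 0xFB, 0x0F, 0x7F, 0x93 };

int main(void)
{
    dump_bytes("before", UNHOOKED, sizeof UNHOOKED);
    dump_bytes("after ", HOOKED, sizeof HOOKED);
    printf("hook applied: %s\n",
           hook_applied(FUNC_VA, HOOKED, sizeof HOOKED, HOOK_VA) ? "yes" : "no");
    return 0;
}
```

On Windows the same functions can be fed the real bytes: copy 5 bytes from the address GetProcAddress returned (before and after DetourFunction) and pass the hook function's address as hook_va. If inspect_prologue reports no E9, the patch never landed, which points back at the GetProcAddress result or at DetourFunction; if it reports a jump to some other address, another hook or hot-patch already owns that prologue.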

Licensed under: CC-BY-SA with attribution