Question

I'm using:

MS VS 10

Detours v3.0 Express

The complete source code of the DLL:

#include <windows.h>
#include <detours.h>
#include <fstream>
#pragma comment(lib,"detours.lib")
using namespace std;

ofstream prclist; // log of every name passed to GetProcAddress

// Pointer to the real GetProcAddress; Detours rewrites it to point at the trampoline.
FARPROC (WINAPI * pGetProcAddress)(HMODULE hModule, LPCSTR lpProcName) = GetProcAddress;
FARPROC WINAPI myGetProcAddress(HMODULE hModule, LPCSTR lpProcName);

// Replacement that logs the requested name, then forwards to the original.
FARPROC WINAPI myGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    prclist << lpProcName << endl; // <- ACCESS_VIOLATION READ
    return pGetProcAddress(hModule, lpProcName);
}

BOOL APIENTRY DllMain(HINSTANCE hDLL, DWORD reason, LPVOID reserved)
{
    switch (reason)
    {
        case DLL_PROCESS_ATTACH:
        {
            prclist.open("proclst.log", ios::out | ios::app);
            DisableThreadLibraryCalls(hDLL);
            // Install the hook
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach(&(PVOID&)pGetProcAddress, myGetProcAddress);
            DetourTransactionCommit();
            break;
        }
        case DLL_PROCESS_DETACH:
        {
            prclist.close();
            // Remove the hook
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)pGetProcAddress, myGetProcAddress);
            DetourTransactionCommit();
            break;
        }
    }
    return TRUE;
}

I am trying to view the list of functions received by GetProcAddress. But after starting, the program closes with an error: "ACCESS_VIOLATION, UNABLE_TO_READ"

Can somebody suggest how to fix it?

Solution

From the GetProcAddress() reference page, for lpProcName:

The function or variable name, or the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.

This means it might not be a pointer to a string, but the replacement function always treats it as such. This is a possible cause of the access violation, as it will be using an integer value (182 for example) as the starting memory address of a null-terminated string.

Use HIWORD() to correct:

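if (HIWORD(lpProcName))
{
    // High-order word is non-zero: lpProcName points to a string
    prclist << "name: " << lpProcName << std::endl;
}
else
{
    // Ordinal in the low-order word; DWORD_PTR keeps the cast valid in 64-bit builds
    prclist << "ordinal: " << LOWORD(reinterpret_cast<DWORD_PTR>(lpProcName)) << std::endl;
}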
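
The same name-or-ordinal test as an added example (not part of the original answer), written without windows.h so it builds anywhere. The helper names are hypothetical; is_ordinal() shifts the whole pointer value, as the Windows IS_INTRESOURCE macro does, because HIWORD() looks only at bits 16..31 and can misread a 64-bit string pointer as an ordinal.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>

// Ordinal only when every bit above the low-order word is zero
// (the test IS_INTRESOURCE performs on Windows).
bool is_ordinal(const char* procName) {
    return (reinterpret_cast<std::uintptr_t>(procName) >> 16) == 0;
}

// Models what HIWORD() inspects: bits 16..31 only.
// Equivalent to is_ordinal() for 32-bit pointers, not for 64-bit ones.
bool hiword_is_zero(const char* procName) {
    return ((reinterpret_cast<std::uintptr_t>(procName) >> 16) & 0xffff) == 0;
}

// Hypothetical helper a hook could call instead of streaming lpProcName directly.
std::string describe_proc_name(const char* procName) {
    std::ostringstream out;
    if (is_ordinal(procName)) {
        // Never dereferenced: the "pointer" is really a small integer (or NULL).
        out << "ordinal: " << (reinterpret_cast<std::uintptr_t>(procName) & 0xffff);
    } else {
        out << "name: " << procName;
    }
    return out.str();
}

// Build a pointer value from an integer without ever reading through it.
const char* as_proc_name(std::uint64_t value) {
    return reinterpret_cast<const char*>(static_cast<std::uintptr_t>(value));
}

int main() {
    const char* byName = "CreateFileW";          // constructed sample name
    const char* byOrdinal = as_proc_name(182);   // ordinal value used in the answer's text
    std::cout << describe_proc_name(byName) << "\n"
              << describe_proc_name(byOrdinal) << "\n";

    if (sizeof(void*) == 8) {
        // Constructed 64-bit address whose bits 16..31 happen to be zero.
        const char* high = as_proc_name(0x00007FF60000A123ULL);
        std::cout << "HIWORD-style check says ordinal: " << hiword_is_zero(high)
                  << ", full-width check says ordinal: " << is_ordinal(high) << "\n";
    }
    return 0;
}
```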

Other tips

See my comment. Looks like the stream just needs to be tested for being open before insertion operators (<<) are used on it.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow