MikeO

Reputation: 493

Why is the process crashing when attempting to detour a winapi?

I'm trying to use MS Detours, and I don't know if I am doing something wrong; I cannot seem to find an answer to my issue.

I have tried detouring several functions in a process using my injected DLL, but each attempt causes the process to crash.

One of the functions I try to hook is winapi DirectDrawCreate:

DetourTransactionBegin();
DetourUpdateThread( GetCurrentThread() );
DetourAttach( (PVOID *)DirectDrawCreate, hkDirectDrawCreate );
DetourTransactionCommit();

hkDirectDrawCreate is defined as:

HRESULT __stdcall hkDirectDrawCreate( GUID *p1, LPDIRECTDRAW *p2, IUnknown *p3 )
{
    if( !pDDC )
        return 0x00;

    printf( "A call to hkDirectDrawCreate was made\n" );

    return DirectDrawCreate( p1, p2, p3 );
}

On the call to DetourAttach the process crashes; the stack trace is:

myProj.dll!detour_skip_jmp(unsigned char * pbCode, void * * ppGlobals) Line 135 C++
myProj.dll!DetourCodeFromPointer(void * pPointer, void * * ppGlobals) Line 984  C++
myProj.dll!DetourAttachEx(void * * ppPointer, void * pDetour, _DETOUR_TRAMPOLINE * * ppRealTrampoline, void * * ppRealTarget, void * * ppRealDetour) Line 1456  C++
myProj.dll!DetourAttach(void * * ppPointer, void * pDetour) Line 1395   C++

The code breaks in 'detour_skip_jmp' at '0x68B028BD':

    // First, skip over the import vector if there is one.
    if (pbCode[0] == 0xff && pbCode[1] == 0x25) {   // jmp [imm32]
68B028B2  mov         ecx,1  
68B028B7  imul        edx,ecx,0  
68B028BA  mov         eax,dword ptr [pbCode]  
68B028BD  movzx       ecx,byte ptr [eax+edx]  
68B028C1  cmp         ecx,0FFh  
68B028C7  jne         detour_skip_jmp+82h (68B02912h)  
68B028C9  mov         edx,1  
68B028CE  shl         edx,0  
68B028D1  mov         eax,dword ptr [pbCode]  
68B028D4  movzx       ecx,byte ptr [eax+edx]  
68B028D8  cmp         ecx,25h  
68B028DB  jne         detour_skip_jmp+82h (68B02912h)  

Edit: ppGlobals is NULL, and pbCode gives the error 'Error reading characters of string'

Going back to DetourCodeFromPointer, ppGlobals is also NULL there, but I guess it is supposed to be; here is the call:

pDetour = DetourCodeFromPointer(pDetour, NULL);

Upvotes: 0

Views: 731

Answers (1)

user5994185

No doubt the import table has been moved or scrubbed as an anti-hooking technique. Just add a jump at the start of DirectDrawCreate to your hkDirectDrawCreate; then, when calling the original, jump back to DirectDrawCreate, but be sure it is after your jump to your hook, otherwise you're stuck in an endless recursive loop.

Upvotes: 2
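The hook the answer describes, as an added example that is not part of the original question, the answer, or the Microsoft Detours library: a jmp written over the first bytes of the target, and a trampoline that holds the displaced bytes and re-enters the target after the patch, so that calling "the original" does not land on the jmp again. It is written for x86-64 Linux (GCC or Clang, SysV ABI) rather than the 32-bit Windows process in the question; on Windows the same two steps use VirtualAlloc/VirtualProtect instead of mmap/mprotect. The target function target_add, the detour hk_add, and install_hook/remove_hook are constructed for this demo; in particular target_add is written in assembly so that its first 5 bytes are one relocatable instruction, which is the assumption that lets the trampoline copy them verbatim (Detours uses a length disassembler instead of that assumption). One check worth making before hand-rolling any of this: DetourAttach expects the address of a variable that holds the target pointer (the Detours samples write `DetourAttach(&(PVOID&)TrueSleepEx, TimedSleepEx)`) and dereferences that argument before it reads any code bytes.

```c
/* Added example (not from the original post or from Detours): inline jmp hook with a
 * trampoline on x86-64 Linux. All names below are invented for the demo. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Demo target, equivalent to: int target_add(int a, int b) { return a + b; }
 * Its first 5 bytes are a single position-independent 5-byte NOP so they can be
 * moved into the trampoline without fixups (assumption made for the demo). */
__asm__(
    ".text\n"
    ".globl target_add\n"
    ".type target_add, @function\n"
    "target_add:\n"
    "    .byte 0x0f, 0x1f, 0x44, 0x00, 0x00\n"   /* nopl 0x0(%rax,%rax,1) */
    "    leal (%rdi,%rsi,1), %eax\n"
    "    ret\n"
    ".size target_add, .-target_add\n");
int target_add(int a, int b);

typedef int (*add_fn)(int, int);
#define PATCH_LEN 5                  /* size of "E9 rel32" */
static add_fn  original_add;         /* trampoline: displaced bytes + jmp to target+5 */
static uint8_t saved[PATCH_LEN];     /* overwritten bytes, kept for unhooking */
static int     hook_calls;

/* The detour. It must go through the trampoline: target_add now starts with a jmp to
 * hk_add, so calling target_add here is the endless recursion the answer warns about. */
static int hk_add(int a, int b)
{
    hook_calls++;
    return original_add(a, b);
}

/* Change protection of every page that overlaps [p, p+len). PROT_EXEC is kept while
 * writing because this very function may live on the same page as the target. */
static int set_prot(uint8_t *p, size_t len, int prot)
{
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)p & ~(page - 1);
    uintptr_t end   = ((uintptr_t)p + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, prot);
}

int install_hook(void)
{
    uint8_t *target = (uint8_t *)target_add;
    uint8_t *hook   = (uint8_t *)hk_add;
    if (original_add) return 0;      /* hooking twice would copy our own jmp into the trampoline */

    /* 1. Trampoline = displaced bytes, then "jmp [rip+0]; .quad target+5". The absolute
     *    form is used because the mmap'd page can be more than 2 GiB from the target. */
    static const uint8_t jmp_abs[6] = { 0xFF, 0x25, 0, 0, 0, 0 };
    uint8_t *tramp = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (tramp == MAP_FAILED) return -1;
    memcpy(tramp, target, PATCH_LEN);
    memcpy(tramp + PATCH_LEN, jmp_abs, sizeof jmp_abs);
    uint64_t back = (uint64_t)(uintptr_t)(target + PATCH_LEN);
    memcpy(tramp + PATCH_LEN + sizeof jmp_abs, &back, sizeof back);
    if (mprotect(tramp, 4096, PROT_READ | PROT_EXEC) != 0) return -1;

    /* 2. Patch the target with "E9 rel32". rel32 is relative to the end of the jmp and
     *    must fit in +/-2 GiB (it does here: both functions are in this binary's .text). */
    int64_t rel = (int64_t)((intptr_t)hook - (intptr_t)(target + PATCH_LEN));
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;
    int32_t rel32 = (int32_t)rel;
    if (set_prot(target, PATCH_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(saved, target, PATCH_LEN);
    target[0] = 0xE9;
    memcpy(target + 1, &rel32, sizeof rel32);
    if (set_prot(target, PATCH_LEN, PROT_READ | PROT_EXEC) != 0) return -1;

    original_add = (add_fn)tramp;
    return 0;
}

int remove_hook(void)
{
    uint8_t *target = (uint8_t *)target_add;
    if (!original_add) return 0;
    if (set_prot(target, PATCH_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(target, saved, PATCH_LEN);
    if (set_prot(target, PATCH_LEN, PROT_READ | PROT_EXEC) != 0) return -1;
    original_add = NULL;
    return 0;
}

int main(void)
{
    printf("before hook: 2+3=%d, hook calls=%d\n", target_add(2, 3), hook_calls);
    if (install_hook() != 0) { perror("install_hook"); return 1; }
    printf("hooked:      2+3=%d, hook calls=%d\n", target_add(2, 3), hook_calls);
    remove_hook();
    printf("unhooked:    2+3=%d, hook calls=%d\n", target_add(2, 3), hook_calls);
    return 0;
}
```

The two failure modes a practitioner hits with this pattern are both visible in the code: if hk_add called target_add instead of original_add, the jmp at target_add would send it straight back into hk_add (the recursion the answer mentions), and if the displaced bytes were not a whole, relocatable instruction, the trampoline would execute garbage, which is why Detours disassembles the prologue rather than blindly copying 5 bytes.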
