Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

FindNextFileW hook ok but...

DarkInjection
DarkInjection
in Programming and Coding

Featured Replies

Posted

hello there im trying to make some usermode hooks to explorer.exe process

my first goal is to hook findnextfileW api but when im going to open a directory

explorer crashes.I have spot an access violation but i cant spot why that happened

here is my source code

diafora.h


typedef struct AdressEs{	//....target
	DWORD FindNextFileW_;
	//....redirect
	DWORD FindNextFile_;
	//...data
	BYTE FindNextFileData[6];
}AdressEs;void HoonOnAddress(DWORD addr,DWORD dst);
void UnHoonOnAddress(DWORD addr,BYTE *patch);
int JMP(DWORD func,DWORD tramboline);
bool FindNextFile_(HANDLE hAndle,WIN32_FIND_DATAW *FileData);
void DumpFirstBytesBeforePatch(DWORD addr);
void InitializeHook();DWORD prot = 0;
AdressEs placeS;

hook_FindNextFileW.cpp


#include <windows.h>
#include "diafora.h"
/*
targets:
FindNextFileW
*/
#define TEST_FILE "cmd.exe"
#define nAked __declspec( naked )
void HoonOnAddress(DWORD addr,DWORD dst){	VirtualProtect((void*)addr,5,PAGE_EXECUTE_READWRITE,&prot);	*(BYTE*)(addr) = 0xe9; //jmp
	*(int*)(addr+1) = dst;}
void DumpFirstBytesBeforePatch(DWORD addr,BYTE *data){	//AdressEs placeS; //it will be replaced cos i will put more functions to hooak	for(int i = 0; i < 5; i++){
		data[i] = *(BYTE*)(addr+i);
	}}
void UnHookOnAddress(DWORD addr,BYTE *patch){	for(int i = 0; i < 5; i++){		*(BYTE*)(addr+i) = patch[i];
	}	//VirtualProtect((void*)addr,5,prot,&prot);}
int JMP(DWORD func,DWORD tramboline){	return (DWORD)(func - tramboline) - 5;
}bool FindNextFile_(HANDLE hAndle,LPWIN32_FIND_DATAW FileData){	bool returned = false;	UnHookOnAddress((DWORD)placeS.FindNextFileW_,(BYTE*)placeS.FindNextFileData);
	/*
		code will be placed here
	*/
	returned = (bool)(FindNextFileW(hAndle,FileData));
	HoonOnAddress((DWORD)placeS.FindNextFileW_,(DWORD)JMP(placeS.FindNextFile_,placeS.FindNextFileW_));
	return (bool)returned;
}void InitializeHook(){	placeS.FindNextFileW_ = (DWORD)GetProcAddress(GetModuleHandle("kernel32"),"FindNextFileW");
	placeS.FindNextFile_ = (DWORD)(FindNextFile_);	DumpFirstBytesBeforePatch((DWORD)placeS.FindNextFileW_,(BYTE *)placeS.FindNextFileData);
	HoonOnAddress((DWORD)placeS.FindNextFileW_,(DWORD)JMP(placeS.FindNextFile_,placeS.FindNextFileW_));}bool WINAPI DllMain(HANDLE hAndle, DWORD reason , LPVOID no){	if(reason == 1){		CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)InitializeHook,NULL,NULL,0);	}	return TRUE;
}

compiled with VSCPP 6.0

Windows API have a calling convention of __stdcall, most compilers are set to have functions default to __cdecl though. Try adding __stdcall to your hook function.

bool __stdcall FindNextFile_(HANDLE hAndle,LPWIN32_FIND_DATAW FileData){
  • Author

solved THNX alot u save my day(night):)

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.