DarkInjection Posted January 20, 2010

Hello there, I'm trying to make some usermode hooks in the explorer.exe process. My first goal is to hook the FindNextFileW API, but when I'm going to open a directory, explorer crashes. I have spotted an access violation but I can't spot why that happened. Here is my source code.

diafora.h

    #pragma once
    #include <windows.h>

    typedef struct AdressEs {
        //....target
        DWORD FindNextFileW_;
        //....redirect
        DWORD FindNextFile_;
        //...data (the original first bytes of the target, saved before patching)
        BYTE FindNextFileData[6];
    } AdressEs;

    void HoonOnAddress(DWORD addr, DWORD dst);
    void UnHookOnAddress(DWORD addr, BYTE *patch);
    void DumpFirstBytesBeforePatch(DWORD addr, BYTE *data);
    int JMP(DWORD func, DWORD tramboline);
    BOOL FindNextFile_(HANDLE hAndle, LPWIN32_FIND_DATAW FileData);
    DWORD WINAPI InitializeHook(LPVOID param);

    DWORD prot = 0;     // old protection returned by VirtualProtect
    AdressEs placeS;    // hook bookkeeping (one entry for now)

hook_FindNextFileW.cpp

    #include <windows.h>
    #include "diafora.h"

    /*
    targets:
    FindNextFileW
    */

    #define TEST_FILE "cmd.exe"
    #define nAked __declspec( naked )

    // Overwrite the first 5 bytes at addr with "jmp rel32" (E9 xx xx xx xx).
    // The page is left PAGE_EXECUTE_READWRITE so the later unhook/rehook writes work.
    void HoonOnAddress(DWORD addr, DWORD dst)
    {
        VirtualProtect((void*)addr, 5, PAGE_EXECUTE_READWRITE, &prot);
        *(BYTE*)(addr) = 0xe9;      // jmp
        *(int*)(addr + 1) = dst;    // rel32 displacement
    }

    // Save the 5 bytes that the jmp is about to overwrite.
    void DumpFirstBytesBeforePatch(DWORD addr, BYTE *data)
    {
        //AdressEs placeS; //it will be replaced cos i will put more functions to hook
        for (int i = 0; i < 5; i++) {
            data[i] = *(BYTE*)(addr + i);
        }
    }

    // Put the saved bytes back so the original function can be called.
    void UnHookOnAddress(DWORD addr, BYTE *patch)
    {
        for (int i = 0; i < 5; i++) {
            *(BYTE*)(addr + i) = patch[i];
        }
        //VirtualProtect((void*)addr, 5, prot, &prot);
    }

    // rel32 for a jmp placed at tramboline that lands on func:
    // the displacement is relative to the end of the 5-byte instruction.
    int JMP(DWORD func, DWORD tramboline)
    {
        return (DWORD)(func - tramboline) - 5;
    }

    // Replacement for FindNextFileW: unhook, call the real function, rehook.
    // Same return type as the API (BOOL) so the caller reads EAX correctly.
    BOOL FindNextFile_(HANDLE hAndle, LPWIN32_FIND_DATAW FileData)
    {
        BOOL returned = FALSE;
        UnHookOnAddress(placeS.FindNextFileW_, placeS.FindNextFileData);
        /* code will be placed here */
        returned = FindNextFileW(hAndle, FileData);
        HoonOnAddress(placeS.FindNextFileW_, JMP(placeS.FindNextFile_, placeS.FindNextFileW_));
        return returned;
    }

    // Thread routine: resolve the target, save its prologue, install the jmp.
    DWORD WINAPI InitializeHook(LPVOID param)
    {
        placeS.FindNextFileW_ = (DWORD)GetProcAddress(GetModuleHandle("kernel32"), "FindNextFileW");
        placeS.FindNextFile_ = (DWORD)FindNextFile_;
        DumpFirstBytesBeforePatch(placeS.FindNextFileW_, placeS.FindNextFileData);
        HoonOnAddress(placeS.FindNextFileW_, JMP(placeS.FindNextFile_, placeS.FindNextFileW_));
        return 0;
    }

    BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
    {
        if (reason == DLL_PROCESS_ATTACH) {
            HANDLE hThread = CreateThread(NULL, 0, InitializeHook, NULL, 0, NULL);
            if (hThread) CloseHandle(hThread);
        }
        return TRUE;
    }

Compiled with VSCPP 6.0.
atom0s Posted January 20, 2010

Windows APIs have a calling convention of __stdcall; most compilers are set to have functions default to __cdecl, though. Try adding __stdcall to your hook function.

    bool __stdcall FindNextFile_(HANDLE hAndle, LPWIN32_FIND_DATAW FileData) {
DarkInjection (Author) Posted January 20, 2010

Solved. Thanks a lot, you saved my day (night).
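The relative-jump patch that the posted JMP()/HoonOnAddress()/UnHookOnAddress() trio performs, as an added example that is not code from either poster: the E9 rel32 encoding with the displacement measured from the end of the 5-byte instruction, its inverse, and the save/patch/restore bookkeeping, written against a byte buffer that stands in for the target's code page so it compiles and can be checked on any host without patching a live process. The function names, the HookRecord type, the prologue bytes and the two addresses (0x7C801000 for the target, 0x10001000 for the detour) are constructed for the example and do not come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN    5       /* E9 opcode + 4-byte displacement */
#define JMP_OPCODE 0xE9u

/* Encode "jmp rel32" placed at src and landing on dst. The displacement is
 * measured from the END of the 5-byte instruction, which is where the "- 5"
 * in the posted JMP() comes from. Returns 0 if dst is out of rel32 range
 * (only possible with 64-bit addresses). */
int encode_jmp_rel32(uintptr_t src, uintptr_t dst, uint8_t out[JMP_LEN])
{
    int64_t disp = (int64_t)dst - (int64_t)(src + JMP_LEN);
    if (disp > INT32_MAX || disp < INT32_MIN)
        return 0;
    uint32_t rel = (uint32_t)(int32_t)disp;          /* two's complement */
    out[0] = JMP_OPCODE;
    for (int i = 0; i < 4; i++)                      /* little-endian rel32 */
        out[1 + i] = (uint8_t)(rel >> (8 * i));
    return 1;
}

/* Inverse: the address a "jmp rel32" at src goes to, or 0 if not an E9 jmp. */
uintptr_t decode_jmp_rel32(uintptr_t src, const uint8_t in[JMP_LEN])
{
    if (in[0] != JMP_OPCODE)
        return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)in[1 + i] << (8 * i);
    return (uintptr_t)((int64_t)(src + JMP_LEN) + (int32_t)rel);
}

/* Same bookkeeping as the posted AdressEs struct (hypothetical name). */
typedef struct {
    uintptr_t target;          /* hooked function, e.g. FindNextFileW */
    uint8_t   saved[JMP_LEN];  /* original first bytes, restored on unhook */
    int       installed;
} HookRecord;

/* 'code' is a writable view of the bytes that live at address 'base'. Inside
 * the target process, after VirtualProtect(PAGE_EXECUTE_READWRITE), code is
 * simply (uint8_t *)base; here it is a buffer so the math can be checked. */
int hook_install(HookRecord *h, uint8_t *code, uintptr_t base,
                 uintptr_t target, uintptr_t detour)
{
    uint8_t *site = code + (target - base);
    uint8_t patch[JMP_LEN];
    if (!encode_jmp_rel32(target, detour, patch))
        return 0;
    memcpy(h->saved, site, JMP_LEN);   /* DumpFirstBytesBeforePatch() */
    memcpy(site, patch, JMP_LEN);      /* HoonOnAddress() */
    h->target = target;
    h->installed = 1;
    return 1;
}

/* UnHookOnAddress(): put the original bytes back. */
void hook_remove(HookRecord *h, uint8_t *code, uintptr_t base)
{
    if (!h->installed)
        return;
    memcpy(code + (h->target - base), h->saved, JMP_LEN);
    h->installed = 0;
}

/* Round trip over a constructed code page: install, decode, remove, compare.
 * Returns 1 when every check passes. */
int selftest(void)
{
    /* 8B FF 55 8B EC = "mov edi,edi / push ebp / mov ebp,esp", the usual
     * hot-patchable Win32 API prologue; the rest is filler. Both addresses
     * are hypothetical: one in a system DLL, one in the injected DLL. */
    uint8_t page[16] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    const uint8_t orig[JMP_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    const uintptr_t base = 0x7C801000u, detour = 0x10001000u;
    HookRecord h = { 0 };
    int ok = 1;

    ok &= hook_install(&h, page, base, base, detour);
    ok &= page[0] == JMP_OPCODE;
    ok &= decode_jmp_rel32(base, page) == detour;   /* backward jump: negative rel32 */
    ok &= page[5] == 0x83;                          /* bytes after the patch untouched */
    hook_remove(&h, page, base);
    ok &= memcmp(page, orig, JMP_LEN) == 0;

    ok &= hook_install(&h, page, base, base, base + 0x1234);  /* forward jump */
    ok &= decode_jmp_rel32(base, page) == base + 0x1234;
    hook_remove(&h, page, base);
    ok &= memcmp(page, orig, JMP_LEN) == 0;
    return ok;
}

int main(void)
{
    int ok = selftest();
    printf("jmp rel32 round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Because the posted hook restores the original bytes before calling through and re-patches afterwards, the saved bytes are never executed out of place, so no instruction-length decoding is needed; the cost is a window in which another thread calling FindNextFileW runs it unhooked, and the page has to stay writable for every re-patch. A buffer-level check like this cannot catch the mistake that actually crashed explorer.exe: the detour must be declared with the target's calling convention (WINAPI, i.e. __stdcall, for the Win32 API) so that it pops its own arguments before returning, as the reply above says.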