Jump to content
Tuts 4 You

FindNextFileW hook ok but...

DarkInjection

By DarkInjection
in Programming and Coding

Recommended Posts

DarkInjection

DarkInjection

Posted
Posted

hello there im trying to make some usermode hooks to explorer.exe process

my first goal is to hook findnextfileW api but when im going to open a directory

explorer crashes.I have spot an access violation but i cant spot why that happened

here is my source code

diafora.h


typedef struct AdressEs{	//....target
	DWORD FindNextFileW_;
	//....redirect
	DWORD FindNextFile_;
	//...data
	BYTE FindNextFileData[6];
}AdressEs;void HoonOnAddress(DWORD addr,DWORD dst);
void UnHoonOnAddress(DWORD addr,BYTE *patch);
int JMP(DWORD func,DWORD tramboline);
bool FindNextFile_(HANDLE hAndle,WIN32_FIND_DATAW *FileData);
void DumpFirstBytesBeforePatch(DWORD addr);
void InitializeHook();DWORD prot = 0;
AdressEs placeS;

hook_FindNextFileW.cpp


#include <windows.h>
#include "diafora.h"
/*
targets:
FindNextFileW
*/
#define TEST_FILE "cmd.exe"
#define nAked __declspec( naked )
void HoonOnAddress(DWORD addr,DWORD dst){	VirtualProtect((void*)addr,5,PAGE_EXECUTE_READWRITE,&prot);	*(BYTE*)(addr) = 0xe9; //jmp
	*(int*)(addr+1) = dst;}
void DumpFirstBytesBeforePatch(DWORD addr,BYTE *data){	//AdressEs placeS; //it will be replaced cos i will put more functions to hooak	for(int i = 0; i < 5; i++){
		data[i] = *(BYTE*)(addr+i);
	}}
void UnHookOnAddress(DWORD addr,BYTE *patch){	for(int i = 0; i < 5; i++){		*(BYTE*)(addr+i) = patch[i];
	}	//VirtualProtect((void*)addr,5,prot,&prot);}
int JMP(DWORD func,DWORD tramboline){	return (DWORD)(func - tramboline) - 5;
}bool FindNextFile_(HANDLE hAndle,LPWIN32_FIND_DATAW FileData){	bool returned = false;	UnHookOnAddress((DWORD)placeS.FindNextFileW_,(BYTE*)placeS.FindNextFileData);
	/*
		code will be placed here
	*/
	returned = (bool)(FindNextFileW(hAndle,FileData));
	HoonOnAddress((DWORD)placeS.FindNextFileW_,(DWORD)JMP(placeS.FindNextFile_,placeS.FindNextFileW_));
	return (bool)returned;
}void InitializeHook(){	placeS.FindNextFileW_ = (DWORD)GetProcAddress(GetModuleHandle("kernel32"),"FindNextFileW");
	placeS.FindNextFile_ = (DWORD)(FindNextFile_);	DumpFirstBytesBeforePatch((DWORD)placeS.FindNextFileW_,(BYTE *)placeS.FindNextFileData);
	HoonOnAddress((DWORD)placeS.FindNextFileW_,(DWORD)JMP(placeS.FindNextFile_,placeS.FindNextFileW_));}bool WINAPI DllMain(HANDLE hAndle, DWORD reason , LPVOID no){	if(reason == 1){		CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)InitializeHook,NULL,NULL,0);	}	return TRUE;
}

compiled with VSCPP 6.0

atom0s

atom0s

Posted
Posted

Windows API have a calling convention of __stdcall, most compilers are set to have functions default to __cdecl though. Try adding __stdcall to your hook function.

bool __stdcall FindNextFile_(HANDLE hAndle,LPWIN32_FIND_DATAW FileData){
DarkInjection

DarkInjection

Posted
  • Author
Posted

solved THNX alot u save my day(night):)

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...