Jump to content
Tuts 4 You

FindNextFileW hook ok but...


DarkInjection

Recommended Posts

DarkInjection
Posted

hello there im trying to make some usermode hooks to explorer.exe process

my first goal is to hook findnextfileW api but when im going to open a directory

explorer crashes.I have spot an access violation but i cant spot why that happened

here is my source code

diafora.h


typedef struct AdressEs{ //....target
DWORD FindNextFileW_;
//....redirect
DWORD FindNextFile_;
//...data
BYTE FindNextFileData[6];
}AdressEs;void HoonOnAddress(DWORD addr,DWORD dst);
void UnHoonOnAddress(DWORD addr,BYTE *patch);
int JMP(DWORD func,DWORD tramboline);
bool FindNextFile_(HANDLE hAndle,WIN32_FIND_DATAW *FileData);
void DumpFirstBytesBeforePatch(DWORD addr);
void InitializeHook();DWORD prot = 0;
AdressEs placeS;

hook_FindNextFileW.cpp


#include <windows.h>
#include "diafora.h"
/*
targets:
FindNextFileW
*/
#define TEST_FILE "cmd.exe"
#define nAked __declspec( naked )
void HoonOnAddress(DWORD addr,DWORD dst){ VirtualProtect((void*)addr,5,PAGE_EXECUTE_READWRITE,&prot); *(BYTE*)(addr) = 0xe9; //jmp
*(int*)(addr+1) = dst;}
void DumpFirstBytesBeforePatch(DWORD addr,BYTE *data){ //AdressEs placeS; //it will be replaced cos i will put more functions to hooak for(int i = 0; i < 5; i++){
data[i] = *(BYTE*)(addr+i);
}}
void UnHookOnAddress(DWORD addr,BYTE *patch){ for(int i = 0; i < 5; i++){ *(BYTE*)(addr+i) = patch[i];
} //VirtualProtect((void*)addr,5,prot,&prot);}
int JMP(DWORD func,DWORD tramboline){ return (DWORD)(func - tramboline) - 5;
}bool FindNextFile_(HANDLE hAndle,LPWIN32_FIND_DATAW FileData){ bool returned = false; UnHookOnAddress((DWORD)placeS.FindNextFileW_,(BYTE*)placeS.FindNextFileData);
/*
code will be placed here
*/
returned = (bool)(FindNextFileW(hAndle,FileData));
HoonOnAddress((DWORD)placeS.FindNextFileW_,(DWORD)JMP(placeS.FindNextFile_,placeS.FindNextFileW_));
return (bool)returned;
}void InitializeHook(){ placeS.FindNextFileW_ = (DWORD)GetProcAddress(GetModuleHandle("kernel32"),"FindNextFileW");
placeS.FindNextFile_ = (DWORD)(FindNextFile_); DumpFirstBytesBeforePatch((DWORD)placeS.FindNextFileW_,(BYTE *)placeS.FindNextFileData);
HoonOnAddress((DWORD)placeS.FindNextFileW_,(DWORD)JMP(placeS.FindNextFile_,placeS.FindNextFileW_));}bool WINAPI DllMain(HANDLE hAndle, DWORD reason , LPVOID no){ if(reason == 1){ CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)InitializeHook,NULL,NULL,0); } return TRUE;
}

compiled with VSCPP 6.0

Posted

Windows API have a calling convention of __stdcall, most compilers are set to have functions default to __cdecl though. Try adding __stdcall to your hook function.

bool __stdcall FindNextFile_(HANDLE hAndle,LPWIN32_FIND_DATAW FileData){
DarkInjection
Posted

solved THNX alot u save my day(night):)

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...