EDN Admin
Well-known member
Hey all,<br/> <br/> I am trying to write a simple DLL which will detour the function LdrGetProcedureAddress from within ntdll.dll and log the parameters of the call. The problem is, I my DLL causes the applications to close when I inject. My code is below (note that the log class simply streams output to a text file):<br/> <br/>
<pre lang="x-c# /* Includes */
#include <windows.h>
#include "./msdetours/detours.h"
#include "./log/log.h"
#include "./ntddk/NT_DDK.h"
/* Typedef / Variables */
typedef NTSTATUS (NTAPI* Type_LdrGetProcedureAddress)(IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Oridinal OPTIONAL, OUT PVOID *FunctionAddress );
Type_LdrGetProcedureAddress OriginalGetProcedureAddress = 0;
cLog MyLog;
/* Hooked LdrGetProcedureAddress */
NTSTATUS NTAPI Hooked_LdrGetProcedureAddress(IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Oridinal OPTIONAL, OUT PVOID *FunctionAddress)
{
MyLog.Log("Function Called! Module Handle: [%x], Function Name: [%s], Ordinal: [%s], Function Address: [%x]", ModuleHandle, FunctionName, Oridinal, FunctionAddress);
return (OriginalGetProcedureAddress)(ModuleHandle,OPTIONAL FunctionName, OPTIONAL Oridinal, FunctionAddress);
}
/* DLL Main */
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
if(fdwReason == DLL_PROCESS_ATTACH)
{
MyLog.Initialise((HMODULE)hinstDLL, "nt_api_hook.txt");
MyLog.Log("Started, Attemping Detour...");
OriginalGetProcedureAddress = (Type_LdrGetProcedureAddress)DetourFunction((unsigned char*)GetProcAddress(LoadLibrary("ntdll.dll"),"LdrGetProcedureAddress"), (unsigned char*)Hooked_LdrGetProcedureAddress);
}
return true;
}
[/code]
<br/> I think it is to do with my call to GetProcAddress to locate the function, but I know the function exists at that address as I have logged the address and checked it within a debugger. Also note I am using MSDETOURS 1.5 & the NT_DDK header is from the Miscrosoft DDK. Can anyone see why this crashes?<br/> <br/> - Calvin
View the full article
<pre lang="x-c# /* Includes */
#include <windows.h>
#include "./msdetours/detours.h"
#include "./log/log.h"
#include "./ntddk/NT_DDK.h"
/* Typedef / Variables */
typedef NTSTATUS (NTAPI* Type_LdrGetProcedureAddress)(IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Oridinal OPTIONAL, OUT PVOID *FunctionAddress );
Type_LdrGetProcedureAddress OriginalGetProcedureAddress = 0;
cLog MyLog;
/* Hooked LdrGetProcedureAddress */
NTSTATUS NTAPI Hooked_LdrGetProcedureAddress(IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Oridinal OPTIONAL, OUT PVOID *FunctionAddress)
{
MyLog.Log("Function Called! Module Handle: [%x], Function Name: [%s], Ordinal: [%s], Function Address: [%x]", ModuleHandle, FunctionName, Oridinal, FunctionAddress);
return (OriginalGetProcedureAddress)(ModuleHandle,OPTIONAL FunctionName, OPTIONAL Oridinal, FunctionAddress);
}
/* DLL Main */
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
if(fdwReason == DLL_PROCESS_ATTACH)
{
MyLog.Initialise((HMODULE)hinstDLL, "nt_api_hook.txt");
MyLog.Log("Started, Attemping Detour...");
OriginalGetProcedureAddress = (Type_LdrGetProcedureAddress)DetourFunction((unsigned char*)GetProcAddress(LoadLibrary("ntdll.dll"),"LdrGetProcedureAddress"), (unsigned char*)Hooked_LdrGetProcedureAddress);
}
return true;
}
[/code]
<br/> I think it is to do with my call to GetProcAddress to locate the function, but I know the function exists at that address as I have logged the address and checked it within a debugger. Also note I am using MSDETOURS 1.5 & the NT_DDK header is from the Miscrosoft DDK. Can anyone see why this crashes?<br/> <br/> - Calvin
View the full article