Problem with Detours

[unbekannt1]

Hello,
i just started playing around with detours. Hooking Winapi functions works fine, but i have trouble with detouring e.g. a notepad function.

My Code is :

Code:

#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")


int (__stdcall* InsertDateTime)(int x); 


int MyInsertDateTime(int x)
{
	MessageBoxA( NULL, "A", "a", MB_OK);
	return InsertDateTime(x);
}

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
	if(DLL_PROCESS_ATTACH == Reason)
	{
		InsertDateTime = (int (__stdcall*)(int))DetourFunction((PBYTE)0x0100978A, (PBYTE)MyInsertDateTime);
		
	}
	return TRUE;
}

It looks right for me, but Winject won't inject the compiled .dll. I always get an error. The error seems to be here

Code:

(PBYTE)0x0100978A

, but it is the right address.

[flo8464]

This is a number, not a function.

Detours requires a pointer on a functionpointer btw, else it will deadlock.

Code:

int (__stdcall* InsertDateTime_Ptr)(int x); 
InsertDateTime_Ptr InsertDateTime = reinterpret_cast<InsertDateTime_Ptr>(0x0100978A);

Now pass this functionpointer instead of the number.

[unbekannt1]

thx for your reply. i changed my code to:

Code:

#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")

int (__stdcall* InsertDateTime)(int x); 
typedef int (__stdcall* InsertDateTime_Ptr)(int x); 

int MyInsertDateTime(int x)
{
	MessageBoxA( NULL, "A", "a", MB_OK);
	return InsertDateTime(x);
}

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
	if(DLL_PROCESS_ATTACH == Reason)
	{
		InsertDateTime_Ptr InsertDateTime = reinterpret_cast<InsertDateTime_Ptr>(0x0100978A);
		InsertDateTime = (int (__stdcall*)(int))DetourFunction((PBYTE)&InsertDateTime, (PBYTE)MyInsertDateTime);
		
	}
	return TRUE;
}

I can inject the dll now but i get an error which says " Run-Time Check Failure #2 - Stack around the variable 'InsertDateTime' was corrupted"

I am really helpless^^

[flo8464]

You know that data from the stack "is removed" after the scope is left, correct?
Define your pointer outside the function or static, else it will become invalid after the scope is left.

[unbekannt1]

yes i know....i fixed it...stupid mistake...now i can inject without any problems

BUT^^
the detour doesnt work...no message box opens...and it's 100% the correct address, i just looked it up in ida.

Code:

#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")

typedef int (__stdcall* InsertDateTime_Ptr)(int x); 
InsertDateTime_Ptr InsertDateTime = reinterpret_cast<InsertDateTime_Ptr>(0x0100978A);

int MyInsertDateTime(int x)
{
	MessageBoxA( NULL, "Detoured", "Detoured", MB_OK);
	return InsertDateTime(x);
}

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
	if(DLL_PROCESS_ATTACH == Reason)
	{
		InsertDateTime = (int (__stdcall*)(int))DetourFunction((PBYTE)&InsertDateTime, (PBYTE)&MyInsertDateTime);
	}
	return TRUE;
}

Everything right now, or?

[Cypher]

What OS are you running?

I know for a fact that programs like Notepad have ASLR enabled by default on Windows 7, and almost certainly on Vista too.

You should be using RVAs, not VAs.

[unbekannt1]

I am running Windows 7 on my system!

I am new at detouring and all this memory stuff so i dont know what ASLR , RVAs are. I hope google will tell me^^

Edit:
Ok i found some information about Address Space Layout Randomization and see the problem now.
I am trying to find the relative virtual address(rva) for the function now. I found something :

Offset = address - imagebase
newAdress = offset + HMODULE

I tried this, but it didnt work for me. Could somebody please explain me how to calculate the rva?

[Cypher]

If you can't work out how to calculate an RVA you shouldn't be using Detours to begin with.

I'm not trying to be an *******, I'm just trying to point out that there's obviously a gap in knowledge that will come back to bite you in the ass later on down the track.

I'll give you a quick explanation, but you should really do some reading about Windows and how virtual memory works. Check out the book "Windows via C++", it has a fairly comprehensive section on it.

An RVA is a 'relative virtual address' (as opposed to an absolute virtual address). So what you need to do is take the address of the function in IDA, subtract the base address that IDA is using, and you'll have your RVA. Then you need to get the base address of Notepad at runtime (Hint: GetModuleHandle) and add your RVA to it.

[kolis764]

If you can't work out how to calculate an RVA you shouldn't be using Detours to begin with.

Well know he knows. Sometimes you have to actually get into and stop readings books. Its even better when you have dynamic resources ; )

[Cypher]

Well know he knows. Sometimes you have to actually get into and stop readings books. Its even better when you have dynamic resources ; )

Your logic is retarded.

What he SHOULD have done is read up on virtual memory a bit, then he could "get into" that. Then once he has a decent grasp on that he can move onto other more 'advanced' topics in which knowledge of virtual memory is a prerequisite.

The "just get into it" approach doesn't work if you don't have the necessary fundamentals down. You're just going to waste your own time and the time of others.

[unbekannt1]

Thx Cypher, i ordered the book, i hope it will come soon.

My new Code is

Code:

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
	if(DLL_PROCESS_ATTACH == Reason)
	{
		DWORD a = reinterpret_cast<DWORD>(GetModuleHandleA("notepad.exe")) + 0x978A;
		InsertDateTime = reinterpret_cast<InsertDateTime_Ptr>(a);
		InsertDateTime = reinterpret_cast<InsertDateTime_Ptr>(DetourFunction((PBYTE)&InsertDateTime, (PBYTE)&MyInsertDateTime));
	}
	return TRUE;
}

InserDateTime Adress in IDA : 0100978A
Imagebase : 1000000

so i get rva = 0100978A - 1000000 = 0x978A

then i get the notepad base with GetModuleHandleA("notepad.exe") and add my rva to get the right adress. But the detour still doesn't work....

[flo8464]

Don't assign the result of DetourFunction, which is probably a long containing an errorcode, to your function pointer...

And don't cast your own function, just pass it and no reference...

Code:

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
	if(DLL_PROCESS_ATTACH == Reason)
	{
		DWORD a = reinterpret_cast<DWORD>(GetModuleHandleA("notepad.exe")) + 0x978A;
		InsertDateTime = reinterpret_cast<InsertDateTime_Ptr>(a);
		LONG result = DetourFunction((PBYTE)&InsertDateTime, MyInsertDateTime);
	}
	return TRUE;
}

[unbekannt1]

Code:

LONG result = DetourFunction((PBYTE)&InsertDateTime, MyInsertDateTime);

Doesnt work because DetourFunctions returns a PBYTE and i get the error:
error C2664: 'DetourFunction' : cannot convert parameter 2 from 'int (__cdecl *)(int)' to 'PBYTE'

So i changed the code to

Code:

PBYTE result = DetourFunction((PBYTE)&InsertDateTime, MyInsertDateTime);

and then i get the error: error C2664: 'DetourFunction' : cannot convert parameter 2 from 'int (__cdecl *)(int)' to 'PBYTE'

Edit:
I think DetourFunction returns the adress of the trampolinfunction, right? So i cant't put it in a Long variable

[Apoc]

Try

Code:

LONG result = DetourFunction((PBYTE)&InsertDateTime, (PBYTE)&MyInsertDateTime);

You really need to learn how to read the errors. (cannot convert parameter 2)

[unbekannt1]

ok thx to all it is workign now!

Code:

#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")

typedef int (__stdcall* InsertDateTime_Ptr)(int x); 
InsertDateTime_Ptr InsertDateTime;

int MyInsertDateTime(int x)
{
	MessageBoxA( NULL, "Detoured", "Detoured", MB_OK);
	return InsertDateTime(x);
}



INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
	if(DLL_PROCESS_ATTACH == Reason)
	{
		DWORD a = reinterpret_cast<DWORD>(GetModuleHandleA("notepad.exe")) + 0x978A;
		InsertDateTime = reinterpret_cast<InsertDateTime_Ptr>(DetourFunction((PBYTE)a, (PBYTE)&MyInsertDateTime));
	}
	return TRUE;
}