0

I'm using:

MS VS 10

Detours v3.0 Express

The complete source code of the DLL:

```cpp
#include <windows.h>
#include <detours.h>
#include <fstream>   // std::ofstream, std::endl
using namespace std;

#pragma comment(lib,"detours.lib")

ofstream prclist; // log of the names passed to GetProcAddress

// Pointer to the real GetProcAddress; Detours redirects it to the trampoline.
FARPROC (WINAPI * pGetProcAddress)(HMODULE hModule,LPCSTR lpProcName) = GetProcAddress;
FARPROC WINAPI  myGetProcAddress(HMODULE hModule,LPCSTR lpProcName);
FARPROC WINAPI  myGetProcAddress(HMODULE hModule,LPCSTR lpProcName)
{
    prclist << lpProcName << endl; // <- ACCESS_VIOLATION READ
    return pGetProcAddress( hModule, lpProcName);
}

BOOL APIENTRY DllMain(HINSTANCE hDLL, DWORD reason, LPVOID reserved)
{
    switch(reason)
    {
        case DLL_PROCESS_ATTACH:
        {
            // Open the log, then install the hook.
            prclist.open("proclst.log",ios::out | ios::app );
            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach(&(PVOID&)pGetProcAddress, myGetProcAddress);
            DetourTransactionCommit();
            break;
        }
        case DLL_PROCESS_DETACH:
        {
            // Close the log and remove the hook.
            prclist.close();
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)pGetProcAddress, myGetProcAddress);
            DetourTransactionCommit();
            break;
        }
    }
    return TRUE;
}
```

I'm trying to view the list of functions received by GetProcAddress. But after start, the program closes with an error: "ACCESS_VIOLATION, UNABLE_TO_READ"

Can somebody suggest how to fix it?

NORM_4EL
  • 2
    Can you trap the AV in a debugger and examine the call stack, etc? – Scott Jones Jun 02 '13 at 12:43
  • Sorry, this code doesn't cause an error. I forgot to add `prclist << lpProcName << endl;`, which causes the error. – NORM_4EL Jun 02 '13 at 12:53
  • I updated the source code. – NORM_4EL Jun 02 '13 at 12:56
  • Result: proclst.log
    ... DecodePointer
    DecodePointer
    EncodePointer
    DecodePointer
    DecodePointer
    DecodePointer
    EncodePointer
    DecodePointer
    DecodePointer
    DecodePointer
    IsDebuggerPresent

    and This application has encountered a critical error: Program: Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:604DD950 The instruction at '0x604DD950' referenced memory at '0x00000068'. The memory could not be 'read'. Press OK to terminate the application. --------------------------- ОК ---------------------------
    – NORM_4EL Jun 02 '13 at 13:11
  • This helps a lot. The code is dereferencing an object pointer to read a member. The pointer is null and the member is 104 bytes offset, resulting in the failure to read at 0x00000068. – Scott Jones Jun 02 '13 at 15:27

2 Answers

2

From the GetProcAddress() reference page, for lpProcName:

The function or variable name, or the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.

This means it might not be a pointer to a string, but the replacement function always treats it as such. This is a possible cause of the access violation, as it will be using an integer value (182 for example) as the starting memory address of a null-terminated string.

Use HIWORD() to correct:

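```cpp
if (HIWORD(lpProcName))
{
    // High-order word is non-zero: lpProcName points to a string.
    prclist << "name: " << lpProcName << std::endl;
}
else
{
    // High-order word is zero: the value itself is the ordinal.
    // DWORD_PTR is pointer-sized, so the cast also compiles for x64.
    prclist << "ordinal: " << reinterpret_cast<DWORD_PTR>(lpProcName) << std::endl;
}
```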
hmjd
  • @DOLBOEB: [Don't use `IsBadReadPtr`](http://blogs.msdn.com/b/oldnewthing/archive/2006/09/27/773741.aspx). Check the high order word explicitly. – Hasturkun Jun 02 '13 at 18:14
0

See my comment. Looks like the stream just needs to be tested for being open before insertion operators (<<) are used on it.

Scott Jones
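The checks from both answers (name versus ordinal, and an open log stream) combined into one logging helper, as an added example that is not part of the original posts. It is portable C++ without `<windows.h>`; `is_ordinal`, `describe_proc_name` and `log_proc_name` are hypothetical names, and `name` stands in for `lpProcName`. The ordinal test looks at every bit above the low-order word, so it also holds in a 64-bit process.

```cpp
// Added example (not from the original posts); portable C++, no <windows.h>.
#include <cstdint>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

// lpProcName is either a pointer to a NUL-terminated name or an ordinal held in
// the low-order word with all higher bits zero. Checking every bit above the
// low word keeps the test correct for 64-bit pointers as well.
bool is_ordinal(const char* name) {
    return (reinterpret_cast<std::uintptr_t>(name) >> 16) == 0;
}

// Build the log text without ever dereferencing an ordinal (or NULL) value.
std::string describe_proc_name(const char* name) {
    std::ostringstream out;
    if (is_ordinal(name))
        out << "ordinal: " << (reinterpret_cast<std::uintptr_t>(name) & 0xFFFF);
    else
        out << "name: " << name;
    return out.str();
}

// Append one line only when the log file is open and healthy.
// Returns false when the entry had to be skipped.
bool log_proc_name(std::ofstream& log, const char* name) {
    if (!log.is_open() || !log.good()) return false;
    log << describe_proc_name(name) << '\n';
    return log.good();
}

int main() {
    // Constructed inputs: one by-name lookup and one by-ordinal lookup (182).
    const char* by_name = "DecodePointer";
    const char* by_ordinal = reinterpret_cast<const char*>(std::uintptr_t{182});
    std::cout << describe_proc_name(by_name) << '\n'
              << describe_proc_name(by_ordinal) << '\n';
    std::ofstream never_opened;  // models a log file that was never opened
    std::cout << std::boolalpha << log_proc_name(never_opened, by_name) << '\n';
}
```

In the Detours hook, the logging line becomes `log_proc_name(prclist, lpProcName);` before the call through `pGetProcAddress`.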