
I am reverse engineering this program. Before I start, I would like to make it clear I own the program legally and do not plan to "crack" it for the purpose of redistribution.

Said program makes use of quite a lot of anti-debugging techniques "from the book". I decided to hook GetProcAddress and log all APIs, later identifying those that might be used for anti-debugging. After using the code from this tutorial http://www.codeproject.com/Articles/30140/API-Hooking-with-MS-Detours the program eventually crashes from stack corruption. I googled and found that other people also get stack corruption when hooking GetProcAddress: https://easyhook.codeplex.com/discussions/55039

My question is whether hooking GetProcAddress leads to stack corruption, or whether the program's anti-debugging techniques detect meddling and cause the stack corruption themselves?


1 Answer


In general, hooking GetProcAddress does not cause stack corruption. I have written several tools that do it all the time and those have worked for years on all versions of Windows from Windows 95 through Windows 8.1.

So it's probably something they are doing explicitly to annoy you ;)

  • In addition to anti-hooking/anti-debugging, the cause may simply be an incorrect hook: wrong calling convention, wrong argument types, wrong number of arguments, etc. – nobody Jun 23 '14 at 15:39
  • Andrew was correct. My declaration of my custom GetProcAddress function had a wrong declaration. I had declared it FARPROC MyFunction; what I had to use was FARPROC WINAPI MyFunction. What is weird here is that WINAPI does mean __stdcall, and FARPROC is a typedef of a function pointer that also had WINAPI *, so in essence it was double __stdcall. – farmdve Jun 23 '14 at 20:34
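The mix-up in the last comment is worth spelling out: the WINAPI inside the FARPROC typedef describes the calling convention of the pointer GetProcAddress returns, not of the function doing the returning, so the hook needs its own WINAPI as well. On 32-bit Windows a __stdcall callee pops its arguments; if the detour is compiled as __cdecl it leaves them on the stack, the caller (which expects __stdcall) does not clean them up either, and ESP drifts by 8 bytes on every GetProcAddress call until the stack is unusable. On x64 there is a single calling convention, so this particular mistake only bites 32-bit builds. The following is an added example, not the asker's code or the CodeProject tutorial's, of a correctly declared Detours hook that logs every lookup and flags the names textbook anti-debug checks resolve at run time. The Detours DLL portion is Windows-only; the two helpers above the #ifdef are plain C so the logic can be built and checked anywhere. The log path, the watch list and the function names are assumptions for the example.

```c
/* gpa_hook.c: hypothetical GetProcAddress logger (added example, not the
 * asker's code). On Windows, build as a DLL against Microsoft Detours and
 * inject it into the target. The helpers above the #ifdef are portable C. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <detours.h>
#else
/* Stand-ins so the portable helpers build on a non-Windows host. */
#define WINAPI
typedef const char *LPCSTR;
typedef uintptr_t ULONG_PTR;
#endif

/* Names that "by the book" anti-debug checks typically resolve at run time.
 * Constructed watch list for the example; extend it for the target. */
static const char *const kAntiDebugApis[] = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess", "NtSetInformationThread",
    "NtQuerySystemInformation", "OutputDebugStringA", "OutputDebugStringW",
    "GetThreadContext", "SetUnhandledExceptionFilter",
    "CreateToolhelp32Snapshot", "FindWindowA", "FindWindowW",
};

/* 1 if the resolved name is on the watch list, else 0. */
int is_antidebug_api(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof kAntiDebugApis / sizeof kAntiDebugApis[0]; i++)
        if (strcmp(name, kAntiDebugApis[i]) == 0)
            return 1;
    return 0;
}

/* GetProcAddress takes either a name or an ordinal. An ordinal arrives as a
 * "pointer" whose value fits in 16 bits (the IS_INTRESOURCE rule), so that
 * must be checked before the argument is read as a string. Writes a printable
 * form into out; returns 1 for a name, 0 for an ordinal. */
int describe_proc(LPCSTR lpProcName, char *out, size_t cap)
{
    if (((ULONG_PTR)lpProcName >> 16) == 0) {
        snprintf(out, cap, "#%u", (unsigned)((ULONG_PTR)lpProcName & 0xFFFFu));
        return 0;
    }
    snprintf(out, cap, "%s", lpProcName);
    return 1;
}

#ifdef _WIN32
static HANDLE g_log = INVALID_HANDLE_VALUE;

/* Trampoline to the real function. The pointer type carries WINAPI so calls
 * through it use __stdcall on x86, matching kernel32's export. */
static FARPROC (WINAPI *Real_GetProcAddress)(HMODULE, LPCSTR) = GetProcAddress;

/* The detour must carry the target's calling convention: FARPROC WINAPI, not
 * just FARPROC. A __cdecl hook would leave its 8 bytes of arguments on the
 * stack after every call and the caller's frame would drift until it crashed. */
static FARPROC WINAPI Mine_GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    char what[256], line[320];
    DWORD written;
    FARPROC result;
    int is_name = describe_proc(lpProcName, what, sizeof what);

    result = Real_GetProcAddress(hModule, lpProcName);

    /* Log to a file, not OutputDebugString: that API is itself on the watch
     * list and is a common anti-debug probe. */
    if (g_log != INVALID_HANDLE_VALUE) {
        int n = snprintf(line, sizeof line, "%p %s%s -> %p\r\n", (void *)hModule, what,
                         (is_name && is_antidebug_api(what)) ? " [ANTIDEBUG]" : "",
                         (void *)(ULONG_PTR)result);
        if (n > 0) WriteFile(g_log, line, (DWORD)n, &written, NULL);
    }
    return result;
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        /* Assumed log path for the example. */
        g_log = CreateFileA("C:\\temp\\gpa.log", FILE_APPEND_DATA, FILE_SHARE_READ, NULL,
                            OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach((PVOID *)&Real_GetProcAddress, (PVOID)Mine_GetProcAddress);
        DetourTransactionCommit();
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach((PVOID *)&Real_GetProcAddress, (PVOID)Mine_GetProcAddress);
        DetourTransactionCommit();
        if (g_log != INVALID_HANDLE_VALUE) CloseHandle(g_log);
    }
    return TRUE;
}
#endif
```

Two caveats when reading the log. The hook only sees lookups that go through kernel32's GetProcAddress; a target that walks the export table itself or calls LdrGetProcedureAddress will not show up, so an empty log for a name you expect is not proof the check is absent. And on x86, if the log stops partway through startup with the same crash as before, compare the detour's declaration against the target's prototype first, including the calling convention, before assuming the program noticed the hook.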