
I am using EasyHook to inject a DLL into a 64-bit application. The basic hooking seems to work, but as soon as the DLL calls the "LhInstallHook" method the injected application crashes. I think that I have found the right address/offset for the desired function. Therefore I suspect some of my code (in the DLL) being corrupt.

Injector:

#include <easyhook.h>

// Injects the 64-bit DLL at dllToInject (full path) into the process processId
NTSTATUS Inject(ULONG processId, WCHAR* dllToInject)
{
    NTSTATUS nt = RhInjectLibrary(
        processId,      // The process to inject into
        0,              // ThreadId to wake up upon injection
        EASYHOOK_INJECT_DEFAULT,
        NULL,           // 32-bit DLL path (none, the target is 64-bit)
        dllToInject,    // 64-bit DLL path
        NULL,           // data to send to injected DLL entry point
        0               // size of data to send
    );
    return nt;
}

DLL:

#include <windows.h>
#include <easyhook.h>

typedef unsigned char _BYTE;                    // IDA-style byte type used in the struct below

struct Player {
    _BYTE gap0[128];
    __int64 saleStats;
    _BYTE gap88[104];
    int health;
    int units;
};

typedef __int64 func(Player*, int);
func* FunctionBase = (func*)0x7FF7E4513F3D;    // Function address found by debugging assembly

__int64 FunctionHook(Player *playerRef, int unitsToAdd)
{
    Beep(500, 500);                             // Beep to signal success
    return FunctionBase(playerRef, unitsToAdd); // Execute base
}

HOOK_TRACE_INFO hHook = { NULL };               // Filled in by LhInstallHook

// Called from the DLL's injection entry point once RhInjectLibrary has loaded it
void InstallHook()
{
    NTSTATUS result = LhInstallHook( // This is the point where the host crashes
        (void*)0x7FF7E4513F3D,       // Function to hook
        (void*)FunctionHook,         // delegate
        NULL,                        // callback
        &hHook);                     // handler
}

I think that my use of the address/offset is wrong but I wasn't able to find resources on that.

Xenira

  • Hard-coding a function address is begging for trouble; why not just use `GetProcAddress()`? – MrEricSir Aug 16 '16 at 23:46
  • @MrEricSir this might be a dumb question, but GetProcAddress requires the name of the function I want to call. But the only thing I have is the offset location of that function. I have read that it might be a good approach to just find the entry point with GetProcAddress and calculate the function from the offset. What would be the smartest thing to do? – Xenira Aug 17 '16 at 05:44
  • I'm not entirely clear what you're asking. This type of hook is typically used to override a DLL's public API. If that's not what you're attempting, this may not be a good approach. – MrEricSir Aug 17 '16 at 06:22
  • @MrEricSir I am trying to extend a game that has no official modding support. Could you point me in the right direction of what to do if there is no public API? – Xenira Aug 17 '16 at 07:18
  • @Xenira hooking non-public APIs can be quite difficult, especially if you also have to reverse engineer the method signature. Be sure you have the calling convention and method signature exactly right. – Justin Stenning Nov 02 '16 at 07:06

0 Answers