
I have a hook on kernel32.dll's WriteFile command. The hook is being triggered, however, I am not able to read the buffer contents.

Goal: Msgbox shows the contents of the buffer being sent to the com port.

Issue: The msgbox is printing a seemingly-random series of numbers, which I am assuming is the memory address, instead of the actual contents of lpBuffer.

C++ code:

    #include <windows.h>
    #include <cstdio>

    // Detour installed over kernel32!WriteFile. The real WriteFile passes
    // lpNumberOfBytesWritten as LPDWORD, not LPWORD (typo in the original signature).
    void hookedFunc(HANDLE hfile, LPCVOID * lpBuffer, DWORD nNumberBytesToWrite, LPDWORD lpNumberofBytesWritten, LPOVERLAPPED lpOverlapped) {

        char *pString = reinterpret_cast<char *>(lpBuffer);

        //Msgbox - arg 1
        WCHAR szTest[45];
        swprintf_s(szTest, 45, L"%d|\n", pString);   // %d is given a pointer here (see the answers below)
        MessageBox(NULL, szTest, L"BUFFER CONTENTS", MB_OK);
        swprintf_s(szTest, 45, L"%d", nNumberBytesToWrite);
        MessageBox(NULL, szTest, L"TEST", MB_OK);

    }
user1698144

2 Answers


LPCVOID is a pointer (to a constant), lpBuffer is a pointer to that pointer. I imagine

const char* pString = reinterpret_cast<const char *>(*lpBuffer);

is what you want.

Captain Giraffe

In your sample, szTest will contain garbage because

swprintf_s(szTest, 45, L"%d|\n", pString);

says interpret pString as an integer (thanks to %d) and convert that integer to ASCII and store it at szTest.

So yes, you're printing an address, but possibly only part of it.

Addendum:

Captain Giraffe's answer points out another bug: You're looking at the wrong place for the string.

user4581301
  • Changing %d to %s causes the program to crash – user1698144 Oct 15 '16 at 21:04
  • @user1698144 Couple reasons for that. One's the bug Captain Giraffe points out in their answer, and the other is the `_s` functions default to aborting the program if the input is bad rather than trying to limp on after undefined behaviour. You have two bugs, not one. – user4581301 Oct 15 '16 at 22:28
  • Well, the sole purpose of the program is to find that value. After implementing Giraffe's fix, the msgbox does output, but it is all gibberish. Looks like the same Chinese character repeated over and over – user1698144 Oct 15 '16 at 23:15
  • Time to fire up the debugger and see what's really going on. What is in that buffer? Seeing as it is a pointer to a pointer are you sure that something is supposed to be there? Usually when you see a pointer to a pointer as a parameter, the function is expected to supply a pointer for someone else. – user4581301 Oct 15 '16 at 23:28
  • The buffer is supposed to contain a command to the serial port (0x0A, 0xA0, 0x50, 0x05). Looking at the pointer in VS debugger, shows it is pointing to the mem address 0x0c5cdb20. The issue seems to be with my casting and output to the msgbox? – user1698144 Oct 15 '16 at 23:38
  • Edit: Looking at the memory in debug, everything is correct. The WriteFile function I am hooking writes to a log file, before it writes to the comport. – user1698144 Oct 16 '16 at 16:35
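Putting the thread together (the parameter is `LPCVOID`, not `LPCVOID *`, and the buffer holds raw command bytes rather than text), here is an added example that is not the poster's or the answerers' code. `formatBuffer` hex-dumps exactly `nNumberOfBytesToWrite` bytes, and the Windows-only `hookedWriteFile` uses WriteFile's real signature; `pOriginalWriteFile` is an assumed trampoline pointer that the hooking library is expected to fill in.

```cpp
// Added example, not the poster's code: dump the bytes a hooked WriteFile receives.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Constructed sample: the serial command bytes mentioned in the comments.
const unsigned char kSampleCommand[] = {0x0A, 0xA0, 0x50, 0x05};
const std::size_t kSampleCommandLen = sizeof kSampleCommand;

// Render exactly nNumberOfBytesToWrite bytes as "0A A0 50 05". The buffer is binary,
// so it is walked by length; treating it as a NUL-terminated %s string would be wrong.
std::string formatBuffer(const void* lpBuffer, std::size_t nNumberOfBytesToWrite) {
    if (lpBuffer == nullptr) return "<null buffer>";
    const auto* p = static_cast<const std::uint8_t*>(lpBuffer);
    std::string out;
    char hex[4];
    for (std::size_t i = 0; i < nNumberOfBytesToWrite; ++i) {
        std::snprintf(hex, sizeof hex, "%02X", static_cast<unsigned>(p[i]));
        if (i != 0) out += ' ';
        out += hex;
    }
    return out;
}

#ifdef _WIN32
// Assumed trampoline to the original WriteFile, filled in by whatever hooking library is used.
BOOL (WINAPI *pOriginalWriteFile)(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED) = nullptr;

// Detour with WriteFile's real signature: lpBuffer is LPCVOID, not LPCVOID*.
BOOL WINAPI hookedWriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite,
                            LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped) {
    std::string text = formatBuffer(lpBuffer, nNumberOfBytesToWrite);
    // Narrow text goes to MessageBoxA. Feeding narrow bytes to a wide %s or MessageBoxW
    // pairs them up into UTF-16 code units, the usual cause of the repeated CJK glyphs.
    MessageBoxA(NULL, text.c_str(), "BUFFER CONTENTS", MB_OK);
    return pOriginalWriteFile(hFile, lpBuffer, nNumberOfBytesToWrite,
                              lpNumberOfBytesWritten, lpOverlapped);
}
#endif

int main() {
    std::printf("%s\n", formatBuffer(kSampleCommand, kSampleCommandLen).c_str());  // 0A A0 50 05
    return 0;
}
```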