I want to replace the LoadLibrary functions to prevent the loading of blacklisted DLLs that might be injected.

I copied the sample code from _win32.cpp for the LoadLibrary functions I will need. I used LoadLibraryW, LoadLibraryExW, LoadLibraryA and LoadLibraryExA. I am only showing one call, as they are all the same except for the function name.

DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());

LONG l = DetourDetach(&(PVOID&)Real_LoadLibraryA, Mine_LoadLibraryA);
if (l != 0)
{
  __debugbreak();
}

PVOID* ppbFailedPointer = nullptr;
LONG error = DetourTransactionCommitEx(&ppbFailedPointer);
if (error != 0)
{
  __debugbreak();
}

DetourDetach always returns ERROR_INVALID_BLOCK. I can run the samples fine, but they are all examples of injecting code using a DLL.

  • It is a documented error code, "function too small". Which isn't too surprising, LoadLibraryA() doesn't do much but convert its argument. You'd better detour LoadLibraryW(), the real one. Which then also detours the LoadLibraryA() compatibility shim, catching both is surely what you'd want. – Hans Passant Sep 29 '19 at 13:16
  • I tried LoadLibraryExW, LoadLibraryW and LoadLibraryExA. All return the same error. I only showed the one function since all are the same but the function names. – M. Twombley Sep 29 '19 at 13:23
  • Why would you not edit the question with this info?? Next likely reason is that it is already patched, anti-malware is highly interested in anybody messing with this winapi function for example. – Hans Passant Sep 29 '19 at 13:30

1 Answer

Thanks to anyone for looking; it was my stupid mistake. I called DetourDetach when I should have been calling DetourAttach.

I have it working now.
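An added example, not code from the original post: the blocklist decision a `Mine_LoadLibraryW` hook could make, followed by installing that hook with `DetourAttach` as the answer describes. The blocklist entries and the names `NormalizeModuleName`, `IsBlockedDll` and `InstallLoadLibraryHook` are assumptions made for illustration; the `_WIN32` section requires the Detours library.

```cpp
#include <cwctype>
#include <string>

// Constructed sample blocklist, lower-case file names (assumption, not from the post).
static const wchar_t* const kBlockedDlls[] = { L"badhook.dll", L"injected.dll" };

// Reduce a LoadLibrary argument to the lower-case file name the loader resolves.
std::wstring NormalizeModuleName(const wchar_t* arg) {
    std::wstring name(arg ? arg : L"");
    const size_t sep = name.find_last_of(L"\\/:");
    if (sep != std::wstring::npos) name.erase(0, sep + 1);  // drop directory/drive part
    for (wchar_t& c : name) c = static_cast<wchar_t>(std::towlower(c));
    if (!name.empty() && name.back() == L'.') {
        name.pop_back();   // a trailing '.' tells LoadLibrary not to append ".DLL"
    } else if (!name.empty() && name.find(L'.') == std::wstring::npos) {
        // Documented for names without a path; applied to paths too, which
        // errs on the side of blocking.
        name += L".dll";
    }
    return name;
}

bool IsBlockedDll(const wchar_t* arg) {
    const std::wstring name = NormalizeModuleName(arg);
    for (const wchar_t* blocked : kBlockedDlls)
        if (name == blocked) return true;
    return false;
}

#ifdef _WIN32
#include <windows.h>
#include <detours.h>

static HMODULE (WINAPI* Real_LoadLibraryW)(LPCWSTR) = LoadLibraryW;

static HMODULE WINAPI Mine_LoadLibraryW(LPCWSTR lpLibFileName) {
    if (IsBlockedDll(lpLibFileName)) {
        SetLastError(ERROR_ACCESS_DENIED);  // refuse the load
        return nullptr;
    }
    return Real_LoadLibraryW(lpLibFileName);
}

// Install with DetourAttach; DetourDetach only removes a hook that is already attached.
LONG InstallLoadLibraryHook() {
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)Real_LoadLibraryW, Mine_LoadLibraryW);
    return DetourTransactionCommit();
}
#endif
```

The same check would be called from the other LoadLibrary variants the question lists, each attached inside the same transaction.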