
I'm trying to inject the DLL into my other program and hook the win32 API function SetConsoleTitle so I can read what parameters are being passed. Everything seems to work except that the strings appear to be unreadable.

When I was hooking my function (non winapi) everything worked just fine.

SetConsoleTitle export and hooked functions:

```cpp
typedef BOOL(WINAPI* SetConsole)(LPCTSTR str);

BOOL SetConsoleHooked(LPCTSTR str)
{
    // I'm checking the string here in the VS debugger

    SetConsole s = (SetConsole)ConsoleAddress;
    return s(str);
}
```

"Error reading characters of string"

The string is showing as nonreadable and I don't know how to access it.

And here is my DLLMain function:

```cpp
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,  // handle to DLL module
    DWORD fdwReason,     // reason for calling function
    LPVOID lpvReserved)  // reserved
{
    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        HMODULE hModule = GetModuleHandle(L"SomeFile.exe");

        HandleAddress = (DWORD)hModule + (DWORD)0x51D05;
        ConsoleAddress = (DWORD)hModule + (DWORD)0x55ACA;

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());

        DetourAttach(&(LPVOID&)ConsoleAddress, &SetConsoleHooked);

        DetourTransactionCommit();
        while (true) {}

        return true;
    }
}
```

And lastly, the function from IDA that I've been trying to hook:

  • There is no function in all of the Windows API whose actual argument is of type `LPCTSTR`. – IInspectable Aug 29 '22 at 05:44
  • https://learn.microsoft.com/en-us/windows/console/setconsoletitle is this not win32? – cevapikodferhatovica Aug 29 '22 at 14:35
  • It is, but you're confusing preprocessor massaging with actual ABI function parameter types. You are working at the ABI, but assume a preprocessor that applies [generic-text mappings](https://learn.microsoft.com/en-us/cpp/c-runtime-library/using-generic-text-mappings). So, no, there is no function export in the Win32 API (or any API for that matter) that takes a parameter of type `LPCTSTR`. That's pure preprocessor fantasy. – IInspectable Aug 29 '22 at 15:54
  • @cevapikodferhatovica in other words, there is no `SetConsoleTitle()` *function*, but there is a *preprocessor macro* by that name which maps to either the `SetConsoleTitleA()` or `SetConsoleTitleW()` function, depending on project settings. So, chances are, there is a discrepancy between your DLL settings and the EXE's settings, causing you to hook `SetConsoleTitleA()` but treat it as if it were `SetConsoleTitleW()`, or vice versa. Why are you hard-coding the `HandleAddress` and `ConsoleAddress` at all, instead of discovering them dynamically? – Remy Lebeau Aug 29 '22 at 18:29
  • I just started playing with DLLs and asm. I'm still not sure how everything works, so could you explain what you mean by "discovering them dynamically"? I thought I had to reverse the function addresses of the program (that the DLL is injected into) and then call them like that. – cevapikodferhatovica Aug 29 '22 at 19:13
  • I've tried hooking the Sleep() function and it works, but the sleep time is way off from the original (normal is 100 ms, hooked is 16 million). Is this a problem with my hooking or some encoding error? – cevapikodferhatovica Aug 29 '22 at 20:25
  • Hard to say. Your function pointer type contains a calling convention, your hook function doesn't. These things go wrong if they don't match. Depending on how you get things wrong, it may appear to partially work (such as in your `Sleep` detour). – IInspectable Aug 30 '22 at 17:21

0 Answers
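
The A/W mismatch described in the comments above, as an added portable example that is not part of the original thread: the same argument bytes are read once the way a `char*` hook would read them and once the way a 16-bit wide-string hook would. The sample buffers and the helper names (`view_as_narrow`, `view_as_wide`, `looks_utf16le`) are constructed for illustration, and no Windows headers are used.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed sample: the bytes SetConsoleTitleW would receive for L"My Title"
// (UTF-16LE, two-byte NUL terminator).
static const std::vector<uint8_t> kWideArg = {
    'M',0,'y',0,' ',0,'T',0,'i',0,'t',0,'l',0,'e',0, 0,0};
// Constructed sample: the bytes SetConsoleTitleA would receive for "My Title"
// (one byte per character; padded so the wide view below stays in bounds).
static const std::vector<uint8_t> kNarrowArg = {
    'M','y',' ','T','i','t','l','e', 0,0};

// What a hook declared with a char* parameter sees: bytes up to the first NUL.
std::string view_as_narrow(const std::vector<uint8_t>& buf) {
    std::string out;
    for (uint8_t b : buf) {
        if (b == 0) break;
        out.push_back(static_cast<char>(b));
    }
    return out;
}

// What a hook declared with a wchar_t* parameter sees on Windows: 16-bit
// little-endian code units up to the first 0x0000 unit.
std::u16string view_as_wide(const std::vector<uint8_t>& buf) {
    std::u16string out;
    for (std::size_t i = 0; i + 1 < buf.size(); i += 2) {
        char16_t unit = static_cast<char16_t>(buf[i] | (buf[i + 1] << 8));
        if (unit == 0) break;
        out.push_back(unit);
    }
    return out;
}

// Heuristic (assumption: the title starts with an ASCII character): in
// UTF-16LE the first unit then has a non-zero low byte and a zero high byte.
bool looks_utf16le(const std::vector<uint8_t>& buf) {
    return buf.size() >= 2 && buf[0] != 0 && buf[1] == 0;
}
```

Reading the wide buffer as narrow stops after one character, and reading the narrow buffer as wide packs two characters into each code unit, which is why the hook's parameter type has to match the export (`A` or `W`) that is actually hooked.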