[Coding] First attempt at Detours

tangodown · 03-10-2010, 10:55 PM

Hello all!

Just starting out, please be kind

Not much of a windows programmer, mostly use Fedora and g++/perl/bash at work.

Have the following code, that no matter what I attempt to inject it into the app crashes.

Asked a couple people and they said it could be my compiler options, but could not find anything telling.

Code:

#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#pragma comment(lib, "detours.lib")
#include <detours.h>
#include <iostream>
#include <fstream>
#include <string>
#include <xstring>
#include <ctime>
#include <assert.h>
using std::ofstream;
using std::ios;
using std::string;
using std::wstring;

HANDLE HookHandle = NULL;
ofstream ofile;

//DETOUR_TRAMPOLINE(VOID WINAPI InitializeCriticalSection_Trampoline(LPCRITICAL_SECTION), InitializeCriticalSection);
typedef VOID ( WINAPI* tEnterCriticalSection )( LPCRITICAL_SECTION cs );
tEnterCriticalSection InitializeCriticalSection_Trampoline;

void log(const char* msg)
{
 //  UGH! Need to clean this up, snaged it from some old g++ linux code I wrote years ago
  time_t now = time(0);
  struct tm* tm = localtime(&now);
  ofstream out( "F:\\DllLog.txt",ios::app);
  assert(out.good());
  out << tm->tm_year << '/' << tm->tm_mon << '/' << tm->tm_mday + 1900
  << ' ' << tm->tm_hour << ':' << tm->tm_min << ':' << tm->tm_sec << ": ";
  out << msg << "\n";
  out.close();
}


VOID WINAPI InitializeCriticalSection_Detour( LPCRITICAL_SECTION cs ) 
{ 
    log("Hello from Injected DLL!\n");
    return InitializeCriticalSection_Trampoline( cs );
}


BOOL APIENTRY DllMain( HMODULE hModule, DWORD Reason, LPVOID lpReserved)
{
    if (Reason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(GetModuleHandle(NULL));
        log("DLL_PROCESS_ATTACH!");    
        //DetourFunctionWithTrampoline( (PBYTE)InitializeCriticalSection_Trampoline, (PBYTE)InitializeCriticalSection_Detour );
        InitializeCriticalSection_Trampoline = ( tEnterCriticalSection )DetourFunction( (PBYTE)EnterCriticalSection, (PBYTE)InitializeCriticalSection_Detour );
        log("Hooked!");    
        return true;
    }
    else if (Reason == DLL_PROCESS_DETACH)
    {
        log("DLL_PROCESS_DETACH!\n");
        //DetourRemove( (PBYTE)InitializeCriticalSection_Trampoline, (PBYTE)InitializeCriticalSection_Detour );
        DetourRemove( (PBYTE)InitializeCriticalSection_Trampoline, (PBYTE)InitializeCriticalSection_Detour );
        log("unHooked!");    
    }
    return false;
}

The first log in DLL_PROCESS_ATTACH works, but after that the app crashes. I assume its due to the Hook.

Any thoughts?

Regards,

TD

**G36KV** · 03-10-2010, 11:31 PM

why do you use the old detours?

Detours - Microsoft Research
the recent version is much better than the old and the help file explains everything very well.

use Visual C++ 2008 to compile your stuff.
Microsoft Visual Studio Express - Build cutting edge Windows applications

tangodown · 03-10-2010, 11:35 PM

Will look into the latest Detours, was told that most folks use 1.5.

I have VS 2008 installed

**G36KV** · 03-11-2010, 12:05 AM

ah forgot to say, if you need help installing it, there is a nice tutorial:
hxxp://forum.gamedeception.net/threads/16178-Detours-2.1-(-how-to-get-it-running..-)?p=109027#post109027

the best thing is with the new detours you can easily check for errors, just read in the help file

Code:

LONG DetourAttach(
    PVOID * ppPointer,
    PVOID pDetour
    );

Return value
Returns NO_ERROR if successful; otherwise, returns an error code.

Error codes
ERROR_INVALID_BLOCK 
The function referenced is too small to be detoured. 
ERROR_INVALID_HANDLE 
The ppPointer parameter is null or points to a null pointer. 
ERROR_INVALID_OPERATION 
No pending transaction exists. 
ERROR_NOT_ENOUGH_MEMORY 
Not enough memory exists to complete the operation.

if the hook installs successfully then the problem is your app. Try to detour another API...

**learn_more** · 03-11-2010, 01:34 AM

maybe you are experiencing infinite recursion, aka your log function calling InitializeCriticalSection.
try this:

Code:

__declspec(thread) bool bLogging = false;
VOID WINAPI InitializeCriticalSection_Detour( LPCRITICAL_SECTION cs ) 
{
    if( bLogging ) return InitializeCriticalSection_Trampoline( cs );
    bLogging = true;
    log("Hello from Injected DLL!\n");
    bLogging = false;
    return InitializeCriticalSection_Trampoline( cs );
}

tangodown · 03-11-2010, 03:59 PM

That might be true, but I commented out the log part in that function and it still crashes.

I think it has to-do with the Hook line itself seeing that I am not getting "Hooked!" in the log file.

No clue how to debug a dll, time to google it..

tangodown · 03-12-2010, 09:54 PM

Ok,

After much frustration, hair pulling and general bashing head on desk I have it working

I have a test exe that has the following function

Code:

void add_log(const char* fmt, ...){ ... }

Now, if I have done my homework correctly I would need to find the address of that function with TSearch or OlyDbg (etc) in order to use it?

Or, is there a way once my DLL is injected to 'Get" a function pointer / address?

**learn_more** · 03-13-2010, 05:01 PM

Quote:

Originally Posted by tangodown

Ok,

After much frustration, hair pulling and general bashing head on desk I have it working

I have a test exe that has the following function

Code:

void add_log(const char* fmt, ...){ ... }

Now, if I have done my homework correctly I would need to find the address of that function with TSearch or OlyDbg (etc) in order to use it? 1

Or, is there a way once my DLL is injected to 'Get" a function pointer / address? 2

1: yeah pretty much.
2: a few options, if it's exported (hint: probably not in your testapp, but maybe in your real target, take a look with the tool 'depends' aka 'Dependency walker'),
if that doesnt work out you could always try pattern scanning (hint: loads of examples about it in the forum, take a look around)

tangodown · 03-20-2010, 10:17 AM

Got side tracked with work (etc) and forgot to report back

Used Olly and was able to find the address in my test c++ exe, but have been unable to find strings in a C# GUI application. It's 5AM here, will post on it after the sunrises and I get some sleep.

In any event, thanks for the help so far!

-TD

**G36KV** · 03-20-2010, 11:38 AM

Quote:

Originally Posted by tangodown

but have been unable to find strings in a C# GUI application.

You can't use Olly in a .NET (crap) app.

Use Reflector or Windows Debugger, Disassembler, Code Analyzers to debug the .NET crap

~~wav~~ · 03-22-2010, 08:43 AM

Quote:

Originally Posted by G36KV

You can't use Olly in a .NET (crap) app.

Use Reflector or Windows Debugger, Disassembler, Code Analyzers to debug the .NET crap

yes you can lolololol

**Kiwinz** · 03-22-2010, 08:48 AM

Dont see why .NET is a crap language either...

**G36KV** · 03-22-2010, 01:16 PM

Quote:

Originally Posted by wav

yes you can lolololol

no you can't, however there is a unstable plugin for olly that might work, but still not really recommended to use olly to debug .net apps.

Quote:

Dont see why .NET is a crap language either...

That is my opinion:

if you like managed code -> use/learn java, because it's open-source and real platform independent

if you don't like managed code -> C++/C/ASM

if you like scripts -> Python/Ruby/Perl

if you want to be special -> brainfuck, delphi, pascal, lisp, cobol...