0
votes

I'm using:

MS VS 10

Detours v3.0 Express

The complete source code of the DLL:

#include <windows.h>
#include <detours.h>
#include <fstream>   // std::ofstream
#pragma comment(lib,"detours.lib")
using namespace std;

ofstream prclist;    // log of every lpProcName passed to GetProcAddress

// Pointer to the real GetProcAddress; DetourAttach redirects it to the trampoline.
FARPROC (WINAPI * pGetProcAddress)(HMODULE hModule,LPCSTR lpProcName) = GetProcAddress;
FARPROC WINAPI  myGetProcAddress(HMODULE hModule,LPCSTR lpProcName);
FARPROC WINAPI  myGetProcAddress(HMODULE hModule,LPCSTR lpProcName)
{
    prclist << lpProcName << endl; // <- ACCESS_VIOLATION READ
    return pGetProcAddress( hModule, lpProcName);
}

BOOL APIENTRY DllMain(HINSTANCE hDLL, DWORD reason, LPVOID reserved)
{
    switch(reason)
    {
        case DLL_PROCESS_ATTACH:
        {
            prclist.open("proclst.log",ios::out | ios::app );
            DisableThreadLibraryCalls(hDLL);
            // Install the hook on GetProcAddress.
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach(&(PVOID&)pGetProcAddress, myGetProcAddress);
            DetourTransactionCommit();
            break;
        }
        case DLL_PROCESS_DETACH:
        {
            prclist.close();
            // Remove the hook again.
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)pGetProcAddress, myGetProcAddress);
            DetourTransactionCommit();
            break;
        }
    }
    return TRUE;
}

I'm trying to view the list of functions received by GetProcAddress. But after start, the program closes with an error: "ACCESS_VIOLATION, UNABLE_TO_READ"

Can somebody suggest how to fix it?

2
Can you trap the AV in a debugger and examine the call stack, etc? – Scott Jones

Excuse me, this code doesn't cause an error; I forgot to add: **prclist << lpProcName << endl;** - it causes the error. – NORM_4EL

I updated the source code. – NORM_4EL

Result: proclst.log
...
DecodePointer
DecodePointer
EncodePointer
DecodePointer
DecodePointer
DecodePointer
EncodePointer
DecodePointer
DecodePointer
DecodePointer
IsDebuggerPresent

and

This application has encountered a critical error: Program: Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:604DD950 The instruction at '0x604DD950' referenced memory at '0x00000068'. The memory could not be 'read'. Press OK to terminate the application. --------------------------- ОК --------------------------- – NORM_4EL

This helps a lot. The code is dereferencing an object pointer to read a member. The pointer is null and the member is 104 bytes offset, resulting in the failure to read at 0x00000068. – Scott Jones

2 Answers

2
votes

From the GetProcAddress() reference page, for lpProcName:

The function or variable name, or the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.

This means it might not be a pointer to a string, but the replacement function always treats it as such. This is a possible cause of the access violation, as it will be using an integer value (182 for example) as the starting memory address of a null-terminated string.

Use HIWORD() to correct:

if (HIWORD(lpProcName))
{
    prclist << "name: " << lpProcName << std::endl;
}
else
{
    prclist << "ordinal: " << reinterpret_cast<DWORD>(lpProcName) << std::endl;
}
0
votes

See my comment. Looks like the stream just needs to be tested for being open before insertion operators (<<) are used on it.
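
The checks suggested in the two answers above, combined in one added example that is not part of the original thread: an ordinal test before the pointer is dereferenced, plus a stream-state check before the write. It goes slightly beyond the HIWORD() test by checking the full pointer width, since HIWORD() inspects only bits 16..31 of a 64-bit pointer. It is portable C++ with no Windows headers so it runs anywhere, and `is_ordinal`, `hiword_is_zero`, `describe_proc_name`, `log_proc_name` and `make_ordinal` are hypothetical helper names.

```cpp
#include <cstdint>
#include <ostream>
#include <sstream>
#include <string>

// GetProcAddress takes either a pointer to a NUL-terminated name or an
// ordinal stored in the low 16 bits with every higher bit zero.
// Testing the full pointer width (what the Win32 IS_INTRESOURCE macro does)
// stays correct on 64-bit builds.
bool is_ordinal(const char* lpProcName) {
    return (reinterpret_cast<std::uintptr_t>(lpProcName) >> 16) == 0;
}

// Mirror of a HIWORD()-style test (bits 16..31 only), kept for comparison.
bool hiword_is_zero(const char* lpProcName) {
    return ((reinterpret_cast<std::uintptr_t>(lpProcName) >> 16) & 0xffff) == 0;
}

// Build the log line without ever dereferencing an ordinal.
std::string describe_proc_name(const char* lpProcName) {
    std::ostringstream line;
    if (is_ordinal(lpProcName)) {
        line << "ordinal: "
             << (reinterpret_cast<std::uintptr_t>(lpProcName) & 0xffff);
    } else {
        line << "name: " << lpProcName;
    }
    return line.str();
}

// Write one entry; skip the write if the stream is not usable
// (for example, the log file failed to open).
// Returns true only if the line was written.
bool log_proc_name(std::ostream& log, const char* lpProcName) {
    if (!log.good()) return false;
    log << describe_proc_name(lpProcName) << '\n';
    return log.good();
}

// Constructed stand-in for an ordinal passed in the lpProcName argument.
const char* make_ordinal(unsigned short n) {
    return reinterpret_cast<const char*>(static_cast<std::uintptr_t>(n));
}
```

In the hook itself, the body of `myGetProcAddress` would call `log_proc_name(prclist, lpProcName)` before forwarding to `pGetProcAddress`.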