Hook recv winapi (with import by ordinal)

[continue98]

Hi. How to use polyhook to hook recv, which is by import ordinal?

[continue98]

@stevemk14ebr ?

[stevemk14ebr]

I assume you are trying to do an IAT hook. Import by ordinal is nor supported because i don't need it. If you want to look at the source and send a PR to improve the interface please do so. If you just want an inline hook just get the address of the recv and pass it to the constructor like any of the other examples

PolyHook_2_0/UnitTests/TestDetourx86.cpp

Line 181 in 1a4f551

PLH::x86Detour detour((char*)&printf, (char*)h_hookPrintf, &hookPrintfTramp, dis);

[continue98]

I am testing hook by x86 detour:

Unhandled exception thrown: read access violation.
this->m_disasm. was nullptr.

Code:

uint64_t g_hook_recv_tramp = NULL;

void hkRecv(SOCKET s, char* buf, int len, int flags)
{
	PLH::FnCast(g_hook_recv_tramp, &hkRecv)(s, buf, len, flags);
}

auto recv_addr = reinterpret_cast<uint64_t>(GetProcAddress(GetModuleHandleA("ws2_32.dll"), "recv"));
PLH::CapstoneDisassembler dis(PLH::Mode::x86);
PLH::x86Detour detour(recv_addr, (uint64_t)&hkRecv, &g_hook_recv_tramp, dis);
detour.hook();

[stevemk14ebr]

you need to keep the disassembler in scope for as long as the detour object exists. The disassembler is captured by referenced so if it's destroyed before the detour the detour will attempt to use a destroyed object.

[continue98]

you need to keep the disassembler in scope for as long as the detour object exists. The disassembler is captured by referenced so if it's destroyed before the detour the detour will attempt to use a destroyed object.

I make disassembler in global scope:

Unhandled exception thrown: read access violation.
_Ptr_user was 0xF000000.

[stevemk14ebr]

Verify the address returned by getprocaddress is valid. Otherwise you need to debug this yourself

[continue98]

Verify the address returned by getprocaddress is valid. Otherwise you need to debug this yourself

Address is valid (0x0000000076e11460). Crash in polyhook code (PLH::CapstoneDisassembler::disassemble)

[stevemk14ebr]

Can you please debug the routine and determine where exactly inside that routine the crash occurs.

[continue98]

Value by crash. Crash in capstone:

PLH::insts_t
PLH::CapstoneDisassembler::disassemble(uint64_t firstInstruction, uint64_t start, uint64_t End, const MemAccessor& accessor) {
	cs_insn* insInfo = cs_malloc(m_capHandle);
	insts_t insVec;
	m_branchMap.clear();

	uint64_t size = End - start;
	assert(size > 0);
	if (size <= 0)
		return insVec;

	// copy potentially remote memory to local buffer
	uint8_t* buf = new uint8_t[(uint32_t)size];

	// bufAddr updated by cs_disasm_iter
	uint64_t bufAddr = (uint64_t)buf;
	accessor.mem_copy((uint64_t)buf, firstInstruction, size);

	bool endHit = false;
	while (cs_disasm_iter(m_capHandle, (const uint8_t**)&bufAddr, (size_t*)&size, &start, insInfo)) {
		// Set later by 'SetDisplacementFields'
		Instruction::Displacement displacement = {};
		displacement.Absolute = 0;

		Instruction inst(insInfo->address,
						 displacement,
						 0,
						 false,
			             false,
						 insInfo->bytes,
						 insInfo->size,
						 insInfo->mnemonic,
						 insInfo->op_str,
						 m_mode);

		setDisplacementFields(inst, insInfo);
		if (endHit && !isPadBytes(inst))
			break;

		insVec.push_back(inst); // crash on push value in vector

		// searches instruction vector and updates references
		addToBranchMap(insVec, inst);

		if (isFuncEnd(inst))
			endHit = true;
	}
	delete[] buf;
	cs_free(insInfo, 1);
	return insVec;
}

[stevemk14ebr]

I cannot reproduce this

[continue98]

I am use struct member alignment 1 byte. Is it possible that this is because of this?