Error while Trying to Hook "TerminateProcess" Function. Target Process crashes. Can anyone help me?

Question

Debugging with visual studio 2005 The following Error Displayed :

Unhandled exception at 0x00000000 in procexp.exe: 0xC0000005: Access violation reading location 0x00000000.

And Thread Information:

2704 Win32 Thread 00000000 Normal 0

extern "C" VDLL2_API BOOL WINAPI MyTerminateProcess(HANDLE hProcess,UINT uExitCode)
{
     SetLastError(5);
     return FALSE;
}

FARPROC HookFunction(char *UserDll,FARPROC pfn,FARPROC HookFunc) 

{
    DWORD dwSizeofExportTable=0;
    DWORD dwRelativeVirtualAddress=0;
    HMODULE hm=GetModuleHandle(NULL);
    FARPROC pfnOriginalAddressToReturn;
    PIMAGE_DOS_HEADER pim=(PIMAGE_DOS_HEADER)hm;
    PIMAGE_NT_HEADERS pimnt=(PIMAGE_NT_HEADERS)((DWORD)pim + 
(DWORD)pim->e_lfanew); 
    PIMAGE_DATA_DIRECTORY 
pimdata=(PIMAGE_DATA_DIRECTORY)&(pimnt->OptionalHeader.DataDirectory);

    PIMAGE_OPTIONAL_HEADER pot=&(pimnt->OptionalHeader);
    PIMAGE_DATA_DIRECTORY 
pim2=(PIMAGE_DATA_DIRECTORY)((DWORD)pot+(DWORD)104);
    dwSizeofExportTable=pim2->Size;
    dwRelativeVirtualAddress=pim2->VirtualAddress;
    char *ascstr;
    PIMAGE_IMPORT_DESCRIPTOR 
pimexp=(PIMAGE_IMPORT_DESCRIPTOR)(pim2->VirtualAddress + (DWORD)pim);
    while(pimexp->Name)
    {
        ascstr=(char *)((DWORD)pim + (DWORD)pimexp->Name);
        if(strcmpi(ascstr,UserDll) == 0)
        {
            break;
        }
        pimexp++;
    }
    PIMAGE_THUNK_DATA 
pname=(PIMAGE_THUNK_DATA)((DWORD)pim+(DWORD)pimexp->FirstThunk);
    LPDWORD lpdw=&(pname->u1.Function);
    DWORD dwError=0;
    DWORD OldProtect=0;
    while(pname->u1.Function)
    {
        if((DWORD)pname->u1.Function == (DWORD)pfn)
        {
            lpdw=&(pname->u1.Function);

VirtualProtect((LPVOID)lpdw,sizeof(DWORD),PAGE_READWRITE,&OldProtect);


            pname->u1.Function=(DWORD)HookFunc;

VirtualProtect((LPVOID)lpdw,sizeof(DWORD),PAGE_READONLY,&OldProtect);

            return pfn;
        }
        pname++;

    }
    return (FARPROC)0;
}


FARPROC CallHook(void) 
{
        HMODULE hm=GetModuleHandle(TEXT("Kernel32.dll"));
    FARPROC fp=GetProcAddress(hm,"TerminateProcess");
    HMODULE hm2=GetModuleHandle(TEXT("vdll2.dll"));
    FARPROC fpHook=GetProcAddress(hm2,"MyTerminateProcess");

    dwAddOfTerminateProcess=HookFunction("Kernel32.dll",fp,fpHook);
    if(dwAddOfTerminateProcess == 0)
    {
        MessageBox(NULL,TEXT("Unable TO Hook Function."),TEXT("Parth"),MB_OK);
    }
    else
    {
        MessageBox(NULL,TEXT("Success Hooked."),TEXT("Parth"),MB_OK);
    }
    return 0;
}

Thanks in advance for any help.

004118AC mov esi,esp
004118AE push 0
004118B0 mov eax,dword ptr [hProc]
004118B3 push eax
004118B4 call dword ptr[__imp__TerminateProcess@8(4181E4h)]
004118BA cmp esi,esp

esi returned zero. why ?

score 0 · Answer 1 · answered Apr 14 '10 at 11:43

0

Don't write this kind of code yourself. Use the Detours library from Microsoft Research.

answered Apr 14 '10 at 11:43

Hans Passant

922,412
146
1,693
2,536

I know that i should not write this kind of code myself. But I am writing it for experimental purposes, and to see that I am able to write this kind of code. I want to know about the bug in the Program.Anyway,Thank you for answering my Question. – Parth Desai Apr 15 '10 at 12:13
1

You can't write code like this if you don't know how to debug it. It should be part of the experiment perhaps. Somebody else debugging this for you doesn't help you write and debug this kind of code in the future. Good luck! – Hans Passant Apr 15 '10 at 12:23
I know how to debug this kind of program and i am debugging it for last two days. But I have not found any bug so I am asking in stackoverflow .Anyway I have found some interesting information during debugging That have been added to the Question. Take a Look. – Parth Desai Apr 15 '10 at 12:54
The compiler expects the called function to preserve the value of the esi register. That's not happening for the redirected function. Not sure why, look at the assembly code of the replacement function. The compiler might have optimized it, passing the arguments through registers. Because it doesn't have external linkage perhaps. – Hans Passant Apr 15 '10 at 13:34
@HansPassant: Maybe someone would want to write `"this kind of code yourself"` to avoid restrictions of licensing terms of the Detours project -- `"Detours Express 3.0 is available for immediate download under a no-fee license for research, non-commercial, and non-production use. Detours Express may be used to prototype (but not deploy) commercial projects"` – c00000fd Dec 22 '17 at 02:39
1

Detours 4 has been published under an MIT license since 2016, covered in [the faq](https://github.com/Microsoft/Detours/wiki/FAQ). – Hans Passant Feb 19 '19 at 13:28

score 0 · Accepted Answer · edited Jul 20 '12 at 10:56

What is VDLL2_API defined as? It may be interfering with the calling convention (which is meant to be WINAPI for this function, as you write it later on the same line).

Stack problems on exit (ESI, ESP) usually indicate that you have your calling conventions mixed up. You appear to have used FARPROC consistently everywhere else, but since you know the exact prototype of the function, try typedef-ing that as the type to use instead:

typedef BOOL (WINAPI *TERMINATEPROCESS_PROC)(HANDLE, UINT);

Now use TERMINATEPROCESS_PROC everywhere instead of FARPROC.

Error while Trying to Hook "TerminateProcess" Function. Target Process crashes. Can anyone help me?

2 Answers2

Linked