Cygwin

contains all delphi packages mentioned below
Post Reply
rico_le_fou
Posts: 6
Joined: Tue Nov 07, 2006 2:15 pm

Cygwin

Post by rico_le_fou »

Hi,

I just discovered MadCollection and it looks very interesting to me as I would like to catch all calls to the registers.

When I compile the examples with VC, it works perfectly. When I compile with gcc under Cygwin (I use this configuration to develop my Windows software), I get a runtime error. I paste détails at the end.

Is there a special way to compile under gcc/cygwin (I can paste my Makefile if needed).

Thanks a lot for any help.
Eric.

Here is the error from Windows (can't copy/paste the details) but a dialog box says that and error occured and the progra has to be closed :

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="test.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="madCHook.dll" SIZE="126464" CHECKSUM="0xF8E043BE" BIN_FILE_VERSION="2.2.2.0" BIN_PRODUCT_VERSION="2.2.2.0" PRODUCT_VERSION="2.2.2.0" FILE_DESCRIPTION="api hooking for 9x/nt" COMPANY_NAME="www.madshi.net" PRODUCT_NAME="madCHook" FILE_VERSION="2.2.2.0" ORIGINAL_FILENAME="madCHook.dll" INTERNAL_NAME="madCHook" LEGAL_COPYRIGHT="© www.madshi.net, all rights reserved" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.2.2.0" UPTO_BIN_PRODUCT_VERSION="2.2.2.0" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="Anglais (États-Unis) [0x409]" />
<MATCHING_FILE NAME="test.exe" SIZE="5120" CHECKSUM="0xF131E1A7" MODULE_TYPE="WIN32" PE_CHECKSUM="0x4A7E" LINKER_VERSION="0x10000" LINK_DATE="11/07/2006 14:25:40" UPTO_LINK_DATE="11/07/2006 14:25:40" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="1049088" CHECKSUM="0x3D112558" BIN_FILE_VERSION="5.1.2600.2945" BIN_PRODUCT_VERSION="5.1.2600.2945" PRODUCT_VERSION="5.1.2600.2945" FILE_DESCRIPTION="DLL du client API BASE Windows NT" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Système d'exploitation Microsoft® Windows®" FILE_VERSION="5.1.2600.2945 (xpsp_sp2_gdr.060704-2349)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. Tous droits réservés." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x10DA67" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2945" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2945" LINK_DATE="07/05/2006 10:56:38" UPTO_LINK_DATE="07/05/2006 10:56:38" VER_LANGUAGE="Français (France) [0x40c]" />
</EXE>
</DATABASE>
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I don't use Cygwin myself, so I can't say for sure where the problem comes from. The details you posted don't say anything about the crash, unfortunately. They only list the properties of madCHook.dll, but not where the crash occurred or what kind of crash it was.

Check out this thread:

viewtopic.php?t=919&highlight=bcb

Maybe the problem with Cygwin is somewhat similar?
rico_le_fou
Posts: 6
Joined: Tue Nov 07, 2006 2:15 pm

Post by rico_le_fou »

Hi madshi,

Thanks for the ultra quick answer!

I've check the url you pasted. It doesn't seem to be the same issue.

2 comments :

- I use the dynamic link (not the static as in the other post) ;
- it compiles well and it's just a runtime issue.

Would you be able to help if I sent more details on the error ? Would you know how to get a text version of the Windows error (I can't copy the text!!!).

Thanks again,
Eric.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

What would help is if you tried to locate where the error occurs. E.g. does your application crash? Or does another process crash? Does the crash occur while you're calling HookAPI or InjectLibrary or any other madCodeHook API? Or does it occur outside of such madCodeHook calls? Also I need to know what kind of crash happened. E.g. was it an access violation or something else? At which address did it occur etc...
rico_le_fou
Posts: 6
Joined: Tue Nov 07, 2006 2:15 pm

Post by rico_le_fou »

madshi,

The error occures when I call :

HookCode ((PVOID) SomeFunc, (PVOID) SomeFuncHookProc, (PVOID*) &SomeFuncNextHook);

I get the typicall windows error dialog: test.exe encoutered a problem and will be closed http://www.akompas.com/mad/1.jpg (it's in French). When I ask for details, I get the following (I can take additional snapshots if needed): http://www.akompas.com/mad/2.jpg.

Here is the code I use :

#include <windows.h>
#include "madCHook.h"

// ***************************************************************

// SomeFunc appends the 2 string parameters and returns the result
LPSTR SomeFunc (LPSTR str1, LPSTR str2)
{
return "Original result";
}

// ***************************************************************

// variable for the "next hook", which we then call in the callback function
// it must have *exactly* the same parameters and calling convention as the
// original function
// besides, it's also the parameter that you need to undo the code hook again
LPSTR (*SomeFuncNextHook)(LPSTR str1, LPSTR str2);

// this function is our hook callback function, which will receive
// all calls to the original SomeFunc function, as soon as we've hooked it
// the hook function must have *exactly* the same parameters and calling
// convention as the original function
LPSTR SomeFuncHookProc(LPSTR str1, LPSTR str2)
{
return "Hooked Result";
}

// ***************************************************************

int WINAPI WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// InitializeMadCHook is needed only if you're using the static madCHook.lib
InitializeMadCHook();

// call the original unhooked function and display the result
MessageBox(0, SomeFunc("str1", "str2"), "\"str1\" + \"str2\"", 0);
// now we install our hook on the function ...
HookCode ((PVOID) SomeFunc, (PVOID) SomeFuncHookProc, (PVOID*) &SomeFuncNextHook);
// now we install our hook on the function ...
// the to-be-hooked function must fulfill 2 rules
// (1) the asm code it must be at least 6 bytes long
// (2) there must not be a jump into the 2-6th byte anywhere in the code
// if these rules are not fulfilled the hook is not installed
// because otherwise we would risk "wild" crashes
MessageBox(0, SomeFunc("str1", "str2"), "\"str1\" + \"str2\"", 0);
// we like clean programming, don't we?
// so we cleanly unhook again
UnhookCode((PVOID*) &SomeFuncNextHook);

// FinalizeMadCHook is needed only if you're using the static madCHook.lib
FinalizeMadCHook();

return true;
}


Thanks again!
Eric.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Please check the thread I linked to. I think the chance is about 70% that the problem there also applies here. It seems that every C++ compiler wants a different syntax. At least BCB and VC differ. Probably Cygwin differs, too.
rico_le_fou
Posts: 6
Joined: Tue Nov 07, 2006 2:15 pm

Post by rico_le_fou »

madshi,

I checked the link again.
I don"t think this is just a syntax issue. Changing from one syntax to the other really means something different. When I look at the function prototype :
madCHookApi(BOOL) HookCode(
PVOID pCode,
PVOID pCallbackFunc,
PVOID *pNextHook,
#ifdef __cplusplus
DWORD dwFlags = 0
#else
DWORD dwFlags
#endif
);


I really need a PVOID* to retrieve the value after the function call. But still, I tried all the possible syntax and cast and I always get the same error.

By the way, what's the meaning of the DWORD dwFlags ?

Thanks,
Eric.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Does this also crash?

Code: Select all

PVOID test = NULL;
HookCode ((PVOID) SomeFunc, (PVOID) SomeFuncHookProc, &test);
What does your question about "dwFlags" mean? If you want to know which flags you can use, just check the documentation. Or did you mean to ask something different?
rico_le_fou
Posts: 6
Joined: Tue Nov 07, 2006 2:15 pm

Post by rico_le_fou »

Yeap, same crash :(

About dwFlags, I meant to ask what was the purpose and values for that field, which I couldn't find in the documentation.
I'll look again.

Eric.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Ok, I can only guess that there's something wrong with the calling convention or something like that. I see no other reason why calling HookAPI should crash with Cygwin, when the same code doesn't crash with VC and BCB. Maybe Cygwin doesn't understand the madCHook.h file correctly?
rico_le_fou
Posts: 6
Joined: Tue Nov 07, 2006 2:15 pm

Post by rico_le_fou »

madshi,

I'll try to tweak things and if I come up with a solution, I'll let you know.

Thanks for the time you spent helping me.
Eric.
Post Reply