Cygwin
- Posts: 6
- Joined: Tue Nov 07, 2006 2:15 pm
Hi,
I just discovered MadCollection and it looks very interesting to me as I would like to catch all calls to the registers.
When I compile the examples with VC, it works perfectly. When I compile with gcc under Cygwin (I use this configuration to develop my Windows software), I get a runtime error. I paste details at the end.
Is there a special way to compile under gcc/cygwin (I can paste my Makefile if needed)?
Thanks a lot for any help.
Eric.
Here is the error from Windows (can't copy/paste the details), but a dialog box says that an error occurred and the program has to be closed:
<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="test.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="madCHook.dll" SIZE="126464" CHECKSUM="0xF8E043BE" BIN_FILE_VERSION="2.2.2.0" BIN_PRODUCT_VERSION="2.2.2.0" PRODUCT_VERSION="2.2.2.0" FILE_DESCRIPTION="api hooking for 9x/nt" COMPANY_NAME="www.madshi.net" PRODUCT_NAME="madCHook" FILE_VERSION="2.2.2.0" ORIGINAL_FILENAME="madCHook.dll" INTERNAL_NAME="madCHook" LEGAL_COPYRIGHT="© www.madshi.net, all rights reserved" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.2.2.0" UPTO_BIN_PRODUCT_VERSION="2.2.2.0" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="Anglais (États-Unis) [0x409]" />
<MATCHING_FILE NAME="test.exe" SIZE="5120" CHECKSUM="0xF131E1A7" MODULE_TYPE="WIN32" PE_CHECKSUM="0x4A7E" LINKER_VERSION="0x10000" LINK_DATE="11/07/2006 14:25:40" UPTO_LINK_DATE="11/07/2006 14:25:40" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="1049088" CHECKSUM="0x3D112558" BIN_FILE_VERSION="5.1.2600.2945" BIN_PRODUCT_VERSION="5.1.2600.2945" PRODUCT_VERSION="5.1.2600.2945" FILE_DESCRIPTION="DLL du client API BASE Windows NT" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Système d'exploitation Microsoft® Windows®" FILE_VERSION="5.1.2600.2945 (xpsp_sp2_gdr.060704-2349)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. Tous droits réservés." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x10DA67" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2945" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2945" LINK_DATE="07/05/2006 10:56:38" UPTO_LINK_DATE="07/05/2006 10:56:38" VER_LANGUAGE="Français (France) [0x40c]" />
</EXE>
</DATABASE>
I don't use Cygwin myself, so I can't say for sure where the problem comes from. The details you posted don't say anything about the crash, unfortunately. They only list the properties of madCHook.dll, but not where the crash occurred or what kind of crash it was.
Check out this thread:
viewtopic.php?t=919&highlight=bcb
Maybe the problem with Cygwin is somewhat similar?
Hi madshi,
Thanks for the ultra quick answer!
I've checked the URL you pasted. It doesn't seem to be the same issue.
2 comments:
- I use the dynamic link (not the static one as in the other post);
- it compiles well and it's just a runtime issue.
Would you be able to help if I sent more details on the error? Would you know how to get a text version of the Windows error (I can't copy the text!!!)?
Thanks again,
Eric.
What would help is if you tried to locate where the error occurs. E.g. does your application crash? Or does another process crash? Does the crash occur while you're calling HookAPI or InjectLibrary or any other madCodeHook API? Or does it occur outside of such madCodeHook calls? Also I need to know what kind of crash happened. E.g. was it an access violation or something else? At which address did it occur etc...
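madshi asks for the kind of crash and the address it occurred at, and Eric asked earlier how to get a text version of the Windows error instead of the dialog. An added example, not code from the thread, from madshi or from madCodeHook: a C unhandled-exception filter that writes exactly those details to a text file. The decoder part is portable, the filter itself only builds on Windows, and the file name crash.txt and the function names are my choices.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Windows exception codes, spelled out so the decoder also builds on a
   non-Windows host (documented NTSTATUS values). */
#define XC_ACCESS_VIOLATION 0xC0000005UL
#define XC_ILLEGAL_INSTR    0xC000001DUL
#define XC_STACK_OVERFLOW   0xC00000FDUL
/* Render one exception as text: kind of fault, faulting instruction address and,
   for access violations, whether it was a read (0), write (1) or execute (8) of
   which address. Returns a static buffer, which is fine inside a crash filter. */
const char *describe_exception(unsigned long code, unsigned long long ip,
                               unsigned long long av_kind, unsigned long long av_addr)
{
    static char line[160];
    const char *name = "exception";
    if (code == XC_ACCESS_VIOLATION) name = "access violation";
    else if (code == XC_ILLEGAL_INSTR) name = "illegal instruction";
    else if (code == XC_STACK_OVERFLOW) name = "stack overflow";
    if (code != XC_ACCESS_VIOLATION) {
        snprintf(line, sizeof line, "%s (0x%08lX) at 0x%llX", name, code, ip);
        return line;
    }
    snprintf(line, sizeof line, "%s (0x%08lX) at 0x%llX %s 0x%llX", name, code, ip,
             av_kind == 1 ? "writing" : av_kind == 8 ? "executing" : "reading", av_addr);
    return line;
}
#ifdef _WIN32
/* Unhandled-exception filter: appends the decoded line to crash.txt in the
   current directory, then lets the process terminate. */
static LONG WINAPI crash_filter(EXCEPTION_POINTERS *ep)
{
    EXCEPTION_RECORD *er = ep->ExceptionRecord;
    unsigned long long kind = 0, addr = 0;
    if (er->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && er->NumberParameters >= 2) {
        kind = er->ExceptionInformation[0];
        addr = er->ExceptionInformation[1];
    }
    const char *text = describe_exception(er->ExceptionCode,
                           (unsigned long long)(ULONG_PTR)er->ExceptionAddress, kind, addr);
    FILE *f = fopen("crash.txt", "a");
    if (f) { fprintf(f, "%s\n", text); fclose(f); }
    return EXCEPTION_EXECUTE_HANDLER;
}
/* call once, before HookCode(), so a crash inside it lands in crash.txt */
void install_crash_filter(void) { SetUnhandledExceptionFilter(crash_filter); }
#endif
```

Call install_crash_filter() at the top of WinMain; the resulting line can be pasted into the forum as text, and the address can be compared against the load address of test.exe and madCHook.dll to see which module faulted.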
madshi,
The error occurs when I call:
HookCode ((PVOID) SomeFunc, (PVOID) SomeFuncHookProc, (PVOID*) &SomeFuncNextHook);
I get the typical Windows error dialog: test.exe encountered a problem and will be closed http://www.akompas.com/mad/1.jpg (it's in French). When I ask for details, I get the following (I can take additional snapshots if needed): http://www.akompas.com/mad/2.jpg.
Here is the code I use :
#include <windows.h>
#include "madCHook.h"

// ***************************************************************
// SomeFunc stands in for the function we want to hook; the real one would
// append the 2 string parameters, this stand-in just returns a constant
LPSTR SomeFunc (LPSTR str1, LPSTR str2)
{
    return (LPSTR) "Original result";
}

// ***************************************************************
// variable for the "next hook", which we then call in the callback function
// it must have *exactly* the same parameters and calling convention as the
// original function
// besides, it's also the parameter that you need to undo the code hook again
LPSTR (*SomeFuncNextHook)(LPSTR str1, LPSTR str2) = NULL;

// this function is our hook callback function, which will receive
// all calls to the original SomeFunc function, as soon as we've hooked it
// the hook function must have *exactly* the same parameters and calling
// convention as the original function
LPSTR SomeFuncHookProc(LPSTR str1, LPSTR str2)
{
    return (LPSTR) "Hooked Result";
}

// ***************************************************************
int WINAPI WinMain(HINSTANCE hInstance,
                   HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine,
                   int nCmdShow)
{
    // InitializeMadCHook is needed only if you're using the static madCHook.lib
    InitializeMadCHook();

    // call the original unhooked function and display the result
    MessageBox(0, SomeFunc("str1", "str2"), "\"str1\" + \"str2\"", 0);

    // now we install our hook on the function ...
    // the to-be-hooked function must fulfill 2 rules
    // (1) its asm code must be at least 6 bytes long
    // (2) there must not be a jump into the 2nd-6th byte anywhere in the code
    // if these rules are not fulfilled the hook is not installed
    // because otherwise we would risk "wild" crashes
    // (this is the call that crashes under Cygwin/gcc)
    if (!HookCode ((PVOID) SomeFunc, (PVOID) SomeFuncHookProc, (PVOID*) &SomeFuncNextHook))
        MessageBox(0, "HookCode failed", "madCHook", 0);

    // call the function again; with the hook in place we get the hooked result
    MessageBox(0, SomeFunc("str1", "str2"), "\"str1\" + \"str2\"", 0);

    // we like clean programming, don't we?
    // so we cleanly unhook again (only if the hook was actually installed)
    if (SomeFuncNextHook != NULL)
        UnhookCode((PVOID*) &SomeFuncNextHook);

    // FinalizeMadCHook is needed only if you're using the static madCHook.lib
    FinalizeMadCHook();
    return 0;
}
Thanks again!
Eric.
madshi,
I checked the link again.
I don't think this is just a syntax issue. Changing from one syntax to the other really means something different. When I look at the function prototype:
madCHookApi(BOOL) HookCode(
    PVOID pCode,
    PVOID pCallbackFunc,
    PVOID *pNextHook,
#ifdef __cplusplus
    DWORD dwFlags = 0
#else
    DWORD dwFlags
#endif
);
I really need a PVOID* to retrieve the value after the function call. But still, I tried all the possible syntaxes and casts and I always get the same error.
By the way, what's the meaning of the DWORD dwFlags?
Thanks,
Eric.
Does this also crash?
Code:
PVOID test = NULL;
HookCode ((PVOID) SomeFunc, (PVOID) SomeFuncHookProc, &test);
What does your question about "dwFlags" mean? If you want to know which flags you can use, just check the documentation. Or did you mean to ask something different?