problem with CopyFunction


Post by Bevan Collins » Thu Nov 19, 2020 3:42 am

Hi,

Can someone please help me?
I am having a problem with CopyFunction from madCodeHook4 in the following test code where 6760 is the pid of notepad.exe:
Code:
#include <windows.h>
#include <madchook.h>

DWORD WINAPI remoteProcess(LPVOID) {
  return 1;
}

int main() {
  InitializeMadCHook();

  HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 6760);
  if (process) {
    DWORD result = 0;
    BOOL rc = RemoteExecute(process, &remoteProcess, &result, nullptr, 0); // works 100%

    PVOID remote_proc_buffer = nullptr;
    auto remote_proc = CopyFunction(&remoteProcess, process, FALSE, &remote_proc_buffer);
    if (remote_proc)
      MessageBoxA(0, "ok!", "", MB_OK);
    else
      MessageBoxA(0, "not ok!", "", MB_OK);
    CloseHandle(process); // release the process handle once the test is done
  }

  FinalizeMadCHook();
}


For x86, CopyFunction seems to work. For x64, CopyFunction either crashes or fails with GetLastError 1455, even though RemoteExecute always succeeds.

Thanks
Bevan Collins
 
Posts: 24
Joined: Fri Jul 07, 2006 2:50 am

Re: problem with CopyFunction

Post by iconic » Fri Nov 20, 2020 3:43 am

Hello,

I'll make some time tomorrow to check into this. Thanks!

--Iconic
iconic
Site Admin
 
Posts: 971
Joined: Wed Jun 08, 2005 5:08 am

Re: problem with CopyFunction

Post by madshi » Fri Nov 20, 2020 11:40 am

FWIW, here's an extract of the source code:

Code:
SYSTEMS_API BOOL WINAPI RemoteExecute(HANDLE hProcess, PFN_REMOTE_EXECUTE_FUNCTION pFunction, DWORD *pFunctionResult, LPVOID pParameters, DWORD size)
{
  BOOL result = false;
  LPVOID pBuffer;
  LPVOID pProc = CopyFunction(pFunction, hProcess, false, &pBuffer);
  if (pProc != NULL)
  {
    ...
  }
  return result;
}

So considering this, it seems weird that RemoteExecute would always work for you, but CopyFunction would not?
madshi
Site Admin
 
Posts: 10301
Joined: Sun Mar 21, 2004 5:25 pm

Re: problem with CopyFunction

Post by Bevan Collins » Fri Nov 20, 2020 6:51 pm

Similar issue? viewtopic.php?f=5&t=27462

When building for x86, I have to link with madCHook32mt.lib and madCHook32.lib for CopyFunction. For other functions I only need to link with madCHook32mt.lib. Not sure if it's related.

Re: problem with CopyFunction

Post by iconic » Tue Nov 24, 2020 5:05 am

Hello,

I've tested here on Win 7 x64 SP1 with both target builds of the same .exe (32-bit and 64-bit) and then tried both instances (32-bit and 64-bit) of Notepad to see if it was something related to WOW64 <-> Native execution but it doesn't appear to be. In any case it all worked perfectly fine for me here on my end. I used VS 2015 Community Edition to test and the latest MCH version. What version of MCH are you using?

The exact code I used (your code minus a small mod or two) is below:

Code:
#include "stdafx.h"
#include <Windows.h>
#include "madchook.h"

#pragma comment(lib, "legacy_stdio_definitions.lib") // VS 2015 Community Edition needs this
#ifdef _WIN64
#pragma comment(lib, "madchook64.lib") // md (but renamed)
#else
#pragma comment(lib, "madchook32.lib")
#endif


DWORD WINAPI remoteProcess(LPVOID) {
   return 1;
}


#define PID 504 // change to whatever Notepad's PID is


int _tmain(int argc, _TCHAR* argv[])
{
   InitializeMadCHook();

   HANDLE process = OpenProcess(MAXIMUM_ALLOWED, FALSE, PID);
   if (process) {
      DWORD result = 0;
      BOOL rc = RemoteExecute(process, &remoteProcess, &result, nullptr, 0);
      PVOID remote_proc_buffer = nullptr;
      auto remote_proc = CopyFunction(&remoteProcess, process, FALSE, &remote_proc_buffer);
      if (remote_proc)
         MessageBoxA(0, "ok!", "", MB_OK);
      else
         MessageBoxA(0, "not ok!", "", MB_OK);
      CloseHandle(process);
   }

   FinalizeMadCHook();

   return 0;
}



--Iconic

Re: problem with CopyFunction

Post by iconic » Tue Nov 24, 2020 5:33 am

I’ll test on Windows 10 later today and see if there is any change.

—Iconic

Re: problem with CopyFunction

Post by Bevan Collins » Tue Nov 24, 2020 8:41 am

I'm using MCH 4.1.3 (madCHook64mt.lib), Windows 10 20H2, VisualStudio 16.8.2

Re: problem with CopyFunction

Post by iconic » Tue Nov 24, 2020 9:10 pm

Hi Bevan,

I've rerun the demo on Windows 10 x64 20H2 and tested a 64-bit .exe compiled with madCHook64mt.lib - it continues to work as expected without issue here. I tested 3x with both the WOW64 version of Notepad as well as the Native 64-bit version of Notepad. Did you want me to upload my pre-built binary (.exe) for you in case you'd like to test on your end? I've allowed you to input the process id in the current test demo through the console window.

--Iconic