RegSetValueExW hook causes explorer.exe startup crash

c++ / delphi package - dll injection and api hooking
televes
Posts: 13
Joined: Mon Jul 27, 2009 4:10 pm

RegSetValueExW hook causes explorer.exe startup crash

Post by televes »

Hello!

Hope somebody can help me with this. I think it's an easy one.

I want to hook RegSetValueExW so I wrote this code:


	//"Next" function definition:
	LONG (WINAPI *RegSetValueExWNext)(HKEY hKey, LPCWSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE *lpData, DWORD cbData);

	//Callback function:
	LONG WINAPI RegSetValueExWCallback(HKEY hKey, LPCWSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE *lpData, DWORD cbData){
		if( lpValueName != NULL && _wcsicmp(L"TWAMSvrAutoRun", lpValueName) == 0)
			return ERROR_ACCESS_DENIED;
		else
			return RegSetValueExWNext(hKey, lpValueName, Reserved, dwType, lpData, cbData);
	}

	//Hook installation:
	HookAPI("Advapi32.dll", "RegSetValueExW", RegSetValueExWCallback, (PVOID*) &RegSetValueExWNext);

It works great, and does exactly what I want. But it causes crashes on some programs, specifically when starting explorer.exe (there isn't any problem when hooking an existing instance).

Am I doing something wrong?

Thanks for any help!
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Re: RegSetValueExW hook causes explorer.exe startup crash

Post by madshi »

That sounds weird. Your code looks alright to me. I can only guess that for some reason Explorer.exe is calling RegSetValueExW with invalid parameters during initialization. Try adding an "IsBadReadPtr" call to check whether "lpValueName" can really be read. If that doesn't help, try commenting out the "if" in your callback and always just call the original API. Does the crash go away then?
televes
Posts: 13
Joined: Mon Jul 27, 2009 4:10 pm

Re: RegSetValueExW hook causes explorer.exe startup crash

Post by televes »

Hello madshi

Seems that IsBadReadPtr solved the problem.

Thank you!
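
The check that resolved this thread, written out as an added example (not code from either poster or from the hooking package): the callback probes `lpValueName` before reading it and forwards anything unreadable to the original API. `IsBlockedName`, `kBlocked`, `FakeNext`, `g_forwarded`, the probe size and the non-Windows stand-ins are assumptions made for illustration.

```c
/* Added example. Off Windows, the #else branch supplies constructed stand-ins
   so the filtering logic can still be compiled and exercised. */
#include <wchar.h>
#include <wctype.h>
#ifdef _WIN32
#include <windows.h>
#else
typedef void *HKEY; typedef unsigned long DWORD; typedef long LONG;
typedef unsigned char BYTE; typedef const wchar_t *LPCWSTR;
#define WINAPI
#define ERROR_SUCCESS 0L
#define ERROR_ACCESS_DENIED 5L
/* Stand-in only: the real IsBadReadPtr probes the pages, this one cannot. */
static int IsBadReadPtr(const void *p, size_t n) { (void)n; return p == NULL; }
#endif

static const wchar_t kBlocked[] = L"TWAMSvrAutoRun";
static int g_forwarded;  /* counts calls passed through to the original API */

/* Constructed stand-in for the original API; HookAPI fills the pointer in real use. */
static LONG WINAPI FakeNext(HKEY k, LPCWSTR n, DWORD r, DWORD t, const BYTE *d, DWORD c) {
    (void)k; (void)n; (void)r; (void)t; (void)d; (void)c;
    ++g_forwarded;
    return ERROR_SUCCESS;
}
static LONG (WINAPI *RegSetValueExWNext)(HKEY, LPCWSTR, DWORD, DWORD, const BYTE *, DWORD) = FakeNext;

/* Case-insensitive match that never reads past sizeof(kBlocked) bytes of name.
   A name that matches is exactly that long, so probing that range loses no match. */
static int IsBlockedName(LPCWSTR name) {
    size_t i;
    if (name == NULL || IsBadReadPtr(name, sizeof(kBlocked)))
        return 0;  /* unreadable name: do not touch it, let the real API decide */
    for (i = 0; i < sizeof(kBlocked) / sizeof(kBlocked[0]); ++i)
        if (towlower((wint_t)name[i]) != towlower((wint_t)kBlocked[i]))
            return 0;  /* stops at the first mismatch, including an early NUL */
    return 1;  /* every character matched, terminating NUL included */
}

LONG WINAPI RegSetValueExWCallback(HKEY hKey, LPCWSTR lpValueName, DWORD Reserved,
                                   DWORD dwType, const BYTE *lpData, DWORD cbData) {
    if (IsBlockedName(lpValueName))
        return ERROR_ACCESS_DENIED;
    return RegSetValueExWNext(hKey, lpValueName, Reserved, dwType, lpData, cbData);
}

int main(void) {  /* demo: a differently cased name is still refused */
    return RegSetValueExWCallback(NULL, L"twamsvrautorun", 0, 1, NULL, 0) == ERROR_ACCESS_DENIED ? 0 : 1;
}
```

Microsoft documents IsBadReadPtr as obsolete because the probe can race with another thread changing the memory, so it narrows this crash rather than guaranteeing the pointer stays valid.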