Hi,

I have been trying to hook FindNextFileW in Explorer.exe.
I have used IAT hooking and I managed to successfully change the address of FindNextFileW in the import table, but when I execute the program, after the address is changed, explorer.exe restarts.
I get a message box, Data Execution Prevention, and then explorer restarts. So I turned off the Data Execution Prevention for Explorer.exe and now I don't get any error message and explorer doesn't restart, but when I open a directory nothing happens.
Is there a problem in the definition of myFindFirstFileExW or is there something else I am missing?



C++
BOOL myFindNextFileW(HANDLE hFindFile, LPWIN32_FIND_DATA lpFindFileData);

int WINAPI DllEntryPoint(HINSTANCE hinstDll, unsigned long fdwReason,
                         void* fImpLoad) {
    char lib_name[50];
    GetModuleFileName(hinstDll, lib_name, 50);
    LoadLibrary(lib_name);
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH: {
        ShowMessage("DLL_PROCESS_ATTACH");
        HookAPI("FindNextFileW", (DWORD)myFindNextFileW);
    }
    case DLL_PROCESS_DETACH: {
        break;
    }
    case DLL_THREAD_ATTACH: {
        break;
    }
    case DLL_THREAD_DETACH: {
        break;
    }
    }
    return (TRUE);
}

BOOL myFindNextFileW(HANDLE hFindFile, LPWIN32_FIND_DATA lpFindFileData)
{
    FILE *hfptr4;
    hfptr4 = fopen("c:\\hookedCP.txt", "a");
    fprintf(hfptr4, "%s", "findNextFile\n");
    fclose(hfptr4);
    ShowMessage("FindNextFileW");
    return FindNextFileW(hFindFile, (_WIN32_FIND_DATAW *)lpFindFileData);
}
Updated 4-May-12 20:55pm
Comments
Code-o-mat 5-May-12 4:06am    
Not quite sure about this, so I will not add it as a solution, just guessing, but: try adding the __stdcall or WINAPI calling convention specifier to your myFindNextFileW. Another important thing here is that, as far as I can see, you are using LoadLibrary in the DllEntryPoint, which is a big NO-NO, if you read the remarks here: http://msdn.microsoft.com/en-us/library/ms886736.aspx . Instead of doing that in the entry point, start a secondary thread and use that to load your hook DLL.
Code-o-mat 5-May-12 4:40am    
Another thing that comes to my mind: some time ago I was also experimenting with hooking explorer and I found out that the CreateRemoteThread method didn't work; however, with SetWindowsHookEx I had much better luck. Don't know what method you use to inject your DLL, just thought I'd mention it...
lilyNaz 5-May-12 5:34am    
Thank you.
I use CreateRemoteThread to inject my DLL.
I added stdcall and I removed the code regarding LoadLibrary but it still doesn't work.
Code-o-mat 5-May-12 9:48am    
Are you sure the actual hooking is successful? There can be multiple reasons why your hooked method doesn't get invoked. E.g. explorer could use LoadLibrary/GetProcAddress to get access to the function instead of loading the DLL at startup and accessing the function using the IAT, or it might call into another DLL that imports FindNextFileW instead of calling it directly.
lilyNaz 6-May-12 1:00am    
Yeah, I guess it wasn't invoked, so I did the same for cmd.exe and this time I monitored cmd.exe in API Monitor. When I typed dir, cmd crashed and I can see that MyDLL has been loaded, but it returns INVALID_HANDLE_VALUE, Error 2: The system could not find the file specified ... This time my function is definitely called.

1 solution

Hi,

There is only a single possibility. When you get the Data Execution Prevention error message... it means that the instructions located in memory were not marked with execute access.

It sounds like you are using an old hook library that was written prior to 2004 and intended for use with Windows XP SP1 and below. Windows XP SP2 was released in 2004 and brought DEP and broke many of the old hook libraries that were not using the VirtualProtect function to mark the memory as executable.

Best Wishes,
-David Delaune

[Updated dates and Service pack numbers]
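
Seen from the detection side, both symptoms in this thread (an import slot redirected away from its DLL, and a DEP fault when the slot's target is not executable) can be read off where the IAT entry points. The following is an added example, not code from the question or the answer: it classifies a function-import target against a constructed memory map, and the `Region` struct, the verdict names and every address in it are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of a process memory map. All sample values below are constructed. */
typedef struct {
    uint64_t base, size;
    const char *module;  /* image name, or NULL for private (non-image) memory */
    int executable;      /* 1 if the page protection allows execution */
} Region;

typedef enum { IAT_OK, IAT_OTHER_MODULE, IAT_PRIVATE_EXEC, IAT_NON_EXEC, IAT_UNMAPPED } Verdict;

static const Region *find_region(const Region *map, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr - map[i].base < map[i].size)
            return &map[i];
    return NULL;
}

/* Classify where the IAT slot of a function imported from `expected` points (names pre-normalised to one case). */
Verdict classify_iat_target(const Region *map, size_t n,
                            const char *expected, uint64_t target) {
    const Region *r = find_region(map, n, target);
    if (r == NULL) return IAT_UNMAPPED;
    if (!r->executable) return IAT_NON_EXEC;        /* calling it raises a DEP fault */
    if (r->module == NULL) return IAT_PRIVATE_EXEC; /* code outside any loaded image */
    if (strcmp(r->module, expected) != 0)
        return IAT_OTHER_MODULE;                    /* hook DLL or forwarded export */
    return IAT_OK;
}

static const Region SAMPLE_MAP[] = {
    { 0x76D00000u, 0x110000u, "kernel32.dll", 1 },
    { 0x10000000u, 0x020000u, "mydll.dll",    1 },
    { 0x00350000u, 0x001000u, NULL,           0 },  /* heap page, no execute */
    { 0x00360000u, 0x001000u, NULL,           1 },  /* private executable page */
};
#define SAMPLE_MAP_LEN (sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0])

int main(void) {
    const uint64_t targets[] = { 0x76D12345u, 0x10001000u, 0x00350010u,
                                 0x00360010u, 0x7FFF0000u };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("0x%08llx -> verdict %d\n", (unsigned long long)targets[i],
               (int)classify_iat_target(SAMPLE_MAP, SAMPLE_MAP_LEN,
                                        "kernel32.dll", targets[i]));
    return 0;
}
```

`IAT_OTHER_MODULE` alone is not proof of tampering, since a forwarded export legitimately resolves into a different DLL; it marks the slot for comparison against what the loader would resolve from the on-disk image.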

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)