More I program in Delphi, less I know.
My DLL uses the code below to hook the target .EXE functions:
Code:
library blablabla;
uses
System.SysUtils,
System.Classes,
System.Types,
AnsiStrings,
Windows,
CPUID in 'DDetours\Source\CPUID.pas',
DDetours in 'DDetours\Source\DDetours.pas',
InstDecode in 'DDetours\Source\InstDecode.pas';
{$R *.res}
///////////////////
// DLLMain
//////////////////
procedure DllInit(Reason: DWord); stdcall;
begin
case Reason of
DLL_PROCESS_ATTACH: begin
if (Pos('target', ParamStr(0)) > 0) then
begin
//Hooks
@TrampolineCreateFileA := InterceptCreate(@CreateFileA, @CreateFileA_Hooked);
@TrampolineDeviceIoControl := InterceptCreate(@DeviceIoControl, @DeviceIoControl_Hooked);
end;
end; {= DLL_PROCESS_ATTACH =}
DLL_PROCESS_DETACH: begin
InterceptRemove(@CreateFileA);
InterceptRemove(@DeviceIoControl);
end; {= DLL_PROCESS_DETACH =}
end;
end;
begin
DLLProc := TDLLProc(@DllInit);
DllInit(DLL_PROCESS_ATTACH);
end.
The target .EXE run very well, until it tries to create a thread.
A crash is throw inside ntdll.dll code callstack:
Code:
:8d575653
:77d196de ;
:77d19658 ntdll.RtlInitializeCriticalSection + 0x88
:77cf2b06 ;
:77cf2a2c ntdll.RtlExitUserThread + 0x4c
:75906a1b KERNEL32.BaseThreadInitThunk + 0x2b
:77d2ad8f ntdll.RtlInitializeExceptionChain + 0x8f
:77d2ad5a ntdll.RtlInitializeExceptionChain + 0x5a
I don't know what the hell is going on.
But in a blind shot, I commented out the DLLProc line and
voilá
Code:
begin
//DLLProc := TDLLProc(@DllInit);
DllInit(DLL_PROCESS_ATTACH);
end.
The codes sent to DLLProc doesn't make sense either:
DLLInit: 0x00000001 => DLL_PROCESS_ATTACH
DLLInit: 0x6CBE2728
DLLInit: 0x6D992728
DLLInit: 0x064DBC38
By the way, it solves my problem.
Thanks Sir.