Exetools
#1
04-26-2020, 14:07
phroyt
Delphi threading problem

I have an executable that was written in Delphi 2007.
My DLL is written in Delphi 10.2.

I'm using the Delphi Detours Library to hook some functions.

Everything was fine when an old DLL was used.

But, I don't know why, now the target is throwing Access Violations when it tries to create a thread.

After some deep digging, I found that any call from BeginThread to Windows CreateThread is throwing an Access Violation.

It is something about SysInit ThreadWrapper.

Can anyone shed some light on this?
#2
04-27-2020, 06:40
chessgod101 (Co-Administrator)
Make sure you are using the correct calling convention for your thread function. If you are using BeginThread, you cannot define the function as STDCALL. BeginThread is basically a workaround for your thread function to use the Delphi calling convention. My personal suggestion and preference for x86 is to use the standard WinAPI CreateThread and define your thread function as follows.

Code:
// stdcall matches the Win32 thread start routine that CreateThread expects
function MyThreadFunction(p: Pointer): Cardinal; stdcall;
begin
  // do stuff
  Result := 0;
end;
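The two conventions the reply above contrasts, as an added example (this is not code from the thread): a stdcall entry for the Win32 CreateThread call and a register-convention entry for the RTL's BeginThread, both stepping the same counter. Winapi.Windows declares CreateThread's lpStartAddress as an untyped pointer, so the compiler cannot flag a thread function with the wrong convention; the mismatch only shows up at run time. Program, function and variable names are my own.

```pascal
program ThreadConventions;

{$APPTYPE CONSOLE}

uses
  Winapi.Windows,
  System.SysUtils;

// Entry for the raw Win32 API. CreateThread's lpStartAddress is an untyped
// pointer, so nothing but this stdcall keeps the stack balanced when the
// loader's BaseThreadInitThunk calls in with one stack argument.
function WinApiThread(Param: Pointer): DWORD; stdcall;
begin
  PInteger(Param)^ := PInteger(Param)^ * 2;
  Result := 0;
end;

// Entry for the RTL's BeginThread. TThreadFunc is
//   function(Parameter: Pointer): Integer
// with the default register convention; the RTL's own wrapper is what gets
// handed to the Win32 CreateThread, so this function must NOT be stdcall.
function RtlThread(Param: Pointer): Integer;
begin
  PInteger(Param)^ := PInteger(Param)^ + 1;
  Result := 0;
end;

var
  Value: Integer;      // shared counter touched by both threads, one at a time
  hThread: THandle;
  ThreadId: TThreadID; // TThreadID is LongWord, the same type CreateThread writes
begin
  Value := 20;

  // 1) Win32 API directly: stdcall thread function.
  hThread := CreateThread(nil, 0, @WinApiThread, @Value, 0, ThreadId);
  if hThread = 0 then
    RaiseLastOSError;
  WaitForSingleObject(hThread, INFINITE);
  CloseHandle(hThread);
  Writeln('after CreateThread: ', Value);

  // 2) Delphi RTL: register-convention thread function.
  hThread := BeginThread(nil, 0, RtlThread, @Value, 0, ThreadId);
  if hThread = 0 then
    RaiseLastOSError;
  WaitForSingleObject(hThread, INFINITE);
  CloseHandle(hThread);
  Writeln('after BeginThread: ', Value);
end.
```

Both threads finish before the next one starts, so the counter is stepped by each in turn; swapping the two conventions (stdcall on RtlThread, or none on WinApiThread) compiles without complaint and fails at run time, which is the point of the reply above.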
#3
04-28-2020, 10:51
phroyt

The more I program in Delphi, the less I know.

My DLL uses the code below to hook the target .EXE's functions:

Code:
library blablabla;

uses
  System.SysUtils,
  System.Classes,
  System.Types,
  AnsiStrings,
  Windows,
  CPUID in 'DDetours\Source\CPUID.pas',
  DDetours in 'DDetours\Source\DDetours.pas',
  InstDecode in 'DDetours\Source\InstDecode.pas';

{$R *.res}

// Trampolines returned by InterceptCreate; calling them reaches the original APIs.
// The signatures mirror the Windows unit's declarations of CreateFileA and DeviceIoControl.
var
  TrampolineCreateFileA: function(lpFileName: LPCSTR; dwDesiredAccess, dwShareMode: DWORD;
    lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD;
    hTemplateFile: THandle): THandle; stdcall;
  TrampolineDeviceIoControl: function(hDevice: THandle; dwIoControlCode: DWORD;
    lpInBuffer: Pointer; nInBufferSize: DWORD; lpOutBuffer: Pointer; nOutBufferSize: DWORD;
    var lpBytesReturned: DWORD; lpOverlapped: POverlapped): BOOL; stdcall;

// The hook bodies are not part of the post; these placeholders pass every call
// straight through to the original function via the trampoline.
function CreateFileA_Hooked(lpFileName: LPCSTR; dwDesiredAccess, dwShareMode: DWORD;
  lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD;
  hTemplateFile: THandle): THandle; stdcall;
begin
  Result := TrampolineCreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
end;

function DeviceIoControl_Hooked(hDevice: THandle; dwIoControlCode: DWORD; lpInBuffer: Pointer;
  nInBufferSize: DWORD; lpOutBuffer: Pointer; nOutBufferSize: DWORD; var lpBytesReturned: DWORD;
  lpOverlapped: POverlapped): BOOL; stdcall;
begin
  Result := TrampolineDeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize,
    lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);
end;

///////////////////
// DLLMain
//////////////////
// Note: System.TDLLProc is declared as procedure(Reason: Integer) with the default
// register convention; this stdcall declaration does not match that type.
procedure DllInit(Reason: DWord); stdcall;
begin
  case Reason of
    DLL_PROCESS_ATTACH: begin
      // Only hook when loaded into the intended host
      if (Pos('target', ParamStr(0)) > 0) then
      begin
        //Hooks
        @TrampolineCreateFileA := InterceptCreate(@CreateFileA, @CreateFileA_Hooked);
        @TrampolineDeviceIoControl := InterceptCreate(@DeviceIoControl, @DeviceIoControl_Hooked);
      end;

    end; {= DLL_PROCESS_ATTACH =}

    DLL_PROCESS_DETACH: begin
      InterceptRemove(@CreateFileA);
      InterceptRemove(@DeviceIoControl);
    end; {= DLL_PROCESS_DETACH =}
  end;
end;

begin
  DLLProc := TDLLProc(@DllInit);
  DllInit(DLL_PROCESS_ATTACH);
end.
The target .EXE runs very well until it tries to create a thread.
A crash is thrown inside ntdll.dll; the call stack:

Code:
:8d575653 
:77d196de ; 
:77d19658 ntdll.RtlInitializeCriticalSection + 0x88
:77cf2b06 ; 
:77cf2a2c ntdll.RtlExitUserThread + 0x4c
:75906a1b KERNEL32.BaseThreadInitThunk + 0x2b
:77d2ad8f ntdll.RtlInitializeExceptionChain + 0x8f
:77d2ad5a ntdll.RtlInitializeExceptionChain + 0x5a
I don't know what the hell is going on.
But in a blind shot, I commented out the DLLProc line and voilà:

Code:
begin
  //DLLProc := TDLLProc(@DllInit);
  DllInit(DLL_PROCESS_ATTACH);
end.
The codes sent to DLLProc don't make sense either:

DLLInit: 0x00000001 => DLL_PROCESS_ATTACH
DLLInit: 0x6CBE2728
DLLInit: 0x6D992728
DLLInit: 0x064DBC38


By the way, it solves my problem.

Thanks Sir.

#4
05-01-2020, 16:11
TQN
Yes, a conflict/bug in the DllEntryPoint function of your Delphi code.
When a thread is created, the system will call the DllEntryPoint function with the parameter DLL_THREAD_ATTACH.
#5
05-03-2020, 07:51
phroyt

That's the point.

I always thought it worked like this.

But unknown codes are sent:

Code:
DLLInit: 0x00000001 => DLL_PROCESS_ATTACH
DLLInit: 0x6CBE2728
DLLInit: 0x6D992728
DLLInit: 0x064DBC38
The normal values are:
Code:
  DLL_PROCESS_ATTACH = 1;
  {$EXTERNALSYM DLL_PROCESS_ATTACH}
  DLL_THREAD_ATTACH = 2;
  {$EXTERNALSYM DLL_THREAD_ATTACH}
  DLL_THREAD_DETACH = 3;
  {$EXTERNALSYM DLL_THREAD_DETACH}
  DLL_PROCESS_DETACH = 0;
  {$EXTERNALSYM DLL_PROCESS_DETACH}
The first one (DLL_PROCESS_ATTACH) is called by me in the BEGIN section.

Code:
begin
  //DLLProc := TDLLProc(@DllInit);
  DllInit(DLL_PROCESS_ATTACH);
end.
I tested moving this code to a unit initialization section and it works like a charm too.

Like you said, probably erratic DLLProc behavior.

Thanks
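A DLLProc handler that receives the reason codes listed in the post above, as an added example (not the poster's DLL). System declares TDLLProc as procedure(Reason: Integer) with the default register convention, so the handler takes a plain Integer and carries no calling-convention suffix; the RTL only forwards reasons that arrive after DllProc has been assigned, which is why the attach case is invoked by hand from the initialization block, as in the RTL documentation. Library, procedure and variable names, and the thread counter, are my own.

```pascal
library DllProcDemo;

// TDLLProc = procedure(Reason: Integer);  (System unit, register convention:
// Reason arrives in EAX). A stdcall handler would instead read Reason from the
// stack and pop four bytes on return, so the handler below has no suffix.

uses
  Winapi.Windows,
  System.SysUtils;

var
  // Threads that attached since the DLL loaded, minus those that detached.
  LiveThreads: Integer = 0;

// Maps the four documented reason codes to names. Anything else is flagged,
// which is the quickest way to notice a convention mismatch in the handler.
function ReasonName(Reason: Integer): string;
begin
  case Reason of
    DLL_PROCESS_ATTACH: Result := 'DLL_PROCESS_ATTACH';
    DLL_THREAD_ATTACH:  Result := 'DLL_THREAD_ATTACH';
    DLL_THREAD_DETACH:  Result := 'DLL_THREAD_DETACH';
    DLL_PROCESS_DETACH: Result := 'DLL_PROCESS_DETACH';
  else
    Result := Format('unexpected reason 0x%.8x', [Reason]);
  end;
end;

procedure Log(const Msg: string);
begin
  OutputDebugString(PChar('DllProcDemo: ' + Msg));
end;

// Register convention, matching TDLLProc. No stdcall here.
procedure DllMain(Reason: Integer);
begin
  // This runs under the loader lock for every thread the host creates,
  // so keep it cheap and never wait on another thread from here.
  case Reason of
    DLL_THREAD_ATTACH: AtomicIncrement(LiveThreads);
    DLL_THREAD_DETACH: AtomicDecrement(LiveThreads);
  end;
  Log(Format('%s, live threads: %d', [ReasonName(Reason), LiveThreads]));
end;

begin
  // DLL_PROCESS_ATTACH has already been delivered by the time this block runs,
  // so it is not forwarded to DllProc; call the handler for it directly.
  DllProc := @DllMain;
  DllMain(DLL_PROCESS_ATTACH);
end.
```

Watching the debug output while the host spins up threads shows a DLL_THREAD_ATTACH per thread with a climbing counter; if the handler were declared stdcall, the same log would show the "unexpected reason" line with stack garbage instead, and the host would fault shortly after the entry point returned.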
#6
05-05-2020, 13:03
TQN
You can refer to two documents:
1. http://docs.embarcadero.com/products/rad_studio/delphiAndcpp2009/HelpUpdate2/EN/html/delphivclwin32/System_DLLProc.html
2. https://www.delphipraxis.net/47406-dll-entry-function.html
Best regards,
All times are GMT +8.