[SOLVED/DELETE-ABLE] Double Vision (Unmanaged API help please)

Oct 13, 2009 at 3:42 AM
Edited Oct 13, 2009 at 3:46 AM

I admit I only have a basic grasp of what EasyHook is actually up to. I just wanted to hook a routine, and for that I used the Unmanaged API pdf in order to get some idea of what I should be doing.

I basically copied what I saw in the pdf. And was able to hook the routines I wanted to test out. But I don't know where to put code inside the hook which I want to execute in addition to the original routine...

Wherever I put code, it seems to be executed twice! Presumably once for the hook, then it gets hooked again somehow when calling the original routine from within the hook (which does execute afterwards).

The setup for a DrawText() hook in our project is like so:

#include <windows.h>
#include <iostream>
#include "easyhook.h"

// Hook installation (done inline here for now).
static HOOK_TRACE_INFO hti = {NULL};
ULONG acl[1] = {0}; // thread id 0 = the current thread

LhInstallHook(DrawText, XXX::DrawText, 0, &hti); // lets just do this here for now
LhSetInclusiveACL(acl, 1, &hti);                 // only the current thread is intercepted

// DrawText() hook handler (see easyhook.h); with UNICODE undefined, DrawText resolves to DrawTextA.
//WINUSERAPI
int
WINAPI
XXX::DrawText(
    __in HDC hdc,
    __inout_ecount(cchText) LPCSTR txt,
    __in int len,
    __inout LPRECT box,
    __in UINT how)
//int XXX::DrawText(HDC hdc, LPCTSTR txt, int len, LPRECT box, UINT how) //DrawText hook: easyhook.h
{
    std::wclog << "DrawText: " << txt << '\n';

    // Barrier queries copied from the Unmanaged API pdf; their results are not used here.
    PVOID Backup;
    PVOID CallStack[64];
    MODULE_INFORMATION Mod;
    ULONG MethodCount;
    LhBarrierPointerToModule(0, 0);
    LhBarrierCallStackTrace(CallStack, 64, &MethodCount);
    LhBarrierGetCallingModule(&Mod);

    return ::DrawText(hdc, txt, len, box, how); // forward to the original routine
}

Whether the wclog statement is placed first in the hook, or just before the return statement from the hook, it is executed twice per call of the hooked routine.

Obviously we don't want this behavior, but we don't understand what it is we're doing wrong.

We'd be grateful for some assistance.

Thanks,

Mick

PS: EasyHook is awesome!!

Oct 13, 2009 at 7:12 AM

Yes, EasyHook is awesome.

For many Windows APIs, there are an ANSI version and a Unicode version. Most (if not all) of the ANSI APIs just convert the parameters to Unicode and invoke the Unicode counterpart. It may explain the two log lines per single call.

You may need to hook both DrawTextA and DrawTextW instead of DrawText.

Oct 13, 2009 at 7:28 AM
Edited Oct 13, 2009 at 7:29 AM

I hooked both as you suggested. The double calls both come from the DrawTextA hook (what the cpp resolves DrawText to).

Is it possible to write a hook that doesn't end by calling the original routine? Does my code above look correct?

My intuition is that the double hooking happens when I call the same hooked routine again and it goes back into the hook. But as I recall, I think it crashed when I did not end by returning the original routine (the one being hooked).

I'm a real rube here. There has to be an easy explanation. This is about the simplest scenario one could devise for EasyHook, isn't it??

Oct 13, 2009 at 10:55 PM

Aha! I got the idea the program might be rendering one set of text for a drop shadow type effect, and sure enough there was a single pixel shadow there. I guess one pixel would've been noticeable back when the software was new, but on my really high DPI 1920x1200 portable display it was just barely perceivable with my nose to the screen. I feel a little dumb. This should've been the first thought to occur to me.
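Added example, not Mick's code and not part of EasyHook: a DrawTextA hook handler that records, per invocation, a thread-local re-entrancy depth plus the RECT and the text, so that a doubled log line can be told apart as recursion through the hook, two unrelated calls, or a text-plus-shadow pair like the one found above. The classification function is portable; the EasyHook glue (DrawTextA_Hook, InstallDrawTextHook) and the one-pixel shadow threshold are assumptions, and that part compiles only on Windows with easyhook.h available.

```cpp
#include <cstring>
#include <string>
#include <vector>

// One hook invocation as recorded inside the handler.
struct DrawEvent {
    int depth;        // 0 = entered from the application, >0 = re-entered from inside the hook
    long left, top;   // box->left / box->top at the time of the call
    std::string text; // the string DrawText was asked to draw
};

enum class DoubleCause { None, Reentrancy, SeparateCalls, ShadowPair };

// Classify the last two recorded calls. Assumption: two depth-0 calls with the same text whose
// rectangles differ by at most one pixel are a text + drop-shadow pair, as in the thread above.
DoubleCause classify(const std::vector<DrawEvent>& ev) {
    if (ev.size() < 2) return DoubleCause::None;
    for (const DrawEvent& e : ev) if (e.depth > 0) return DoubleCause::Reentrancy;
    const DrawEvent& a = ev[ev.size() - 2];
    const DrawEvent& b = ev.back();
    long dx = a.left - b.left, dy = a.top - b.top;
    if (a.text == b.text && dx >= -1 && dx <= 1 && dy >= -1 && dy <= 1) return DoubleCause::ShadowPair;
    return DoubleCause::SeparateCalls;
}

thread_local int g_depth = 0;      // re-entrancy depth for the current thread
std::vector<DrawEvent> g_events;   // assumption: a single UI thread, so no locking

#ifdef _WIN32
#include <windows.h>
#include "easyhook.h"
static HOOK_TRACE_INFO g_hti = { NULL };

int WINAPI DrawTextA_Hook(HDC hdc, LPCSTR txt, int len, LPRECT box, UINT how) {
    size_t n = (txt == NULL) ? 0 : (len < 0 ? std::strlen(txt) : static_cast<size_t>(len));
    g_events.push_back({ g_depth, box ? box->left : 0L, box ? box->top : 0L,
                         txt ? std::string(txt, n) : std::string() });
    ++g_depth;                                    // a nested DrawTextA from here would log depth 1
    int r = ::DrawTextA(hdc, txt, len, box, how); // forward to the original routine
    --g_depth;
    return r;
}

// Install the hook for the current thread only (thread id 0 in the ACL means "this thread").
bool InstallDrawTextHook() {
    ULONG acl[1] = { 0 };
    if (!SUCCEEDED(LhInstallHook((void*)::DrawTextA, (void*)DrawTextA_Hook, NULL, &g_hti))) return false;
    return SUCCEEDED(LhSetInclusiveACL(acl, 1, &g_hti));
}
#endif
```

After a few frames, inspecting g_events shows whether every entry has depth 0 and how far apart consecutive rectangles are; that is what distinguishes the shadow pair from a hook that really re-enters itself.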