Heap corruption when hooking GetFileAttributes - possible bug?

May 30, 2012 at 3:43 AM
Edited May 30, 2012 at 3:57 AM

Hello

I am getting a crash when attempting to hook GetFileAttributes (upon the creation of the hook itself). I have been using hooks for many other calls successfully for about 6 months without troubles, so it seems there is a bug or something unusual about this particular call.

I have uploaded a repro which attempts to hook this in notepad: https://docs.google.com/open?id=0B8Ex66-fCs63akVqRWxMdjNRVzQ (I should note that this is using 2.7 alpha 3)

Now my question is: is this a problem with my code or with EasyHook? This is really holding me back on my current project - any help would be greatly appreciated.

Thanks 

Coordinator
Jun 2, 2012 at 4:41 AM

Thanks for the repro, I'll take a look at it sometime in the next week.

Cheers,

J

Jun 10, 2012 at 10:59 PM

Hello Spazz,

 

were you able to reproduce this?

Coordinator
Jun 12, 2012 at 1:14 AM

Not yet sorry - been a bit busy :)

Will try to get to it this week...

Jun 22, 2012 at 4:09 AM

How's this coming along? :)

Coordinator
Jun 22, 2012 at 3:05 PM
Edited Jun 22, 2012 at 3:06 PM

I can reproduce the problem. I'm thinking that the method is not hookable (Win7 64-bit in my case).

I was however able to hook ntdll.dll NtQueryAttributesFile (which is what gets called ultimately anyway). So this should solve your problem.

 

                var hook = LocalHook.Create(
                    LocalHook.GetProcAddress("ntdll.dll", "NtQueryAttributesFile"),
                    new NativeMethods.DNtQueryAttributesFile(NtGetFileAttributes),
                    this);
...
        static int NtGetFileAttributes(IntPtr ObjectAttributes,
            out IntPtr FileInformation)
        {
            return NativeMethods.NtQueryAttributesFile(ObjectAttributes, out FileInformation);
        }


...
        [DllImport("ntdll.dll")]
        public static extern int NtQueryAttributesFile(
            IntPtr ObjectAttributes,
            out IntPtr FileInformation);

        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
        public delegate int DNtQueryAttributesFile(IntPtr ObjectAttributes,
            out IntPtr FileInformation);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public delegate bool DGetFileAttributesEx(string lpFileName,
           GET_FILEEX_INFO_LEVELS fInfoLevelId, IntPtr lpFileInformation);