Closed

Hooking of CreateFile fails on Win 8.1 x64

description

Hi,

when I try to hook x64 notepad on my Windows 8.1 box I get an access violation.

(11a4.500): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00007ffc`4f540398 ff255acc1100 jmp qword ptr [GDI32!Pie+0x58 (00007ffc4f65cff8)] ds:00007ffc4f65cff8=89660000081ab83f
0:000> u
00007ffc`4f540398 ff255acc1100 jmp qword ptr [GDI32!Pie+0x58 (00007ffc4f65cff8)]
00007ffc`4f54039e e90b16caff jmp KERNEL32!CreateFileW+0x6 (00007ffc4f1e19ae)
00007ffc`4f5403a3 0000 add byte ptr [rax],al
00007ffc`4f5403a5 0000 add byte ptr [rax],al
00007ffc`4f5403a7 0000 add byte ptr [rax],al
00007ffc`4f5403a9 0000 add byte ptr [rax],al
00007ffc`4f5403ab 0000 add byte ptr [rax],al
00007ffc`4f5403ad 0000 add byte ptr [rax],al
0:000> r
rax=00007ffc4f540278 rbx=000000d381970b70 rcx=000000d3e62bfff4
rdx=ffffffff80000000 rsi=00007ffbd8cf95a0 rdi=000000d3e62bffe8
rip=00007ffc4f540398 rsp=000000d3e2bfe2d8 rbp=000000d3e2bfe320
r8=0000000000000001 r9=0000000000000000 r10=00007ffbd8cf95f8
r11=0000000000000018 r12=0000000000000001 r13=0000000080000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
00007ffc`4f540398 ff255acc1100 jmp qword ptr [GDI32!Pie+0x58 (00007ffc4f65cff8)] ds:00007ffc4f65cff8=89660000081ab83f
0:000> u 7ffc4f540398-20
00007ffc`4f540378 4883c460 add rsp,60h
00007ffc`4f54037c 0f105c24c0 movups xmm3,xmmword ptr [rsp-40h]
00007ffc`4f540381 0f105424d0 movups xmm2,xmmword ptr [rsp-30h]
00007ffc`4f540386 0f104c24e0 movups xmm1,xmmword ptr [rsp-20h]
00007ffc`4f54038b 0f104424f0 movups xmm0,xmmword ptr [rsp-10h]
00007ffc`4f540390 4159 pop r9
00007ffc`4f540392 4158 pop r8
00007ffc`4f540394 5a pop rdx
0:000> u
00007ffc`4f540395 59 pop rcx
00007ffc`4f540396 ff20 jmp qword ptr [rax]
00007ffc`4f540398 ff255acc1100 jmp qword ptr [GDI32!Pie+0x58 (00007ffc4f65cff8)]
00007ffc`4f54039e e90b16caff jmp KERNEL32!CreateFileW+0x6 (00007ffc4f1e19ae)
00007ffc`4f5403a3 0000 add byte ptr [rax],al
00007ffc`4f5403a5 0000 add byte ptr [rax],al
00007ffc`4f5403a7 0000 add byte ptr [rax],al
00007ffc`4f5403a9 0000 add byte ptr [rax],al

It seems the jump target (89660000081ab83f) points to invalid memory. Looks like a 2.7 issue because I did use 2.6 without any problems. 32-bit seems to work.

Yours,
Alois Kraus
Closed Feb 15, 2014 at 7:00 AM by spazzarama
Fixed on changeset 73837
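The crash site in the report is a hook trampoline that ends in two jumps: a RIP-relative `jmp qword ptr [rip+disp32]` (FF 25) that reads its real target from an 8-byte slot, followed by a `jmp rel32` (E9) back into CreateFileW+6. When a dump like the one above is all you have, it helps to recompute those targets from the raw bytes rather than trust the symbolized line. The following C program is an added example written for this page; it is not EasyHook's code and not the reporter's. The opcode bytes and addresses are copied from the listing above, and the canonical-address rule is the x86-64 architecture's own: bits 63..47 must all be copies of bit 47, so a value like 89660000081ab83f is not a valid address at all, which is why the processor faults and Windows reports c0000005 rather than simply landing somewhere unexpected.

```c
/* Decode the two jump encodings from the trampoline listing and compute
 * their absolute targets, so the WinDbg output can be checked by hand.
 * Added example for this issue page; bytes and addresses come from the
 * reporter's listing, the canonical-form rule from the x86-64 spec. */
#include <stdint.h>
#include <stdio.h>

/* Bytes from the listing: "ff255acc1100" at 00007ffc`4f540398 */
static const uint8_t LISTING_JMP_INDIRECT[6] = {0xFF, 0x25, 0x5A, 0xCC, 0x11, 0x00};
/* Bytes from the listing: "e90b16caff" at 00007ffc`4f54039e */
static const uint8_t LISTING_JMP_REL32[5] = {0xE9, 0x0B, 0x16, 0xCA, 0xFF};

/* Little-endian signed 32-bit read, as x86 encodes displacements. */
static int32_t rd32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* `jmp qword ptr [rip+disp32]` (FF 25 disp32): returns the address of the
 * 8-byte slot holding the real target. RIP-relative displacements are taken
 * from the end of the 6-byte instruction. Returns 0 if the opcode differs. */
uint64_t jmp_indirect_slot(uint64_t rip, const uint8_t *code) {
    if (code[0] != 0xFF || code[1] != 0x25) return 0;
    return rip + 6 + (int64_t)rd32(code + 2);
}

/* `jmp rel32` (E9 rel32): returns the absolute target, relative to the end
 * of the 5-byte instruction. Returns 0 if the opcode differs. */
uint64_t jmp_rel32_target(uint64_t rip, const uint8_t *code) {
    if (code[0] != 0xE9) return 0;
    return rip + 5 + (int64_t)rd32(code + 1);
}

/* A user-mode x86-64 address must be canonical with bit 47 clear, i.e. the
 * top 17 bits are zero. Anything else faults on a control transfer, which
 * Windows surfaces as an access violation (c0000005). */
int is_canonical_user_address(uint64_t a) {
    return a < 0x0000800000000000ULL;
}

int main(void) {
    uint64_t slot = jmp_indirect_slot(0x00007ffc4f540398ULL, LISTING_JMP_INDIRECT);
    uint64_t back = jmp_rel32_target(0x00007ffc4f54039eULL, LISTING_JMP_REL32);
    uint64_t slot_value = 0x89660000081ab83fULL; /* ds: value shown in the dump */

    printf("indirect slot address : %016llx (GDI32!Pie+0x58 in the listing)\n",
           (unsigned long long)slot);
    printf("slot contents         : %016llx canonical user address: %s\n",
           (unsigned long long)slot_value,
           is_canonical_user_address(slot_value) ? "yes" : "no");
    printf("rel32 jump target     : %016llx (CreateFileW+0x6 in the listing)\n",
           (unsigned long long)back);
    return 0;
}
```

Both computed addresses match the symbolized values WinDbg printed (00007ffc4f65cff8 and 00007ffc4f1e19ae), which confirms the jump encodings themselves are sound; the defect is the 8-byte slot contents, not the instructions. The same check is a cheap sanity test to run on any freshly written trampoline before control is transferred to it: decode the FF 25 slot, read the qword, and refuse to enable the hook if the value is non-canonical or outside the target module.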

comments

wrote Feb 15, 2014 at 6:59 AM

Fixed on changeset 73837

wrote Feb 15, 2014 at 7:00 AM

Alois wrote Feb 16, 2014 at 8:37 AM

Thanks for the fast response and great work.