Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PR #63] Crashes when attempting to hook LoadLibraryExW #70

Open
praydog opened this issue Apr 7, 2024 · 5 comments · May be fixed by #89
Open

[PR #63] Crashes when attempting to hook LoadLibraryExW #70

praydog opened this issue Apr 7, 2024 · 5 comments · May be fixed by #89

Comments

@praydog
Copy link
Collaborator

praydog commented Apr 7, 2024

Will update with more info. First glance looks like an exception occurs inside of trap_threads, causing a nested acquisition of the trap mutex.
@ThirteenAG
Copy link

There's also a recursion when hooking AcquireSRWLockExclusive, which, I don't know, probably nothing can be done about?

void WINAPI CustomAcquireSRWLockExclusive(PSRWLOCK SRWLock)
{
    return shAcquireSRWLockExclusive.stdcall<void>(SRWLock);
}
...
shAcquireSRWLockExclusive = safetyhook::create_inline(AcquireSRWLockExclusive, CustomAcquireSRWLockExclusive);
>	dinput8.dll!CustomAcquireSRWLockExclusive(_RTL_SRWLOCK * SRWLock)	C++	Symbols loaded.
 	msvcp140d.dll!mtx_do_lock(_Mtx_internal_imp_t * mtx, const _timespec64 * target)	C++	Non-user code. Symbols loaded.
 	msvcp140d.dll!_Mtx_lock(_Mtx_internal_imp_t * mtx)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::_Mutex_base::lock()	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::scoped_lock<std::recursive_mutex>::scoped_lock<std::recursive_mutex>(std::recursive_mutex & _Mtx)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!safetyhook::InlineHook::stdcall<void,_RTL_SRWLOCK *>(_RTL_SRWLOCK * <args_0>)	C++	Symbols loaded.
 	dinput8.dll!CustomAcquireSRWLockExclusive(_RTL_SRWLOCK * SRWLock)	C++	Symbols loaded.
 	msvcp140d.dll!mtx_do_lock(_Mtx_internal_imp_t * mtx, const _timespec64 * target)	C++	Non-user code. Symbols loaded.
 	msvcp140d.dll!_Mtx_lock(_Mtx_internal_imp_t * mtx)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::_Mutex_base::lock()	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::scoped_lock<std::recursive_mutex>::scoped_lock<std::recursive_mutex>(std::recursive_mutex & _Mtx)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!safetyhook::InlineHook::stdcall<void,_RTL_SRWLOCK *>(_RTL_SRWLOCK * <args_0>)	C++	Symbols loaded.
 	dinput8.dll!CustomAcquireSRWLockExclusive(_RTL_SRWLOCK * SRWLock)	C++	Symbols loaded.
 	msvcp140d.dll!mtx_do_lock(_Mtx_internal_imp_t * mtx, const _timespec64 * target)	C++	Non-user code. Symbols loaded.
 	msvcp140d.dll!_Mtx_lock(_Mtx_internal_imp_t * mtx)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::_Mutex_base::lock()	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::scoped_lock<std::recursive_mutex>::scoped_lock<std::recursive_mutex>(std::recursive_mutex & _Mtx)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!safetyhook::InlineHook::stdcall<void,_RTL_SRWLOCK *>(_RTL_SRWLOCK * <args_0>)	C++	Symbols loaded.
 	dinput8.dll!CustomAcquireSRWLockExclusive(_RTL_SRWLOCK * SRWLock)	C++	Symbols loaded.
 	msvcp140d.dll!mtx_do_lock(_Mtx_internal_imp_t * mtx, const _timespec64 * target)	C++	Non-user code. Symbols loaded.
 	msvcp140d.dll!_Mtx_lock(_Mtx_internal_imp_t * mtx)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::_Mutex_base::lock()	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::scoped_lock<std::recursive_mutex>::scoped_lock<std::recursive_mutex>(std::recursive_mutex & _Mtx)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!safetyhook::InlineHook::destroy()	C++	Symbols loaded.
 	dinput8.dll!safetyhook::InlineHook::operator=(safetyhook::InlineHook && other)	C++	Symbols loaded.
 	dinput8.dll!safetyhook::InlineHook::InlineHook(safetyhook::InlineHook && other)	C++	Symbols loaded.
 	dinput8.dll!std::expected<safetyhook::InlineHook,safetyhook::InlineHook::Error>::expected<safetyhook::InlineHook,safetyhook::InlineHook::Error><safetyhook::InlineHook>(safetyhook::InlineHook && _Other)	C++	Non-user code. Symbols loaded.
 	dinput8.dll!safetyhook::InlineHook::create(const std::shared_ptr<safetyhook::Allocator> & allocator, void * target, void * destination)	C++	Symbols loaded.

As for LoadLibraryExW crash, tried to repro, but couldn't.

@cursey
Copy link
Owner

cursey commented Apr 9, 2024

There's also a recursion when hooking AcquireSRWLockExclusive, which, I don't know, probably nothing can be done about?

I might be able to code around this issue actually using a spinlock or something instead.

@ThirteenAG
Copy link

I might be able to code around this issue actually using a spinlock or something instead.

I was able to repro with GetProcAddress also:

shGetProcAddress = safetyhook::create_inline(GetProcAddress, CustomGetProcAddress);

 	kernel32.dll!_GetProcAddressStub@8()	Unknown	Symbols loaded.
 	vcruntime140d.dll!try_get_proc_address_from_first_available_module(const char * const name=0x6ca41890, const `anonymous-namespace'::module_id * const first_module_id=0x6ca41888, const `anonymous-namespace'::module_id * const last_module_id=0x6ca41890) Line 183	C++	Symbols loaded.
 	vcruntime140d.dll!try_get_function(const `anonymous-namespace'::function_id id=FlsGetValue_id, const char * const name=0x6ca41890, const `anonymous-namespace'::module_id * const first_module_id=0x6ca41888, const `anonymous-namespace'::module_id * const last_module_id=0x6ca41890) Line 211	C++	Symbols loaded.
 	vcruntime140d.dll!try_get_FlsGetValue() Line 254	C++	Symbols loaded.
 	vcruntime140d.dll!__vcrt_FlsGetValue(unsigned long fls_index=0x0000000a) Line 281	C++	Symbols loaded.
 	vcruntime140d.dll!__vcrt_getptd_noexit() Line 111	C++	Symbols loaded.
 	vcruntime140d.dll!__vcrt_getptd() Line 163	C++	Symbols loaded.
 	vcruntime140d.dll!__InternalCxxFrameHandler<__FrameHandler3>(EHExceptionRecord * pExcept=0x000a1318, EHRegistrationNode * pRN=0x000a2268, _CONTEXT * pContext=0x000a1368, void * pDC=0x000a12a4, const _s_FuncInfo * pFuncInfo=0x5e42b140, int CatchDepth=0x00000000, EHRegistrationNode * pMarkerRN=0x00000000, unsigned char recursive='\0') Line 303	C++	Symbols loaded.
 	vcruntime140d.dll!__InternalCxxFrameHandlerWrapper<__FrameHandler3>(EHExceptionRecord * pExcept=0x000a1318, EHRegistrationNode * pRN=0x000a2268, _CONTEXT * pContext=0x000a1368, void * pDC=0x000a12a4, const _s_FuncInfo * pFuncInfo=0x5e42b140, int CatchDepth=0x00000000, EHRegistrationNode * pMarkerRN=0x00000000, unsigned char recursive='\0') Line 252	C++	Symbols loaded.
>	vcruntime140d.dll!__CxxFrameHandler3(EHExceptionRecord * pExcept=0x000a1318, EHRegistrationNode * pRN=0x000a2268, void * pContext=0x000a1368, void * pDC=0x000a12a4) Line 271	C++	Symbols loaded.
 	ntdll.dll!ExecuteHandler2@20()	Unknown	Symbols loaded.
 	ntdll.dll!ExecuteHandler@20()	Unknown	Symbols loaded.
 	ntdll.dll!_KiUserExceptionDispatcher@8()	Unknown	Symbols loaded.
 	KernelBase.dll!_RaiseException@16()	Unknown	Non-user code. Symbols loaded without source information.
 	vcruntime140d.dll!_CxxThrowException(void * pExceptionObject=0x000a1f38, const _s__ThrowInfo * pThrowInfo=0x64302368) Line 82	C++	Non-user code. Symbols loaded.
 	msvcp140d.dll!std::_Throw_Cpp_error(int code=0x00000005) Line 36	C++	Symbols loaded.
 	dinput8.dll!std::_Mutex_base::lock() Line 61	C++	Symbols loaded.
 	dinput8.dll!std::scoped_lock<std::mutex>::scoped_lock<std::mutex>(std::mutex & _Mtx={...}) Line 508	C++	Symbols loaded.
 	dinput8.dll!safetyhook::TrapManager::trap_handler(_EXCEPTION_POINTERS * exp=0x000a2290) Line 1378	C++	Symbols loaded.
 	ntdll.dll!_RtlpCallVectoredHandlers@12()	Unknown	Non-user code. Symbols loaded without source information.
 	ntdll.dll!RtlDispatchException()	Unknown	Non-user code. Symbols loaded without source information.
 	ntdll.dll!_KiUserExceptionDispatcher@8()	Unknown	Non-user code. Symbols loaded without source information.
 	kernel32.dll!_GetProcAddressStub@8()	Unknown	Non-user code. Symbols loaded without source information.
 	vcruntime140d.dll!try_get_proc_address_from_first_available_module(const char * const name=0x6ca41890, const `anonymous-namespace'::module_id * const first_module_id=0x6ca41888, const `anonymous-namespace'::module_id * const last_module_id=0x6ca41890) Line 183	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!try_get_function(const `anonymous-namespace'::function_id id=FlsGetValue_id, const char * const name=0x6ca41890, const `anonymous-namespace'::module_id * const first_module_id=0x6ca41888, const `anonymous-namespace'::module_id * const last_module_id=0x6ca41890) Line 211	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!try_get_FlsGetValue() Line 254	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__vcrt_FlsGetValue(unsigned long fls_index=0x0000000a) Line 281	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__vcrt_getptd_noexit() Line 111	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__vcrt_getptd() Line 163	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__InternalCxxFrameHandler<__FrameHandler3>(EHExceptionRecord * pExcept=0x000a3114, EHRegistrationNode * pRN=0x000a4e00, _CONTEXT * pContext=0x000a3164, void * pDC=0x000a309c, const _s_FuncInfo * pFuncInfo=0x5e42b140, int CatchDepth=0x00000000, EHRegistrationNode * pMarkerRN=0x00000000, unsigned char recursive='\0') Line 303	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__InternalCxxFrameHandlerWrapper<__FrameHandler3>(EHExceptionRecord * pExcept=0x000a3114, EHRegistrationNode * pRN=0x000a4e00, _CONTEXT * pContext=0x000a3164, void * pDC=0x000a309c, const _s_FuncInfo * pFuncInfo=0x5e42b140, int CatchDepth=0x00000000, EHRegistrationNode * pMarkerRN=0x00000000, unsigned char recursive='\0') Line 252	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__CxxFrameHandler3(EHExceptionRecord * pExcept=0x000a3114, EHRegistrationNode * pRN=0x000a4e00, void * pContext=0x000a3164, void * pDC=0x000a309c) Line 271	C++	Non-user code. Symbols loaded.
 	ntdll.dll!ExecuteHandler2@20()	Unknown	Non-user code. Symbols loaded without source information.
 	ntdll.dll!ExecuteHandler@20()	Unknown	Non-user code. Symbols loaded without source information.
 	ntdll.dll!_KiUserExceptionDispatcher@8()	Unknown	Non-user code. Symbols loaded without source information.
 	kernel32.dll!_GetProcAddressStub@8()	Unknown	Non-user code. Symbols loaded without source information.
 	vcruntime140d.dll!try_get_proc_address_from_first_available_module(const char * const name=0x6ca41890, const `anonymous-namespace'::module_id * const first_module_id=0x6ca41888, const `anonymous-namespace'::module_id * const last_module_id=0x6ca41890) Line 183	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!try_get_function(const `anonymous-namespace'::function_id id=FlsGetValue_id, const char * const name=0x6ca41890, const `anonymous-namespace'::module_id * const first_module_id=0x6ca41888, const `anonymous-namespace'::module_id * const last_module_id=0x6ca41890) Line 211	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!try_get_FlsGetValue() Line 254	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__vcrt_FlsGetValue(unsigned long fls_index=0x0000000a) Line 281	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__vcrt_getptd_noexit() Line 111	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__vcrt_getptd() Line 163	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__InternalCxxFrameHandler<__FrameHandler3>(EHExceptionRecord * pExcept=0x000a3eb0, EHRegistrationNode * pRN=0x000a4e00, _CONTEXT * pContext=0x000a3f00, void * pDC=0x000a3e3c, const _s_FuncInfo * pFuncInfo=0x5e42b140, int CatchDepth=0x00000000, EHRegistrationNode * pMarkerRN=0x00000000, unsigned char recursive='\0') Line 303	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__InternalCxxFrameHandlerWrapper<__FrameHandler3>(EHExceptionRecord * pExcept=0x000a3eb0, EHRegistrationNode * pRN=0x000a4e00, _CONTEXT * pContext=0x000a3f00, void * pDC=0x000a3e3c, const _s_FuncInfo * pFuncInfo=0x5e42b140, int CatchDepth=0x00000000, EHRegistrationNode * pMarkerRN=0x00000000, unsigned char recursive='\0') Line 252	C++	Non-user code. Symbols loaded.
 	vcruntime140d.dll!__CxxFrameHandler3(EHExceptionRecord * pExcept=0x000a3eb0, EHRegistrationNode * pRN=0x000a4e00, void * pContext=0x000a3f00, void * pDC=0x000a3e3c) Line 271	C++	Non-user code. Symbols loaded.
 	ntdll.dll!ExecuteHandler2@20()	Unknown	Non-user code. Symbols loaded without source information.
 	ntdll.dll!ExecuteHandler@20()	Unknown	Non-user code. Symbols loaded without source information.
 	ntdll.dll!_KiUserExceptionDispatcher@8()	Unknown	Non-user code. Symbols loaded without source information.
 	KernelBase.dll!_RaiseException@16()	Unknown	Non-user code. Symbols loaded without source information.
 	vcruntime140d.dll!_CxxThrowException(void * pExceptionObject=0x000a4ad0, const _s__ThrowInfo * pThrowInfo=0x64302368) Line 82	C++	Non-user code. Symbols loaded.
 	msvcp140d.dll!std::_Throw_Cpp_error(int code=0x00000005) Line 36	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::_Mutex_base::lock() Line 61	C++	Non-user code. Symbols loaded.
 	dinput8.dll!std::scoped_lock<std::mutex>::scoped_lock<std::mutex>(std::mutex & _Mtx={...}) Line 508	C++	Non-user code. Symbols loaded.
 	dinput8.dll!safetyhook::TrapManager::trap_handler(_EXCEPTION_POINTERS * exp=0x000a4e28) Line 1378	C++	Symbols loaded.
...

@fklfkl fklfkl mentioned this issue Jul 16, 2024
Open
@BruhRain
Copy link

BruhRain commented Dec 7, 2024

I get the same issue hooking NtMapViewOfSection

@Burnt-o
Copy link

Burnt-o commented Jan 23, 2025

It looks like the issue is hooking any function that happens to be on the same memory page as VirtualProtect, since trap_threads calls that between setting the trap and removing it. I can tell you at least that for me this happens to include LoadLibraryExW and a couple dozen other random Kernel32 funcs. You can use VirtualQuery to check where that page is and DbgHelp::SymEnumSymbols to find all the functions on that same page. But I suspect the list of affected functions will depend on your machine.

Burnt-o added a commit to Burnt-o/safetyhook that referenced this issue Jan 24, 2025
@Burnt-o
Fix LoadLibraryExW hooking crash
8fd3c9e 
Closes [cursey#70](cursey#70). Adds check if from/to address is on same page as VirtualProtect, if so use PAGE_EXECUTE_READWRITE (ie no trapping) instead.
@Burnt-o Burnt-o linked a pull request Jan 24, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix LoadLibraryExW hooking crash Burnt-o/safetyhook
5 participants
@praydog @ThirteenAG @cursey @Burnt-o @BruhRain