none
Windows hook enumeration with Access Violation

    Question

  • Hello,

    I'm getting a Access Violation on code below in line of second printf.

    Some suggestion to solve please?

    Thank you by any suggestion.

    #include "stdafx.h" #include <iostream> #include <windows.h> #include <WinNT.h> using namespace std;

    #define TYPE_HOOK           5 typedef struct _HANDLEENTRY { PVOID phead; PVOID pOwner; BYTE bType; BYTE bFlags; WORD wUniq; } HANDLEENTRY, *PHANDLEENTRY; typedef struct _SERVERINFO { WORD wRIPFlags; WORD wSRVIFlags; WORD wRIPPID; WORD wRIPError; ULONG cHandleEntries; } SERVERINFO, *PSERVERINFO; typedef struct _SHAREDINFO { PSERVERINFO psi; PHANDLEENTRY aheList; ULONG HeEntrySize; } SHAREDINFO, *PSHAREDINFO; typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[229]; PVOID Reserved3[59]; ULONG SessionId; } PEB, *PPEB; typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID, *PCLIENT_ID; typedef struct _TEB { NT_TIB Tib; PVOID EnvironmentPointer; CLIENT_ID Cid; PVOID ActiveRpcInfo; PVOID ThreadLocalStoragePointer; PPEB Peb; ULONG LastErrorValue; ULONG CountOfOwnedCriticalSections; PVOID CsrClientThread; PVOID Win32ThreadInfo; ULONG Win32ClientInfo[0x1F]; PVOID WOW32Reserved; ULONG CurrentLocale; ULONG FpSoftwareStatusRegister; PVOID SystemReserved1[0x36]; PVOID Spare1; ULONG ExceptionCode; ULONG SpareBytes1[0x28]; PVOID SystemReserved2[0xA]; ULONG GdiRgn; ULONG GdiPen; ULONG GdiBrush; CLIENT_ID RealClientId; PVOID GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; PVOID GdiThreadLocaleInfo; PVOID UserReserved[5]; PVOID GlDispatchTable[0x118]; ULONG GlReserved1[0x1A]; PVOID GlReserved2; PVOID GlSectionInfo; PVOID GlSection; PVOID GlTable; PVOID GlCurrentRC; PVOID GlContext; NTSTATUS LastStatusValue; UNICODE_STRING StaticUnicodeString; WCHAR StaticUnicodeBuffer[0x105]; PVOID DeallocationStack; PVOID TlsSlots[0x40]; LIST_ENTRY TlsLinks; PVOID Vdm; PVOID ReservedForNtRpc; PVOID DbgSsReserved[0x2]; ULONG HardErrorDisabled; PVOID Instrumentation[0x10]; PVOID WinSockData; ULONG GdiBatchCount; ULONG Spare2; ULONG Spare3; ULONG Spare4; PVOID ReservedForOle; ULONG WaitingOnLoaderLock; PVOID StackCommit; PVOID StackCommitMax; PVOID StackReserved; } TEB, *PTEB; void EnumHooks() { HMODULE hUser = GetModuleHandle(L"user32.dll"); PSHAREDINFO gSharedInfo=NULL; PHANDLEENTRY aheList=NULL; ULONG_PTR k; gSharedInfo = (PSHAREDINFO)GetProcAddress(hUser, "gSharedInfo"); aheList = gSharedInfo->aheList; k = gSharedInfo->psi->cHandleEntries; printf("EnumHooks apparently found %Iu handles\n", k); PTEB pTeb = (PTEB)NtCurrentTeb(); UINT_PTR offset = pTeb->Win32ClientInfo[7]; for(ULONG i = 0; i < k; ++i) { HANDLEENTRY* pHandle = &aheList[i]; if(pHandle->bType != TYPE_HOOK) continue; HOOK* HookInfo = (HOOK*)((PVOID*)pHandle->phead - offset); if(HookInfo) { //printf("Found hook at %p\n", HookInfo); } } }




    • Edited by FLASHCODER Tuesday, March 21, 2017 4:05 AM
    Tuesday, March 21, 2017 3:59 AM

All replies

  • %p requires the corresponding argument to have type void*.  Add a cast and see if it helps

    If not, step through the code with the debugger and make sure all your variables have the values you expect.

    Tuesday, March 21, 2017 6:12 AM
  • %p requires the corresponding argument to have type void*.  Add a cast and see if it helps

    If not, step through the code with the debugger and make sure all your variables have the values you expect.

    @Barry-Schwarz,

    here are all returned values:

    Environment of test:

    VS2012 Ultimate, 
    Debug mode, 
    Win32 app, 
    Windows 7 x64 Home Premium.

    Tuesday, March 21, 2017 12:49 PM
  • Since ahelist is NULL, it seems that the object pointed to by gSharedInfo does not contain what you think it does.

    What makes you think the value returned by GetProcAddress is the address of a struct _SHAREDINFO?

    Tuesday, March 21, 2017 4:17 PM
  • @Barry,

    i have a new code based in this link, and this trouble was solved :-)

    Now i'm trying print the Handle of hook, but i getting a Access Violation.

    TEB struct still is the same got of this link

    typedef struct _HANDLEENTRY {
    	PVOID   phead;
    	PVOID   pOwner;
    	BYTE    bType;
    	BYTE    bFlags;
    	WORD    wUniq;
    } HANDLEENTRY, *PHANDLEENTRY;
    
    typedef struct _SERVERINFO {
    	WORD            wRIPFlags;
    	WORD            wSRVIFlags;
    	WORD            wRIPPID;
    	WORD            wRIPError;
    	ULONG           cHandleEntries;
    } SERVERINFO, *PSERVERINFO;
    
    typedef struct _SHAREDINFO {
    	PSERVERINFO  psi;
    	PHANDLEENTRY aheList;
    	ULONG   HeEntrySize;
    } SHAREDINFO, *PSHAREDINFO;
    
    typedef struct _PEB {
        BYTE Reserved1[2];
        BYTE BeingDebugged;
        BYTE Reserved2[229];
        PVOID Reserved3[59];
        ULONG SessionId;
    } PEB, *PPEB;
    
    typedef struct _CLIENT_ID
    {
        HANDLE UniqueProcess;
        HANDLE UniqueThread;
    } CLIENT_ID, *PCLIENT_ID;
    
    typedef struct _TEB
    {
        NT_TIB Tib;
        PVOID EnvironmentPointer;
        CLIENT_ID Cid;
        PVOID ActiveRpcInfo;
        PVOID ThreadLocalStoragePointer;
        PPEB Peb;
        ULONG LastErrorValue;
        ULONG CountOfOwnedCriticalSections;
        PVOID CsrClientThread;
        PVOID Win32ThreadInfo;
        ULONG Win32ClientInfo[0x1F];
        PVOID WOW32Reserved;
        ULONG CurrentLocale;
        ULONG FpSoftwareStatusRegister;
        PVOID SystemReserved1[0x36];
        PVOID Spare1;
        ULONG ExceptionCode;
        ULONG SpareBytes1[0x28];
        PVOID SystemReserved2[0xA];
        ULONG GdiRgn;
        ULONG GdiPen;
        ULONG GdiBrush;
        CLIENT_ID RealClientId;
        PVOID GdiCachedProcessHandle;
        ULONG GdiClientPID;
        ULONG GdiClientTID;
        PVOID GdiThreadLocaleInfo;
        PVOID UserReserved[5];
        PVOID GlDispatchTable[0x118];
        ULONG GlReserved1[0x1A];
        PVOID GlReserved2;
        PVOID GlSectionInfo;
        PVOID GlSection;
        PVOID GlTable;
        PVOID GlCurrentRC;
        PVOID GlContext;
        NTSTATUS LastStatusValue;
        UNICODE_STRING StaticUnicodeString;
        WCHAR StaticUnicodeBuffer[0x105];
        PVOID DeallocationStack;
        PVOID TlsSlots[0x40];
        LIST_ENTRY TlsLinks;
        PVOID Vdm;
        PVOID ReservedForNtRpc;
        PVOID DbgSsReserved[0x2];
        ULONG HardErrorDisabled;
        PVOID Instrumentation[0x10];
        PVOID WinSockData;
        ULONG GdiBatchCount;
        ULONG Spare2;
        ULONG Spare3;
        ULONG Spare4;
        PVOID ReservedForOle;
        ULONG WaitingOnLoaderLock;
        PVOID StackCommit;
        PVOID StackCommitMax;
        PVOID StackReserved;
    } TEB, *PTEB;
    
    int GetgSharedInfo()
    {
    	
    	PSHAREDINFO  gSharedInfo=NULL;  
    	HMODULE   huser32=NULL;
    	PHANDLEENTRY aheList=NULL;
    	ULONG_PTR pfnUserRegisterWowHandlers=NULL;
    	ULONG_PTR   k;
    	
    	huser32=LoadLibrary(L"user32.dll");
    	if (huser32 == NULL)
    	{
    		printf("LoadLibrary faild\n");
    		return 0;
    	}
    	pfnUserRegisterWowHandlers = (ULONG_PTR)GetProcAddress(huser32, "UserRegisterWowHandlers");
    	if(pfnUserRegisterWowHandlers ==NULL)
    	{
    		printf("UserRegisterWowHandlers faild\n");
    		return 0;
    	}
    	gSharedInfo = (PSHAREDINFO)GetProcAddress(huser32, "gSharedInfo");
    	if( gSharedInfo != NULL )
    	{
    		printf("gSharedInfo=0x%x\n",gSharedInfo);
    	}
    	aheList = gSharedInfo->aheList;  
    	k = gSharedInfo->psi->cHandleEntries;  
    
    	PTEB pTeb = (PTEB)NtCurrentTeb();
    	UINT_PTR offset = pTeb->Win32ClientInfo[7];
    
    	for(ULONG i = 0; i < k; ++i)
    	{
    		HANDLEENTRY* pHandle = &aheList[i];
    		if(pHandle->bType != TYPE_HOOK) continue;
    		HOOK* HookInfo = (HOOK*)((PVOID*)pHandle->phead - offset);
    
    		if(HookInfo)
    		{
    			printf("Found hook at %p\n", HookInfo);
    			printf("Handle of hook is: %.8X",(HOOK*)HookInfo->Handle); 
    		}
    	}
    
    	return 1;
    }


    • Edited by FLASHCODER Tuesday, March 21, 2017 4:28 PM
    Tuesday, March 21, 2017 4:27 PM
  • Look at the contents of HookInfo.  Do you really think that is the address of memory you have access to?

    What is the value of phandle->phead?  Of offset?  Are these the values you expect?

    Tuesday, March 21, 2017 9:39 PM