microsoft / Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
MIT License

Fix: Delete payload after finish associated task #143

Closed sonyps5201314 closed 3 years ago

sonyps5201314 commented 3 years ago

Delete the payload after finishing the associated task, and change the value of DETOUR_EXE_RESTORE_GUID for compatibility with DLLs that were compiled by an old version of Detours.

For example, create a pair of DLLs named dll_createwith_mysocks_32/64.dll whose function is to hook CreateProcess so that any new process is created with them. A 32-bit exe (named exe_socks) uses dll_createwith_mysocks_32.dll via the PE import table, so any process it starts will be started with dll_createwith_mysocks_32/64.dll. Now it starts a 32-bit exe (named exe_vs), but exe_vs loads a DLL (named dll_createwith_myluainject_32/64.dll) that is built with Detours and whose function is to hook CreateProcess so that any new process is created with it. So if exe_vs starts a 64-bit exe, the DetourCreateProcessXXX API will only restore the first IAT, which was modified by dll_createwith_mysocks_32/64.dll, and the IAT modified by dll_createwith_myluainject_32/64.dll will not be restored, because they create payloads with the same GUID DETOUR_EXE_RESTORE_GUID, and Detours will do the restore with the first found payload twice. So dll_createwith_mysocks_32/64.dll cannot work correctly. So we need to delete the payload immediately after the associated task finishes. If we do this, the payload with GUID DETOUR_EXE_RESTORE_GUID can be used by the next DLL that is compiled with Detours.

And for compatibility with DLLs that were compiled by an old version of Detours and for which we don't have the source code to recompile them, we need to change the value of DETOUR_EXE_RESTORE_GUID to a new value. Even though those DLLs cannot delete the payload, we only search for the payload with the new DETOUR_EXE_RESTORE_GUID value, so the old payload's things will not be executed by us.

sylveon commented 3 years ago

Could this perhaps be factored out into a public DetoursFreePayload method?

sonyps5201314 commented 3 years ago

> Could this perhaps be factored out into a public DetoursFreePayload method?

Yes, the official people have the right to append a new API. We do this only to solve problems as soon as possible, and have no time to wait for the official people's decision.

sonyps5201314 commented 3 years ago

@bgianfo, I have rebased to only include this commit, and added an API named 'DetourFreePayload' following @sylveon's advice in the next commit.

sylveon commented 3 years ago

Since this PR adds special behavior with the _DEBUG macro, we might want to have the Debug build configs set the _DEBUG macro now.