microsoft / Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
MIT License

Windows 11 ARM64 Processor x86, x64 COM API Hook Crash. #292

Open kimjw0820 opened 1 year ago

kimjw0820 commented 1 year ago

Windows 11 ARM64 Processor x86, x64 COM Hook Crash. We tested using the latest sources. (main - 2022-08-16 commit) [Surface pro 9 Microsoft SQ3 3.00 GHz Windows 11 ARM64]

[success]

On Windows 11 ARM64, x64 processes are emulated. Therefore, ARM, ARM64, x86, and x64 processes operate in the ARM64 environment. There is no problem with win32 API Hooking of x86 and x64 processes in the ARM64 environment.

[crash]

The problem occurs when hooking the COM API of x86 and x64 processes in an ARM64 environment. It crashes when running Detours samples/commem.

code - samples/commem/commem.cpp

https://github.com/microsoft/Detours/blob/734ac64899c44933151c1335f6ef54a590219221/samples/commem/commem.cpp#L95C4-L95C4

```cpp
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)RealIStreamWrite, MineIStreamWrite);
DetourTransactionCommit();

printf("commem: Calling Write w/o after attach.\n");

li.QuadPart = 1;
hr = pStream->lpVtbl->Write(pStream, &li, sizeof(li), NULL);  // <-- crash
```

ERROR_CODE: (NTSTATUS) 0xc000001d - { }

Is there anything else I need to do to hook the COM API of x86 and x64 processes in an ARM64 environment?

honkstar1 commented 2 days ago

We are having a similar issue atm. Trying to detour an x64 binary when running from ARM64 Windows. Would love to get advice on how to fix it, or a fix itself :-)