Failed to create hook on SHGetSpecialFolderPathW

[axojhf]

SHGetSpecialFolderPathW is a function of Shell32.dll, I tried to hook but it failed (using PLH::x64Detour) I switched to minhook and it worked. I'm not sure if I'm not using PolyHook in the right way

LOG

[+] Info: m_fnAddress: 0x00007ffe13566480

[+] Info: Original function:
7ffe13566480 [7]: 48 ff 25 01 0f 66 00                    jmp qword ptr ds:[0x00007FFE13BC7388] -> 7ffe135b6974
7ffe13566487 [1]: cc                                      int3 int3

[+] Info: Chosen detour scheme: VALLOC2

[+] Info: Prologue to overwrite:
7ffe135b6974 [7]: 48 8d 05 0d 0a 61 00                    lea rax, ds:[0x00007FFE13BC7388] -> 7ffe13bc7388     

[+] Info: Instructions needing translation:
7ffe135b6974 [7]: 48 8d 05 0d 0a 61 00                    lea rax, ds:[0x00007FFE13BC7388] -> 7ffe13bc7388     

[+] Info: Trampoline address: 0x0000014f00b00280
[+] Info: Translation:
lea rsp, [rsp - 0x80]
push rbx
push r15
mov r15, 0x00007ffe13bc7388
mov rbx, [r15]
lea rax, rbx
pop r15
pop rbx
push rax
mov rax, 0x0000014f00b00287
xchg [rsp], rax
ret 0x0080

[!] Error: AsmTK error: InvalidInstruction

[stevemk14ebr]

This is a translation error, I will fix. lea rax, rbx is invalid, the lea rax, ds:[0x00007FFE13BC7388] is equivalent to

mov rax, 0x00007FFE13BC7388

which is what should have been generated here.

What does minhook generate? I'm betting it does not handle this relocation and instead attempts to ensure the trampoline is allocated within 2GB.

[stevemk14ebr]

this is fixed with 8eab02d9bb4af06bb4786ec5ab979aa5200b8b7b! I will push to vcpkg in the coming days, but no promises when.

[axojhf]

Thanks, I hadn't carefully analysed the minhook code, I was just looking for a modern c++ library to replace it.

[stevemk14ebr]

Minhook is fine but you'll likely find other cases where it will fail. I expect I handle more complex relocations