I patched one of the exported functions to jump to that code and when I call OutputDebugStringA or any other API it just crashes right away due to an access violation somewhere in ntdll.dll. Here is my code:
Code: Select all
format PE64 GUI start: push rcx ; this is my hook handler function, this is where the JMP lands push rdx ; saving registers push r8 push r9 push rsi push rdi call delta ; delta delta: pop rsi mov rdi, rsi and rdi, 0ffffffffffff0000h search: cmp dword [rdi], 905a4dh ; find image base jz found sub rdi, 10000h jmp search found: lea rcx, [rsi + dnshook - delta] ; load my dll xor rdx, rdx ; reserved, always zero mov r8, 800h ; flag ;call qword [rdi + 78310h] ; LoadLibraryExW (as imported in dnshook.dll at offset 78310). If i remove the comment it crashes. lea rax, [rdi + 0d940h + 5] ; offset of original function pop rdi ; restoring registers pop rsi pop r9 pop r8 pop rdx pop rcx push rbp ; these are the bytes that I copied from the original function (I have overwritten with a JMP instruction) push rbx push rsi push rdi jmp rax ; jmp back to original function dnshook du 'test.dll', 0
In the above I used LoadLibraryExA, but I tried with OutpuDebugStringA as well (it was imported by dnsapi.dll too). If I comment out the call to the API it works perfectly, but if I leave it there it crashed. In debugger everything seems perfect, I cannot think of anything else what could be the problem?
Note: in order to replace system file I updated the checksum in the PE header of my new dll and taken ownership of the old DLL and then replaced it.