Solved Hooking of a win32u function results in access violation

[Flickery]

How long you been coding/hacking?

More than a year

So I'm currently working on a dxgkrnl function hook to be able communicate with usermode using the win32u.dll wrapper.

I succeeded with the kernelmode part, so the function now redirects execution flow to my hookHandler function which can handle usermode requests.

The problem is with my usermode part, I get an access violation when I try to call the function in win32u.dll.

Here is the code (RoutineName is a placeholder for the hooked routine):

template<typename T>
__int64 call_hook(const T arg)
{
    using RoutineName = __int64(__stdcall*)(T);
    auto hooked_func = (RoutineName)GetProcAddress(LoadLibrary("win32u.dll"), "RoutineName");
    return hooked_func(arg);
}

However after loading the kdriver , the usermode program (ran as admin) crashes at this line

return hooked_func(arg);

with the exception:

Exception thrown at 0x00007FF87A4BFDDB (ntdll.dll) in UserModeProgram.exe: 0xC0000005: Access violation reading location 0x00000000000002A0.

I pretty sure this might be a permission issue or me doing some stupid things with my hook .

Any ideas?

Thanks in advance.

 

[WeakRecords]

Thanks for the answer, however how am I supposed to "load" it in C++? Isn't it already loaded?

@rzivri I already tried.

It isnt. Use LoadLibraryA("user32.dll")

 

[WeakRecords]

I guess you forgot to load user32.dll before?

 

[notgoodatall]

That actually worked. OG

However why? Is it because it handles graphical apis?

This is because win32u has a dependencie on user32. This is the case with many other system images

 

[rzirvi]

Hello, it seems that you are doing something bad in your hooked function. How are you hooking it?

 

[Flickery]

Hello, it seems that you are doing something bad in your hooked function. How are you hooking it?

I'm just patching the first bytes of the dxgkrnl func to jump to my hookHandler function.
PS: I checked if the jump address was valid and it is, it correctly redirects to my hookHandler func

 

[rzirvi]

I'm just patching the first bytes of the dxgkrnl func to jump to my hookHandler function.
PS: I checked if the jump address was valid and it is, it correctly redirects to my hookHandler func

that means you're doing something wrong in hookHandler, I'm quite surprised that you don't BSOD

 

[Flickery]

that means you're doing something wrong in hookHandler, I'm quite surprised that you don't BSOD

Actually, the hook handler isn't even called I don't think that would be the problem.

 

[rzirvi]

Actually, the hook handler isn't even called I don't think that would be the problem.

Hmm... Make sure your shellcode is correct.

 

[Flickery]

Hmm... Make sure your shellcode is correct.

I previously tried just doing a

mov rax, address
jmp rax

and I had the same error.

 

[rzirvi]

I previously tried just doing a

mov rax, address
jmp rax

and I had the same error.

try passing the address of the hook handler to the address (I'm sure you are probably doing this right now)
if that doesn't work, make a pointer that points to the hook handler and pass the address of that pointer (surprisingly this is what I had to do in my function hook!)

 

[Flickery]

I guess you forgot to load user32.dll before?

Thanks for the answer, however how am I supposed to "load" it in C++? Isn't it already loaded?

@rzivri I already tried.

 

[Flickery]

It isnt. Use LoadLibraryA("user32.dll")

That actually worked. OG

However why? Is it because it handles graphical apis?