[SOLVED] Application Crashes when hooked with MS Detours and Injected with Withdll.exe

Application Crashes when hooked with MS Detours and Injected with Withdll.exe

I am hooking FindNextFile() using MS Detours. I have configured the Detours library successfully and wrote a dll named "Detuors.dll" and an application named "FNFSend.exe". The following is the code:

DLL:

#include <cstdio>
#include <stdio.h>
#include <windows.h>
#include "detours.h"
#pragma comment (lib,"detours.lib")

//Prototypes
extern "C" __declspec(dllexport) BOOL (WINAPI *pFNF)(HANDLE hFindFile, LPWIN32_FIND_DATA lpFindFileData) = FindNextFile;
extern "C" __declspec(dllexport) BOOL WINAPI MyFNF(HANDLE hFindFile, LPWIN32_FIND_DATA lpFindFileData);

//Log File
FILE* pFNFLogFile;
int counter = 0;

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
    switch(Reason)
    {
        case DLL_PROCESS_ATTACH:
            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach(&(PVOID&)pFNF, MyFNF);
            if(DetourTransactionCommit() == NO_ERROR)
                OutputDebugString("FNF() detoured successfully");
            else
                OutputDebugString("FNF() not detoured");
            break;
        case DLL_PROCESS_DETACH:
            DetourTransactionBegin();   //Detach
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)pFNF, MyFNF);
            DetourTransactionCommit();
            break;
        case DLL_THREAD_ATTACH:
            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach(&(PVOID&)pFNF, MyFNF);
            if(DetourTransactionCommit() == NO_ERROR)
                OutputDebugString("FNF() detoured successfully");
            else
                OutputDebugString("FNF() not detoured");
            break;
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

//Open file, write contents, close it
extern "C" __declspec(dllexport) int WINAPI MyFNF(HANDLE hFindFile, LPWIN32_FIND_DATA lpFindFileData)
{
    counter ++;
    fopen_s(&pFNFLogFile, "C:\\FNFLog.txt", "a+");
    fprintf(pFNFLogFile, "%s\n", counter);
    fclose(pFNFLogFile);
    return pFNF(hFindFile, lpFindFileData);
}

Both the codes compiled successfully with no errors. The application calls FindNextFile() recursively and the dll hooks it and write the counter to a file.

I then used the tool named "withdll.exe" that is provided by detours library itself to create a process with a dll injected in it. So I injected my dll into the application using command:

withdll /d:Detuors.dll "C:\FNFSend.exe"

After injection, the function is hooked successfully, i.e. the file is made in the dirctory but suddenly the application crashes. After debugging in visual studio, I saw the exception in "output.c" as follows:

Unhandled exception at 0x6265984f (msvcr90d.dll) in FNFSend.exe: 0xC0000005:
Access violation reading location 0x00000001.

Kindly help in rectifying the problem.

Solution

%s is not a valid format string for printing out a number. Use %d instead.

By specifying %s you're telling fprintf to read the memory at address counter as a string. The first value you try calling fprintf with is 1 which is why there is an access violation at address 0x00000001.