tags:

views:

45

answers:

1
Q: 

A crash in injected / hooked target application.

I have injected my DLL into a target application where I've hooked few WINAPI-functions as well. One of them is DrawTextExW. I'm trying to replace all 'l' letters to '!' before it prints it out. My solution works fine for a few seconds, but then the target application crashes. I really don't understand why.

Here's the function:

Edit - Working solution:

int WINAPI DetouredDrawTextExW(__in    HDC hdc,
                               __inout LPWSTR lpchText,
                               __in    int cchText,
                               __inout LPRECT lprc,
                               __in    UINT dwDTFormat,
                               __in    LPDRAWTEXTPARAMS lpDTParams)
{
    std::wstring s_wc(lpchText, cchText);

    std::replace(s_wc.begin(), s_wc.end(), L'l', L'!');

    return ::DrawTextExW(hdc, const_cast<wchar_t *>(s_wc.c_str()), 
        s_wc.length(), lprc, dwDTFormat, lpDTParams);
}

So, can somebody point it out to me what I'm doing wrong?

+1  A: 

I see that you ignore cchText, could you be receiving an non-NULL-terminated string with a positive value for cchText, resulting in reading past the end of the string into invalid memory? That error would present as a Win32 exception in the constructor of s_wc, though.

Also, you aren't checking for DT_MODIFYSTRING in the dwDTFormat parameter. If that flag is present, then ::DrawTextExW() could be overwriting invalid memory. That would present as a Win32 exception in ::DrawTextExW() or perhaps as a C++ exception in the s_wc destructor.

edit

Here's uncompiled, untested code that I believe obeys the contract of ::DrawTextExW()

int WINAPI DetouredDrawTextExW(__in    HDC hdc,
                               __inout LPWSTR lpchText,
                               __in    int cchText,
                               __inout LPRECT lprc,
                               __in    UINT dwDTFormat,
                               __in    LPDRAWTEXTPARAMS lpDTParams)
{
    std::vector<wchar_t> v_wc;
    int strSize = cchText == -1 ? wcslen(lpchText) : cchText;
    v_wc.resize(strSize + 4);
    std::copy(lpchText, lpchText + strSize, &v_wc.front());
    std::replace(v_wc.begin(), v_wc.end() - 4, L'l', L'!');

    int result = ::DrawTextExW(hdc, &v_wc.front(), 
        strSize, lprc, dwDTFormat, lpDTParams);
    if (dwDTFormat & DT_MODIFYSTRING)
    {
      std::copy(&v_wc.front(), &v_wc.front() + v_wc.size(), lpchText);
    }
}
David Gladfelter  2010-07-01 21:32:41
Thanks for reply, but you were ultimately right from the beginning. I ignored cchText. The string, according to the specs, doesn't have to be null-terminated. Therefore std::wstring(lpchText, cchText) did the trick.
nhaa123  2010-07-02 00:47:37

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS