
LH incorrectly hooks DLLs that transition into ARM64

Open VXACDev opened this issue 1 year ago • 5 comments

Use case: Running WinARM (from MAC using Parallels for example, or a native MSFT ARM based notebook)

Module = KERNELBASE.sys Function = CreateFileW

pseudo code: HMODULE mod = LoadLibraryA("kernelbase.sys"); void *origPtr = (void *)GetProcAddress(mod, "CreateFileW");

... use LH to "hook" and make a call to anything that gets to CreateFileW (fopen is fine, or use CreateFileW)

calling the ORIGINAL hook will crash/fault... along the lines of:

typedef HANDLE (*pfnCFW)( ...the..args...to...CFW );

HANDLE myCreateFileW( ..args.. ) { pfnCFW orig = (pfnCFW)LH.trampoline; return orig( ..args.. ); /* <-- CRASH */ }

VXACDev avatar Jul 26 '24 14:07 VXACDev

a.) KernelBase.sys does not exist, KernelBase.dll does. That's a usermode module. b.) I have no idea how x86 emulation for ARM (Prism?) works on Windows. My best bet is that it does some "AOT" recompilation by lifting parts of the executable to LLVM IR, running some optimization pass and then recompiling it (I am just guessing based on the fact that I have seen a video where an unoptimized debug build was faster using x86 emulation than the unoptimized native ARM build). If that's the case, then you cannot use this library at all and most likely any other library for x86 as well. You should find something for ARM instead. For API hooking though, why not hook the IAT?

SamuelTulach avatar Jul 26 '24 16:07 SamuelTulach

Right, I mean .dll.

There are various reasons not to hook the import/export (EDR/AC/anticheat/etc). Not the point though: the point is it doesn't work on ARM emulation correctly (MinHook does).

Sent from Proton Mail for iOS


VXACDev avatar Jul 26 '24 16:07 VXACDev

If minhook works, then there could be some issue with figuring out the correct instruction length. If that's the case, please dump the function start bytes before and after hook is installed.

SamuelTulach avatar Jul 26 '24 16:07 SamuelTulach
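The before/after comparison Samuel asks for can be done with a small diagnostic like the one below. This is an added example, not code from LightHook or MinHook: it snapshots the first bytes at a function entry, reports how many leading bytes a hook changed, and checks that span against the original instruction lengths (which you would take from a disassembler; the lengths and the byte patterns here are constructed sample values, not a dump from CreateFileW). If the patched span does not end on an instruction boundary, the trampoline copied a partial instruction, which is exactly the "calling the original faults" symptom in this issue.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum number of entry-point bytes we snapshot. */
#define PROLOGUE_BYTES 32

/* Copy the first n bytes at fn (a code address) into out; returns bytes copied. */
size_t snapshot_prologue(const void *fn, size_t n, uint8_t *out)
{
    if (fn == NULL || out == NULL || n == 0)
        return 0;
    if (n > PROLOGUE_BYTES)
        n = PROLOGUE_BYTES;
    memcpy(out, fn, n);
    return n;
}

/* Length of the modified prefix: index of the last differing byte + 1, 0 if identical. */
size_t changed_span(const uint8_t *before, const uint8_t *after, size_t n)
{
    size_t last = 0;
    for (size_t i = 0; i < n; i++)
        if (before[i] != after[i])
            last = i + 1;
    return last;
}

/* Given the lengths of the original instructions (from a disassembler, not
 * implemented here), return 1 if 'span' bytes end exactly on an instruction
 * boundary and 0 if the patch cuts an instruction in half. */
int span_on_boundary(const uint8_t *insn_lens, size_t count, size_t span)
{
    size_t off = 0;
    if (span == 0)
        return 1; /* nothing was patched */
    for (size_t i = 0; i < count; i++) {
        off += insn_lens[i];
        if (off == span)
            return 1;
        if (off > span)
            return 0;
    }
    return 0; /* span runs past the instructions we know about */
}

/* Print a snapshot as hex, e.g. "48 89 5C 24 08". */
void print_hex(const char *label, const uint8_t *bytes, size_t n)
{
    printf("%s:", label);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", bytes[i]);
    printf("\n");
}

/* Constructed sample (assumption, not real CreateFileW bytes): a typical x64
 * entry sequence and the same bytes after a 5-byte relative jump was written
 * over the start. Instruction lengths: mov [rsp+8],rbx = 5, push rdi = 1,
 * sub rsp,0x20 = 4. */
const uint8_t sample_before[] = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20 };
const uint8_t sample_after[]  = { 0xE9, 0x11, 0x22, 0x33, 0x44, 0x57, 0x48, 0x83, 0xEC, 0x20 };
const uint8_t sample_lens[]   = { 5, 1, 4 };

int main(void)
{
    uint8_t snap[PROLOGUE_BYTES];
    size_t n = snapshot_prologue(sample_before, sizeof sample_before, snap);

    print_hex("before", snap, n);
    print_hex("after ", sample_after, sizeof sample_after);

    size_t span = changed_span(snap, sample_after, n);
    printf("patched span: %zu bytes, %s\n", span,
           span_on_boundary(sample_lens, 3, span)
               ? "ends on an instruction boundary"
               : "splits an instruction (trampoline will be corrupt)");
    return 0;
}
```

In a real session you would take the first snapshot before installing the hook, the second after, and feed the instruction lengths from a disassembly of the original bytes; on the sample data the patch covers exactly the first 5-byte instruction, so it reports a clean boundary, while a 3- or 4-byte span on the same function would be flagged.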

Let's set up a screen share/video call, and I'll let you capture what you want from a WinARM VM. Going back and forth like this is going to just consume a lot of time and bandwidth.


VXACDev avatar Jul 27 '24 00:07 VXACDev

Oh, and yes, I have a VM set up with a tag for LightHook for the hook and a "switch" to use MinHook (which works), so if you want to meet up to capture/visualize and test, I am more than happy to do that. For me, since it's in a git "tag" and in a VM, I'm ready to go when you are.


VXACDev avatar Jul 27 '24 00:07 VXACDev