
Windows 11 ARM64 Processor x86, x64 COM API Hook Crash.

Open kimjw0820 opened this issue 2 years ago • 4 comments

Windows 11 ARM64 Processor x86, x64 COM Hook Crash. We tested using the latest sources. (main - 2022-08-16 commit) [Surface pro 9 Microsoft SQ3 3.00 GHz Windows 11 ARM64]

[success]

On Windows 11 ARM64, x64 processes are emulated. Therefore, ARM, ARM64, x86, and x64 processes operate in the ARM64 environment. There is no problem with Win32 API hooking of x86 and x64 processes in the ARM64 environment.

[crash]

The problem occurs when hooking the COM API of x86 and x64 processes in an ARM64 environment. Crash when running Detours samples/commem.

code - samples/commem/commem.cpp

https://github.com/microsoft/Detours/blob/734ac64899c44933151c1335f6ef54a590219221/samples/commem/commem.cpp#L95C4-L95C4

```cpp
// Excerpt from samples/commem/commem.cpp: attach a Detours hook to the
// IStream::Write implementation (RealIStreamWrite was taken from the stream's
// vtable earlier in the sample; MineIStreamWrite is the detour function),
// then call Write through the vtable.
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)RealIStreamWrite, MineIStreamWrite);
DetourTransactionCommit();

printf("commem: Calling Write w/o after attach.\n");

li.QuadPart = 1;
hr = pStream->lpVtbl->Write(pStream, &li, sizeof(li), NULL);  // <-- crash (0xC000001D)
```

ERROR_CODE: (NTSTATUS) 0xc000001d - { }

Is there anything else I need to do to hook COM API of x86,x64 process in ARM64 environment?

kimjw0820, Jul 12 '23

We are having a similar issue atm. Trying to detour an x64 binary when running from arm64 windows. Would love to get advice how to fix or a fix itself :-)

honkstar1, Nov 26 '24

> We are having a similar issue atm. Trying to detour an x64 binary when running from arm64 windows. Would love to get advice how to fix or a fix itself :-)

We have been working around the problem so far by using the VMT hooking method without Detours for the COM API. However, we have recently discovered XFG (Microsoft eXtended Flow Guard) protected APIs and found that certain APIs cannot be controlled with that method. The VMT hooking method was sufficient to control CFG (Control Flow Guard) protected COM APIs, but it cannot control XFG protected COM APIs. I think that in order to control the x86 and x64 COM API on ARM64, it is necessary to use Detours and directly modify the Detours code.

> Microsoft eXtended Flow Guard
>
> eXtended Flow Guard (XFG) has not been officially released yet, but is available in the Windows Insider preview and was publicly presented at Bluehat Shanghai in 2019.[29]
>
> XFG extends CFG by validating function call signatures to ensure that indirect function calls are only to the subset of functions with the same signature. Function call signature validation is implemented by adding instructions to store the target function's hash in register r10 immediately prior to the indirect call and storing the calculated function hash in the memory immediately preceding the target address's code. When the indirect call is made, the XFG validation function compares the value in r10 to the target function's stored hash.[30][31]

https://en.wikipedia.org/wiki/Control-flow_integrity#Microsoft_eXtended_Flow_Guard

kimjw0820, Dec 06 '24
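The VMT hooking workaround mentioned above, written out as an added stand-alone example. This is not Detours code and not the commenter's code; the `IStreamLike` interface, its `Write` method and the hook functions are constructed stand-ins for IStream so that the example runs anywhere. Detours hooks by rewriting the first instructions of the target function, which is what the thread reports ending in 0xC000001D (STATUS_ILLEGAL_INSTRUCTION) in emulated x86/x64 processes; a VMT hook never touches code and only swaps the function pointer in the interface's vtable. On Windows the real vtable lives in the DLL's read-only data and the slot has to be made writable with VirtualProtect first (noted in a comment, not done here). The example does not model CFG or XFG; as the comment states, XFG-protected targets are where this workaround stops.

```c
/* vmt_hook.c -- swapping a COM-style vtable entry instead of patching code.
   Constructed stand-alone example: IStreamLike is a stand-in for IStream.
   Build: cc -std=c11 -Wall vmt_hook.c -o vmt_hook */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef long HRESULT_T;                 /* stand-in for HRESULT */
#define S_OK_T 0L
#define E_FAIL_T (-1L)

typedef struct IStreamLike IStreamLike;

/* COM layout: the object's first field points to a table of function pointers,
   and callers invoke obj->lpVtbl->Write(obj, ...), exactly as commem.cpp does. */
typedef struct {
    HRESULT_T (*Write)(IStreamLike *self, const void *buf, uint32_t cb, uint32_t *written);
} IStreamLikeVtbl;

struct IStreamLike {
    IStreamLikeVtbl *lpVtbl;
    uint8_t data[64];
    uint32_t len;
};

/* The "real" implementation, the function Detours would have patched in place. */
static HRESULT_T RealWriteImpl(IStreamLike *self, const void *buf, uint32_t cb, uint32_t *written)
{
    if (self->len + cb > sizeof self->data) return E_FAIL_T;
    memcpy(self->data + self->len, buf, cb);
    self->len += cb;
    if (written) *written = cb;
    return S_OK_T;
}

/* In a real process this table sits in the DLL's read-only data; here it is a
   writable global so the example runs without VirtualProtect. */
static IStreamLikeVtbl g_vtbl = { RealWriteImpl };

/* Hook state: the saved original pointer and an observation counter. */
static HRESULT_T (*g_RealWrite)(IStreamLike *, const void *, uint32_t, uint32_t *) = NULL;
static int g_hook_calls = 0;

/* The detour: observe the call, then forward to the original. */
static HRESULT_T MineWrite(IStreamLike *self, const void *buf, uint32_t cb, uint32_t *written)
{
    g_hook_calls++;
    printf("MineWrite: %u bytes\n", (unsigned)cb);
    return g_RealWrite(self, buf, cb, written);
}

/* Install: overwrite the Write slot of the object's vtable. No instruction is
   rewritten, so there is nothing for the x64 emulator to reject. On Windows,
   call VirtualProtect(slot, sizeof(void*), PAGE_READWRITE, &old) first and
   restore the old protection afterwards. */
int vmt_hook_write(IStreamLike *obj)
{
    if (g_RealWrite != NULL) return 0;            /* already hooked */
    g_RealWrite = obj->lpVtbl->Write;
    obj->lpVtbl->Write = MineWrite;
    return 1;
}

/* Remove: put the saved pointer back. */
int vmt_unhook_write(IStreamLike *obj)
{
    if (g_RealWrite == NULL) return 0;            /* not hooked */
    obj->lpVtbl->Write = g_RealWrite;
    g_RealWrite = NULL;
    return 1;
}

/* Drives the same sequence as commem.cpp: write before the hook, hook, write,
   unhook, write again. Returns the number of calls the hook observed
   (expected 1), or -1 if any step failed. */
int run_vmt_demo(void)
{
    IStreamLike s = { &g_vtbl, {0}, 0 };
    uint64_t li = 1;                                /* same payload as the sample */
    uint32_t cb = 0;
    g_hook_calls = 0;

    if (s.lpVtbl->Write(&s, &li, sizeof li, &cb) != S_OK_T || cb != 8) return -1;
    if (!vmt_hook_write(&s)) return -1;
    if (s.lpVtbl->Write(&s, &li, sizeof li, &cb) != S_OK_T) return -1;  /* via MineWrite */
    if (!vmt_unhook_write(&s)) return -1;
    if (s.lpVtbl->Write(&s, &li, sizeof li, &cb) != S_OK_T) return -1;
    if (s.len != 24) return -1;                     /* the real Write ran all three times */
    return g_hook_calls;
}

int main(void)
{
    int n = run_vmt_demo();
    printf("hook observed %d call(s)\n", n);
    return n == 1 ? 0 : 1;
}
```

The only state the hook changes is one pointer in the vtable, so it is also trivially reversible, which is why the install and remove functions are kept symmetric; hooking the same slot twice is refused rather than losing the original pointer.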

This may have been fixed with the recent ARM64EC related changes.

BissetJ, Jun 20 '25

> This may have been fixed with the recent ARM64EC related changes.

Sadly, it does not seem to work. Here is my test result (using the latest main branch, commit 9764cebcb1a75940e68fa83d6730ffaf0f669401, VS2022): only the ARM64 build works. x86, x64, and ARM64EC exited with 0xC000001D.

RatinCN, Sep 05 '25