
[AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 29 Jan 2019, 16:36
by malcev
https://autohotkey.com/board/topic/85304-solvedget-other-processs-working-dir/page-3#entry544650
If we run this script without entering the full path to AutoHotkey.dll, then the target program will crash on x64.
Tested on AHK_L.
Does not work:

Code:

Run notepad.exe,,,PID
rThread:=InjectAhkDll(PID, "AutoHotkey.dll","#Persistent`nMsgBox % A_WorkingDir")
InjectAhkDll(PID,dll:="AutoHotkey.dll",script:=0, deleteThread := false)
{
   ...
}
Works:

Code:

Run notepad.exe,,,PID
rThread:=InjectAhkDll(PID, A_ScriptDir "\AutoHotkey.dll","#Persistent`nMsgBox % A_WorkingDir")
InjectAhkDll(PID,dll:="AutoHotkey.dll",script:=0, deleteThread := false)
{
   ...
}

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 29 Jan 2019, 19:45
by malcev
This code of yours also does not work:
https://autohotkey.com/board/topic/85304-solvedget-other-processs-working-dir/page-4
It does nothing on x64 and hangs the other process on x32.
Can you please correct it?
Thank you!

Main script for AutoHotkey.exe:

Code:

; Reuse a running notepad.exe if there is one, otherwise start it and take its PID
Process,Exist, notepad.exe
If !PID:=ErrorLevel
  Run notepad.exe,,,PID
; File loop over A_AhkPath only to obtain the directory of the running AutoHotkey.exe
Loop % A_AhkPath
  A_AhkDir:=A_LoopFileDir
; The hook script is loaded into the target process by the injected DLL
FileRead,HookScript,HookScript.ahk
rThread:=InjectAhkDll(PID,A_AhkDir "\AutoHotkeyMini.dll",HookScript)
MsgBox Press Ok to unload AutoHotkey.dll from Remote Process

HookScript.ahk for AutoHotkey.dll:

Code:

#Persistent
OnExit,UnHook
; Install the detour on user32!MessageBoxExW; hMessageBoxExW receives the original prologue bytes
If !HookFunction("user32.dll", "MessageBoxExW", MyMessageBoxExW:=RegisterCallback("MessageBoxExW","",5), hMessageBoxExW)
  MsgBox Function could not be hooked
Return

UnHook:
UnHookFunction("user32.dll", "MessageBoxExW", hMessageBoxExW)
ExitApp


MessageBoxExW(hwnd,lpText,lpCaption,uType,uId){
  global MyMessageBoxExW,hMessageBoxExW
  title:=StrGet(lpCaption,"UTF-16")
  text:=StrGet(lpText,"UTF-16")
  ; Restore the original bytes so the call below reaches the real function, then re-hook
  UnHookFunction("user32.dll", "MessageBoxExW", hMessageBoxExW)
  ret:=DllCall("MessageBoxExW","PTR",hwnd,"Str",text "`n`nYour MessageBoxExW has been hooked!","Str",title,"UInt",uType,"Short",uId)
  HookFunction("user32.dll", "MessageBoxExW", MyMessageBoxExW, hMessageBoxExW)
  return ret
}


; Overwrites the first 6 bytes of lpFuncName with "JMP rel32 / RET" pointing at lpFunction.
; lpBackup receives the original 6 bytes so UnHookFunction can restore them.
; Returns the hooked function's address, or an empty string on failure.
HookFunction(lpModule, lpFuncName, lpFunction, ByRef lpBackup){
  static MEM_RELEASE:=32768,MEM_COMMIT:=4096,MEM_RESERVE:=8192,PAGE_EXECUTE_READWRITE:=64

  hProcess:=DllCall("GetCurrentProcess","PTR")
  ; Get module and function address
  hModule:=DllCall("GetModuleHandle","Str",lpModule,"PTR")
  If !hModule
    Return
  hFunc:=DllCall("GetProcAddress","PTR",hModule,"AStr",lpFuncName,"PTR")
  If !hFunc
    Return

  ; Stub to write: E9 <rel32> C3
  jmp:=Struct("Byte[6]",[0xe9,0x00,0x00,0x00,0x00,0xc3])

  VarSetCapacity(lpBackup,6) ; make sure we have enough memory allocated
  ; Backup the original prologue bytes
  DllCall("ReadProcessMemory","PTR",hProcess,"PTR",hFunc,"PTR",&lpBackup,"UInt",6,"PTR",0)

  ; Set the displacement in the jmp; rel32 is measured from the end of the 5-byte instruction.
  ; The mask keeps only 32 bits, so on x64 a hook further than 2 GB away cannot be encoded.
  NumPut((lpFunction - hFunc - 5) & 0xFFFFFFFF, jmp[]+1, "UInt")

  ; allocate a scratch buffer for the stub
  If !hMem:=DllCall("VirtualAlloc","PTR",0,"UInt",6,"UInt",MEM_COMMIT|MEM_RESERVE,"UInt",PAGE_EXECUTE_READWRITE)
    Return

  ; copy the stub into the scratch buffer
  DllCall("RtlMoveMemory","PTR",hMem,"PTR",jmp[],"PTR",6)

  ; overwrite the function prologue with the stub
  if !DllCall("WriteProcessMemory","PTR",hProcess,"PTR",hFunc,"PTR",hMem,"UInt",6,"PTR",0){
    DllCall("VirtualFree","PTR",hMem,"UInt",0,"UInt",MEM_RELEASE)
    return
  }
  DllCall("VirtualFree","PTR",hMem,"UInt",0,"UInt",MEM_RELEASE)
  return hFunc
}

; Restores the 6 bytes saved by HookFunction. Returns nonzero on success.
UnHookFunction(lpModule, lpFuncName, ByRef lpBackup){
  static MEM_RELEASE:=32768,MEM_COMMIT:=4096,MEM_RESERVE:=8192,PAGE_EXECUTE_READWRITE:=64
  hFunc:=DllCall("GetProcAddress","PTR",DllCall("GetModuleHandle","Str",lpModule,"PTR"),"AStr",lpFuncName,"PTR")
  If !hFunc
    Return
  ; allocate a scratch buffer for the backup bytes
  If !hMem:=DllCall("VirtualAlloc","PTR",0,"UInt",6,"UInt",MEM_COMMIT|MEM_RESERVE,"UInt",PAGE_EXECUTE_READWRITE)
    Return
  DllCall("RtlMoveMemory","PTR",hMem,"PTR",&lpBackup,"PTR",6)

  ret:=DllCall("WriteProcessMemory","PTR",DllCall("GetCurrentProcess","PTR"),"PTR",hFunc,"PTR",hMem,"UInt",6,"PTR",0)
  DllCall("VirtualFree","PTR",hMem,"UInt",0,"UInt",MEM_RELEASE)

  return ret
}

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 10 Feb 2019, 08:26
by HotKeyIt
It is not compatible with 64-bit.
In 32-bit make sure the target process is 32-bit too!
It works fine for me in 32-bit.
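The reason behind this answer is visible in HookFunction in the hook script above: the detour is a 5-byte JMP rel32 whose displacement is masked with & 0xFFFFFFFF, so in a 64-bit process a hook more than 2 GB away from the hooked export is silently truncated and control lands somewhere else. The following C program is an added illustration, not code from this thread or from AutoHotkey_H: it reproduces that encoding, decodes a function prologue the way the CPU would (a useful integrity check for spotting such patches), and shows where the 64-bit case goes wrong. All addresses are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting the first bytes of an exported function. */
typedef struct {
    bool     patched;  /* first byte is 0xE9, i.e. a JMP rel32 detour is installed */
    uint64_t target;   /* where that JMP actually transfers control */
} prologue_check;
/* Same arithmetic as HookFunction in the thread: (lpFunction - hFunc - 5) & 0xFFFFFFFF. */
static uint32_t encode_rel32(uint64_t func_addr, uint64_t hook_addr) {
    return (uint32_t)((hook_addr - func_addr - 5) & 0xFFFFFFFFu);
}
/* A JMP rel32 only reaches targets whose displacement fits a signed 32-bit integer. */
static bool rel32_reachable(uint64_t func_addr, uint64_t hook_addr) {
    int64_t disp = (int64_t)(hook_addr - (func_addr + 5));
    return disp >= INT32_MIN && disp <= INT32_MAX;
}
/* Build the 6-byte stub the script writes: E9 <rel32 little-endian> C3. */
static void build_patch(uint8_t out[6], uint64_t func_addr, uint64_t hook_addr) {
    uint32_t rel = encode_rel32(func_addr, hook_addr);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
    out[5] = 0xC3;
}
/* Integrity check: decode the prologue exactly as the CPU would execute it. */
static prologue_check inspect_prologue(const uint8_t *bytes, uint64_t func_addr) {
    prologue_check r = { false, 0 };
    if (bytes[0] != 0xE9)
        return r;                      /* prologue untouched */
    uint32_t raw = (uint32_t)bytes[1] | (uint32_t)bytes[2] << 8
                 | (uint32_t)bytes[3] << 16 | (uint32_t)bytes[4] << 24;
    r.patched = true;
    r.target  = func_addr + 5 + (int64_t)(int32_t)raw;   /* sign-extended rel32 */
    return r;
}
/* Does the stub written for hook_addr really transfer control to hook_addr? */
static bool detour_lands_on_hook(uint64_t func_addr, uint64_t hook_addr) {
    uint8_t stub[6];
    build_patch(stub, func_addr, hook_addr);
    prologue_check c = inspect_prologue(stub, func_addr);
    return c.patched && c.target == hook_addr;
}
int main(void) {
    /* Constructed addresses: a 32-bit layout, and a 64-bit one with user32 far above the heap. */
    uint64_t f32 = 0x77D5E000ULL, h32 = 0x00401000ULL, f64 = 0x00007FFB12340000ULL, h64 = 0x000001F4ABCD0000ULL;
    printf("32-bit: reachable=%d lands=%d\n", rel32_reachable(f32, h32), detour_lands_on_hook(f32, h32));
    printf("64-bit: reachable=%d lands=%d\n", rel32_reachable(f64, h64), detour_lands_on_hook(f64, h64));
    return 0;
}
```

In the 32-bit layout the decoded target equals the hook address; in the 64-bit layout the masked displacement decodes to an address within 2 GB of the export, not to the hook, which is the silent failure HotKeyIt's reply describes.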

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 10 Feb 2019, 13:41
by malcev
Just tested one more time.
I run notepad from C:\Windows\SysWOW64.
Then I run Task Manager to see that it is 32-bit and copy its PID.
For example, it is 6596.
AutoHotkeyMini.dll is also 32-bit.
Then I run this code:

Code:

f11::
; Inject the 32-bit DLL into the notepad process whose PID was read from Task Manager
FileRead,HookScript,HookScript.ahk
rThread:=InjectAhkDll(6596,A_ScriptDir "\AutoHotkeyMini.dll",HookScript)
MsgBox Press Ok to unload AutoHotkey.dll from Remote Process
Return

After that I press F11 and notepad crashes.
Windows 7 64-bit, AHK_L 32-bit.

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 10 Feb 2019, 14:15
by HotKeyIt
I see it is the same for me, but when I run it on Notepad2 (32-bit), for example, it works.
I have no idea why it does not work on Notepad; can you try it on a different 32-bit process?

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 10 Feb 2019, 21:30
by malcev
Notepad2 works OK.
Calc, Paint - crash.

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 11 Feb 2019, 02:34
by HotKeyIt
If you find C++ source code that works, I can take a look at whether I can implement it.

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 13 Feb 2019, 21:53
by malcev

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 21 Feb 2019, 22:13
by HotKeyIt
Yes, I am using it in AutoHotkey_H MemoryModule. I think I could implement it in AutoHotkey_H but not in AutoHotkey_L; when I find time I will take a look.

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 05 Mar 2019, 20:34
by HotKeyIt

Re: [AHK v1] Bug: InjectAhkDll() crashes target process on x64 without full path to AutoHotkey.dll

Posted: 05 Mar 2019, 23:18
by malcev
I just changed this to work with AHK_L:

Code:

me32 := Struct(_MODULEENTRY32)
to:

Code:

me32 := new _Struct(_MODULEENTRY32)
But nothing has changed.
I see the same behavior as in posts 1 and 2.