Code Project
vtorri

@vtorri
About
Posts
2
Topics
1
Shares
0
Groups
0
Followers
0
Following
0

Posts

  • Do you know any good static code analysis tools for c/c++?
    vtorri

    clang/llvm

    The Lounge c++ tools help question

  • Problem with DLL injection and API hooking
    vtorri

    Hi, my purpose is to help the author of mpatrol to make that program as easy to use as valgrind on Windows. So I tried to look at DLL injection and API hooking. I have written a program (named valgrind :p) and a DLL to test those 2 techniques. More precisely, I have:

    • valgrind.exe : the program that will inject the DLL below
    • valgrind.dll : the DLL that will be injected in an executable and that will do API hooking
    • valgrind_test.exe : an executable that calls a function overloaded in valgrind.dll

    I have taken some bits of code here and there on CodeProject. For the DLL injection, I used the VirtualAllocEx() / CreateRemoteThread() technique. For the API hooking, I enumerate all the modules and use ImageDirectoryEntryToData(). Here are the different pieces of code:

    valgrind.c

    #include <stdio.h>
    #include <string.h>

    #include <windows.h>

    #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_SUSPEND_RESUME | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

    /* LoadLibraryA() and FreeLibrary() use the WINAPI (stdcall) calling */
    /* convention, so the function pointer types must declare it too. */
    typedef HMODULE (WINAPI *_load_library) (const char *);
    typedef BOOL (WINAPI *_free_library) (HMODULE);

    typedef struct _Vg Vg;

    struct _Vg
    {
      _load_library ll;
      _free_library fl;

      char *dll_fullname;
      int dll_length;

      struct {
        HANDLE process1;
        HANDLE thread;
        HANDLE process2;
      } child;

      DWORD exit_code; /* actually the base address of the mapped DLL */
    };

    /* Look up the address of an exported symbol in a module. */
    FARPROC
    _vg_symbol_get (const char *module, const char *symbol)
    {
      HMODULE mod;
      FARPROC proc;

      printf (" * loading library %s... ", module);
      mod = LoadLibrary(module);
      if (!mod)
        {
          printf("failed\n");
          return NULL;
        }
      printf ("done\n");

      printf (" * retrieving symbol %s... ", symbol);
      proc = GetProcAddress(mod, symbol);
      if (!proc)
        {
          printf("failed\n");
          goto free_library;
        }

      printf ("done\n");

      /* The returned address stays valid only while the module remains */
      /* loaded by another reference. */
      FreeLibrary(mod);

      return proc;

     free_library:
      FreeLibrary(mod);

      return NULL;
    }

    Vg *
    vg_new()
    {
      char buf[MAX_PATH];
      Vg *vg;
      HMODULE kernel32;
      DWORD length;

      /* Check if CreateRemoteThread() is available. */
      /* MSDN suggests to check the availability of a */
      /* function instead of checking the Windows version. */

      kernel32 = LoadLibrary("kernel32.dll");
      if (!kernel32)
        {
          printf("no kernel32.dll found\n");
          return 0;

    C / C++ / MFC help csharp json announcement