From 05060e8cda7fb3694cbd73ff799ad2cda24325f5 Mon Sep 17 00:00:00 2001
From: Brad Spengler
Date: Mon, 10 Nov 2014 13:26:15 -0500
Subject: [PATCH] Fix a humongous bug in cuckoomon -- amazed not a single person spotted this in years.

Basically, any API resolved at runtime would simply not be hooked at all because of a string matching failure -- the wcsnicmp() in the code was using names from LdrLoadDll that had .dll appended to them, the length of that name, and trying to force a comparison against dll name strings without .dll appended -- it simply would never match. So instead you'd end up with loads of Native API hooks triggering because those were the only ones it was able to put in place. Reported upstream.
---
 cuckoomon.c | 6 +++---
 hook_special.c | 9 +++++++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/cuckoomon.c b/cuckoomon.c
index 91b89b6..681e16a 100644
--- a/cuckoomon.c
+++ b/cuckoomon.c
@@ -387,11 +387,11 @@ static hook_t g_hooks[] = {
 // error testing with hook_jmp_direct only
 #define HOOKTYPE HOOK_JMP_DIRECT
 
-void set_hooks_dll(const wchar_t *library, int len)
+void set_hooks_dll(const wchar_t *library)
 {
 for (int i = 0; i < ARRAYSIZE(g_hooks); i++) {
- if(!wcsnicmp(g_hooks[i].library, library, len)) {
- hook_api(&g_hooks[i], HOOKTYPE);
+ if(!wcsicmp(g_hooks[i].library, library)) {
+ hook_api(&g_hooks[i], HOOKTYPE);
 }
 }
 }
diff --git a/hook_special.c b/hook_special.c
index 588f8d6..7b85aba 100644
--- a/hook_special.c
+++ b/hook_special.c
@@ -24,7 +24,7 @@ along with this program. If not, see .
 #include "hook_sleep.h"
 #include "misc.h"
 
-void set_hooks_dll(const wchar_t *library, int len);
+void set_hooks_dll(const wchar_t *library);
 
 HOOKDEF2(NTSTATUS, WINAPI, LdrLoadDll,
 __in_opt PWCHAR PathToFile,
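Review bot: With the length bound gone, set_hooks_dll on the `+void set_hooks_dll(const wchar_t *library)` line now rests on two preconditions the definition does not state: `library` must be NUL-terminated, and it must already have its `.dll` suffix removed so that it can equal the bare names in g_hooks — that stripping is done only by the LdrLoadDll hook in hook_special.c. Any second caller that passes the raw module name would silently hook nothing, which is exactly the failure this commit fixes, and the full-string compare gives no hint why. I would put the contract on the definition: `// library: NUL-terminated module name without its ".dll" suffix (the LdrLoadDll hook strips it); matched case-insensitively against g_hooks[].library`.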
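Review bot: The prototype on the `+void set_hooks_dll(const wchar_t *library);` line is written by hand in this file, duplicating the definition in cuckoomon.c, so the compiler never checks the two against each other: a translation unit whose local prototype drifts from the definition (for instance one still passing the old length argument) compiles and links cleanly and only misbehaves at runtime, because C does not encode the signature in the symbol. The commit itself had to edit the signature in two places, which is the symptom. Replacing the hand-written line with an include of a shared header that cuckoomon.c also includes would let the definition be checked against its declaration; I cannot see from the hunk which existing header is the right home for it.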
@@ -61,7 +61,12 @@ HOOKDEF2(NTSTATUS, WINAPI, LdrLoadDll,
 if(NT_SUCCESS(ret)) {
 // unoptimized, but easy
 add_all_dlls_to_dll_ranges();
- set_hooks_dll(library.Buffer, library.Length >> 1);
+ // we ensure null termination via the COPY_UNICODE_STRING macro above, so we don't need a length
+ // first strip off the .dll
+ PWCHAR end = wcsrchr(library.Buffer, L'.');
+ if (end && !wcsicmp(end, L".dll"))
+ *end = L'\0';
+ set_hooks_dll(library.Buffer);
 }
 
 return ret;
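Review bot: The strip on the `PWCHAR end = wcsrchr(library.Buffer, L'.');` line only removes the extension, so if the name LdrLoadDll received carries a directory (a LoadLibrary call made with a full path reaches LdrLoadDll with that path, and the copy into `library` happens above this hunk so I cannot see it being normalized), set_hooks_dll is handed something like `C:\...\kernel32` and still matches nothing in g_hooks, reproducing the bug this commit fixes for exactly the loads an analyst most wants hooked. A smaller point: `*end = L'\0'` shortens the buffer but leaves `library.Length` counting the old size, so anything that later reads `library` as a UNICODE_STRING sees a stale length; nothing in this hunk does, but the enclosing hook begins outside it. The rewrite below takes the base name after the last backslash before stripping the suffix and passes that instead of `library.Buffer`; the same could be done for a forward slash if the project expects to see those.
```c
    // … unchanged: add_all_dlls_to_dll_ranges(); …
    // hook by base name only: drop any directory prefix, then the .dll suffix
    PWCHAR name = wcsrchr(library.Buffer, L'\\');
    name = name ? name + 1 : library.Buffer;
    PWCHAR end = wcsrchr(name, L'.');
    if (end && !wcsicmp(end, L".dll"))
        *end = L'\0';
    set_hooks_dll(name);
```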