From af2ba72f397727362b3da6c32c7fe4760f08a10d Mon Sep 17 00:00:00 2001
From: Akash Mozumdar
Date: Mon, 23 Mar 2020 19:37:11 -0600
Subject: [PATCH] fix stack overflow
---
 texthook/engine/native/pchooks.cc | 2 +-
 texthook/main.cc | 7 ++-----
 texthook/main.h | 2 +-
 texthook/texthook.cc | 18 +++++++++---------
 4 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/texthook/engine/native/pchooks.cc b/texthook/engine/native/pchooks.cc
index 2069f13..0f4cecd 100644
--- a/texthook/engine/native/pchooks.cc
+++ b/texthook/engine/native/pchooks.cc
@@ -300,7 +300,7 @@ void PcHooks::hookOtherPcFunctions()
 if (HMODULE module = GetModuleHandleW(L"OLEAUT32.dll")) {
 NEW_MODULE_HOOK(module, SysAllocString, s_arg1, 0, 0, 0, USING_UNICODE|USING_STRING, 0)
- NEW_MODULE_HOOK(module, SysAllocStringLen, s_arg1, 0, 0, 0, USING_UNICODE|USING_STRING, s_arg2 / arg_sz)
+ NEW_MODULE_HOOK(module, SysAllocStringLen, s_arg1, 0, 0, 0, USING_UNICODE|USING_STRING|KNOWN_UNSTABLE, s_arg2 / arg_sz)
 }
 }
diff --git a/texthook/main.cc b/texthook/main.cc
index 390ed03..91f159a 100644
--- a/texthook/main.cc
+++ b/texthook/main.cc
@@ -86,13 +86,10 @@ DWORD WINAPI Pipe(LPVOID)
 FreeLibraryAndExitThread(GetModuleHandleW(ITH_DLL), 0);
 }
-void TextOutput(ThreadParam tp, BYTE* text, int len)
+void TextOutput(ThreadParam tp, BYTE (*buffer)[PIPE_BUFFER_SIZE], int len)
 {
- if (len < 0) return;
- if (len > PIPE_BUFFER_SIZE - sizeof(tp)) len = PIPE_BUFFER_SIZE - sizeof(tp);
- BYTE buffer[PIPE_BUFFER_SIZE] = {};
+ if (len < 0 || len > PIPE_BUFFER_SIZE - sizeof(tp)) ConsoleOutput("Textractor: something went very wrong (invalid length %d at hook address %I64d)", len, tp.addr);
 *(ThreadParam*)buffer = tp;
- memcpy(buffer + sizeof(tp), text, len);
 WriteFile(hookPipe, buffer, sizeof(tp) + len, DUMMY, nullptr);
 }
diff --git a/texthook/main.h b/texthook/main.h
index af6c383..e610037 100644
--- a/texthook/main.h
+++ b/texthook/main.h
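Review bot: The `KNOWN_UNSTABLE` flag added to the SysAllocStringLen hook carries no comment saying what was observed to be unstable, and the commit title ("fix stack overflow") does not explain the link either, so a later reader cannot tell whether the hook itself or the `s_arg2 / arg_sz` length expression is the unreliable part. A one-line comment above the NEW_MODULE_HOOK line recording the observed failure, such as `// KNOWN_UNSTABLE: <observed failure, to be filled in> — see commit "fix stack overflow"`, would preserve that reasoning; the surrounding hookOtherPcFunctions body lies outside this hunk.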
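Review bot: The new length guard in TextOutput only logs and then falls through to `*(ThreadParam*)buffer = tp;` and `WriteFile(hookPipe, buffer, sizeof(tp) + len, DUMMY, nullptr);`, so an out-of-range `len` still reaches the pipe write: a value above `PIPE_BUFFER_SIZE - sizeof(tp)` makes WriteFile read past the end of the PIPE_BUFFER_SIZE array the caller passes, and a negative value makes `sizeof(tp) + len` wrap to a huge size_t before it is truncated to WriteFile's DWORD. The removed code clamped and returned; the replacement should at least stop after reporting, `if (len < 0 || len > PIPE_BUFFER_SIZE - sizeof(tp)) { ConsoleOutput(...); return; }`. Note also that `len > PIPE_BUFFER_SIZE - sizeof(tp)` compares a signed int with a size_t, so a negative `len` is converted to unsigned and already satisfies that clause; writing the bound as `(int)(PIPE_BUFFER_SIZE - sizeof(tp))` would make the intent explicit and avoid a sign-compare warning. The callers in texthook.cc clamp to TEXT_BUFFER_SIZE before calling, so as far as these hunks show this is a defence-in-depth gap in the pipe writer rather than a currently reachable over-read, but the function's own contract (`// buffer: caller-owned PIPE_BUFFER_SIZE array with the text already at buffer + sizeof(tp); the ThreadParam header is written over the first sizeof(tp) bytes`) deserves a comment now that it no longer copies the text itself.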
@@ -7,7 +7,7 @@
 #include "common.h"
 #include "types.h"
-void TextOutput(ThreadParam tp, BYTE* text, int len);
+void TextOutput(ThreadParam tp, BYTE (*buffer)[PIPE_BUFFER_SIZE], int len);
 void ConsoleOutput(LPCSTR text, ...);
 void NotifyHookFound(HookParam hp, wchar_t* text);
 void NotifyHookRemove(uint64_t addr, LPCSTR name);
diff --git a/texthook/texthook.cc b/texthook/texthook.cc
index a5ee808..d2dceb7 100644
--- a/texthook/texthook.cc
+++ b/texthook/texthook.cc
@@ -92,6 +92,7 @@ namespace { // unnamed
 int this_offset = 50, send_offset = 60, original_offset = 126;
 #endif
+ thread_local BYTE buffer[PIPE_BUFFER_SIZE];
 enum { TEXT_BUFFER_SIZE = PIPE_BUFFER_SIZE - sizeof(ThreadParam) };
 } // unnamed namespace
@@ -114,6 +115,7 @@ bool TextHook::Insert(HookParam hp, DWORD set_flag)
 // - dwDataBase: the stack address
 void TextHook::Send(uintptr_t dwDataBase)
 {
+ BYTE(*buffer)[PIPE_BUFFER_SIZE] = &::buffer, *pbData = *buffer + sizeof(ThreadParam);
 _InterlockedIncrement(&useCount);
 __try
 {
@@ -145,9 +147,8 @@ void TextHook::Send(uintptr_t dwDataBase)
 dwCount = GetLength(dwDataBase, dwDataIn);
 }
- if (dwCount == 0) goto done;
+ if (dwCount <= 0) goto done;
 if (dwCount > TEXT_BUFFER_SIZE) dwCount = TEXT_BUFFER_SIZE;
- BYTE pbData[TEXT_BUFFER_SIZE];
 if (hp.length_offset == 1) {
 dwDataIn &= 0xffff;
 if ((hp.type & BIG_ENDIAN) && (dwDataIn >> 8)) dwDataIn = _byteswap_ushort(dwDataIn & 0xffff);
@@ -160,7 +161,7 @@ void TextHook::Send(uintptr_t dwDataBase)
 if (hp.type & (NO_CONTEXT | FIXING_SPLIT)) dwRetn = 0;
- TextOutput({ GetCurrentProcessId(), address, dwRetn, dwSplit }, pbData, dwCount);
+ TextOutput({ GetCurrentProcessId(), address, dwRetn, dwSplit }, buffer, dwCount);
 #else // _WIN32
 if (hp.type & HOOK_EMPTY) goto done; // jichi 10/24/2014: dummy hook only for dynamic hook
 int count = 0;
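Review bot: The new `thread_local BYTE buffer[PIPE_BUFFER_SIZE];` is one buffer per thread shared by every TextHook::Send and TextHook::Read call on that thread, so the text a call stages in it is valid only until the next call on the same thread; the declaration says none of this. If a hooked function can be re-entered on the same thread while Send is between filling pbData and the WriteFile inside TextOutput (for example a hook on something ConsoleOutput or the pipe write itself uses), the inner call would overwrite the outer call's text before it is written — I cannot tell from these hunks whether such re-entrancy is possible, so it is worth confirming. A contract comment on the declaration, `// per-thread staging buffer for TextOutput: ThreadParam header first, text at + sizeof(ThreadParam); contents are valid only until the next Send/Read on this thread`, would make the trade-off against the removed stack arrays explicit. Separately, `thread_local` in a DLL that is loaded into the target with LoadLibrary depends on the loader's support for implicit TLS in dynamically loaded modules, which older Windows versions lacked; if the project still targets such systems that is worth a note here, otherwise it can be ignored.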
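Review bot: `BYTE(*buffer)[PIPE_BUFFER_SIZE] = &::buffer, *pbData = *buffer + sizeof(ThreadParam);` declares an array pointer and a plain `BYTE*` in one declarator list, which hides that the two names have different types; the same form is added in the Read hunk of this file. Splitting it into `BYTE (*buffer)[PIPE_BUFFER_SIZE] = &::buffer;` and `BYTE* pbData = *buffer + sizeof(ThreadParam); // text goes after the ThreadParam header that TextOutput writes` keeps both types readable and documents why the text starts at that offset. The body of Send continues outside this hunk.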
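Review bot: `if (dwCount <= 0) goto done;` only changes behaviour if dwCount is a signed type; its declaration is outside this hunk, and if it is a DWORD the test is equivalent to the old `== 0` while a negative GetLength result would become a huge count that the next line clamps to TEXT_BUFFER_SIZE and then treats as valid text length. Worth confirming the declaration, or casting explicitly (`if ((int)dwCount <= 0) goto done;`) if a signed check is the intent. The 32-bit branch's `count` is declared `int count = 0;` in the context of a later hunk, so the matching `count <= 0` change there is effective as written.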
@@ -176,9 +177,8 @@ void TextHook::Send(uintptr_t dwDataBase)
 data += hp.padding;
 count = GetLength(dwDataBase, data);
- if (count == 0) goto done;
+ if (count <= 0) goto done;
 if (count > TEXT_BUFFER_SIZE) count = TEXT_BUFFER_SIZE;
- BYTE pbData[TEXT_BUFFER_SIZE];
 if (hp.length_offset == 1) {
 data &= 0xffff;
@@ -190,7 +190,7 @@ void TextHook::Send(uintptr_t dwDataBase)
 if (hp.type & (NO_CONTEXT | FIXING_SPLIT)) tp.ctx = 0;
- TextOutput(tp, pbData, count);
+ TextOutput(tp, buffer, count);
 #endif // _WIN64
 }
 __except (EXCEPTION_EXECUTE_HANDLER)
@@ -232,14 +232,14 @@ bool TextHook::InsertHookCode()
 void TextHook::Read()
 {
- BYTE buffer[TEXT_BUFFER_SIZE] = {};
 int dataLen = 1;
+ BYTE(*buffer)[PIPE_BUFFER_SIZE] = &::buffer, *pbData = *buffer + sizeof(ThreadParam);
 __try
 {
- while (WaitForSingleObject(readerEvent, 500) == WAIT_TIMEOUT) if (memcmp(buffer, location, dataLen) != 0) if (int currentLen = HookStrlen((BYTE*)location))
+ while (WaitForSingleObject(readerEvent, 500) == WAIT_TIMEOUT) if (memcmp(pbData, location, dataLen) != 0) if (int currentLen = HookStrlen((BYTE*)location))
 {
 dataLen = min(currentLen, TEXT_BUFFER_SIZE);
- memcpy(pbData, location, dataLen);
+ memcpy(pbData, location, dataLen);
 TextOutput({ GetCurrentProcessId(), address, 0, 0 }, buffer, dataLen);
 }
 }