Handle ordinals in GetProcAddress detour #66
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As it turns out, symbols exported by a DLL don't necessary have to have text symbols - but they do have a number, the symbol ordinal, which is a valid way to address and access the symbol.
GetProcAddresssupports this behaviour - in this case, the ordinal is passed as the pointer value. Which, in Doorstop's detour, still gets treated as a string, and which subsequently causeslstrcmpto segfault under some very specific conditions (i.e. when the calling module tries to resolve a procedure by its ordinal).In my case Unity 6 was accessing the
0x65ordinal ofd3d12.dll(located in system directory). (Did some poking - the symbol is named, which is weird, and named "D3D12CreateDevice", which checks out.)As per
GetProcAddressdocs, if the value of thelpProcNamepointer is an ordinal, high-word value of the pointer must be zero. This pull request addresses that quirk by insertingHIWORDmacro as an additional condition to the detour check routine.On a side note, this trend of looking up function names by their ordinals may hinder the detour.. Although doubt using ordinals is that stable. Weird.
GetProcAddressdocs: https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress