C++ WriteProcessMemory makes MessageBox crash the program


I want to write a little AntiHack and I have a problem with one part of it. The idea was to prevent DLL injection by hooking LdrLoadDll from NTDLL.DLL. I found a function by googling which does this:

// function call: BlockAPI(m_hProc, "NTDLL.DLL", "LdrLoadDll");
bool zProtect::BlockAPI(HANDLE hProcess, char* libName, char* apiName)
{
    BYTE pRet[] = { 0x31, 0xC0,   // XOR eax, eax
                    0xC3 };       // RET
    HMODULE hLib = NULL;
    VOID *pAddr = NULL;
    bool bRet = false;
    SIZE_T dwRet = 0;             // WriteProcessMemory reports bytes written as SIZE_T

    hLib = LoadLibraryA(libName);
    if (hLib)
    {
        pAddr = (VOID*)GetProcAddress(hLib, apiName);
        if (pAddr)
        {
            DWORD dwback;
            // Make the first bytes of the API writable in the target process
            if (!VirtualProtectEx(hProcess, (LPVOID)pAddr, sizeof(pRet), PAGE_EXECUTE_READWRITE, &dwback))
                return false;
            // Overwrite the API entry point with the stub above
            if (WriteProcessMemory(hProcess, (LPVOID)pAddr, pRet, sizeof(pRet), &dwRet))
                bRet = true;
            // Restore the original page protection
            if (!VirtualProtectEx(hProcess, (LPVOID)pAddr, sizeof(pRet), dwback, &dwback))
                return false;
        }
    }
    return bRet;
}

It's working fine, BUT MessageBox(NULL, msg, "DETECTED", MB_OK); crashes if it is executed after BlockAPI(..);

Ausnahme (erste Chance) bei 0x75312113 (user32.dll) in DLLTester.exe: 0xC0000005: Zugriffsverletzung beim Lesen an Position 0x0000002D
Unbehandelte Ausnahme bei 0x75312113 (user32.dll) in DLLTester.exe: 0xC000041D: Ausnahmefehler während eines Benutzerrückrufs

Thanks, lolxdfly

Edit: I found out that before the crash with the MessageBox happens, the previous call is the Sleep(1000); from my detecting thread!

Old Problem (Crash in Release Mode) was fixed!

asked on Stack Overflow Jan 24, 2015 by lolxdfly • edited Jan 25, 2015 by lolxdfly

1 Answer


It is very simple...

Whoever calls LoadLibrary will crash. Why does MessageBox cause a DLL to load? No idea... maybe it wants to load some resource DLL for the icon.

(by Pavel A)

I'll try to replace the LdrLoadDll function with a function which checks every loaded DLL with GetModuleHandle. (I don't know if this is possible!)

Edit: For those who want to know: The MessageBox(...); loads



answered on Stack Overflow Jan 26, 2015 by lolxdfly • edited Jan 28, 2015 by lolxdfly
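
An added example, not code from the question or the answer: instead of stubbing out LdrLoadDll, which also breaks every legitimate load such as the one MessageBox triggers, a detection thread can audit the modules already loaded against an allowlist. `FindUnexpectedModules`, `LoadedModulePaths` and the trusted-directory policy are hypothetical names and assumptions; the enumeration uses the Toolhelp32 API and is compiled only on Windows.

```cpp
#include <algorithm>
#include <cwctype>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif
using Paths = std::vector<std::wstring>;
// Lower-case and use backslash separators so comparisons ignore case and slash style.
static std::wstring Normalize(std::wstring p) {
    std::transform(p.begin(), p.end(), p.begin(), [](wchar_t c) {
        return c == L'/' ? L'\\' : static_cast<wchar_t>(std::towlower(c)); });
    return p;
}
// Modules neither inside a trusted directory nor allow-listed by full path.
Paths FindUnexpectedModules(const Paths& loaded, const Paths& trustedDirs, const Paths& allowed) {
    Paths unexpected;
    for (const auto& raw : loaded) {
        const std::wstring path = Normalize(raw);
        // A path containing ".." never counts as being inside a trusted directory.
        const bool traversal = path.find(L"\\..\\") != std::wstring::npos;
        bool ok = false;
        for (const auto& a : allowed) ok = ok || Normalize(a) == path;
        for (const auto& dir : trustedDirs) {
            std::wstring d = Normalize(dir);
            if (d.empty() || traversal) continue;
            if (d.back() != L'\\') d += L'\\';  // match only on a directory boundary
            if (path.compare(0, d.size(), d) == 0) ok = true;
        }
        if (!ok) unexpected.push_back(raw);
    }
    return unexpected;
}
#ifdef _WIN32
// Full paths of the modules the loader reports for the current process.
Paths LoadedModulePaths() {
    Paths out;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, GetCurrentProcessId());
    if (snap == INVALID_HANDLE_VALUE) return out;
    MODULEENTRY32W me{};
    me.dwSize = sizeof(me);  // must be set before the first Module32FirstW call
    for (BOOL more = Module32FirstW(snap, &me); more; more = Module32NextW(snap, &me))
        out.emplace_back(me.szExePath);
    CloseHandle(snap);
    return out;
}
#endif
```

On Windows, call `FindUnexpectedModules(LoadedModulePaths(), trustedDirs, allowed)` periodically from the detection thread. It only reports modules that are registered with the loader.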

User contributions licensed under CC BY-SA 3.0