Unable to hook certain functions in DLLs which have a hotpatch applied to them on Windows 11 24H2/25H2 Enterprise #367

Description

@chuckchopp

On Windows 11 24H2/25H2, as well as Windows Server 2025 24H2 Datacenter Azure Edition, the update KB5072014 is a "hotpatch".

I have program code which has been used for several years to successfully hook multiple functions in "C:\Windows\System32\appinfo.dll", including private functions, by way of programmatically obtaining the associated PDB file and parsing it for the RVA values of the private functions. Now, however, on any system where KB5072014 has been applied, I see that "appinfo.dll" also loads "appinfo_hotpatch.dll" [from under the "C:\Windows\WinSxS" path]. Of the several private functions being hooked with MS Detours, the issue is repeatedly occurring when DetourAttach() is called for the function "AiCheckLUA". I've verified the function's RVA [offset from module base address] via debugger connection and disassembly with both IDA and Ghidra. When called, DetourAttach() returns error 487 (ERROR_INVALID_ADDRESS). After stepping into DetourAttach() and then DetourAttachEx(), I find that it's the call to VirtualProtect() which is failing and causing that error to be returned. Stepping into VirtualProtect() shows that NtProtectVirtualMemory() is failing and returning STATUS_NOT_COMMITTED.

If KB5072014 is rolled back, the problem goes away and function hooking is performed successfully.

System Informer has also been used to validate the memory protection issue, and attempts to change the memory protection from RX to RWX also fail with STATUS_NOT_COMMITTED. However, System Informer shows that the memory type is "Image: Commit".

The expected behavior is that a call to DetourAttach() should be successful if a valid function pointer value is passed to it.

Detours v4.0.1 is being used.

Please advise as to whether MS Detours needs to be modified to be able to hook functions in DLLs which have been hotpatched or if MS Detours is unable to reliably hook all functions in a DLL which has a hotpatch actively applied to it.
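As an added diagnostic (this is not code from the Detours project or from the reporter), the following PowerShell script reproduces the memory check that DetourAttach() ends up making, but from outside the target process and without a debugger: for every process that has `appinfo.dll` loaded it prints the base and size of `appinfo.dll` and of `appinfo_hotpatch.dll` (if present), resolves a PDB-derived RVA to a virtual address against that process's `appinfo.dll` base, confirms the address falls inside that image, and asks `VirtualQueryEx()` for the state, type and protection of the containing region, which is what `VirtualProtect()` / `NtProtectVirtualMemory()` will act on. The `$Rva` value is a placeholder, not the real offset of `AiCheckLUA`; substitute the RVA obtained from the PDB. The `HotpatchDiag.Native` type and its P/Invoke signatures are defined by the script itself. Run it from an elevated 64-bit PowerShell so the service host owning `appinfo.dll` can be opened.

```powershell
# Added diagnostic script, not part of the Detours project or of the reporter's code.
# Finds every process with the target module loaded, resolves RVA -> VA against that
# process's module base, and reports what VirtualQueryEx says about the page there.
$TargetModule   = 'appinfo.dll'
$HotpatchModule = 'appinfo_hotpatch.dll'
$Rva            = 0x1000   # PLACEHOLDER RVA: replace with the value parsed from the PDB

Add-Type -Namespace HotpatchDiag -Name Native -MemberDefinition @'
[System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public System.IntPtr BaseAddress;
    public System.IntPtr AllocationBase;
    public uint          AllocationProtect;   // natural alignment puts RegionSize at +24 on x64,
    public System.IntPtr RegionSize;          // matching the native layout (PartitionId lives in the padding)
    public uint          State;
    public uint          Protect;
    public uint          Type;
}
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
public static extern System.IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
public static extern System.IntPtr VirtualQueryEx(System.IntPtr hProcess, System.IntPtr lpAddress,
    out MEMORY_BASIC_INFORMATION lpBuffer, System.IntPtr dwLength);
[System.Runtime.InteropServices.DllImport("kernel32.dll")]
public static extern bool CloseHandle(System.IntPtr hObject);
'@

# Decode tables for the MEMORY_BASIC_INFORMATION fields (values from winnt.h).
$StateNames   = @{ 0x1000 = 'MEM_COMMIT'; 0x2000 = 'MEM_RESERVE'; 0x10000 = 'MEM_FREE' }
$TypeNames    = @{ 0x1000000 = 'MEM_IMAGE'; 0x40000 = 'MEM_MAPPED'; 0x20000 = 'MEM_PRIVATE' }
$ProtectNames = @{ 0x01 = 'PAGE_NOACCESS'; 0x02 = 'PAGE_READONLY'; 0x04 = 'PAGE_READWRITE'; 0x08 = 'PAGE_WRITECOPY'
                   0x10 = 'PAGE_EXECUTE'; 0x20 = 'PAGE_EXECUTE_READ'; 0x40 = 'PAGE_EXECUTE_READWRITE'; 0x80 = 'PAGE_EXECUTE_WRITECOPY' }

function Format-Protect([uint32]$Value) {
    $name = $ProtectNames[[int]($Value -band 0xFF)]
    if (-not $name) { $name = 'unknown' }
    if ($Value -band 0x100) { $name += '|PAGE_GUARD' }
    '{0} (0x{1:X})' -f $name, $Value
}

# Query the region containing $Address in process $ProcessId, the way VirtualProtect will see it.
function Get-RegionInfo {
    param([int]$ProcessId, [IntPtr]$Address)
    $h = [HotpatchDiag.Native]::OpenProcess(0x0400, $false, $ProcessId)   # PROCESS_QUERY_INFORMATION
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $mbi  = [HotpatchDiag.Native+MEMORY_BASIC_INFORMATION]::new()
        $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([HotpatchDiag.Native+MEMORY_BASIC_INFORMATION])
        $got  = [HotpatchDiag.Native]::VirtualQueryEx($h, $Address, [ref]$mbi, $size)
        if ($got -eq [IntPtr]::Zero) {
            throw "VirtualQueryEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        [pscustomobject]@{
            RegionBase = '0x{0:X}' -f [int64]$mbi.BaseAddress
            RegionSize = '0x{0:X}' -f [int64]$mbi.RegionSize
            State      = $StateNames[[int]$mbi.State]
            Type       = $TypeNames[[int]$mbi.Type]
            Protect    = Format-Protect $mbi.Protect
        }
    } finally {
        [void][HotpatchDiag.Native]::CloseHandle($h)
    }
}

$kb = Get-HotFix -Id KB5072014 -ErrorAction SilentlyContinue
'KB5072014 listed by Get-HotFix: {0}' -f [bool]$kb

foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # protected, exited, or inaccessible process
    $target = $mods | Where-Object { $_.ModuleName -ieq $TargetModule } | Select-Object -First 1
    if (-not $target) { continue }
    $hot  = $mods | Where-Object { $_.ModuleName -ieq $HotpatchModule } | Select-Object -First 1
    $base = [int64]$target.BaseAddress
    $va   = $base + $Rva
    "`n{0} (PID {1})" -f $p.ProcessName, $p.Id
    '  {0,-22} base 0x{1:X} size 0x{2:X}' -f $TargetModule, $base, $target.ModuleMemorySize
    if ($hot) { '  {0,-22} base 0x{1:X} size 0x{2:X}' -f $HotpatchModule, [int64]$hot.BaseAddress, $hot.ModuleMemorySize }
    else      { '  {0,-22} not loaded' -f $HotpatchModule }
    $inTarget = ($va -ge $base) -and ($va -lt ($base + $target.ModuleMemorySize))
    '  RVA 0x{0:X} -> VA 0x{1:X} (inside {2}: {3})' -f $Rva, $va, $TargetModule, $inTarget
    try {
        $r = Get-RegionInfo -ProcessId $p.Id -Address ([IntPtr]$va)
        '  region base {0} size {1}: state {2}, type {3}, protect {4}' -f $r.RegionBase, $r.RegionSize, $r.State, $r.Type, $r.Protect
    } catch { "  $_" }
}
```

Comparing the reported state, type and protection of the resolved address on a system with KB5072014 applied against one where it has been rolled back gives a concrete record to attach to the issue, and the module base/size lines show immediately whether the RVA-derived address lands in `appinfo.dll`, in `appinfo_hotpatch.dll`, or in neither.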

Labels: bug (Something isn't working)