API hooking and code injection

Started by Banana fanna fo fanna, June 01, 2003, 08:52 PM


Brolly

Yes, the IAT has to have execute.
It's a collection of jumps to the actual APIs.

Skywing

Quote from: Brolly on August 03, 2003, 04:44 PM
Yes, the IAT has to have execute.
It's a collection of jumps to the actual APIs.
IIRC, the IAT is indirected through by those jumps. The actual jumps themselves are typically located in .text.

Banana fanna fo fanna

Ah, thanks for resurrecting :)

Here's my code.


#include <windows.h>
#include <stdio.h>

// Declarations the posted fragment relies on but does not show.
typedef int WINAPI MessageBoxFunc(HWND, LPCSTR, LPCSTR, UINT);   // function type, so MessageBoxFunc* is a slot
extern FILE *logfile;                                             // opened elsewhere in the DLL
int WINAPI MyMessageBoxA(HWND, LPCSTR, LPCSTR, UINT);             // the replacement routine

fprintf(logfile,"Replacing API call...\n");

DWORD oldProtect;
DWORD dummy;
DWORD startAddr = 0x401000;
DWORD endAddr = 0x401000;
MEMORY_BASIC_INFORMATION meminfo;
BOOL replacedAPI = FALSE;
//HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());

//VirtualQuery((LPVOID)startAddr,&meminfo,sizeof(meminfo));

//fprintf(logfile,"Page size is 0x%x\n",meminfo.RegionSize);
// scan the region of memory after 0x401000 until we hit stuff that isnt committed executable memory.
// .text is normally PAGE_EXECUTE_READ, so test for any PAGE_EXECUTE* flag rather than
// PAGE_EXECUTE alone, otherwise the scan stops before it starts.
while (1) {
   if (!VirtualQuery((LPVOID)endAddr,&meminfo,sizeof(meminfo)))
      break;   // query failed (end of address space); don't spin on stale data

   if (meminfo.State != MEM_COMMIT ||
       !(meminfo.Protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                            PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)))
      break;

   endAddr = (DWORD)meminfo.BaseAddress + meminfo.RegionSize;
}

// Unprotect the whole range about to be scanned (not just the last region VirtualQuery
// reported, which is the one that ended the loop) and keep it executable while writing.
VirtualProtect((LPVOID)startAddr, endAddr - startAddr, PAGE_EXECUTE_READWRITE,&oldProtect);
fprintf(logfile,"searching 0x%x to 0x%x.\n",startAddr,endAddr);
//VirtualProtectEx(hProcess, (LPVOID)startAddr, meminfo.RegionSize, PAGE_READWRITE,&oldProtect); // thanks d2hackit
//for(MessageBoxFunc **x = (MessageBoxFunc**)startAddr; (DWORD)x < meminfo.RegionSize + startAddr; x++) {
// x++ steps one pointer (4 bytes) at a time, i.e. one IAT slot
for(MessageBoxFunc **x = (MessageBoxFunc**)startAddr; (DWORD)x < endAddr; x++) {
   if (*x == MessageBoxA) {
      fprintf(logfile,"Replacing API call at 0x%x\n", (DWORD)x);
      *x = MyMessageBoxA;
      fprintf(logfile,"Replaced API call\n");
      replacedAPI = TRUE;
      break;
   }
}

VirtualProtect((LPVOID)startAddr, endAddr - startAddr, oldProtect, &dummy);
//VirtualProtectEx(hProcess, (LPVOID)startAddr, meminfo.RegionSize, oldProtect, &dummy);

fprintf(logfile,"%s\n", replacedAPI ? "Replaced API call successfully." : "Unable to replace API call.");


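To make Skywing's point about the indirection concrete and to show the defender's counterpart to the scan above, here is an added example (not the poster's code or anything from this thread) that models an IAT in portable C: the export table, both message-box functions and the thunk are constructed stand-ins for user32's real exports and for a GetProcAddress lookup, so it builds without windows.h.

```c
/* Added example, not the poster's code: a portable model of an IAT, a thunk
 * that indirects through it, and an integrity check over the slots. The
 * export table and both message-box functions are constructed stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*api_fn)(const char *msg);

/* Stand-in for the real export (user32!MessageBoxA) and for a replacement. */
static int real_message_box(const char *msg) { return (int)strlen(msg); }
static int hooked_message_box(const char *msg) { (void)msg; return -1; }

/* Constructed export table: what re-resolving each name would yield. */
#define IAT_SLOTS 2
static const struct { const char *name; api_fn fn; } exports[IAT_SLOTS] = {
    { "MessageBoxA", real_message_box },
    { "MessageBoxW", real_message_box },
};

/* The import address table: one function pointer per imported name. */
static api_fn iat[IAT_SLOTS];

/* Loader step: fill each slot with the resolved export address. */
static void loader_fill_iat(void) {
    for (size_t i = 0; i < IAT_SLOTS; i++) iat[i] = exports[i].fn;
}

/* Thunk as it sits in .text: `jmp dword ptr [iat+0]`. The code never holds
 * the API address itself; every call indirects through the slot. */
static int call_message_box_a(const char *msg) { return iat[0](msg); }

/* Integrity check: compare each live slot with a fresh resolution of its
 * export. Returns the number of redirected slots (an IAT-hook scanner's
 * finding); the thread's in-place pointer swap shows up as a count of 1. */
static int iat_hook_count(void) {
    int hooked = 0;
    for (size_t i = 0; i < IAT_SLOTS; i++) {
        if (iat[i] != exports[i].fn) {
            printf("slot %zu (%s) no longer points at its export\n",
                   i, exports[i].name);
            hooked++;
        }
    }
    return hooked;
}
```

Re-running loader_fill_iat() restores the table, which is also how a scanner that reports rather than merely logs would repair the slot.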