• Welcome to Valhalla Legends Archive.
 

API hooking and code injection

Started by Banana fanna fo fanna, June 01, 2003, 08:52 PM

Previous topic - Next topic
Print
|
Go Down Pages 1 2 3
User actions

TheMinistered

#15
June 05, 2003, 05:35 PM
d2hackit would be a better reference

indulgence

#16
June 06, 2003, 02:35 PM
Skywing offered better advice...

Just check the return of the VirtualProtect function... If it is returning 0 that is bad.  Call GetLastError to check to see what exactly went wrong
<3

salty

#17
June 09, 2003, 07:11 AM Last Edit: June 09, 2003, 07:12 AM by salty
 ;DHow about reading the win32 reference  :o ? :-X

Banana fanna fo fanna

#18
June 09, 2003, 02:17 PM
Now, using Adron's loop, it isn't finding any imported functions in notepad.exe. Any suggestions? This is really difficult for me :/

Skywing

#19
June 09, 2003, 02:55 PM
Quote from: St0rm.iD on June 09, 2003, 02:17 PM
Now, using Adron's loop, it isn't finding any imported functions in notepad.exe. Any suggestions? This is really difficult for me :/
Mind posting some code?  You of all people should know that it's pretty hard to help somebody when they don't show what they're doing ;)

Banana fanna fo fanna

#20
June 09, 2003, 05:40 PM
I am pretty much using his code verbatim, but here you go.

Code Select

      for(MessageBoxFunc **x = (MessageBoxFunc**)startAddr; (DWORD)x < meminfo.RegionSize + startAddr; x++) {
         if (*x == MessageBoxA) {
            fprintf(logfile,"Replacing API call at 0x%x\n", (DWORD)x);
            *x = MyMessageBoxA;
            fprintf(logfile,"Replaced API call\n");
            replacedAPI = TRUE;
            break;
         }
      }

      VirtualProtect((LPVOID)startAddr, meminfo.RegionSize, oldProtect, &dummy);

      fprintf(logfile,"%s\n", replacedAPI ? "Replaced API call successfully." : "Unable to replace API call.");

Camel

#21
June 09, 2003, 05:46 PM
Quote from: TheMinistered on June 05, 2003, 05:35 PM
d2hackit would be a better reference
d2hackit is open source?

Adron

#22
June 09, 2003, 06:40 PM
What's meminfo? You may have to loop a few times with virtualquery to find the first non-committed page, the first few boundaries are likely to be just changes of page protection.

Banana fanna fo fanna

#23
June 09, 2003, 09:25 PM
Forgot to say, startAddr = 0x401000

meminfo is the result of VirtualQuery.

Adron

#24
June 10, 2003, 10:41 AM Last Edit: June 10, 2003, 10:45 AM by Adron
Quote from: St0rm.iD on June 09, 2003, 09:25 PM
Forgot to say, startAddr = 0x401000

meminfo is the result of VirtualQuery.

Code for meminfo? Perhaps something like:

Code Select

   HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, 0, 1104);

   void *endaddress = (void*)0x401000;
   MEMORY_BASIC_INFORMATION mbi;
   while(1) {
      VirtualQueryEx(h, endaddress, &mbi, sizeof mbi);
      printf("Memory at %08x-%08x: ", mbi.BaseAddress, (unsigned)mbi.BaseAddress + mbi.RegionSize - 1);
      switch(mbi.State) {
      case MEM_COMMIT:
         printf("Committed ");
         break;
      case MEM_RESERVE:
         printf("Reserved ");
         break;
      case MEM_FREE:
         printf("Free ");
         break;
      }
      switch(mbi.Protect) {
         case PAGE_READONLY:
            printf("READONLY");
            break;
         case PAGE_READWRITE:
            printf("READWRITE");
            break;
         case PAGE_WRITECOPY:
            printf("WRITECOPY");
            break;
         case PAGE_EXECUTE:
            printf("EXECUTE");
            break;
         case PAGE_EXECUTE_READ:
            printf("EXECUTE_READ");
            break;
         case PAGE_EXECUTE_READWRITE:
            printf("EXECUTE_READWRITE");
            break;
         case PAGE_EXECUTE_WRITECOPY:
            printf("EXECUTE_WRITECOPY");
            break;
         case PAGE_GUARD:
            printf("GUARD");
            break;
         case PAGE_NOACCESS:
            printf("NOACCESS");
            break;
         case PAGE_NOCACHE:
            printf("NOCACHE");
            break;
      }
      printf("\n");
      if(mbi.State != MEM_COMMIT)
         break;
      endaddress = (char*)mbi.BaseAddress + mbi.RegionSize;
   }
   
   printf("Suggest to search from %08x to %08x\n", 0x401000, (unsigned)endaddress - 1);


edit: display inclusive ranges (-1)

Skywing

#25
June 10, 2003, 01:34 PM
You could further refine on Adron's method by only scanning areas with the SEC_IMAGE flag, or areas with an access that allows EXECUTE.

Adron

#26
June 10, 2003, 05:06 PM
Quote from: Skywing on June 10, 2003, 01:34 PM
You could further refine on Adron's method by only scanning areas with the SEC_IMAGE flag, or areas with an access that allows EXECUTE.

That's possible. Does the import table always have to have execute access though? Seems to me like read would be enough.

Banana fanna fo fanna

#27
June 12, 2003, 04:52 PM
Loop returns 0x401000 :(

EvilCheese

#28
June 12, 2003, 09:58 PM
Quote
Loop returns 0x401000

Could you post the exact code you're using for your loop?

Arta

#29
June 13, 2003, 06:31 AM
What exactly are you trying to do? Hook an imported function by changing it's address in the IAT? If so you'll find it *much* easier to look it up properly by parsing the exe's PE header. I can post some code if you'd like.
Print
|
Go Up Pages 1 2 3
User actions