Welcome to Valhalla Legends Archive.

API hooking and code injection

Started by Banana fanna fo fanna, June 01, 2003, 08:52 PM


TheMinistered

d2hackit would be a better reference

indulgence

Skywing offered better advice...

Just check the return of the VirtualProtect function... If it is returning 0 that is bad. Call GetLastError to check to see what exactly went wrong.
<3

salty

;D How about reading the win32 reference :o ? :-X

Banana fanna fo fanna

Now, using Adron's loop, it isn't finding any imported functions in notepad.exe. Any suggestions? This is really difficult for me :/

Skywing

Quote from: St0rm.iD on June 09, 2003, 02:17 PM
Now, using Adron's loop, it isn't finding any imported functions in notepad.exe. Any suggestions? This is really difficult for me :/
Mind posting some code?  You of all people should know that it's pretty hard to help somebody when they don't show what they're doing ;)

Banana fanna fo fanna

I am pretty much using his code verbatim, but here you go.


      #include <windows.h>
      #include <stdio.h>
      typedef int WINAPI MessageBoxFunc(HWND, LPCSTR, LPCSTR, UINT);  /* function type, so MessageBoxFunc* is a function pointer */
      int WINAPI MyMessageBoxA(HWND, LPCSTR, LPCSTR, UINT);            /* the replacement; defined elsewhere */
      /* Assumed wrapper (the post shows only the loop): startAddr = 0x401000, meminfo is the
         VirtualQuery result for it, oldProtect came from the VirtualProtect call that made
         the region writable, logfile is an open FILE*. */
      BOOL ReplaceImport(FILE *logfile, DWORD startAddr, MEMORY_BASIC_INFORMATION meminfo, DWORD oldProtect) {
         DWORD dummy;
         BOOL replacedAPI = FALSE;
         /* x steps through 4-byte slots; *x is a function pointer compared with the real MessageBoxA */
         for(MessageBoxFunc **x = (MessageBoxFunc**)startAddr; (DWORD)x < meminfo.RegionSize + startAddr; x++) {
            if (*x == MessageBoxA) {
               fprintf(logfile,"Replacing API call at 0x%x\n", (DWORD)x);
               *x = MyMessageBoxA;   /* point the IAT slot at the replacement */
               fprintf(logfile,"Replaced API call\n");
               replacedAPI = TRUE;
               break;
            }
         }
         VirtualProtect((LPVOID)startAddr, meminfo.RegionSize, oldProtect, &dummy);   /* restore protection */
         fprintf(logfile,"%s\n", replacedAPI ? "Replaced API call successfully." : "Unable to replace API call.");
         return replacedAPI;
      }

Camel


Adron

What's meminfo? You may have to loop a few times with virtualquery to find the first non-committed page, the first few boundaries are likely to be just changes of page protection.

Banana fanna fo fanna

Forgot to say, startAddr = 0x401000

meminfo is the result of VirtualQuery.

Adron

Quote from: St0rm.iD on June 09, 2003, 09:25 PM
Forgot to say, startAddr = 0x401000

meminfo is the result of VirtualQuery.

Code for meminfo? Perhaps something like:


   #include <windows.h>
   #include <stdio.h>

   int main(void) {
      /* 1104 is the target pid from the post; PROCESS_QUERY_INFORMATION would be enough for VirtualQueryEx */
      HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, 0, 1104);
      if(!h) {
         printf("OpenProcess failed: %lu\n", GetLastError());
         return 1;
      }

      void *endaddress = (void*)0x401000;
      MEMORY_BASIC_INFORMATION mbi;
      while(1) {
         /* a zero return means the query failed; without this check a stale mbi would loop forever */
         if(!VirtualQueryEx(h, endaddress, &mbi, sizeof mbi))
            break;
         printf("Memory at %08x-%08x: ", (unsigned)mbi.BaseAddress, (unsigned)((char*)mbi.BaseAddress + mbi.RegionSize - 1));
         switch(mbi.State) {
         case MEM_COMMIT:
            printf("Committed ");
            break;
         case MEM_RESERVE:
            printf("Reserved ");
            break;
         case MEM_FREE:
            printf("Free ");
            break;
         }
         /* PAGE_GUARD and PAGE_NOCACHE are modifier bits OR'd onto one of the base protections,
            so they are masked off here and reported separately below */
         switch(mbi.Protect & ~(PAGE_GUARD | PAGE_NOCACHE)) {
         case PAGE_READONLY:
            printf("READONLY");
            break;
         case PAGE_READWRITE:
            printf("READWRITE");
            break;
         case PAGE_WRITECOPY:
            printf("WRITECOPY");
            break;
         case PAGE_EXECUTE:
            printf("EXECUTE");
            break;
         case PAGE_EXECUTE_READ:
            printf("EXECUTE_READ");
            break;
         case PAGE_EXECUTE_READWRITE:
            printf("EXECUTE_READWRITE");
            break;
         case PAGE_EXECUTE_WRITECOPY:
            printf("EXECUTE_WRITECOPY");
            break;
         case PAGE_NOACCESS:
            printf("NOACCESS");
            break;
         }
         if(mbi.Protect & PAGE_GUARD)
            printf(" GUARD");
         if(mbi.Protect & PAGE_NOCACHE)
            printf(" NOCACHE");
         printf("\n");
         /* stop at the first region that is not committed; everything before it is mapped */
         if(mbi.State != MEM_COMMIT)
            break;
         endaddress = (char*)mbi.BaseAddress + mbi.RegionSize;
      }
      CloseHandle(h);

      printf("Suggest to search from %08x to %08x\n", 0x401000, (unsigned)endaddress - 1);
      return 0;
   }


edit: display inclusive ranges (-1)

Skywing

You could further refine on Adron's method by only scanning areas with the SEC_IMAGE flag, or areas with an access that allows EXECUTE.

Adron

Quote from: Skywing on June 10, 2003, 01:34 PM
You could further refine on Adron's method by only scanning areas with the SEC_IMAGE flag, or areas with an access that allows EXECUTE.

That's possible. Does the import table always have to have execute access though? Seems to me like read would be enough.

Banana fanna fo fanna


EvilCheese

Quote
Loop returns 0x401000

Could you post the exact code you're using for your loop?

Arta

What exactly are you trying to do? Hook an imported function by changing its address in the IAT? If so you'll find it *much* easier to look it up properly by parsing the exe's PE header. I can post some code if you'd like.
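Arta's suggestion above, parsing the PE header instead of scanning memory for the pointer value, as an added example that is not from the thread or from any of its posters: a Python walk of a PE32 import directory for an image laid out as loaded (RVA equals offset, which is how the 0x400000-based image the scan looks at appears in memory) that returns the IAT slot of each import, plus the read-only check a defender would run over the same table, flagging slots that no longer point into the module that exports them. The sample image, the module range and the addresses in the test are constructed; the function names are the example's own.

```python
import struct
def find_iat_slots(image):
    """Map (dll, func) -> IAT slot RVA in a PE32 image laid out as loaded (RVA == offset)."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20                           # IMAGE_OPTIONAL_HEADER32 follows IMAGE_FILE_HEADER
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("expected a PE32 image")
    desc, = struct.unpack_from("<I", image, opt + 96 + 8 * 1)  # DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
    slots = {}
    while desc:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc)  # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0 and ft == 0:                 # all-zero descriptor ends the list
            break
        dll = image[name_rva:image.index(b"\0", name_rva)].decode("ascii").lower()
        names, i = oft or ft, 0                       # INT if present, else the unbound IAT holds the names
        while True:
            thunk, = struct.unpack_from("<I", image, names + 4 * i)
            if thunk == 0:
                break
            if thunk & 0x80000000:                    # import by ordinal
                func = "#%d" % (thunk & 0xFFFF)
            else:                                     # IMAGE_IMPORT_BY_NAME: WORD hint, then the name
                func = image[thunk + 2:image.index(b"\0", thunk + 2)].decode("ascii")
            slots[(dll, func)] = ft + 4 * i           # the slot the loader fills (and a hook would overwrite)
            i += 1
        desc += 20
    return slots
def hooked_slots(image, modules):
    """Read-only check: IAT slots whose value lies outside the (base, size) of the module that exports them."""
    bad = []
    for (dll, func), rva in find_iat_slots(image).items():
        value, = struct.unpack_from("<I", image, rva)
        base, size = modules.get(dll, (0, 0))
        if not base <= value < base + size:
            bad.append((dll, func, rva, value))
    return bad
def build_sample_image(iat_value):
    """Constructed sample (not a real binary): minimal headers plus one import, user32!MessageBoxA."""
    img = bytearray(0x400)
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x10B)                # optional header magic (PE32)
    struct.pack_into("<II", img, 0x80 + 24 + 96 + 8, 0x200, 40)  # import data directory (rva, size)
    struct.pack_into("<IIIII", img, 0x200, 0x300, 0, 0, 0x310, 0x320)  # one descriptor; the next is all zero
    img[0x310:0x31B] = b"USER32.dll\0"
    struct.pack_into("<I", img, 0x300, 0x330)                    # INT entry -> hint/name
    struct.pack_into("<I", img, 0x320, iat_value)                # IAT slot as the loader filled it
    img[0x330:0x33E] = b"\0\0MessageBoxA\0"
    return bytes(img)
```

Against a live process the same walk runs over the bytes read from the image base, and the module ranges come from the loaded-module list; a slot pointing into an unexpected module is the footprint the loop in this thread would leave.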
