Injecting a DLL via SetWindowsHookEx

Started by NicoQwertyu, November 15, 2004, 06:28 PM


NicoQwertyu

Quote from: Kp on November 17, 2004, 05:25 PM
Based on a cursory look, your hook just won't work at all the way you wrote it.  For one thing, you jump to an instruction which pushes esi, but you didn't set up esi first.  Therefore, the wrong window handle will be passed to SetWindowTextA.  The original function sets esi using GetDlgItem, but your jump bypasses that.  From the look of that function, you ought to be able to call the function from the beginning.

But if I called the function from the beginning, I wouldn't be able to change what text it puts in the textbox, which was the goal I was trying to reach.  :-\

Kp

Quote from: NicoQwertyu on November 17, 2004, 10:28 PM
But if I called the function from the beginning, I wouldn't be able to change what text it puts in the textbox, which was the goal I was trying to reach.  :-\

Why not?  If you look at that function, the text to place in the window is passed as an argument already.  Just put a pointer to it on the stack and call the code from the beginning.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

NicoQwertyu

Quote
If you look at that function, the text to place in the window is passed as an argument already.

Perhaps understanding what "dword ptr ss:[esp+10]" is will help..

*Google*

[Edit]

Random Google Result:
Quote
Lets take a look at our program entry point. It is defined as:

WinMain( hInstance, hPrevInstance, lpszCmdLine, nCmdShow);

Thus our program is just treated as an ordinary function with the following dword values on the stack:

[esp+16]: nCmdShow    ;value determining if the program window should be displayed normal, fullscreen or minimized
[esp+12]: lpszCmdLine ;address of the command line
[esp+8]:  0           ;always 0 in Win32
[esp+4]:  hInstance   ;instance handle of the current process
[esp+0]:  stacked EIP ;return address


So I guess dword ptr ss:[esp+10] is the argument being passed that you're talking about.  But why +10?  How is it esp+10??  :-[

iago

You need to learn how to pass arguments on the stack.  It's a very important concept.  Basically, to call:
void func(int a, int b, int c);
with the arguments:
func(1, 2, 3)

it does:
push 3
push 2
push 1
call func
(by convention)

When you're in the function
[esp] = return address
[esp+4] = 1
[esp+8] = 2
[esp+c] = 3

Of course, this also depends on optimizations and stuff.  If optimizations are off, esp is usually changed and ebp is what is used to access the parameters.  I'd recommend you read up on how the stack and frame pointers work.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*



MyndFyre

Quote from: NicoQwertyu on November 18, 2004, 08:39 AM
How do they get to esp+10, though?  Doesn't it go by 4's?

esp+10 -- are you in hex?  That's 16 decimal.

If it's +10 and you're NOT in hex, that means that you've got a short integer being passed by value somewhere.  :)
Quote
Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Skywing

More likely it would mean the program is broken because every calling convention I know of keeps the stack aligned.

K

Quote from: Skywing on November 18, 2004, 12:59 PM
More likely it would mean the program is broken because every calling convention I know of keeps the stack aligned.

The compiler we use to write programs for the MC68000 has a -Zp2 option which passes shorts (and chars/bytes) as 2 bytes. ;)

Skywing

Quote from: K on November 19, 2004, 06:25 PM
Quote from: Skywing on November 18, 2004, 12:59 PM
More likely it would mean the program is broken because every calling convention I know of keeps the stack aligned.

The compiler we use to write programs for the MC68000 has a -Zp2 option which passes shorts (and chars/bytes) as 2 bytes. ;)

To clarify: Every compiler-supported calling convention used by x86-Win32 that I know of.

Adron

Quote from: NicoQwertyu on November 18, 2004, 08:39 AM
How do they get to esp+10, though?  Doesn't it go by 4's?

Like others have said, it's hex. And note that you need to take into account the pushes in the function:

01004166   PUSH ESI ; here return address is [esp] and arg is [esp+4]
01004167   PUSH EDI ; here return address is [esp+4] and arg is [esp+8]
01004168   PUSH 193 ; here return address is [esp+8] and arg is [esp+c]
0100416D   PUSH DWORD PTR SS:[ESP+10] ; here return address is [esp+c] and arg is [esp+10]
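An added example for this page (not code from the thread or from anyone quoted in it) that models the offset bookkeeping in both iago's func(1, 2, 3) walkthrough and Adron's trace above: a toy dword stack in C, with constructed return addresses and register values, showing why the argument ends up at [esp+10] once the callee has done three pushes of its own.

```c
#include <assert.h>
#include <stdint.h>

/* Toy model of the 32-bit x86 stack, constructed for this example: an array
 * of dwords indexed by "esp". A push decrements esp, so [esp+4] is the dword
 * pushed just before the one on top. */
#define STACK_DWORDS 64
static uint32_t stack[STACK_DWORDS];
static int esp = STACK_DWORDS;                     /* index of the top dword */

static void push(uint32_t value) { stack[--esp] = value; }      /* PUSH */
static void call(uint32_t ret)   { push(ret); }   /* CALL pushes the return address */
/* dword ptr ss:[esp+offset], offset in bytes as written in the disassembly */
static uint32_t read_esp(uint32_t offset) { return stack[esp + offset / 4]; }

/* Byte offset from esp of the n-th (1-based) dword argument after the callee
 * has pushed pushes_since_entry extra dwords; n = 1 lands just above the
 * return address sitting at [esp] on entry. */
static uint32_t arg_offset(int n, int pushes_since_entry)
{
    return 4 * (pushes_since_entry + n);
}

/* iago's example: func(1, 2, 3), arguments pushed right to left. */
static uint32_t iago_third_arg(void)
{
    esp = STACK_DWORDS;
    push(3); push(2); push(1);
    call(0xDEADBEEF);            /* constructed return address */
    /* inside func: [esp]=ret, [esp+4]=1, [esp+8]=2, [esp+c]=3 */
    return read_esp(arg_offset(3, 0));
}

/* Adron's trace: the callee pushes ESI, EDI and 193 before re-pushing its own
 * first argument with PUSH DWORD PTR SS:[ESP+10]. Register values are made up. */
static uint32_t adron_repushed_arg(uint32_t hwnd_arg)
{
    esp = STACK_DWORDS;
    push(hwnd_arg);              /* caller pushes the single argument */
    call(0x01004000);            /* constructed return address */
    push(0xAAAAAAAA);            /* PUSH ESI: arg now at [esp+8] */
    push(0xBBBBBBBB);            /* PUSH EDI: arg now at [esp+c] */
    push(0x193);                 /* PUSH 193: arg now at [esp+10] */
    assert(arg_offset(1, 3) == 0x10);
    push(read_esp(0x10));        /* PUSH DWORD PTR SS:[ESP+10] */
    return read_esp(0);          /* top of stack is the copied argument */
}
```

The same arithmetic applies to any further PUSH the callee does before reading its arguments: each one adds 4 to every [esp+N] offset.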
