Injecting a DLL via SetWindowsHookEx

[NicoQwertyu]

Based on a cursory look, your hook just won't work at all the way you wrote it.  For one thing, you jump to an instruction which pushes esi, but you didn't set up esi first.  Therefore, the wrong window handle will be passed to SetWindowTextA.  The original function sets esi using GetDlgItem, but your jump bypasses that.  From the look of that function, you ought to be able to call the function from the beginning.

But if I called the function from the beginning, I wouldn't be able to change what text it puts in the textbox, which was the goal I was trying to reach. 

[Kp]

But if I called the function from the beginning, I wouldn't be able to change what text it puts in the textbox, which was the goal I was trying to reach. 

Why not?  If you look at that function, the text to place in the window is passed as an argument already.  Just put a pointer to it on the stack and call the code from the beginning.

[NicoQwertyu]

If you look at that function, the text to place in the window is passed as an argument already.

Perhaps understanding what "dword ptr ss:[esp+10]" is will help..

*Google*

[Edit]

Random Google Result:

Lets take a look at our program entry point. It is defined as:

WinMain( hInstance, hPrevInstance, lpszCmdLine, nCmdShow);

Thus our program is just treated as an ordinary function with the following dword values on the stack:

[esp+16]: nCmdShow    ;value determining if the program window should be displayed normal, fullscreen or minimized
[esp+12]: lpszCmdLine ;address of the command line
[esp+8]:  0           ;always 0 in Win32
[esp+4]:  hInstance   ;instance handle of the current process
[esp+0]:  stacked EIP ;return address

So I guess dword ptr ss:[esp+10] is the argument being passed that you're talking about.  But why +10?  How is it esp+10?? 

[iago]

You need to learn how to pass argument on the stack.  It's a very important concept.  Basically, to call:
void func(int a, int b, int c);
with the arguments:
func(1, 2, 3)

it does:
push 3
push 2
push 1
call func
(by convention)

When you're in the function
[esp] = return address
[esp+4] = 1
[esp+8] = 2
esp+c] = 3

Of course, this also depends on optimizations and stuff.  If optimizations are off, esp is usually changed and ebp is what is used to access the parameters.  I'd recommend you read up on how the stack and frame pointers work.

[NicoQwertyu]

How do they get to esp+10, though?  Doesn't it go by 4's?

[MyndFyre]

How do they get to esp+10, though?  Doesn't it go by 4's?

esp+10 -- are you in hex?  That's 16 decimal.

If it's +10 and you're NOT in hex, that means that you've got a short integer being passed by value somewhere. 

[Skywing]

More likely it would mean the program is broken because every calling convention I know of keeps the stack aligned.

[K]

More likely it would mean the program is broken because every calling convention I know of keeps the stack aligned.

The compiler we use to write programs for the MC68000 has a -Zp2 option which passes shorts (and chars/bytes) as 2 bytes.

[Skywing]

More likely it would mean the program is broken because every calling convention I know of keeps the stack aligned.

The compiler we use to write programs for the MC68000 has a -Zp2 option which passes shorts (and chars/bytes) as 2 bytes.

To clarify: Every compiler-supported calling convention used by x86-Win32 that I know of.

[Adron]

How do they get to esp+10, though?  Doesn't it go by 4's?

Like others have said, it's hex. And note that you need to take into account the pushes in the function:

01004166   PUSH ESI ; here return address is [esp] and arg is [esp+4]
01004167   PUSH EDI ; here return address is [esp+4] and arg is [esp+8]
01004168   PUSH 193 ; here return address is [esp+8] and arg is [esp+c]
0100416D   PUSH DWORD PTR SS:[ESP+10] ; here return address is [esp+c] and arg is [esp+10]