Random call makes function fail

Asked by AlbertaBeef in Assembly Programming Language, Microsoft Windows Operating Systems, Microsoft Visual C++.Net

Tags: assembly, c, injection, random call

I am trying to inject a function into a remote process and have it switch out the message handlers for a window. Unfortunately, when I execute the remote thread to start the injected function the remote program crashes. Just-in-time debugging reveals that the problem stems from a call to a location that does not exist in the process.

After disassembling my program and looking at the code for my function, I notice two 'call' operations that I did not program into it. These 'call' operations are what is causing the function to fail, as it's trying to execute a location in memory that does not exist in the remote process. Also, the assembly seems to show that it's making room for 192 bytes of local variables, where I am not using any.

Can anyone offer up an explanation why these 'call' operations would be put into my function and how to remove them? Relevant C/Assembly and what (I think) it's doing below. Thanks in advance.
****C****
#include <windows.h>
typedef LONG (WINAPI* SETWINDOWLONG)(HWND, int, LONG);
typedef LRESULT (WINAPI* SENDMESSAGE)(HWND, UINT, WPARAM, LPARAM);
typedef LRESULT (WINAPI* CALLWINDOWPROC)(WNDPROC, HWND, UINT, WPARAM, LPARAM);
 
typedef struct _INJDATA{
	BOOL bRunning;
 
	HWND hwAssistant;
	HWND hwONscripter;
	
	SETWINDOWLONG fnSetWindowLong;
	SENDMESSAGE fnSendMessage;
	CALLWINDOWPROC fnCallWindowProc;
 
	WNDPROC OldWndProc;
	WNDPROC NewWndProc;
}INJDATA;
 
static DWORD WINAPI InjectThread(INJDATA* pData)
{
	pData->OldWndProc = (WNDPROC)pData->fnSetWindowLong(pData->hwONscripter, GWL_WNDPROC, (LONG)pData->NewWndProc);
 
	pData = (INJDATA*)0xA1B1C1D1; //This is an arbitrary value I used to locate the function in the assembly
 
	return 0;
}
 
 
 
****Assembly****
push ebp ;preserve ebp
mov ebp, esp ;move the current stack pointer to ebp
sub esp, 000000C0 ;Make enough room for 192 bytes of local variables
push ebx ;preserve ebx
push esi ;preserve esi
push edi ;preserve edi
 
lea edi, dword ptr [ebp+FFFFFF40] ;??
mov ecx, 00000030 ;??
mov eax, CCCCCCCC ;??
repz ;??
stosd ;??
mov esi, esp ;??
 
mov eax, dword ptr [ebp+08] ;move pData to eax
mov ecx, dword ptr [eax+1C] ;move pData->NewWndProc to ecx
push ecx ;push pData->NewWndProc onto stack
push FFFFFFFC ;push GWL_WNDPROC onto stack
mov edx, dword ptr [ebp+08] ;move pData to edx
mov eax, dword ptr [edx+08] ;move pdata->hwONscripter to eax
push eax ;push pData.hwONscripter onto stack
mov ecx, dword ptr [ebp+08] ;move pData to ecx
mov edx, dword ptr [ecx+0C] ;move pData->fnSetWindowLong to edx
call edx ;run pData->fnSetWindowLong
 
cmp esi, esp ;This should not be here
call 0041119F ;I did not program this
 
mov ecx, dword ptr [ebp+08] ;move pData to ecx
mov dword ptr [ecx+18], eax ;?? OldWndProc is at ecx+28
mov [ebp+08], A1B1C1D1 ;Set pData to arbitrary value in order to find function
 
xor eax, eax ;Clear data of eax
pop edi ;restore edi
pop esi ;restore esi
pop ebx ;restore ebx
add esp, 000000C0 ;free space allocated for local variables
 
cmp ebp, esp ;This should not be here
call 0041119F ;I did not program this
 
mov esp, ebp ;restore esp
pop ebp ;restore ebp
ret 0004 ;??
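To read the disassembly against the struct, here is an added example (not from the question or its answer) that walks the listing, tracks which register currently holds pData, and resolves every [reg+disp] operand to the INJDATA member at that offset in a 32-bit build, so `[ecx+18]` resolves to OldWndProc and the two calls to 0041119F are flagged as direct calls to an address that exists only in the injecting program. The member layout is assumed from the typedef in the question, and the listing is a shortened, constructed copy of the one above.

```python
import re

# 32-bit layout of the INJDATA struct from the question: every member (BOOL,
# HWND, function pointer, WNDPROC) is 4 bytes wide, so offsets are 4 * index.
FIELDS = ["bRunning", "hwAssistant", "hwONscripter", "fnSetWindowLong",
          "fnSendMessage", "fnCallWindowProc", "OldWndProc", "NewWndProc"]
OFFSETS = {4 * i: f for i, f in enumerate(FIELDS)}
ARG0 = 0x08  # after "push ebp; mov ebp, esp": [ebp+4] return address, [ebp+8] pData
MEM = re.compile(r"\[(e\w\w)\+([0-9A-Fa-f]+)\]")
DEST = re.compile(r"^(?:mov|lea|xor|pop)\s+(e\w\w)\b")  # register being written
CALL = re.compile(r"^call\s+(\w+)$")

# Constructed excerpt of the question's disassembly, asker's comments removed.
LISTING = """mov eax, dword ptr [ebp+08]
mov ecx, dword ptr [eax+1C]
mov edx, dword ptr [ebp+08]
mov eax, dword ptr [edx+08]
mov ecx, dword ptr [ebp+08]
mov edx, dword ptr [ecx+0C]
call edx
cmp esi, esp
call 0041119F
mov ecx, dword ptr [ebp+08]
mov dword ptr [ecx+18], eax""".splitlines()

def annotate(listing):
    """Return (instruction, note) pairs naming the INJDATA member or argument
    slot behind each [reg+disp] operand and what every call really targets."""
    holds, out = {}, []  # register -> "pData" or the member it was loaded from
    for raw in listing:
        insn, note, what = raw.strip(), "", None
        if (m := MEM.search(insn)):
            base, disp = m.group(1), int(m.group(2), 16)
            if base == "ebp" and disp == ARG0:
                what, note = "pData", "pData (first stdcall argument)"
            elif holds.get(base) == "pData" and disp in OFFSETS:
                what = OFFSETS[disp]
                note = f"pData->{what} (offset 0x{disp:02X})"
        if (d := DEST.match(insn)):
            holds[d.group(1)] = what  # now holds what it loaded, or unknown
        if (c := CALL.match(insn)) and holds.get(c.group(1)):
            note = f"indirect call through pData->{holds[c.group(1)]}"
        elif c:
            # A direct call encodes a fixed target in the injecting program, so copying
            # the function's bytes elsewhere does not carry the callee along; the
            # "cmp esi, esp" / "cmp ebp, esp" before each one is MSVC's Debug (/RTCs) check.
            note = f"direct call to {c.group(1)}: fixed address in the injector"
        if c:
            holds.update(eax=None, ecx=None, edx=None)  # caller-saved, clobbered
        out.append((insn, note))
    return out
```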
09/08/09 03:27 PM, ID: 25286704

Accepted Solution


About this solution

Zones: Assembly Programming Language, Microsoft Windows Operating Systems, Microsoft Visual C++.Net
Solution Provided By: ShayanOH
Participating Experts: 1
Solution Grade: B