
Application API/asm hook

Posted on 2006-06-17
Last Modified: 2013-11-23
Okay, my question goes like this: how do I write a value at the asm address "0x0050105C"?
In this case 0x0050105C contains a version number, so what I want is DLL code that replaces that value with 0x0290.
I have the C++ source for this, but I thought sharing a Delphi solution would be nice too.

The code for that goes like this:

#include "Extend.h"

//global vars
// Format descriptor for the UserInfo packet.  It is not referenced anywhere in
// this listing, and the meaning of the individual letters is not defined here.
const char * UserInfoPacketFormat = "cdddddSdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddffffddddSdddddcccddhbcdcddddddddhhdhddddcdddddd";

#ifdef __DEBUG__
      //global fstream
      // Debug log, truncated every time the DLL is loaded.
      // NOTE(review): `file` only exists in __DEBUG__ builds, but DllMain writes
      // to it outside of #ifdef __DEBUG__ on its failure paths, so a build
      // without __DEBUG__ does not compile as written.
      ofstream file("4extend.log", ios::trunc);
#endif

//DLLMain
//DLLMain
// DLL entry point.  On DLL_PROCESS_ATTACH it opens a handle to the process it
// was loaded into and overwrites three hard-coded addresses in that process
// with WriteProcessMemory; every other reason just returns TRUE.
// Returns TRUE on every path, even when OpenProcess or a write fails.
// NOTE(review): MessageBoxA, ofstream output and WriteProcessMemory are all
// called from inside DllMain, which runs under the loader lock.  The Windows
// DllMain documentation advises against doing this kind of work here.
DllExport BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
      //msg box captions and messages
      // ErrMsgReadProcessMemory and ErrMsgVirtualProtect are only referenced
      // from the commented-out code further down.
      const char * MsgBoxCaption = "Extender",
             * ErrMsgOpenProcess = "OpenProcess() failed.",
             * ErrMsgReadProcessMemory = "ReadProcessMemory() failed.",
             * ErrMsgWriteProcessMemory = "WriteProcessMemory() failed.",
             * ErrMsgVirtualProtect = "VirtualProtect() failed.";

      //Server Protocol Revision
      // 2-byte value written into the host process below.
      const WORD NewServerProtocolRevision = 0x0290; //656
      //Server Window Name (Default: Release-1(fastest), [ServerStatus])
      // Pointer to a wide string literal that lives in this DLL's own image.
      const WCHAR * NewServerWindowName = L"Extender 2.1 [me@me.com]";

      //our DLL state switch
      switch( fdwReason )
      {
            case DLL_PROCESS_ATTACH:
            {
                  //temp var for ReadProcessMemory()
                  // Receives the byte count reported by each WriteProcessMemory call.
                  SIZE_T temp = 0;
                  //LPVOID buffer[8];
                  //temp var for VirtualProtect
                  // Only used by the commented-out VirtualProtect block, so it is
                  // effectively unused here (and NULL is assigned to a DWORD).
                  DWORD oldProtect = NULL;
                  
                  //Get the current (applicationserv) Process ID
                  // The handle is to our own process.  Nothing in this listing ever
                  // calls CloseHandle on it.
                  DWORD dwProcessID = GetCurrentProcessId();
                  HANDLE dwHandle = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessID);
                  
                  //Checks if our Current Process (applicationserv) Handle is valid
                  // NOTE(review): there is no early return here.  When OpenProcess
                  // fails, execution falls through and the WriteProcessMemory calls
                  // below are made with a NULL handle.
                  if (!dwHandle)
                  {
                        // `MB_OK || MB_ICONSTOP` is a logical OR and evaluates to the
                        // integer 1, not the bitwise flag combination `MB_OK | MB_ICONSTOP`.
                        // The same expression is repeated on every MessageBoxA call below.
                        // `file` is used here outside #ifdef __DEBUG__, but it is only
                        // declared inside one, so non-debug builds fail to compile.
                        MessageBoxA(NULL, ErrMsgOpenProcess, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "OpenProcess failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Got Process Handle " << dwHandle << ".\r\n";
                        #endif
                  }


                  //New Server Protocol Revision
                  // Writes sizeof(WORD) bytes at a hard-coded address.  The address is
                  // specific to one particular build of the host binary; nothing here
                  // verifies that the host is that build before writing.
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x0050105C+1), &NewServerProtocolRevision, sizeof(NewServerProtocolRevision), &temp) )
                  {
                        // `file` used outside #ifdef __DEBUG__ (see above).
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.0050105D failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050105D with new Server Protocol Revision [" << NewServerProtocolRevision << "].\r\n";
                        #endif
                  }

                  //New Server Window Name
                  // NOTE(review): &NewServerWindowName / sizeof(NewServerWindowName) are
                  // the address and size of the local pointer variable, so this writes
                  // the pointer value (an address inside this DLL's image), not the
                  // string's characters.  That string literal therefore has to stay
                  // mapped for as long as the host uses it.
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x004907A9+1), &NewServerWindowName, sizeof(NewServerWindowName), &temp) )
                  {
                        // `file` used outside #ifdef __DEBUG__ (see above).
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.004907AA failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.004907AA with new Server Window Name.\r\n";
                        #endif
                  }
                  
                  
                  
                  //if( !ReadProcessMemory(dwHandle, (PVOID)&RecvPacketAddr, buffer, sizeof(DWORD), &temp) )
                  //      MessageBoxA(NULL, ErrMsgReadProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                  //else
                  //{
                  //      
                  //}

                  //VirtualProtect for Receive Packet Function Hook
                  /*if( !VirtualProtect((LPVOID)(0x19930520), 32, PAGE_EXECUTE_READWRITE, &oldProtect) )
                  {
                        MessageBoxA(NULL, ErrMsgVirtualProtect, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "VirtualProtect on applicationserv.19930520 failed.  Old Protect: " 
                              << hex << oldProtect << " Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Set protection on applicationserv.19930520 from " << hex << oldProtect << " to " << PAGE_EXECUTE_READWRITE << ".\r\n";
                        #endif
                  }*/

                  //Receive Packet Function Hook
                  // Writes the address of HookReceivePacket; sizeof(&HookReceivePacket)
                  // is the size of a function pointer.  HookReceivePacket is defined
                  // later in this file, so it must be declared in Extend.h for this
                  // to compile.
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x0050F8F4+1), &HookReceivePacket, sizeof(&HookReceivePacket), &temp) )
                  {
                        // `file` used outside #ifdef __DEBUG__ (see above).
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.0050F8F5 failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050F8F5 with ReceivePacket Hook (" << temp
                                     << " bytes).  New call address: " << hex << HookReceivePacket << ".\r\n";
                        #endif
                  }

                  //UserInfo Packet Function Hook
                  // Planned but not implemented (see the empty HookUserInfoPacket below).
                  /*

                  */

                  break;
            }
            case DLL_THREAD_ATTACH:
                  break;      
            case DLL_THREAD_DETACH:
                  break;
            case DLL_PROCESS_DETACH:
                  // Nothing is undone here: the process handle is not closed and the
                  // patched bytes are left in place.
                  break;  
      }  
      return TRUE;
}

// Replacement routine whose address DllMain writes into the host process.
// It is built from three MSVC __asm blocks with C++ logging statements in
// between them.
// NOTE(review): this is an ordinary (non-naked) function, so the compiler
// emits its own prologue/epilogue around the asm blocks; the [esp]-relative
// arithmetic in the third block therefore depends on that generated frame.
// In __DEBUG__ builds the ofstream calls between the blocks are ordinary C++
// code and may clobber eax before the second block pushes it -- confirm
// against the generated assembly.
void HookReceivePacket()
{
      #ifdef __DEBUG__
            file << "Entered HookReceivePacket: now calling applicationserv.005509E2.\r\n";
      #endif
      __asm
      {
            // Call a hard-coded address in the host (build-specific).  Its return
            // value is left in eax for the next block.
            mov            eax, 0x005509E2
            //mov            eax,500FF0h            //call our applicationserv function
            call      eax
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: now calling ReceivePacket.\r\n";
      #endif
      __asm
      {
            // Pass edi and eax as the two arguments of ReceivePacket.  The pushes
            // are not popped here; the add esp below accounts for them.
            // ReceivePacket is defined after this function, so it has to be
            // declared in Extend.h.
            push    edi      //var something
        push    eax      //var something else
            call    ReceivePacket      //call our own packet handler
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: ReceivePacket has returned.  Now finishing and calling applicationserv.0050F8FC.\r\n";
      #endif
      __asm
      {
            // [esp] is the eax value pushed above.  The byte it points to is
            // clamped to 0A8h, and when it was above that the word two bytes
            // before it is set to 1.  What these fields mean is not shown here.
            mov     eax, [esp]
            cmp     byte ptr [eax], 0A8h
            jbe     short ESP_OK
            mov     byte ptr [eax], 0A8h
            mov     word ptr [eax-2], 1
      ESP_OK:
            // Pops the two pushed arguments plus one more dword, then pushes a
            // hard-coded host address into that slot.  With `retn` commented
            // out, the compiler's own epilogue runs next; presumably the
            // overwritten slot is this function's return address so that the
            // generated ret lands on 0x0050F8FC -- depends on the frame layout,
            // TODO confirm.
            add     esp, 0Ch
            push    0x0050F8FC
            //retn
      }
      #ifdef __DEBUG__
            file << "Exited HookReceivePacket. \r\n";
      #endif
}

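// Called from the second __asm block of HookReceivePacket with the values of
// edi and eax pushed as its two arguments.  In this listing it only logs; it
// does not inspect or modify either buffer.
// header, packet: raw pointers handed over by the hook; their layout is not
//                 shown anywhere in this file.
// NOTE(review): HookReceivePacket references ReceivePacket before this
// definition, so it must be declared in Extend.h.
void ReceivePacket(BYTE * header, BYTE * packet)
{
      #ifdef __DEBUG__
            // Log the pointer values themselves rather than the addresses of the
            // parameter slots (&header / &packet), which are the same on every
            // call.  The cast to const void * keeps operator<< from treating a
            // BYTE * as a NUL-terminated string and reading through the buffer.
            file << "Entered ReceivePacket.  Header: " << static_cast<const void *>(header)
                 << " Packet: " << static_cast<const void *>(packet) << "\r\n";
      #endif
}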

// Empty stub.  Nothing in this listing installs or calls it.
void HookCharInfoPacket()
{
      
}

// Empty stub for the "UserInfo Packet Function Hook" that DllMain leaves as a
// blank comment block.  Nothing in this listing installs or calls it.
void HookUserInfoPacket()
{
      
}


Would appreciate all help on this matter.
Question by:fjocke
by:
2266180 earned 500 total points
ID: 16929113
Hm... you are not going to use this for illicit things, are you?

In any case, you can look at madshi's hook components; there are some examples there on how to inject code.

You could also use the plain Win32 API to write to a process's memory.