fjocke
asked on
Application API/asm hook
Okay, my little question goes like this: how do I inject text at the asm mark "0x0050105C"?
In this case 0x0050105C contains a version number, so what I want is DLL code that replaces that value with 0x0290.
I have the C++ source for this, but I thought sharing a Delphi solution would be cool too.
The code for that goes like:
#include "Extend.h"
//global vars
// Format descriptor for the "UserInfo" packet. Nothing in this listing reads it
// (HookUserInfoPacket below is an empty stub), so the meaning of the letter codes
// cannot be confirmed from this file. NOTE(review): the spaces inside the literal
// look like line-wrap artifacts of the page rather than part of the source string —
// verify against the original file before relying on the exact contents.
const char * UserInfoPacketFormat = "cdddddSdddddddddddddddddd dddddddddd dddddddddd dddddddddd dddddddddd dddddddddd dddffffddd dSdddddccc ddhbcdcddd dddddhhdhd dddcdddddd ";
#ifdef __DEBUG__
//global fstream
// Debug-only log stream, opened with truncation when the DLL's static initializers
// run (i.e. at load time). The path is relative, so the file is created in the host
// process's current working directory, wherever that happens to be.
// Unqualified ofstream/ios imply a using-directive in Extend.h — not visible here.
// NOTE(review): DllMain also writes to `file` in its error branches outside any
// #ifdef __DEBUG__, so a build without __DEBUG__ fails on an undeclared `file`.
ofstream file("4extend.log", ios::trunc);
#endif
//DLLMain
// DLL entry point. On DLL_PROCESS_ATTACH it overwrites three hard-coded absolute
// addresses in the process that loaded this DLL ("applicationserv" in the log
// strings): a protocol-revision WORD, a window-name pointer, and the address of
// HookReceivePacket. The addresses are constants, so they are only meaningful for
// the exact host build the author examined.
// Returns TRUE unconditionally, so a failed patch still reports a successful load.
// NOTE(review): several identifiers in this listing contain stray spaces
// (PROCESS_ALL_AC CESS, dwHand le, NewServerProtocolRe vision, ...). They look like
// line-wrap artifacts of the page rather than source text and are left as shown.
// NOTE(review): MessageBoxA and iostream writes from inside DllMain execute under the
// loader lock, which the DllMain documentation advises against.
DllExport BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
//msg box captions and messages
const char * MsgBoxCaption = "Extender",
* ErrMsgOpenProcess = "OpenProcess() failed.",
// ErrMsgReadProcessMemory / ErrMsgVirtualProtect are only referenced from the
// commented-out blocks further down.
* ErrMsgReadProcessMemory = "ReadProcessMemory() failed.",
* ErrMsgWriteProcessMemory = "WriteProcessMemory() failed.",
* ErrMsgVirtualProtect = "VirtualProtect() failed.";
//Server Protocol Revision
// 16-bit value written at 0x0050105C+1 (0x0290 == 656 decimal).
const WORD NewServerProtocolRevision = 0x0290; //656
//Server Window Name (Default: Release-1(fastest), [ServerStatus])
// Only the pointer value is written below (&NewServerWindowName, pointer-sized), not
// the characters; the wide string itself stays inside this DLL's image, so the patch
// is only valid while this DLL remains loaded.
const WCHAR * NewServerWindowName = L"Extender 2.1 [me@me.com]";
//our DLL state switch
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
{
//temp var for ReadProcessMemory()
// Receives the byte count of each WriteProcessMemory call (lpNumberOfBytesWritten).
SIZE_T temp = 0;
//LPVOID buffer[8];
//temp var for VirtualProtect
// Unused: its only reader is the commented-out VirtualProtect block below.
DWORD oldProtect = NULL;
//Get the current (applicationserv) Process ID
DWORD dwProcessID = GetCurrentProcessId();
// Second handle to the DLL's own host process, requested with all-access rights.
// NOTE(review): the handle is never closed — there is no CloseHandle in this block.
// From a monitoring standpoint, a module calling OpenProcess on its own PID and then
// WriteProcessMemory into image pages is exactly the pattern process-memory
// telemetry is built to surface.
HANDLE dwHandle = OpenProcess(PROCESS_ALL_AC CESS, false, dwProcessID);
//Checks if our Current Process (applicationserv) Handle is valid
if (!dwHandle)
{
// NOTE(review): `MB_OK || MB_ICONSTOP` is a logical OR that evaluates to 1
// (MB_OKCANCEL), not the bitwise `MB_OK | MB_ICONSTOP`; the same applies to every
// MessageBoxA call below.
// NOTE(review): `file` only exists under #ifdef __DEBUG__, but this write (and the
// ones in the error branches below) is unconditional, so a non-debug build does not
// compile.
// There is no early return here: on failure execution falls through and each
// WriteProcessMemory below is called with a NULL handle.
MessageBoxA(NULL, ErrMsgOpenProcess, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "OpenProcess failed. Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
file << "Got Process Handle " << dwHandle << ".\r\n";
#endif
}
//New Server Protocol Revision
// Writes sizeof(WORD) bytes of NewServerProtocolRevision one byte past the address
// named in the question; the log strings use that +1 address (0050105D).
if( !WriteProcessMemory(dwHand le, (LPVOID)(0x0050105C+1), &NewServerProtocolRevision , sizeof(NewServerProtocolRe vision), &temp) )
{
MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "WriteProcessMemory on applicationserv.0050105D failed. Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
// Streams the WORD in the stream's current base (decimal unless `hex` was set earlier).
file << "Wrote applicationserv.0050105D with new Server Protocol Revision [" << NewServerProtocolRevision << "].\r\n";
#endif
}
//New Server Window Name
// Writes the pointer value of NewServerWindowName (sizeof of the pointer) at
// 0x004907A9+1. Whether the host reads that slot as a WCHAR* is not verifiable here.
if( !WriteProcessMemory(dwHand le, (LPVOID)(0x004907A9+1), &NewServerWindowName, sizeof(NewServerWindowName ), &temp) )
{
MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "WriteProcessMemory on applicationserv.004907AA failed. Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
file << "Wrote applicationserv.004907AA with new Server Window Name.\r\n";
#endif
}
// Disabled read-back; RecvPacketAddr and buffer are not declared anywhere in this
// listing.
//if( !ReadProcessMemory(dwHandl e, (PVOID)&RecvPacketAddr, buffer, sizeof(DWORD), &temp) )
// MessageBoxA(NULL, ErrMsgReadProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
//else
//{
//
//}
//VirtualProtect for Receive Packet Function Hook
// Disabled: the live code relies on WriteProcessMemory alone.
/*if( !VirtualProtect((LPVOID)(0 x19930520) , 32, PAGE_EXECUTE_READWRITE, &oldProtect) )
{
MessageBoxA(NULL, ErrMsgVirtualProtect, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "VirtualProtect on applicationserv.19930520 failed. Old Protect: "
<< hex << oldProtect << " Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
file << "Set protection on applicationserv.19930520 from " << hex << oldProtect << " to " << PAGE_EXECUTE_READWRITE << ".\r\n";
#endif
}*/
//Receive Packet Function Hook
// Writes the absolute address of HookReceivePacket (sizeof of a function pointer)
// at 0x0050F8F4+1; the hook itself is defined below.
if( !WriteProcessMemory(dwHand le, (LPVOID)(0x0050F8F4+1), &HookReceivePacket, sizeof(&HookReceivePacket) , &temp) )
{
MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "WriteProcessMemory on applicationserv.0050F8F5 failed. Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
// NOTE(review): a function pointer has no ostream overload; it converts to bool, so
// this logs `1` rather than the address. `hex` is sticky for later writes too.
file << "Wrote applicationserv.0050F8F5 with ReceivePacket Hook (" << temp
<< " bytes). New call address: " << hex << HookReceivePacket << ".\r\n";
#endif
}
//UserInfo Packet Function Hook
// Empty placeholder; HookUserInfoPacket is never installed in this listing.
/*
*/
break;
}
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
// Nothing is restored on unload: the patched bytes keep pointing at this DLL's
// (then unmapped) HookReceivePacket and NewServerWindowName.
break;
}
return TRUE;
}
// Trampoline whose address DllMain writes at 0x0050F8F4+1. It runs three MSVC 32-bit
// __asm blocks in order, with __DEBUG__-only logging in between. The stack effect of
// each block is commented inline; their sum, together with the compiler-generated
// prologue/epilogue, decides where execution continues after the closing brace —
// NOTE(review): that balance cannot be verified from this listing.
// NOTE(review): the `\ r\n` in two log strings below looks like a line-wrap artifact
// of the page (expected `\r\n`); left as shown.
void HookReceivePacket()
{
#ifdef __DEBUG__
file << "Entered HookReceivePacket: now calling applicationserv.005509E2.\ r\n";
#endif
__asm
{
// Indirect call to a fixed address in the host image (logged as
// applicationserv.005509E2). What it leaves in eax/edi is not shown here; the
// author's own comments below only say "var something".
mov eax, 0x005509E2
//mov eax,500FF0h //call our applicationserv function
call eax
}
#ifdef __DEBUG__
file << ">>>>>> HookReceivePacket: now calling ReceivePacket.\r\n";
#endif
__asm
{
// Pushes edi then eax, so if ReceivePacket is cdecl (the default for its
// unqualified declaration) it is called as ReceivePacket(header = eax, packet = edi).
// Stack effect: +8 bytes; a cdecl callee leaves both arguments in place.
push edi //var something
push eax //var something else
call ReceivePacket //call our own packet handler
}
#ifdef __DEBUG__
file << ">>>>>> HookReceivePacket: ReceivePacket has returned. Now finishing and calling applicationserv.0050F8FC.\ r\n";
#endif
__asm
{
// If cdecl, [esp] is still the value pushed from eax (the `header` argument).
mov eax, [esp]
// Clamp: if the byte at [eax] is above 0xA8 (168), set it to 0xA8 and write WORD 1
// two bytes before it; otherwise leave both untouched.
cmp byte ptr [eax], 0A8h
jbe short ESP_OK
mov byte ptr [eax], 0A8h
mov word ptr [eax-2], 1
ESP_OK:
// Discards 0Ch = 12 bytes: the two pushed arguments plus one more dword.
add esp, 0Ch
// Pushes the continuation address but the retn that would consume it is commented
// out, so control leaves via the compiler-generated epilogue instead.
push 0x0050F8FC
//retn
}
#ifdef __DEBUG__
file << "Exited HookReceivePacket. \r\n";
#endif
}
// Called from HookReceivePacket's second __asm block with the two register values it
// pushes. Currently a stub: nothing is parsed. Under __DEBUG__ it logs the addresses
// of its own parameter slots (&header / &packet), not the buffers they point to.
void ReceivePacket(BYTE * header, BYTE * packet)
{
#ifdef __DEBUG__
    file << "Entered ReceivePacket. Header: ";
    file << &header;
    file << " Packet: ";
    file << &packet;
    file << "\r\n";
#endif
}
// Placeholder for a "CharInfo" packet hook. No body yet, and nothing in this listing
// installs or calls it.
void HookCharInfoPacket() {}
// Placeholder for a "UserInfo" packet hook (DllMain's matching section is an empty
// comment). No body yet, and nothing in this listing installs or calls it.
void HookUserInfoPacket() {}
Would appreciate any help on this matter.
In this case 0x0050105C contains a version number, so what I want is DLL code that replaces that value with 0x0290.
I have the C++ source for this, but I thought sharing a Delphi solution would be cool too.
The code for that goes like:
#include "Extend.h"
//global vars
const char * UserInfoPacketFormat = "cdddddSdddddddddddddddddd
#ifdef __DEBUG__
//global fstream
ofstream file("4extend.log", ios::trunc);
#endif
//DLLMain
DllExport BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
//msg box captions and messages
const char * MsgBoxCaption = "Extender",
* ErrMsgOpenProcess = "OpenProcess() failed.",
* ErrMsgReadProcessMemory = "ReadProcessMemory() failed.",
* ErrMsgWriteProcessMemory = "WriteProcessMemory() failed.",
* ErrMsgVirtualProtect = "VirtualProtect() failed.";
//Server Protocol Revision
const WORD NewServerProtocolRevision = 0x0290; //656
//Server Window Name (Default: Release-1(fastest), [ServerStatus])
const WCHAR * NewServerWindowName = L"Extender 2.1 [me@me.com]";
//our DLL state switch
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
{
//temp var for ReadProcessMemory()
SIZE_T temp = 0;
//LPVOID buffer[8];
//temp var for VirtualProtect
DWORD oldProtect = NULL;
//Get the current (applicationserv) Process ID
DWORD dwProcessID = GetCurrentProcessId();
HANDLE dwHandle = OpenProcess(PROCESS_ALL_AC
//Checks if our Current Process (applicationserv) Handle is valid
if (!dwHandle)
{
MessageBoxA(NULL, ErrMsgOpenProcess, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "OpenProcess failed. Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
file << "Got Process Handle " << dwHandle << ".\r\n";
#endif
}
//New Server Protocol Revision
if( !WriteProcessMemory(dwHand
{
MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "WriteProcessMemory on applicationserv.0050105D failed. Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
file << "Wrote applicationserv.0050105D with new Server Protocol Revision [" << NewServerProtocolRevision << "].\r\n";
#endif
}
//New Server Window Name
if( !WriteProcessMemory(dwHand
{
MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "WriteProcessMemory on applicationserv.004907AA failed. Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
file << "Wrote applicationserv.004907AA with new Server Window Name.\r\n";
#endif
}
//if( !ReadProcessMemory(dwHandl
// MessageBoxA(NULL, ErrMsgReadProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
//else
//{
//
//}
//VirtualProtect for Receive Packet Function Hook
/*if( !VirtualProtect((LPVOID)(0
{
MessageBoxA(NULL, ErrMsgVirtualProtect, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "VirtualProtect on applicationserv.19930520 failed. Old Protect: "
<< hex << oldProtect << " Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
file << "Set protection on applicationserv.19930520 from " << hex << oldProtect << " to " << PAGE_EXECUTE_READWRITE << ".\r\n";
#endif
}*/
//Receive Packet Function Hook
if( !WriteProcessMemory(dwHand
{
MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
file << "WriteProcessMemory on applicationserv.0050F8F5 failed. Error Code: " << GetLastError() << "\r\n";
}
else
{
#ifdef __DEBUG__
file << "Wrote applicationserv.0050F8F5 with ReceivePacket Hook (" << temp
<< " bytes). New call address: " << hex << HookReceivePacket << ".\r\n";
#endif
}
//UserInfo Packet Function Hook
/*
*/
break;
}
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
void HookReceivePacket()
{
#ifdef __DEBUG__
file << "Entered HookReceivePacket: now calling applicationserv.005509E2.\
#endif
__asm
{
mov eax, 0x005509E2
//mov eax,500FF0h //call our applicationserv function
call eax
}
#ifdef __DEBUG__
file << ">>>>>> HookReceivePacket: now calling ReceivePacket.\r\n";
#endif
__asm
{
push edi //var something
push eax //var something else
call ReceivePacket //call our own packet handler
}
#ifdef __DEBUG__
file << ">>>>>> HookReceivePacket: ReceivePacket has returned. Now finishing and calling applicationserv.0050F8FC.\
#endif
__asm
{
mov eax, [esp]
cmp byte ptr [eax], 0A8h
jbe short ESP_OK
mov byte ptr [eax], 0A8h
mov word ptr [eax-2], 1
ESP_OK:
add esp, 0Ch
push 0x0050F8FC
//retn
}
#ifdef __DEBUG__
file << "Exited HookReceivePacket. \r\n";
#endif
}
void ReceivePacket(BYTE * header, BYTE * packet)
{
#ifdef __DEBUG__
file << "Entered ReceivePacket. Header: " << &header << " Packet: " << &packet << "\r\n";
#endif
}
void HookCharInfoPacket()
{
}
void HookUserInfoPacket()
{
}
Would appreciate any help on this matter.