Solved

Application API/asm hook

Posted on 2006-06-17
3
824 Views
Last Modified: 2013-11-23
Okey, My little question goes like this. How do i inject a text on the asm mark "0x0050105C"
In this case 0x0050105C contains a version number. So what i want is a dll code that replaces that value with 0x0290.
I got the c++ source for this, but i thought sharing a delphi solution would be cool too.

The code for that goes like:

#include "Extend.h"

//global vars
const char * UserInfoPacketFormat = "cdddddSdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddffffddddSdddddcccddhbcdcddddddddhhdhddddcdddddd";

#ifdef __DEBUG__
      //global fstream
      ofstream file("4extend.log", ios::trunc);
#endif

//DLLMain
DllExport BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
      //msg box captions and messages
      const char * MsgBoxCaption = "Extender",
             * ErrMsgOpenProcess = "OpenProcess() failed.",
             * ErrMsgReadProcessMemory = "ReadProcessMemory() failed.",
             * ErrMsgWriteProcessMemory = "WriteProcessMemory() failed.",
             * ErrMsgVirtualProtect = "VirtualProtect() failed.";

      //Server Protocol Revision
      const WORD NewServerProtocolRevision = 0x0290; //656
      //Server Window Name (Default: Release-1(fastest), [ServerStatus])
      const WCHAR * NewServerWindowName = L"Extender 2.1 [me@me.com]";

      //our DLL state switch
      switch( fdwReason )
      {
            case DLL_PROCESS_ATTACH:
            {
                  //temp var for ReadProcessMemory()
                  SIZE_T temp = 0;
                  //LPVOID buffer[8];
                  //temp var for VirtualProtect
                  DWORD oldProtect = NULL;
                  
                  //Get the current (applicationserv) Process ID
                  DWORD dwProcessID = GetCurrentProcessId();
                  HANDLE dwHandle = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessID);
                  
                  //Checks if our Current Process (applicationserv) Handle is valid
                  if (!dwHandle)
                  {
                        MessageBoxA(NULL, ErrMsgOpenProcess, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "OpenProcess failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Got Process Handle " << dwHandle << ".\r\n";
                        #endif
                  }


                  //New Server Protocol Revision
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x0050105C+1), &NewServerProtocolRevision, sizeof(NewServerProtocolRevision), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.0050105D failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050105D with new Server Protocol Revision [" << NewServerProtocolRevision << "].\r\n";
                        #endif
                  }

                  //New Server Window Name
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x004907A9+1), &NewServerWindowName, sizeof(NewServerWindowName), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.004907AA failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.004907AA with new Server Window Name.\r\n";
                        #endif
                  }
                  
                  
                  
                  //if( !ReadProcessMemory(dwHandle, (PVOID)&RecvPacketAddr, buffer, sizeof(DWORD), &temp) )
                  //      MessageBoxA(NULL, ErrMsgReadProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                  //else
                  //{
                  //      
                  //}

                  //VirtualProtect for Receive Packet Function Hook
                  /*if( !VirtualProtect((LPVOID)(0x19930520), 32, PAGE_EXECUTE_READWRITE, &oldProtect) )
                  {
                        MessageBoxA(NULL, ErrMsgVirtualProtect, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "VirtualProtect on applicationserv.19930520 failed.  Old Protect: " 
                              << hex << oldProtect << " Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Set protection on applicationserv.19930520 from " << hex << oldProtect << " to " << PAGE_EXECUTE_READWRITE << ".\r\n";
                        #endif
                  }*/

                  //Receive Packet Function Hook
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x0050F8F4+1), &HookReceivePacket, sizeof(&HookReceivePacket), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.0050F8F5 failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050F8F5 with ReceivePacket Hook (" << temp
                                     << " bytes).  New call address: " << hex << HookReceivePacket << ".\r\n";
                        #endif
                  }

                  //UserInfo Packet Function Hook
                  /*

                  */

                  break;
            }
            case DLL_THREAD_ATTACH:
                  break;      
            case DLL_THREAD_DETACH:
                  break;
            case DLL_PROCESS_DETACH:
                  break;  
      }  
      return TRUE;
}

void HookReceivePacket()
{
      #ifdef __DEBUG__
            file << "Entered HookReceivePacket: now calling applicationserv.005509E2.\r\n";
      #endif
      __asm
      {
            mov            eax, 0x005509E2
            //mov            eax,500FF0h            //call our applicationserv function
            call      eax
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: now calling ReceivePacket.\r\n";
      #endif
      __asm
      {
            push    edi      //var something
        push    eax      //var something else
            call    ReceivePacket      //call our own packet handler
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: ReceivePacket has returned.  Now finishing and calling applicationserv.0050F8FC.\r\n";
      #endif
      __asm
      {
            mov     eax, [esp]
            cmp     byte ptr [eax], 0A8h
            jbe     short ESP_OK
            mov     byte ptr [eax], 0A8h
            mov     word ptr [eax-2], 1
      ESP_OK:
            add     esp, 0Ch
            push    0x0050F8FC
            //retn
      }
      #ifdef __DEBUG__
            file << "Exited HookReceivePacket. \r\n";
      #endif
}

void ReceivePacket(BYTE * header, BYTE * packet)
{
      #ifdef __DEBUG__
            file << "Entered ReceivePacket.  Header: " << &header << " Packet: " << &packet << "\r\n";
      #endif
}

void HookCharInfoPacket()
{
      
}

void HookUserInfoPacket()
{
      
}


Would appricate all help on this matter
0
Comment
Question by:fjocke
3 Comments
 
LVL 28

Accepted Solution

by:
2266180 earned 500 total points
ID: 16929113
hm... you are not going to use this for illicit things, are you?

in any case, you can look at madshis hook components. there are some examples there on how to inject code.

you could also use the plain winapi to write to a processes memory.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Simple Delphi Question 9 90
Open a URL with Internet Explorer in a new tab (not a new window) 1 99
Multiple image collision 13 75
Firemonkey webbrowser scrollbars ? 1 41
This article explains how to create forms/units independent of other forms/units object names in a delphi project. Have you ever created a form for user input in a Delphi project and then had the need to have that same form in a other Delphi proj…
Have you ever had your Delphi form/application just hanging while waiting for data to load? This is the article to read if you want to learn some things about adding threads for data loading in the background. First, I'll setup a general applica…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question