
Application API/asm hook

Okay, my question goes like this: how do I inject a value at the asm address "0x0050105C"?
In this case 0x0050105C holds a version number, so what I want is DLL code that replaces that value with 0x0290.
I have the C++ source for this, but I thought sharing a Delphi solution would be cool too.

The code for that goes like this:

#include "Extend.h"

//global vars
//Field descriptor for the UserInfo packet, one character per field (c, d, S, f,
//h and b codes).  Nothing on this page reads it; presumably it is meant for the
//still-empty HookUserInfoPacket — confirm before removing or relying on it.
const char * UserInfoPacketFormat = "cdddddSdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddffffddddSdddddcccddhbcdcddddddddhhdhddddcdddddd";

#ifdef __DEBUG__
      //global fstream
      //Debug-only trace log, truncated every time the DLL is loaded.  The object
      //exists only in __DEBUG__ builds, so every use of `file` must sit inside an
      //#ifdef __DEBUG__ block or non-debug builds do not compile.
      ofstream file("4extend.log", ios::trunc);
#endif

//DLLMain
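/*
 * DLL entry point (DllExport comes from Extend.h).
 *
 * On DLL_PROCESS_ATTACH it patches three operands inside the host image
 * ("applicationserv") by writing through a handle to the current process:
 *   0x0050105C+1  <- NewServerProtocolRevision (sizeof(WORD) == 2 bytes)
 *   0x004907A9+1  <- the address of NewServerWindowName (one pointer)
 *   0x0050F8F4+1  <- the address of HookReceivePacket  (one pointer)
 * Every address is hard-coded for one particular build of the host binary
 * and is meaningless for any other build.  Nothing is restored on
 * DLL_PROCESS_DETACH, so the host keeps referencing this DLL's string literal
 * and hook function for as long as it runs.
 *
 * hinstDLL and lpReserved are unused.  Returns TRUE on success.  Returns
 * FALSE when the process handle cannot be opened during DLL_PROCESS_ATTACH,
 * which makes the loader abort the load instead of running the patches
 * against a NULL handle.  A failed patch is reported (message box / debug
 * log) but does not abort the load, matching the original behaviour.
 */
DllExport BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
      (void)hinstDLL;
      (void)lpReserved;

      //msg box captions and messages
      const char * MsgBoxCaption = "Extender",
             * ErrMsgOpenProcess = "OpenProcess() failed.",
             * ErrMsgWriteProcessMemory = "WriteProcessMemory() failed.";

      //MB_OK is 0, so the former "MB_OK || MB_ICONSTOP" (logical or) evaluated
      //to 1 == MB_OKCANCEL and lost the icon; style flags combine bitwise.
      const UINT MsgBoxFlags = MB_OK | MB_ICONSTOP;

      //Server Protocol Revision
      const WORD NewServerProtocolRevision = 0x0290; //656
      //Server Window Name (Default: Release-1(fastest), [ServerStatus])
      //Only the *address* of this literal is written into the host, so the
      //literal (i.e. this DLL) must stay mapped for as long as the host uses it.
      const WCHAR * NewServerWindowName = L"Extender 2.1 [me@me.com]";

      //our DLL state switch
      switch( fdwReason )
      {
            case DLL_PROCESS_ATTACH:
            {
                  //bytes actually transferred by the last WriteProcessMemory()
                  SIZE_T temp = 0;

                  //Get the current (applicationserv) Process ID and a handle to it.
                  //WriteProcessMemory needs PROCESS_VM_WRITE | PROCESS_VM_OPERATION;
                  //nothing here needs the rest of PROCESS_ALL_ACCESS.
                  DWORD dwProcessID = GetCurrentProcessId();
                  HANDLE hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwProcessID);

                  //Checks if our Current Process (applicationserv) Handle is valid.
                  //Every patch below needs it, so fail the load rather than carry on.
                  if (!hProcess)
                  {
                        DWORD err = GetLastError(); //read before MessageBoxA can overwrite it
                        MessageBoxA(NULL, ErrMsgOpenProcess, MsgBoxCaption, MsgBoxFlags);
                        #ifdef __DEBUG__
                              file << "OpenProcess failed.  Error Code: " << err << "\r\n";
                        #endif
                        return FALSE;
                  }
                  #ifdef __DEBUG__
                        file << "Got Process Handle " << hProcess << ".\r\n";
                  #endif

                  //New Server Protocol Revision: two bytes at 0x0050105C+1, presumably
                  //the immediate operand of the instruction there — confirm against
                  //the disassembly of this host build.
                  if( !WriteProcessMemory(hProcess, (LPVOID)(0x0050105C+1), &NewServerProtocolRevision, sizeof(NewServerProtocolRevision), &temp) )
                  {
                        DWORD err = GetLastError();
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MsgBoxFlags);
                        #ifdef __DEBUG__
                              file << "WriteProcessMemory on applicationserv.0050105D failed.  Error Code: " << err << "\r\n";
                        #endif
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050105D with new Server Protocol Revision [" << NewServerProtocolRevision << "].\r\n";
                        #endif
                  }

                  //New Server Window Name: &NewServerWindowName / sizeof(pointer) writes
                  //the pointer value, not the characters, so the host ends up
                  //referencing the literal inside this DLL.
                  if( !WriteProcessMemory(hProcess, (LPVOID)(0x004907A9+1), &NewServerWindowName, sizeof(NewServerWindowName), &temp) )
                  {
                        DWORD err = GetLastError();
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MsgBoxFlags);
                        #ifdef __DEBUG__
                              file << "WriteProcessMemory on applicationserv.004907AA failed.  Error Code: " << err << "\r\n";
                        #endif
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.004907AA with new Server Window Name.\r\n";
                        #endif
                  }

                  //Receive Packet Function Hook: writes the absolute address of
                  //HookReceivePacket.  NOTE(review): whether the operand at 0x0050F8F4
                  //expects an absolute address or a displacement is not visible here —
                  //TODO confirm against the disassembly.
                  if( !WriteProcessMemory(hProcess, (LPVOID)(0x0050F8F4+1), &HookReceivePacket, sizeof(&HookReceivePacket), &temp) )
                  {
                        DWORD err = GetLastError();
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MsgBoxFlags);
                        #ifdef __DEBUG__
                              file << "WriteProcessMemory on applicationserv.0050F8F5 failed.  Error Code: " << err << "\r\n";
                        #endif
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              //A function pointer streams as bool ("1"); cast to an integer
                              //so the log shows the real address.  Restore decimal afterwards.
                              file << "Wrote applicationserv.0050F8F5 with ReceivePacket Hook (" << temp
                                     << " bytes).  New call address: " << hex << (DWORD_PTR)HookReceivePacket << dec << ".\r\n";
                        #endif
                  }

                  //The ReadProcessMemory / VirtualProtect experiments and the UserInfo
                  //packet hook of the original listing were commented out and are not
                  //wired in; HookUserInfoPacket is still an empty stub.

                  CloseHandle(hProcess); //OpenProcess handles are not released for us
                  break;
            }
            case DLL_THREAD_ATTACH:
            case DLL_THREAD_DETACH:
            case DLL_PROCESS_DETACH:
            default:
                  //nothing to do; the patches above are never undone
                  break;
      }
      return TRUE;
}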

/*
 * Trampoline that DllMain wires into applicationserv at 0x0050F8F4+1.
 * The three __asm blocks do, in order:
 *   1. call the routine at 0x005509E2 (the debug log names it as the original
 *      applicationserv target);
 *   2. push edi and eax and call ReceivePacket, handing those two register
 *      values to the C++ handler;
 *   3. reload the value last pushed (eax) from [esp], clamp the byte it points
 *      at to 0xA8 (and store 1 in the word two bytes before it when clamping),
 *      pop 12 bytes, then push 0x0050F8FC as the continuation address.
 *
 * NOTE(review): the final "retn" is commented out and the function has an
 * ordinary compiler-generated prologue/epilogue, so what runs after
 * "push 0x0050F8FC" is that epilogue; whether the 12-byte adjustment leaves
 * esp where the epilogue expects it depends on the frame MSVC emitted.
 * NOTE(review): in __DEBUG__ builds the stream calls between the blocks are
 * ordinary C++ code that may clobber eax/ecx/edx before block 2 pushes eax.
 * TODO confirm both points in a debugger before relying on this hook.
 */
void HookReceivePacket()
{
      #ifdef __DEBUG__
            file << "Entered HookReceivePacket: now calling applicationserv.005509E2.\r\n";
      #endif
      //block 1: call the original routine via an absolute address in eax
      __asm
      {
            mov            eax, 0x005509E2
            //mov            eax,500FF0h            //call our applicationserv function
            call      eax
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: now calling ReceivePacket.\r\n";
      #endif
      //block 2: pass edi and eax to ReceivePacket; the pushed arguments are not
      //popped here (see "add esp, 0Ch" below)
      __asm
      {
            push    edi      //var something
        push    eax      //var something else
            call    ReceivePacket      //call our own packet handler
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: ReceivePacket has returned.  Now finishing and calling applicationserv.0050F8FC.\r\n";
      #endif
      //block 3: [esp] is the eax pushed above; clamp the byte at [eax] to 0xA8,
      //unwind 12 bytes and push the continuation address (retn left commented out)
      __asm
      {
            mov     eax, [esp]
            cmp     byte ptr [eax], 0A8h
            jbe     short ESP_OK
            mov     byte ptr [eax], 0A8h
            mov     word ptr [eax-2], 1
      ESP_OK:
            add     esp, 0Ch
            push    0x0050F8FC
            //retn
      }
      #ifdef __DEBUG__
            file << "Exited HookReceivePacket. \r\n";
      #endif
}

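/*
 * Packet handler reached from HookReceivePacket, which pushes edi and then
 * eax before calling it.  Assuming the default cdecl convention the last
 * pushed value is the first argument, so header came from eax and packet
 * from edi — confirm against the hook.  Currently it only logs; the packet
 * is never inspected or modified.
 */
void ReceivePacket(BYTE * header, BYTE * packet)
{
      #ifdef __DEBUG__
            //Log the pointer values themselves.  The original streamed &header and
            //&packet, i.e. the addresses of the parameter slots on this stack frame,
            //which says nothing about where the header or packet live.
            file << "Entered ReceivePacket.  Header: " << (const void *)header << " Packet: " << (const void *)packet << "\r\n";
      #else
            (void)header;
            (void)packet;
      #endif
}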

//Placeholder for the CharInfo packet hook.  DllMain only patches the
//ReceivePacket call site, so nothing installs this yet; the body is
//intentionally empty.
void HookCharInfoPacket() {}

//Placeholder for the UserInfo packet hook (the global UserInfoPacketFormat
//is presumably meant for it).  Nothing installs this yet; the body is
//intentionally empty.
void HookUserInfoPacket() {}


Would appreciate any help on this matter.
Question by:fjocke
Accepted Solution
2266180 earned 500 total points
hm... you are not going to use this for illicit things, are you?

In any case, you can look at madshi's hook components; there are some examples there on how to inject code.

You could also use the plain WinAPI to write to a process's memory.
