Solved

Application API/asm hook

Posted on 2006-06-17
3
819 Views
Last Modified: 2013-11-23
Okey, My little question goes like this. How do i inject a text on the asm mark "0x0050105C"
In this case 0x0050105C contains a version number. So what i want is a dll code that replaces that value with 0x0290.
I got the c++ source for this, but i thought sharing a delphi solution would be cool too.

The code for that goes like:

#include "Extend.h"

//global vars
const char * UserInfoPacketFormat = "cdddddSdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddffffddddSdddddcccddhbcdcddddddddhhdhddddcdddddd";

#ifdef __DEBUG__
      //global fstream
      ofstream file("4extend.log", ios::trunc);
#endif

//DLLMain
DllExport BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
      //msg box captions and messages
      const char * MsgBoxCaption = "Extender",
             * ErrMsgOpenProcess = "OpenProcess() failed.",
             * ErrMsgReadProcessMemory = "ReadProcessMemory() failed.",
             * ErrMsgWriteProcessMemory = "WriteProcessMemory() failed.",
             * ErrMsgVirtualProtect = "VirtualProtect() failed.";

      //Server Protocol Revision
      const WORD NewServerProtocolRevision = 0x0290; //656
      //Server Window Name (Default: Release-1(fastest), [ServerStatus])
      const WCHAR * NewServerWindowName = L"Extender 2.1 [me@me.com]";

      //our DLL state switch
      switch( fdwReason )
      {
            case DLL_PROCESS_ATTACH:
            {
                  //temp var for ReadProcessMemory()
                  SIZE_T temp = 0;
                  //LPVOID buffer[8];
                  //temp var for VirtualProtect
                  DWORD oldProtect = NULL;
                  
                  //Get the current (applicationserv) Process ID
                  DWORD dwProcessID = GetCurrentProcessId();
                  HANDLE dwHandle = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessID);
                  
                  //Checks if our Current Process (applicationserv) Handle is valid
                  if (!dwHandle)
                  {
                        MessageBoxA(NULL, ErrMsgOpenProcess, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "OpenProcess failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Got Process Handle " << dwHandle << ".\r\n";
                        #endif
                  }


                  //New Server Protocol Revision
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x0050105C+1), &NewServerProtocolRevision, sizeof(NewServerProtocolRevision), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.0050105D failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050105D with new Server Protocol Revision [" << NewServerProtocolRevision << "].\r\n";
                        #endif
                  }

                  //New Server Window Name
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x004907A9+1), &NewServerWindowName, sizeof(NewServerWindowName), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.004907AA failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.004907AA with new Server Window Name.\r\n";
                        #endif
                  }
                  
                  
                  
                  //if( !ReadProcessMemory(dwHandle, (PVOID)&RecvPacketAddr, buffer, sizeof(DWORD), &temp) )
                  //      MessageBoxA(NULL, ErrMsgReadProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                  //else
                  //{
                  //      
                  //}

                  //VirtualProtect for Receive Packet Function Hook
                  /*if( !VirtualProtect((LPVOID)(0x19930520), 32, PAGE_EXECUTE_READWRITE, &oldProtect) )
                  {
                        MessageBoxA(NULL, ErrMsgVirtualProtect, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "VirtualProtect on applicationserv.19930520 failed.  Old Protect: "
                              << hex << oldProtect << " Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Set protection on applicationserv.19930520 from " << hex << oldProtect << " to " << PAGE_EXECUTE_READWRITE << ".\r\n";
                        #endif
                  }*/

                  //Receive Packet Function Hook
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x0050F8F4+1), &HookReceivePacket, sizeof(&HookReceivePacket), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.0050F8F5 failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050F8F5 with ReceivePacket Hook (" << temp
                                     << " bytes).  New call address: " << hex << HookReceivePacket << ".\r\n";
                        #endif
                  }

                  //UserInfo Packet Function Hook
                  /*

                  */

                  break;
            }
            case DLL_THREAD_ATTACH:
                  break;      
            case DLL_THREAD_DETACH:
                  break;
            case DLL_PROCESS_DETACH:
                  break;  
      }  
      return TRUE;
}

void HookReceivePacket()
{
      #ifdef __DEBUG__
            file << "Entered HookReceivePacket: now calling applicationserv.005509E2.\r\n";
      #endif
      __asm
      {
            mov            eax, 0x005509E2
            //mov            eax,500FF0h            //call our applicationserv function
            call      eax
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: now calling ReceivePacket.\r\n";
      #endif
      __asm
      {
            push    edi      //var something
        push    eax      //var something else
            call    ReceivePacket      //call our own packet handler
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: ReceivePacket has returned.  Now finishing and calling applicationserv.0050F8FC.\r\n";
      #endif
      __asm
      {
            mov     eax, [esp]
            cmp     byte ptr [eax], 0A8h
            jbe     short ESP_OK
            mov     byte ptr [eax], 0A8h
            mov     word ptr [eax-2], 1
      ESP_OK:
            add     esp, 0Ch
            push    0x0050F8FC
            //retn
      }
      #ifdef __DEBUG__
            file << "Exited HookReceivePacket. \r\n";
      #endif
}

void ReceivePacket(BYTE * header, BYTE * packet)
{
      #ifdef __DEBUG__
            file << "Entered ReceivePacket.  Header: " << &header << " Packet: " << &packet << "\r\n";
      #endif
}

void HookCharInfoPacket()
{
      
}

void HookUserInfoPacket()
{
      
}


Would appricate all help on this matter
0
Comment
Question by:fjocke
3 Comments
 
LVL 28

Accepted Solution

by:
ciuly earned 500 total points
Comment Utility
hm... you are not going to use this for illicit things, are you?

in any case, you can look at madshis hook components. there are some examples there on how to inject code.

you could also use the plain winapi to write to a processes memory.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

The uses clause is one of those things that just tends to grow and grow. Most of the time this is in the main form, as it's from this form that all others are called. If you have a big application (including many forms), the uses clause in the in…
Introduction The parallel port is a very commonly known port, it was widely used to connect a printer to the PC, if you look at the back of your computer, for those who don't have newer computers, there will be a port with 25 pins and a small print…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now