• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 836
  • Last Modified:

Application API/asm hook

Okey, My little question goes like this. How do i inject a text on the asm mark "0x0050105C"
In this case 0x0050105C contains a version number. So what i want is a dll code that replaces that value with 0x0290.
I got the c++ source for this, but i thought sharing a delphi solution would be cool too.

The code for that goes like:

#include "Extend.h"

//global vars
const char * UserInfoPacketFormat = "cdddddSdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddffffddddSdddddcccddhbcdcddddddddhhdhddddcdddddd";

#ifdef __DEBUG__
      //global fstream
      ofstream file("4extend.log", ios::trunc);
#endif

//DLLMain
DllExport BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
      //msg box captions and messages
      const char * MsgBoxCaption = "Extender",
             * ErrMsgOpenProcess = "OpenProcess() failed.",
             * ErrMsgReadProcessMemory = "ReadProcessMemory() failed.",
             * ErrMsgWriteProcessMemory = "WriteProcessMemory() failed.",
             * ErrMsgVirtualProtect = "VirtualProtect() failed.";

      //Server Protocol Revision
      const WORD NewServerProtocolRevision = 0x0290; //656
      //Server Window Name (Default: Release-1(fastest), [ServerStatus])
      const WCHAR * NewServerWindowName = L"Extender 2.1 [me@me.com]";

      //our DLL state switch
      switch( fdwReason )
      {
            case DLL_PROCESS_ATTACH:
            {
                  //temp var for ReadProcessMemory()
                  SIZE_T temp = 0;
                  //LPVOID buffer[8];
                  //temp var for VirtualProtect
                  DWORD oldProtect = NULL;
                  
                  //Get the current (applicationserv) Process ID
                  DWORD dwProcessID = GetCurrentProcessId();
                  HANDLE dwHandle = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessID);
                  
                  //Checks if our Current Process (applicationserv) Handle is valid
                  if (!dwHandle)
                  {
                        MessageBoxA(NULL, ErrMsgOpenProcess, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "OpenProcess failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Got Process Handle " << dwHandle << ".\r\n";
                        #endif
                  }


                  //New Server Protocol Revision
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x0050105C+1), &NewServerProtocolRevision, sizeof(NewServerProtocolRevision), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.0050105D failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050105D with new Server Protocol Revision [" << NewServerProtocolRevision << "].\r\n";
                        #endif
                  }

                  //New Server Window Name
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x004907A9+1), &NewServerWindowName, sizeof(NewServerWindowName), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.004907AA failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.004907AA with new Server Window Name.\r\n";
                        #endif
                  }
                  
                  
                  
                  //if( !ReadProcessMemory(dwHandle, (PVOID)&RecvPacketAddr, buffer, sizeof(DWORD), &temp) )
                  //      MessageBoxA(NULL, ErrMsgReadProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                  //else
                  //{
                  //      
                  //}

                  //VirtualProtect for Receive Packet Function Hook
                  /*if( !VirtualProtect((LPVOID)(0x19930520), 32, PAGE_EXECUTE_READWRITE, &oldProtect) )
                  {
                        MessageBoxA(NULL, ErrMsgVirtualProtect, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "VirtualProtect on applicationserv.19930520 failed.  Old Protect: " 
                              << hex << oldProtect << " Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Set protection on applicationserv.19930520 from " << hex << oldProtect << " to " << PAGE_EXECUTE_READWRITE << ".\r\n";
                        #endif
                  }*/

                  //Receive Packet Function Hook
                  if( !WriteProcessMemory(dwHandle, (LPVOID)(0x0050F8F4+1), &HookReceivePacket, sizeof(&HookReceivePacket), &temp) )
                  {
                        MessageBoxA(NULL, ErrMsgWriteProcessMemory, MsgBoxCaption, MB_OK || MB_ICONSTOP);
                        file << "WriteProcessMemory on applicationserv.0050F8F5 failed.  Error Code: " << GetLastError() << "\r\n";
                  }
                  else
                  {
                        #ifdef __DEBUG__
                              file << "Wrote applicationserv.0050F8F5 with ReceivePacket Hook (" << temp
                                     << " bytes).  New call address: " << hex << HookReceivePacket << ".\r\n";
                        #endif
                  }

                  //UserInfo Packet Function Hook
                  /*

                  */

                  break;
            }
            case DLL_THREAD_ATTACH:
                  break;      
            case DLL_THREAD_DETACH:
                  break;
            case DLL_PROCESS_DETACH:
                  break;  
      }  
      return TRUE;
}

void HookReceivePacket()
{
      #ifdef __DEBUG__
            file << "Entered HookReceivePacket: now calling applicationserv.005509E2.\r\n";
      #endif
      __asm
      {
            mov            eax, 0x005509E2
            //mov            eax,500FF0h            //call our applicationserv function
            call      eax
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: now calling ReceivePacket.\r\n";
      #endif
      __asm
      {
            push    edi      //var something
        push    eax      //var something else
            call    ReceivePacket      //call our own packet handler
      }
      #ifdef __DEBUG__
            file << ">>>>>> HookReceivePacket: ReceivePacket has returned.  Now finishing and calling applicationserv.0050F8FC.\r\n";
      #endif
      __asm
      {
            mov     eax, [esp]
            cmp     byte ptr [eax], 0A8h
            jbe     short ESP_OK
            mov     byte ptr [eax], 0A8h
            mov     word ptr [eax-2], 1
      ESP_OK:
            add     esp, 0Ch
            push    0x0050F8FC
            //retn
      }
      #ifdef __DEBUG__
            file << "Exited HookReceivePacket. \r\n";
      #endif
}

void ReceivePacket(BYTE * header, BYTE * packet)
{
      #ifdef __DEBUG__
            file << "Entered ReceivePacket.  Header: " << &header << " Packet: " << &packet << "\r\n";
      #endif
}

void HookCharInfoPacket()
{
      
}

void HookUserInfoPacket()
{
      
}


Would appricate all help on this matter
0
fjocke
Asked:
fjocke
1 Solution
 
2266180Commented:
hm... you are not going to use this for illicit things, are you?

in any case, you can look at madshis hook components. there are some examples there on how to inject code.

you could also use the plain winapi to write to a processes memory.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now