PyroKid (September 13, 2003, 9:32 PM):

I'm injecting the following code into my application using WriteProcessBytes and then rerouting WinProc to execute it (and rerouting WinProc back to where it was afterwards, of course). The code is written to the base address plus an offset of 400. Here is the asm code I'm using:

[code]
void __declspec(naked) AsmCode(void)
{
    __asm {
        mov eax, LOADLIBRARY   // address of LoadLibraryA
        mov ebx, 15h           // offset to DLL filename
        push ebx
        call eax
        pop ebx
        int 3h                 // breakpoint
    }
}
[/code]

Also, here's the code in bytes:

[code]
CHAR CodePage[4096] = {
    0xB8, 0x00, 0x00, 0x00, 0x00, // mov EAX, pointer to LoadLibraryA() (DWORD)
    0xBB, 0x15, 0x00, 0x00, 0x00, // mov EBX, offset to DLL name to inject (DWORD)
    0x53,                         // push EBX
    0xFF, 0xD0,                   // call EAX
    0x5B,                         // pop EBX
    0xCC                          // INT 3h
};
[/code]

When the code crashes, it breaks on some address that I don't think should be being called (aim.004019C4). This is the code above, but as shown in the debugger:

[code]
004003FF  008B 4C2404E8   ADD [BYTE DS:EBX+E804244C],CL
00400405  BB 15000000     MOV EBX,15
0040040A  53              PUSH EBX
0040040B  FFD0            CALL EAX
0040040D  5B              POP EBX
0040040E  CC              INT3
[/code]

The top line doesn't look like the asm I'm injecting. I think I'm doing all this right: I'm writing the code in an unused spot, appending the DLL filename to the end of the code, and my DLL offset should be correct. Yet it still crashes. Does anyone have an answer to my question? BTW, don't get mad if I did or said something stupid; I am new to this :) I'm using AIM for practice ;)

TheMinistered (September 13, 2003, 9:43 PM):

Are you writing all the machine code to the target process? It looks like you aren't writing the first 5 bytes of it... Are you writing your machine code to a place in the target process that is not being used? It appears that you aren't... Try showing us the code where you call WriteProcessMemory etc.

PyroKid (September 13, 2003, 10:04 PM):

I am writing it all to a blank spot in the target process. The base address+400 (which is what I'm writing to) is a blank spot. This is what I'm using to write it:

[code]
// Patch in our code
WriteProcessBYTES(hprocess, PatchAddress, &AsmCode, 15);

// Patch in full path+filename to DLL
GetCurrentDirectory(255, dllFullName);
strcat(dllFullName, "\\inject.dll");

// Write our DLL file name to the end of our code
WriteProcessBYTES(hprocess, PatchAddress+15, dllFullName, strlen(dllFullName)+1);
[/code]

I agree with you; I think the top line is screwing up, and if you look at the second line I think one of the bytes from the first line carried over to the second. When I used my memory viewer, everything looked just as I wanted it to (before WinProc was intercepted and the injected code was executed). And as you probably know, Write/ReadProcessBYTES is this:

[code]
#include <windows.h>

//////////////////////////////////////////////////////////////////////
// WriteProcessBYTES()
// -------------------------------------------------------------------
// Originally mousepad's code
//////////////////////////////////////////////////////////////////////
void WriteProcessBYTES(HANDLE hProcess, DWORD lpAddress, void* buf, int len)
{
    DWORD oldprot, dummy = 0;
    // Make the target range writable, write the bytes, then restore the old protection
    VirtualProtectEx(hProcess, (void*) lpAddress, len, PAGE_READWRITE, &oldprot);
    WriteProcessMemory(hProcess, (void*) lpAddress, buf, len, 0);
    VirtualProtectEx(hProcess, (void*) lpAddress, len, oldprot, &dummy);
}

//////////////////////////////////////////////////////////////////////
// ReadProcessBYTES()
// -------------------------------------------------------------------
// Originally mousepad's code
//////////////////////////////////////////////////////////////////////
void ReadProcessBYTES(HANDLE hProcess, DWORD lpAddress, void* buf, int len)
{
    DWORD oldprot, dummy = 0;
    // Make the target range readable/writable, read the bytes, then restore the old protection
    VirtualProtectEx(hProcess, (void*) lpAddress, len, PAGE_READWRITE, &oldprot);
    ReadProcessMemory(hProcess, (void*) lpAddress, buf, len, 0);
    VirtualProtectEx(hProcess, (void*) lpAddress, len, oldprot, &dummy);
}
[/code]

Adron (September 14, 2003, 11:41 AM):

I don't see where you set the LoadLibrary address. I don't see how 0x15 would point at anything useful. You seem to have swapped nibbles if you get 8B instead of B8 in the disassembly. Note that your disassembly is starting at 4003FF instead of 400400.

PyroKid (September 14, 2003, 1:39 PM):

0x15 should be the offset to the DLL name. The line right above it is setting EAX to the location of LoadLibrary.

TheMinistered (September 14, 2003, 3:00 PM):

Well, it looks to me like you are patching in AsmCode (which should still work in theory) and not CodePage.

[code]
// Patch in our code
WriteProcessBYTES(hprocess, PatchAddress, &AsmCode, 15);
[/code]

Additionally, 0x15 will not point to anything useful... I am thinking that PatchAddress+0x15 will. Use GetProcAddress to get LoadLibrary's address. Then you can write a struct at BaseAddress+??? that contains a pointer to LoadLibrary and the DLL location. etc... etc...

Adron (September 14, 2003, 5:47 PM):

[quote author=TheMinistered link=board=5;threadid=2693;start=0#msg21225 date=1063551643]
Additionally, 0x15 will not point to anything useful... I am thinking that PatchAddress+0x15 will.
[/quote]

Exactly what I was thinking!

TheMinistered (September 15, 2003, 12:40 AM):

What is the value of PatchAddress?

St0rm.iD (September 15, 2003, 12:43 AM):

[ot] Could someone give me a snippet of injecting a DLL and replacing an API call? I really can't figure it out...

iago (September 15, 2003, 3:30 AM):

[quote author=St0rm.iD link=board=5;threadid=2693;start=0#msg21281 date=1063586621]
[ot] Could someone give me a snippet of injecting a DLL and replacing an API call? I really can't figure it out...
[/quote]

See my question on the asm forum regarding using IX86.dll files. Adron/somebody else demonstrated how to patch over some API call. [/ot]

K (September 15, 2003, 7:18 PM):

'Twas me. https://davnit.net/bnet/vL/phpbbs/index.php?board=7;action=display;threadid=1882
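The replies above identify two things the stub gets wrong: the `mov eax` immediate that is supposed to hold LoadLibraryA's address is still zero (Adron), and `0x15` is an offset relative to the stub, whereas what gets pushed has to be the absolute address `PatchAddress+0x15` (TheMinistered, Adron). The following is an added example, not code from anyone in the thread: portable C that assembles a corrected stub (resolved LoadLibraryA pointer, `push imm32` of the string's absolute address, string placed right after the code so its address is derived from the code length) and a small decoder that applies those two checks to any stub, including a constructed copy of the original bytes. The Windows-specific parts are left to the caller: `patch_va` is the target address the bytes will be written to (base + 0x400 in the thread) and `loadlib_va` is whatever `GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA")` returns; the values used in `main` are placeholders, and the `push imm32` layout is my choice rather than the thread's `mov ebx`/`push ebx`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the rebuilt 32-bit stub the redirected WndProc will execute:
 *   B8 imm32   mov  eax, <address of LoadLibraryA inside the target>
 *   68 imm32   push <absolute address of the DLL path string>
 *   FF D0      call eax
 *   CC         int 3
 *   <DLL path, NUL-terminated>
 * The string sits right after the code, so its address is the stub's own
 * load address plus STUB_CODE_LEN: an absolute pointer, not an offset. */
#define STUB_CODE_LEN 13

typedef struct {
    uint32_t loadlib_va; /* immediate of the leading "mov eax, imm32" */
    uint32_t arg_va;     /* value the stub pushes as LoadLibraryA's argument */
    int ok;              /* 1 when both look right for a stub loaded at patch_va */
} stub_info;

/* x86 immediates are little-endian; store/load them byte by byte. */
static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assemble code + path into out. patch_va is where the bytes will be written
 * in the target; loadlib_va is LoadLibraryA as resolved (on Windows) with
 * GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA").
 * Returns the number of bytes to write, or 0 on error. */
size_t build_loadlibrary_stub(uint32_t patch_va, uint32_t loadlib_va,
                              const char *dll_path, uint8_t *out, size_t cap)
{
    size_t path_len = strlen(dll_path) + 1;
    size_t total = STUB_CODE_LEN + path_len;
    uint8_t *p = out;
    if (loadlib_va == 0 || total > cap) return 0;      /* never emit "call 0" */
    *p++ = 0xB8; put_u32(p, loadlib_va); p += 4;               /* mov eax, imm32 */
    *p++ = 0x68; put_u32(p, patch_va + STUB_CODE_LEN); p += 4; /* push imm32    */
    *p++ = 0xFF; *p++ = 0xD0;                                  /* call eax      */
    *p++ = 0xCC;                                               /* int 3         */
    memcpy(p, dll_path, path_len);                             /* the path      */
    return total;
}

/* Decode either layout: "B8 imm32" followed by "68 imm32" (push imm32) or by
 * "BB imm32 53" (mov ebx, imm32 / push ebx, as in the thread). Then apply the
 * two checks the replies converge on: the mov eax immediate must be filled in,
 * and the pushed value must be an address inside the written region that
 * holds a NUL-terminated string, not a small offset such as 0x15. */
stub_info decode_stub(const uint8_t *stub, size_t len, uint32_t patch_va)
{
    stub_info info = {0, 0, 0};
    size_t off;
    if (len < 10 || stub[0] != 0xB8) return info;
    info.loadlib_va = get_u32(stub + 1);
    if (stub[5] == 0x68) {
        info.arg_va = get_u32(stub + 6);
    } else if (len >= 11 && stub[5] == 0xBB && stub[10] == 0x53) {
        info.arg_va = get_u32(stub + 6);
    } else {
        return info;
    }
    if (info.loadlib_va == 0) return info;                      /* would "call 0" */
    if (info.arg_va < patch_va || info.arg_va >= patch_va + len) return info;
    off = info.arg_va - patch_va;
    if (memchr(stub + off, 0, len - off) == NULL) return info;  /* no terminator */
    info.ok = 1;
    return info;
}

/* Constructed copy of the first post's CodePage bytes with a DLL path appended
 * at offset 15, the way the second post's WriteProcessBYTES calls lay it out. */
const uint8_t ORIGINAL_STUB[] = {
    0xB8, 0x00, 0x00, 0x00, 0x00,   /* mov eax, 0   (LoadLibraryA never filled in) */
    0xBB, 0x15, 0x00, 0x00, 0x00,   /* mov ebx, 15h (an offset, not an address)    */
    0x53, 0xFF, 0xD0, 0x5B, 0xCC,   /* push ebx / call eax / pop ebx / int 3        */
    'C', ':', '\\', 'i', 'n', 'j', 'e', 'c', 't', '.', 'd', 'l', 'l', 0
};

int main(void)
{
    uint8_t buf[256];
    uint32_t patch_va = 0x00400400u;   /* base + 0x400, as in the thread */
    uint32_t loadlib_va = 0x7C80AE40u; /* placeholder; a real run takes GetProcAddress's value */
    size_t n = build_loadlibrary_stub(patch_va, loadlib_va, "C:\\tools\\inject.dll", buf, sizeof buf);
    size_t i;
    for (i = 0; i < n; i++) printf("%02X%c", buf[i], (i + 1) % 16 ? ' ' : '\n');
    printf("\noriginal ok=%d  rebuilt ok=%d\n",
           decode_stub(ORIGINAL_STUB, sizeof ORIGINAL_STUB, patch_va).ok,
           decode_stub(buf, n, patch_va).ok);
    return 0;
}
```

On Windows the whole buffer goes into the target with a single `WriteProcessBYTES(hprocess, PatchAddress, buf, n)` rather than two writes at hand-picked offsets. Deriving the string address from `STUB_CODE_LEN` also removes the mismatch visible in the thread between `mov ebx, 15h` (0x15 = 21) in the asm and `PatchAddress+15` (decimal) in the write call.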