im injecting the following code into my application using WriteProcessBytes and then rerouting WinProc to execute it (and rerouting WinProc back to where it was afterwards of course). the code is written to the base address plus an offset of 400. here is the asm code im using:

void _declspec(naked) AsmCode(void)
{
   __asm {
mov   eax, LOADLIBRARY
mov   ebx, 15h //Offset to dll filename

push   ebx
call   eax
pop   ebx

int   3h   //Breakpoint
   }
}


also, heres the code in bytes:

CHAR CodePage[4096] =
{   0xB8, 0x00, 0x00, 0x00, 0x00,   // mov EAX, Pointer to LoadLibraryA() (DWORD)
   0xBB, 0x15, 0x00, 0x00, 0x00,   // mov EBX, offset to dllname to inject (DWORD)
   0x53,                     // push EBX
   0xFF, 0xD0,                  // call EAX
   0x5b,                     // pop EBX
   0xcc                     // INT 3h
};


when the code crashes, it breaks on some address that i dont think should be being called (aim.004019C4). this is the code above but being shown in the debugger:

004003FF 008B 4C2404E8 ADD [BYTE DS:EBX+E804244C],CL
00400405 BB 15000000 MOV EBX,15
0040040A 53 PUSH EBX
0040040B FFD0 CALL EAX
0040040D 5B POP EBX
0040040E CC INT3


the top line doesnt look like the asm im injecting. i think im doing all this right. im writing the code in an unused spot, appending the dll filename to the end of the code, and my dll offset should be correct. yet it still crashes. does anyone have an answer to my question? btw dont get mad if i did or said something stupid i am new to this :)

im using AIM for practice ;)

Are you writng all the machine code to the target process? It looks like you aren''t writing the first 5 bytes of it...

Are you writing your machine code to a place in the target process that is not being used? It appears that you aren't...

Try showing us the code where you call WriteProcessMemory etc

i am writing it all to a blank spot in the target process. the base address+400 (which is what im writing to) is a blank spot.

this is what im using to write it:

// Patch in our code
WriteProcessBYTES(hprocess, PatchAddress, &AsmCode, 15);
      
// Patch in full path+filename to dll
GetCurrentDirectory(255, dllFullName);
strcat(dllFullName, "\\inject.dll");

// Write our DLL file to the end of our code
WriteProcessBYTES(hprocess, PatchAddress+15, dllFullName, strlen(dllFullName)+1);

i agree with you i think the top line is screwing up and if you look at the second line i think one of the bytes from the first line carried over to the second. when i used my memory viewer, everything looked just as i wanted it to (before winproc was intercepted and the injected code was executed).

and as you probably know, write/readprocess bytes is this:
//////////////////////////////////////////////////////////////////////
// WriteProcessBYTES()
// -------------------------------------------------------------------
// Originally mousepads code
//////////////////////////////////////////////////////////////////////
void WriteProcessBYTES(HANDLE hProcess, DWORD lpAddress, void* buf, int len)
{
   DWORD oldprot,dummy = 0;
   VirtualProtectEx(hProcess, (void*) lpAddress, len, PAGE_READWRITE, &oldprot);
   WriteProcessMemory(hProcess, (void*) lpAddress, buf, len, 0);
   VirtualProtectEx(hProcess, (void*) lpAddress, len, oldprot, &dummy);
}

//////////////////////////////////////////////////////////////////////
// ReadProcessBYTES()
// -------------------------------------------------------------------
// Originally mousepads code
//////////////////////////////////////////////////////////////////////
void ReadProcessBYTES(HANDLE hProcess, DWORD lpAddress, void* buf, int len)
{
   DWORD oldprot, dummy = 0;
   VirtualProtectEx(hProcess, (void*) lpAddress, len, PAGE_READWRITE, &oldprot);
   ReadProcessMemory(hProcess, (void*) lpAddress, buf, len, 0);
   VirtualProtectEx(hProcess, (void*) lpAddress, len, oldprot, &dummy);
}

I don't see where you set the loadlibrary address.

I don't see how 0x15 would point at anything useful.

You seem to have swapped nibbles if you get 8B instead of B8 in the disassembly.

Note that your disassembly is starting at 4003FF instead of 400400.

0x15 should be the offset to the dllname. the line right above it is setting eax to the location of loadlibrary.

Well it looks to me like you are patching in AsmCode (which should still work in theory) and not CodePage.
[code]
// Patch in our code
WriteProcessBYTES(hprocess, PatchAddress, &AsmCode, 15);
[/code]

Additionally, 0x15 will not point to anything useful... I am thinking that PatchAdress+0x15 will. Use GetProcAddress to get LoadLibraries address. Then you can write a struct at BaseAddress+??? that contains a pointer to LoadLibrary and the dll location. etc... etc...

[quote author=TheMinistered link=board=5;threadid=2693;start=0#msg21225 date=1063551643]
Additionally, 0x15 will not point to anything useful... I am thinking that PatchAdress+0x15 will.
[/quote]

Exactly what I was thinking!

What is the value of PatchAdress?

[ot]

Could someone give me a snippet of injecting a DLL and replacing an API call? I really can't figure it out...

[quote author=St0rm.iD link=board=5;threadid=2693;start=0#msg21281 date=1063586621]
[ot]

Could someone give me a snippet of injecting a DLL and replacing an API call? I really can't figure it out...
[/quote]

See my question on the asm forum regarding using IX86.dll files. Adron/somebody else demonstrated how to patch over some api call.

[/ot]

'Twas me.
https://davnit.net/bnet/vL/phpbbs/index.php?board=7;action=display;threadid=1882