Announcement

**Kev Peel** · 24 Aug 2005, 07:00 PM

For a start, all the LONG PTR variables are DWORDs, not pointers. Also - the ReplaceRef should look like the following...

Code:

SUB ReplaceRef(BYREF mLoc AS LONG, BYVAL what AS LONG)

It is hard to read the code in your post without [ CODE ] and [ /CODE ] tags (without the spaces)

------------------
contact me
kgpsoftware.com - Free and Commercial Software

**Kev Peel** · 24 Aug 2005, 07:03 PM

Also, it seems that oldproc is a global variable that stores the original procedure handle so you would need it declared as GLOBAL oldproc AS DWORD, instead of local.

------------------
contact me
kgpsoftware.com - Free and Commercial Software

**Joey Burgett** · 24 Aug 2005, 07:44 PM

Sorry about the [ code ] [ /code ] -- i edited the post.

I made the changes you suggested but still nothing

------------------

**Kev Peel** · 24 Aug 2005, 07:47 PM

Thanks. Another thing you could try is adding FUNCTION = %TRUE before the end of LIBMAIN. The DLL will not load otherwise.

------------------
contact me
kgpsoftware.com - Free and Commercial Software

**Joey Burgett** · 24 Aug 2005, 08:07 PM

Actually thats in there. I just didn't copy/paste it as its a
default for the template.

Maybe if I post the working dll/exe in its entirety..

This one injects the dll.
[CODE]
#include <iostream>
#include "windows.h"
using namespace std;

void hookin(HANDLE hProcess)
{
HANDLE hThread;
char dllfilename[255];

void* threadnewarea;

DWORD hLibModule;
HMODULE hKernel32 =GetModuleHandle("Kernel32");

strcpy(dllfilename,"c:\\mydll.dll");

threadnewarea = VirtualAllocEx( hProcess, NULL, sizeof(dllfilename), MEM_COMMIT, PAGE_READWRITE );
WriteProcessMemory( hProcess, threadnewarea, (void*)dllfilename, sizeof(dllfilename), NULL );

hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) GetProcAddress( hKernel32, "LoadLibraryA" ), threadnewarea, 0, NULL );
WaitForSingleObject( hThread, INFINITE );

GetExitCodeThread( hThread, &hLibModule );

CloseHandle( hThread );
VirtualFreeEx( hProcess, threadnewarea, sizeof(dllfilename), MEM_RELEASE );
}

PROCESS_INFORMATION pi;

int main()
{
DWORD procid;
HWND h=FindWindow(0,"ApplicationName");
GetWindowThreadProcessId(h,&procid);
pi.hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,procid);

hookin(pi.hProcess);
}

This one is the dll to be injected:

Code:

#include "windows.h"
#include <iostream>
#include <string>
#include <fstream>
using namespace std;

typedef int (__stdcall *recvfunc)(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen);
recvfunc oldproc;

void replaceref(long* loc, long what)
{
				if(IsBadWritePtr(loc, 4))
				{
					DWORD dwOld, dw;
					VirtualProtect(loc, 4, PAGE_EXECUTE_READWRITE, &dwOld);
					oldproc=(recvfunc)(*loc);
					*(loc)=what;
					cout << "\nAddress as:   %p\n"<<&loc<<" bytes)."<<endl;
					VirtualProtect(loc, 4, dwOld, &dw);
				}
				else
				{
					*(loc)=what;
					cout << "\nAddress as:   %p\n"<<&loc<<" bytes)."<<endl;
				}
}

void out(string str)
{
	DWORD dw;
	WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE),str.c_str(),str.length(),&dw,0);
}

int id;

int __stdcall replacement_recvfrom(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen)
{
	int res=oldproc(s,buf,len,flags,from,fromlen);
	if (res>0)
	{
	string st;
	st="Recieved info (";
	st+=res;
	st+=" bytes).\n";
//	out(st);
	cout << "Recieved info (%i"<<len<<" bytes)."<<endl;
	return(res);
	}
}

BOOL APIENTRY DllMain( HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		id=0;
		AllocConsole();
		replaceref((long*)0x74FFFF,(long)replacement_recvfrom);
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
    return TRUE;
}

This is my interpretation of the DLL loader in PB:

Code:

#COMPILE EXE
#DIM ALL
#INCLUDE "win32api.inc"

GLOBAL PI AS PROCESS_INFORMATION

FUNCTION PBMAIN () AS LONG

    LOCAL procID AS DWORD
    LOCAL lHwnd AS DWORD
    LOCAL hProcess AS DWORD
    lhwnd=findwindow("", "ApplicationName")
    GetWindowThreadProcessID(lhwnd, procid)
    pi.hProcess=openprocess(%process_all_access,0,procid)
    CALL hookin(pi.hprocess)

END FUNCTION

SUB hookin(hprc AS DWORD)
    LOCAL hThread AS DWORD
    LOCAL DLLFilename AS ASCIIZ * 17
    LOCAL TheNewArea AS DWORD
    LOCAL hLibModule AS DWORD
    LOCAL hKernel32 AS DWORD
    hkernel32=getmodulehandle("KERNEL32.dll")
    dllfilename="INJECTUPDATE.DLL"

    TheNewArea=virtualallocex(hprc,BYVAL %null,LEN(dllfilename),%mem_commit,%PAGE_READWRITE)
    writeprocessmemory(hprc,thenewarea,dllfilename,LEN(dllfilename),0)
    hThread = CreateRemoteThread(hPrc, BYVAL %Null, 0, GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA"), thenewarea, 0, 0)
    WaitForSingleObject(hThread, %INFINITE)
    GetExitCodeThread(hthread,hlibmodule)

    CloseHandle(hThread)
    VirtualFreeEx(hPrc, hkernel32, 0, %MEM_RELEASE)
    CloseHandle(hPrc)
END SUB

And finally, the DLL

Code:

#COMPILE DLL
#DIM ALL

%USEMACROS = 1
#INCLUDE "Win32API.inc"
#INCLUDE "W2_32.inc"

GLOBAL ghInstance AS DWORD

DECLARE FUNCTION recvfunc (BYVAL s AS DWORD, buf AS ANY, BYVAL buflen AS LONG, BYVAL flags AS LONG, saFrom AS SOCKADDR, fromlen AS LONG) AS LONG
GLOBAL res AS LONG
GLOBAL OldProc AS DWORD

SUB ReplaceRef (BYREF mLoc AS LONG, what AS LONG)
    DIM dwOld AS DWORD
    DIM dw AS  DWORD
    MSGBOX STR$(mloc) & " " & STR$(what)
    VirtualProtect(mLoc,4,%PAGE_EXECUTE_READWRITE,dwOld)
    oldproc=mloc&
    @mloc=what
    VirtualProtect(mloc, 4, dwOld, dw)
END SUB

FUNCTION replacement_recvfrom(BYVAL s AS DWORD,BYVAL buf AS BYTE, BYVAL buflen AS LONG, BYVAL flags AS LONG, saFrom AS SOCKADDR, fromlen AS LONG) AS LONG
    res=recvfrom(s,buf,buflen,flags,safrom,fromlen)
    DIM st AS STRING
    st="Recieved info ("
    st=st & STR$(res)
    st=st & " bytes).\n"
    MSGBOX STR$(buflen)
    FUNCTION=res
END FUNCTION

FUNCTION LIBMAIN (BYVAL hInstance   AS LONG, _
                  BYVAL fwdReason   AS LONG, _
                  BYVAL lpvReserved AS LONG) AS LONG
    SELECT CASE fwdReason
    CASE %DLL_PROCESS_ATTACH
        ghInstance = hInstance
        MSGBOX STR$(CODEPTR(replacement_recvfrom))
        replaceref(&H74FFFF,CODEPTR(replacement_recvfrom))
        FUNCTION = 1   'success!
    CASE %DLL_PROCESS_DETACH
        FUNCTION = 1   'success!
    CASE %DLL_THREAD_ATTACH
        FUNCTION = 1   'success!
    CASE %DLL_THREAD_DETACH
        FUNCTION = 1   'success!
    END SELECT
END FUNCTION

------------------

[This message has been edited by Joey Burgett (edited August 24, 2005).]

**Kev Peel** · 24 Aug 2005, 08:37 PM

There must be a third program that creates a window titled "ApplicationName". I can't get the DLL to work without it.

------------------
contact me
kgpsoftware.com - Free and Commercial Software

**Joey Burgett** · 24 Aug 2005, 08:39 PM

Yeah the actual program this is being injected into

Guess i'm screwed

Anything that uses recvfrom from ws2_32. Just use PE Explorer to
see the memory address in the exe that function is located, change
the address in replaceref and change the application name to the name
of the exe with the function.

[This message has been edited by Joey Burgett (edited August 24, 2005).]

**Joey Burgett** · 25 Aug 2005, 10:33 PM

I've seen other versions of accomplishing what I'm trying to do.

Seeing as PB supports inline ASM, can anyone tell me the
inline ASM i'd need to replace the outside programs function with
the address of mine? (and vicaversa)

Thanks!

------------------

Announcement

Injection (?) Question....

Injection (?) Question....

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment