Injection (?) Question....

  • Injection (?) Question....

    I have a working C++ DLL that I would like to convert to a PB DLL.
    The function works fine in C, btw.

    What it does is hook/inject (dunno which this is really considered)
    a function that is pointed to a function's address retrieved from PE Explorer.

    For instance: 74B4FF is the address of the function we're replacing in the outside
    application. The function declares an identical version but directs the address
    of this new function to 74B4FF so when the original program uses that function,
    it calls our custom version instead.

    Orig function example: (in C++)
    Code:
    int __stdcall replacement_recvfrom(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen)
    Our custom function: (in C++)
    Code:
    typedef int (__stdcall *recvfunc)(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen);
    recvfunc oldproc;
    The two functions addresses are swapped using: (in C++)
    Code:
    void replaceref(long* loc, long what)
    {
        // Save the original pointer before the slot is overwritten, so the
        // replacement can always forward to it (whichever branch runs below).
        oldproc = (recvfunc)(*loc);
        // IsBadWritePtr returns non-zero when the 4-byte slot is NOT writable,
        // so only that case needs the protection change.
        if (IsBadWritePtr(loc, 4))
        {
            DWORD dwOld, dw;
            VirtualProtect(loc, 4, PAGE_EXECUTE_READWRITE, &dwOld);
            *loc = what;
            VirtualProtect(loc, 4, dwOld, &dw);
        }
        else
        {
            *loc = what;
        }
    }
    The next is the handling of our custom function:
    Code:
    int __stdcall replacement_recvfrom(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen)
    {
        // We call the original function as we're only interested in the
        // parameter values the original function receives.
        int res = oldproc(s, buf, len, flags, from, fromlen);
        if (res > 0)
        {
            // res is the number of bytes received; len is only the buffer size.
            cout << "Received info (" << res << " bytes)." << endl;
        }
        return res;   // always hand the original result back to the caller
    }
    And here is where it gets initiated in the DLL
    Code:
    	case DLL_PROCESS_ATTACH:
    	//0x1234FF example base function address to replace
    		id=0;
    		AllocConsole();
    		replaceref((long*)0x1234FF,(long)replacement_recvfrom);
    How can I get this to do the same in PB? Here's how I interpret the above:
    Code:
    SUB ReplaceRef (BYREF mLoc AS LONG POINTER, BYREF what AS LONG POINTER)
        DIM dwOld AS LONG PTR
        DIM dw AS LONG PTR
        DIM oldproc AS LONG PTR
        VirtualProtect(mLoc,4,%PAGE_EXECUTE_READWRITE,dwOld)
        oldproc=mloc&  ' Since we want the ptr we do reference??
        mloc=what&   
        msgbox str$(mloc&) & " " & str$(what&)
        VirtualProtect(mloc&, 4, dwOld, dw)
    END SUB
            
    FUNCTION replacement_recvfrom(BYVAL s AS DWORD,BYVAL buf AS BYTE, BYVAL buflen AS LONG, BYVAL flags AS LONG, saFrom AS SOCKADDR, fromlen AS LONG) AS LONG
        res=recvfrom(s,buf,buflen,flags,safrom,fromlen)
        MSGBOX STR$(buflen)
    END FUNCTION
    
    FUNCTION LIBMAIN (BYVAL hInstance   AS LONG, _
                      BYVAL fwdReason   AS LONG, _
                      BYVAL lpvReserved AS LONG) AS LONG
        SELECT CASE fwdReason
        CASE %DLL_PROCESS_ATTACH
            ghInstance = hInstance
            replaceref(&H1234FF,CODEPTR(replacement_recvfrom))
        END SELECT
    END FUNCTION
    And it doesn't work (surprise!) - Any help would be greatly appreciated...

    Thanks!!

    ------------------


    [This message has been edited by Joey Burgett (edited August 24, 2005).]
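    Added here as an illustration, not code from the thread: the hook above works by overwriting one 4-byte import slot so that it no longer points into ws2_32.dll, and the cheapest check a defender has is to walk every import slot and confirm it resolves inside the module expected to export it. The module map, the forwarder entry and the slot snapshot are constructed sample values, not taken from a real process.

```python
"""Integrity check for import slots, the thing the DLL above overwrites.

Each slot should resolve into the module that exports the function; a slot
pointing into some other module (here the injected DLL) is a hook. Known
export forwarders (e.g. kernel32 -> ntdll) must be allowed, or the check
false-positives. All addresses and modules below are constructed examples."""

# Constructed 32-bit module map: name -> (base, size).
MODULES = {
    "app.exe":      (0x00400000, 0x00380000),
    "ws2_32.dll":   (0x71A00000, 0x00017000),
    "kernel32.dll": (0x7C800000, 0x000F6000),
    "ntdll.dll":    (0x7C900000, 0x000B2000),
    "mydll.dll":    (0x10000000, 0x00008000),   # the injected DLL
}

# Example forwarder entry: (exporting module, name) -> module that really
# implements it. kernel32!HeapAlloc forwards to ntdll on many Windows builds.
FORWARDERS = {("kernel32.dll", "HeapAlloc"): "ntdll.dll"}

def module_for(addr, modules=MODULES):
    """Name of the module whose mapped range contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

def check_import_slots(slots, modules=MODULES, forwarders=FORWARDERS):
    """slots: iterable of (exporting module, import name, current slot value).
    Returns [(import name, expected module, actual module)] for every slot
    that does not resolve into the module expected to implement it."""
    findings = []
    for exporter, name, value in slots:
        expected = forwarders.get((exporter, name), exporter)
        actual = module_for(value, modules)
        if actual != expected:
            findings.append((name, expected, actual))
    return findings

# Constructed IAT snapshot of app.exe after a recvfrom hook was installed.
SNAPSHOT = [
    ("ws2_32.dll",   "recvfrom",       0x10001040),  # patched: inside mydll.dll
    ("ws2_32.dll",   "sendto",         0x71A02A1B),
    ("kernel32.dll", "HeapAlloc",      0x7C910000),  # forwarder: ntdll is fine
    ("kernel32.dll", "GetProcAddress", 0x7C80AE40),
]

if __name__ == "__main__":
    for name, expected, actual in check_import_slots(SNAPSHOT):
        print(f"{name}: expected {expected}, slot resolves to {actual}")
```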

  • #2
    For a start, all the LONG PTR variables are DWORDs, not pointers. Also - the ReplaceRef should look like the following...

    Code:
    SUB ReplaceRef(BYREF mLoc AS LONG, BYVAL what AS LONG)
    It is hard to read the code in your post without [ CODE ] and [ /CODE ] tags (without the spaces)

    ------------------
    contact me
    kgpsoftware.com - Free and Commercial Software
    kgpsoftware.com | Slam DBMS | PrpT Control | Other Downloads | Contact Me



    • #3
      Also, it seems that oldproc is a global variable that stores the original procedure handle so you would need it declared as GLOBAL oldproc AS DWORD, instead of local.



      • #4
        Sorry about the [ code ] [ /code ] -- I edited the post.

        I made the changes you suggested but still nothing.



        ------------------



        • #5
          Thanks. Another thing you could try is adding FUNCTION = %TRUE before the end of LIBMAIN. The DLL will not load otherwise.



          • #6
            Actually that's in there. I just didn't copy/paste it as it's a
            default for the template.

            Maybe if I post the working dll/exe in its entirety..

            This one injects the dll.
            Code:
            #include <iostream>
            #include "windows.h"
            using namespace std;

            void hookin(HANDLE hProcess)
            {
            HANDLE hThread;
            char dllfilename[255];

            void* threadnewarea;

            DWORD hLibModule;
            HMODULE hKernel32 =GetModuleHandle("Kernel32");

            strcpy(dllfilename,"c:\\mydll.dll");

            threadnewarea = VirtualAllocEx( hProcess, NULL, sizeof(dllfilename), MEM_COMMIT, PAGE_READWRITE );
            WriteProcessMemory( hProcess, threadnewarea, (void*)dllfilename, sizeof(dllfilename), NULL );


            hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) GetProcAddress( hKernel32, "LoadLibraryA" ), threadnewarea, 0, NULL );
            WaitForSingleObject( hThread, INFINITE );

            GetExitCodeThread( hThread, &hLibModule );

            CloseHandle( hThread );
            VirtualFreeEx( hProcess, threadnewarea, sizeof(dllfilename), MEM_RELEASE );
            }

            PROCESS_INFORMATION pi;

            int main()
            {
            DWORD procid;
            HWND h=FindWindow(0,"ApplicationName");
            GetWindowThreadProcessId(h,&procid);
            pi.hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,procid);

            hookin(pi.hProcess);
            }

            This one is the dll to be injected:
            Code:
            #include "windows.h"
            #include <iostream>
            #include <string>
            #include <fstream>
            using namespace std;
            
            typedef int (__stdcall *recvfunc)(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen);
            recvfunc oldproc;
            
            void replaceref(long* loc, long what)
            {
                // Save the original pointer before the slot is overwritten, so the
                // replacement can always forward to it (whichever branch runs below).
                oldproc = (recvfunc)(*loc);
                // IsBadWritePtr returns non-zero when the 4-byte slot is NOT writable,
                // so only that case needs the protection change.
                if (IsBadWritePtr(loc, 4))
                {
                    DWORD dwOld, dw;
                    VirtualProtect(loc, 4, PAGE_EXECUTE_READWRITE, &dwOld);
                    *loc = what;
                    VirtualProtect(loc, 4, dwOld, &dw);
                }
                else
                {
                    *loc = what;
                }
                // Report the slot that was patched (loc), not the address of the local.
                cout << "\nPatched slot at " << (void*)loc << endl;
            }
            
            void out(string str)
            {
            	DWORD dw;
            	WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE),str.c_str(),str.length(),&dw,0);
            }
            
            int id;
            
            int __stdcall replacement_recvfrom(SOCKET s,char *buf,int len,int flags,struct sockaddr *from,int *fromlen)
            {
                // Call the original recvfrom; we only want to observe its result.
                int res = oldproc(s, buf, len, flags, from, fromlen);
                if (res > 0)
                {
                    // Stream the number directly: "st += res" would append a single
                    // char, not the digits. res is bytes received, len is buffer size.
                    cout << "Received info (" << res << " bytes)." << endl;
                }
                return res;   // always return the original result
            }
            
            BOOL APIENTRY DllMain( HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
            {
            	switch (ul_reason_for_call)
            	{
            	case DLL_PROCESS_ATTACH:
            		id=0;
            		AllocConsole();
            		replaceref((long*)0x74FFFF,(long)replacement_recvfrom);
            	case DLL_THREAD_ATTACH:
            	case DLL_THREAD_DETACH:
            	case DLL_PROCESS_DETACH:
            		break;
            	}
                return TRUE;
            }
            This is my interpretation of the DLL loader in PB:
            Code:
            #COMPILE EXE
            #DIM ALL
            #INCLUDE "win32api.inc"
            
            GLOBAL PI AS PROCESS_INFORMATION
            
            FUNCTION PBMAIN () AS LONG
            
                LOCAL procID AS DWORD
                LOCAL lHwnd AS DWORD
                LOCAL hProcess AS DWORD
                lhwnd=findwindow("", "ApplicationName")
                GetWindowThreadProcessID(lhwnd, procid)
                pi.hProcess=openprocess(%process_all_access,0,procid)
                CALL hookin(pi.hprocess)
            
            END FUNCTION
            
            SUB hookin(hprc AS DWORD)
                LOCAL hThread AS DWORD
                LOCAL DLLFilename AS ASCIIZ * 17
                LOCAL TheNewArea AS DWORD
                LOCAL hLibModule AS DWORD
                LOCAL hKernel32 AS DWORD
                hkernel32=getmodulehandle("KERNEL32.dll")
                dllfilename="INJECTUPDATE.DLL"
            
                TheNewArea=virtualallocex(hprc,BYVAL %null,LEN(dllfilename),%mem_commit,%PAGE_READWRITE)
                writeprocessmemory(hprc,thenewarea,dllfilename,LEN(dllfilename),0)
                hThread = CreateRemoteThread(hPrc, BYVAL %Null, 0, GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA"), thenewarea, 0, 0)
                WaitForSingleObject(hThread, %INFINITE)
                GetExitCodeThread(hthread,hlibmodule)
            
                CloseHandle(hThread)
                VirtualFreeEx(hPrc, hkernel32, 0, %MEM_RELEASE)
                CloseHandle(hPrc)
            END SUB
            And finally, the DLL
            Code:
            #COMPILE DLL
            #DIM ALL
            
            %USEMACROS = 1
            #INCLUDE "Win32API.inc"
            #INCLUDE "W2_32.inc"
            
            GLOBAL ghInstance AS DWORD
            
            DECLARE FUNCTION recvfunc (BYVAL s AS DWORD, buf AS ANY, BYVAL buflen AS LONG, BYVAL flags AS LONG, saFrom AS SOCKADDR, fromlen AS LONG) AS LONG
            GLOBAL res AS LONG
            GLOBAL OldProc AS DWORD
            
            SUB ReplaceRef (BYREF mLoc AS LONG, what AS LONG)
                DIM dwOld AS DWORD
                DIM dw AS  DWORD
                MSGBOX STR$(mloc) & " " & STR$(what)
                VirtualProtect(mLoc,4,%PAGE_EXECUTE_READWRITE,dwOld)
                oldproc=mloc&
                @mloc=what
                VirtualProtect(mloc, 4, dwOld, dw)
            END SUB
            
            FUNCTION replacement_recvfrom(BYVAL s AS DWORD,BYVAL buf AS BYTE, BYVAL buflen AS LONG, BYVAL flags AS LONG, saFrom AS SOCKADDR, fromlen AS LONG) AS LONG
                res=recvfrom(s,buf,buflen,flags,safrom,fromlen)
                DIM st AS STRING
                st="Recieved info ("
                st=st & STR$(res)
                st=st & " bytes).\n"
                MSGBOX STR$(buflen)
                FUNCTION=res
            END FUNCTION
            
            FUNCTION LIBMAIN (BYVAL hInstance   AS LONG, _
                              BYVAL fwdReason   AS LONG, _
                              BYVAL lpvReserved AS LONG) AS LONG
                SELECT CASE fwdReason
                CASE %DLL_PROCESS_ATTACH
                    ghInstance = hInstance
                    MSGBOX STR$(CODEPTR(replacement_recvfrom))
                    replaceref(&H74FFFF,CODEPTR(replacement_recvfrom))
                    FUNCTION = 1   'success!
                CASE %DLL_PROCESS_DETACH
                    FUNCTION = 1   'success!
                CASE %DLL_THREAD_ATTACH
                    FUNCTION = 1   'success!
                CASE %DLL_THREAD_DETACH
                    FUNCTION = 1   'success!
                END SELECT
            END FUNCTION
            ------------------


            [This message has been edited by Joey Burgett (edited August 24, 2005).]

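            Added here as an illustration, not code from the thread: the injector above follows a fixed call chain (OpenProcess, VirtualAllocEx, WriteProcessMemory of the DLL path, CreateRemoteThread with LoadLibraryA as the start routine and the written buffer as its argument), and that chain is what a sensor can key on. The trace format, PIDs and addresses below are a constructed, simplified API-call log, not the output of any real product.

```python
"""Behavioural detection of LoadLibrary remote-thread DLL injection.

A remote thread on its own is not conclusive (debuggers create them too); the
strong signal is a CreateRemoteThread whose start routine is LoadLibrary* and
whose argument is a buffer the same source process allocated and wrote in the
target just before. Events are plain dicts from a constructed trace."""
from collections import defaultdict

LOADLIB = {"LoadLibraryA", "LoadLibraryW"}

def detect_loadlibrary_injection(trace):
    """Return [(source_pid, target_pid, thread_param)] for every
    CreateRemoteThread that completes the chain described above. Calls are
    examined in trace order, so state is kept per (source, target) pair."""
    alloced = defaultdict(set)   # (src, dst) -> remote buffers src allocated in dst
    written = defaultdict(set)   # (src, dst) -> those buffers src also wrote to
    hits = []
    for ev in trace:
        key = (ev["pid"], ev["target_pid"])
        api = ev["api"]
        if api == "VirtualAllocEx":
            alloced[key].add(ev["address"])
        elif api == "WriteProcessMemory" and ev["address"] in alloced[key]:
            written[key].add(ev["address"])
        elif api == "CreateRemoteThread":
            if ev["start_routine"] in LOADLIB and ev["param"] in written[key]:
                hits.append((ev["pid"], ev["target_pid"], ev["param"]))
    return hits

# Constructed trace: PID 1234 injects into PID 4321; PID 999 is a debugger-like
# process whose remote thread does not start at LoadLibrary and is ignored.
SAMPLE_TRACE = [
    {"pid": 1234, "target_pid": 4321, "api": "OpenProcess", "access": "PROCESS_ALL_ACCESS"},
    {"pid": 1234, "target_pid": 4321, "api": "VirtualAllocEx", "address": 0x003A0000, "size": 255},
    {"pid": 1234, "target_pid": 4321, "api": "WriteProcessMemory", "address": 0x003A0000, "size": 255},
    {"pid": 1234, "target_pid": 4321, "api": "CreateRemoteThread",
     "start_routine": "LoadLibraryA", "param": 0x003A0000},
    {"pid": 999, "target_pid": 4321, "api": "CreateRemoteThread",
     "start_routine": "DbgUiRemoteBreakin", "param": 0},
]

if __name__ == "__main__":
    for src, dst, arg in detect_loadlibrary_injection(SAMPLE_TRACE):
        print(f"PID {src} loaded a DLL into PID {dst} via LoadLibrary (path buffer {arg:#010x})")
```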


            • #7
              There must be a third program that creates a window titled "ApplicationName". I can't get the DLL to work without it.



              • #8
                Yeah, the actual program this is being injected into.

                Guess I'm screwed.

                Anything that uses recvfrom from ws2_32. Just use PE Explorer to
                see the memory address in the exe where that function is located, change
                the address in replaceref and change the application name to the name
                of the exe with the function.


                [This message has been edited by Joey Burgett (edited August 24, 2005).]



                • #9
                  I've seen other versions of accomplishing what I'm trying to do.

                  Seeing as PB supports inline ASM, can anyone tell me the
                  inline ASM I'd need to replace the outside program's function with
                  the address of mine? (and vice versa)

                  Thanks!

                  ------------------
