flat assembler
Message board for the users of flat assembler.
asmcoder
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total
sleepsleep
Quote:
Why not share a little bit of the idea? Thank you.
LocoDelAssembly
WriteProcessMemory+CreateRemoteThread will probably do it, but what do you want to do with that hook?
asmcoder
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total
sleepsleep
There is an application that somebody sold to my client, but a button inside that application doesn't work as expected (actually, it is not working at all), so I need to hack this application and provide that function when the user presses that button.
asmcoder
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total
sleepsleep
Thanks for the info, but I still have no solid idea yet on how to do it.

Let's say my dll autoruns through the registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="C:\\sleeping.dll". I am confused here: if I start brokenapp.exe, it would auto-link with my sleeping.dll, and if I start another patchapp.exe, it would link with sleeping.dll too. So could I now subclass brokenapp.exe from my patchapp.exe through sleeping.dll? Must the SetWindowLong be coded inside the dll, or could it be coded inside patchapp.exe? I am confused.
f0dder
VirtualAllocEx, WriteProcessMemory some code that calls LoadLibrary, CreateRemoteThread to execute the code. That'll get your DLL into the process, and the DLL can then be coded normally, without having to use hooks, without delta-tricks, and can use imports etc.
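The injection sequence LocoDelAssembly and f0dder describe, written out as an added example in fasm (this is not code from the thread). It assumes the target is the notepad.exe sleepsleep later switches to, located through its window class 'Notepad', and a hypothetical DLL path C:\auto.dll; everything else is the documented Win32 API as imported below.

```asm
; inject.asm - added example: map a DLL into another process with
; VirtualAllocEx + WriteProcessMemory + CreateRemoteThread(LoadLibraryA).
; Assumptions: target window class 'Notepad', DLL path C:\auto.dll (hypothetical).
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable

  targetClass db 'Notepad',0
  dllPath     db 'C:\auto.dll',0        ; hypothetical path, point it at your DLL
  dllPathLen  = $ - dllPath             ; byte count including the terminating zero
  k32         db 'kernel32.dll',0
  llName      db 'LoadLibraryA',0
  msgOk       db 'DLL mapped into target',0
  msgErr      db 'Injection failed',0
  szTitle     db 'inject',0

  hWnd        dd ?
  pid         dd ?
  hProc       dd ?
  pRemote     dd ?
  pLoadLib    dd ?
  hThread     dd ?
  written     dd ?

section '.code' code readable executable

start:
  ; 1. find the target process through one of its top-level windows
  invoke FindWindow,targetClass,NULL
  test eax,eax
  jz .fail
  mov [hWnd],eax
  invoke GetWindowThreadProcessId,[hWnd],pid
  ; 2. open it with just the rights the injection needs
  invoke OpenProcess,PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE+PROCESS_QUERY_INFORMATION,FALSE,[pid]
  test eax,eax
  jz .fail
  mov [hProc],eax
  ; 3. reserve memory in the target and copy the DLL path into it
  invoke VirtualAllocEx,[hProc],NULL,dllPathLen,MEM_COMMIT+MEM_RESERVE,PAGE_READWRITE
  test eax,eax
  jz .fail
  mov [pRemote],eax
  invoke WriteProcessMemory,[hProc],[pRemote],dllPath,dllPathLen,written
  test eax,eax
  jz .fail
  ; 4. resolve LoadLibraryA locally; kernel32 is mapped at the same base in
  ;    every process of one boot session, so the address is valid in the target
  invoke GetModuleHandle,k32
  invoke GetProcAddress,eax,llName
  test eax,eax
  jz .fail
  mov [pLoadLib],eax
  ; 5. start a thread in the target whose entry is LoadLibraryA(pRemote)
  invoke CreateRemoteThread,[hProc],NULL,0,[pLoadLib],[pRemote],0,NULL
  test eax,eax
  jz .fail
  mov [hThread],eax
  invoke WaitForSingleObject,[hThread],INFINITE
  ; 6. the DLL stays loaded; the path buffer is no longer needed
  invoke VirtualFreeEx,[hProc],[pRemote],0,MEM_RELEASE
  invoke CloseHandle,[hThread]
  invoke CloseHandle,[hProc]
  invoke MessageBox,NULL,msgOk,szTitle,MB_OK
  invoke ExitProcess,0
.fail:
  invoke MessageBox,NULL,msgErr,szTitle,MB_ICONERROR
  invoke ExitProcess,1

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  import kernel32,\
         OpenProcess,'OpenProcess',\
         VirtualAllocEx,'VirtualAllocEx',\
         VirtualFreeEx,'VirtualFreeEx',\
         WriteProcessMemory,'WriteProcessMemory',\
         GetModuleHandle,'GetModuleHandleA',\
         GetProcAddress,'GetProcAddress',\
         CreateRemoteThread,'CreateRemoteThread',\
         WaitForSingleObject,'WaitForSingleObject',\
         CloseHandle,'CloseHandle',\
         ExitProcess,'ExitProcess'

  import user32,\
         FindWindow,'FindWindowA',\
         GetWindowThreadProcessId,'GetWindowThreadProcessId',\
         MessageBox,'MessageBoxA'
```

Because the remote thread runs LoadLibraryA, the DLL's DllEntryPoint executes inside the target, where it can call SetWindowLong on the target's own windows. Two caveats: a 32-bit injector cannot inject into a 64-bit process, and from Vista on OpenProcess fails against a process at a higher integrity level (the point comrade raises later in the thread). CreateRemoteThread into a foreign process is also exactly the pattern endpoint protection looks for, so expect it to be logged or blocked on a managed machine.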
Pinecone_
sleepsleep wrote: must the SetWindowLong be coded inside the dll? or could it be coded inside patchapp.exe?

SetWindowLong can be used from patchapp.exe as long as patchapp.exe knows the address of the procedure inside your dll in the address space of brokenapp.exe (the base address could be found through EnumProcessModules, then you could add the static offset).

I think you should make a loader or patch the import table to load your dll instead of using that registry key, to avoid the unnecessary overhead of your dll being loaded into every process.

sleepsleep wrote: i prefer a simple and easy solution.

If you don't mind the overhead, maybe try a system-wide CBT hook: your dll will be loaded into every process and will be notified whenever any window is created. You could change the wndproc of the window you want then, and the hook will already be in the right address space, no need to muck around with VirtualAlloc, WriteProcessMemory or anything other than SetWindowsHookEx. Still, a loader or modified import table would avoid having to have patchapp.exe running all the time and avoid the dll being loaded into every process.
sleepsleep
Sigh, oh man, my idea doesn't work.

Error 5 during SetWindowLong, ERROR_ACCESS_DENIED. But shouldn't it work... I coded the SetWindowLong inside the dll... arghhh, not working. I put an OutputDebugString on DLL_PROCESS_ATTACH, and I could see brokenapp.exe attach to my dll. But why do I still get such an error? Isn't it weird?
comrade
Can you share the relevant part of the code?
sleepsleep
Quote:
No problem at all, sharing the full source here. I changed brokenapp.exe to notepad.exe.

I use these .reg files to turn AppInit_DLLs on and off inside the VM.

on.reg
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\auto.dll"

off.reg
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Turning it on or off requires a reboot of the test machine; I do it inside a VM. I use debugview.exe /c /s. Currently, the output I get from debugview is like below.

Steps
------
1. Link up debugview.exe /c /s
2. Start c:\caller.exe
3. Start notepad.exe

Debugview wrote:
sleepsleep
Sigh,

I tried the old method, a CBT hook in the dll, and to my surprise I get Error 5, Failed SetWindowLong, too!!... ??? ERROR_ACCESS_DENIED. I don't know what is going on. Full source attached: win32hook.txt = the CBT hook inside the dll, patch.txt = a generic window application to install the hook. I reduced all the code to the bare minimum that just produces the result of setting the hook and calling SetWindowLong to subclass.
sleepsleep
After hours, I think I discovered the one whole truth...

You guys try to figure it out.
comrade
Processes at different integrity levels? UIPI?
sleepsleep
... I'll let out the tip.

The problem is here. It looks normal, but this is where the problem lies.

Code:
; DLL entry point as posted (behaviour unchanged); Trim_To_Last is defined
; elsewhere in the attached source and is run on every DLL_PROCESS_ATTACH
proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        ; copy this module's handle (its base in the current process) to a global
        push    [hinstDLL]
        pop     [instH]
        cmp     [fdwReason],DLL_PROCESS_ATTACH
        je      .attach
        cmp     [fdwReason],DLL_PROCESS_DETACH
        je      .detach
  .exit:
        mov     eax,TRUE                ; report success for every reason code
        ret
  .attach:
        stdcall Trim_To_Last            ; work done on attach, then fall into .exit
        jmp     .exit
  .detach:
        jmp     .exit
endp

Amazing, this cost me a few hours to detect. I learned something costly..
Pinecone_
I've learned that one the hard way too... several times.
comrade
So what's the problem?
sleepsleep
Quote:
Their value will change, and when using the SetWindowsHookEx API we might not be using the valid hinstDLL value, and thus ERROR_ACCESS_DENIED.
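The system-wide WH_CBT hook DLL that Pinecone_ suggested, with the module handle taken from hinstDLL in DLL_PROCESS_ATTACH and that stored value handed to SetWindowsHookEx, which is the detail sleepsleep's last post turns on. This is an added example in fasm, not the source attached to the thread. It assumes the window class 'Notepad' for the window to subclass and a hypothetical control ID IDC_BROKEN_BUTTON for the button to take over; the installer (patch.exe) is described after the code rather than shown.

```asm
; cbthook.asm - added example: WH_CBT hook DLL that subclasses a window from
; inside the process that owns it, so SetWindowLong(GWL_WNDPROC) is permitted.
; Assumptions: target class 'Notepad'; IDC_BROKEN_BUTTON is a hypothetical ID.
format PE GUI 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

IDC_BROKEN_BUTTON = 1001                ; hypothetical ID of the non-working button

section '.data' data readable writeable

  targetClass db 'Notepad',0
  hookMsg     db 'Button handled by the hook DLL',0
  className   rb 64
  instH       dd ?                      ; this module's base in the process it is mapped into
  hHook       dd ?                      ; only meaningful in the installing process
  oldProc     dd ?                      ; original wndproc, set in the hooked process

section '.code' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        cmp     [fdwReason],DLL_PROCESS_ATTACH
        jne     .done
        ; store the module handle before anything else runs; SetWindowsHookEx
        ; must receive this value, not some other HMODULE
        mov     eax,[hinstDLL]
        mov     [instH],eax
  .done:
        mov     eax,TRUE
        ret
endp

; exported; called by the installer after LoadLibrary/GetProcAddress
proc InstallHook
        invoke  SetWindowsHookEx,WH_CBT,CbtProc,[instH],0   ; 0 = all threads
        mov     [hHook],eax
        ret
endp

proc UninstallHook
        invoke  UnhookWindowsHookEx,[hHook]
        ret
endp

; CBT hook procedure; runs in whichever process creates a window
proc CbtProc nCode,wParam,lParam
        cmp     [nCode],HCBT_CREATEWND
        jne     .pass
        invoke  GetClassName,[wParam],className,64      ; wParam = new HWND
        invoke  lstrcmpi,className,targetClass
        test    eax,eax
        jnz     .pass
        cmp     dword [oldProc],0
        jne     .pass                                   ; already subclassed here
        ; we are now in the window's own process, so GWL_WNDPROC is allowed
        invoke  SetWindowLong,[wParam],GWL_WNDPROC,NewWndProc
        mov     [oldProc],eax
  .pass:
        ; hHook is 0 in every process except the installer; Windows ignores it
        invoke  CallNextHookEx,[hHook],[nCode],[wParam],[lParam]
        ret
endp

; replacement window procedure: supply the missing button behaviour,
; forward everything else to the original procedure
proc NewWndProc hwnd,uMsg,wParam,lParam
        cmp     [uMsg],WM_COMMAND
        jne     .forward
        mov     eax,[wParam]
        and     eax,0FFFFh                              ; LOWORD(wParam) = control ID
        cmp     eax,IDC_BROKEN_BUTTON
        jne     .forward
        invoke  MessageBox,[hwnd],hookMsg,targetClass,MB_OK
        xor     eax,eax                                 ; message handled
        ret
  .forward:
        invoke  CallWindowProc,[oldProc],[hwnd],[uMsg],[wParam],[lParam]
        ret
endp

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  import kernel32,\
         lstrcmpi,'lstrcmpiA'

  import user32,\
         SetWindowsHookEx,'SetWindowsHookExA',\
         UnhookWindowsHookEx,'UnhookWindowsHookEx',\
         CallNextHookEx,'CallNextHookEx',\
         GetClassName,'GetClassNameA',\
         SetWindowLong,'SetWindowLongA',\
         CallWindowProc,'CallWindowProcA',\
         MessageBox,'MessageBoxA'

section '.edata' export data readable

  export 'cbthook.dll',\
         InstallHook,'InstallHook',\
         UninstallHook,'UninstallHook'

section '.reloc' fixups data readable discardable
```

The installer (patch.exe in the thread) does LoadLibrary on cbthook.dll, GetProcAddress for InstallHook, calls it, and then runs an ordinary GetMessage loop; the hook lives as long as that process does, or until it calls UninstallHook. The globals are per-process copies, so hHook is only valid in the installer and oldProc only in the hooked process. SetWindowLong with GWL_WNDPROC succeeds only for a window that belongs to the calling process, which is why the same call issued from patch.exe reports ERROR_ACCESS_DENIED and why the subclassing has to happen inside the hook procedure. A 32-bit hook DLL reaches only 32-bit processes, and from Vista on a lower-integrity installer cannot hook windows of a higher-integrity process.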
Copyright © 1999-2020, Tomasz Grysztar.