flat assembler
Message board for the users of flat assembler.
Windows > hook my code into another process without dll hooking?
asmcoder 24 Mar 2009, 20:47
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total |
sleepsleep 24 Mar 2009, 20:55
Quote:
Why not share a little bit of the idea? Thank you.
LocoDelAssembly 24 Mar 2009, 20:56
WriteProcessMemory + CreateRemoteThread will probably do it, but what do you want to do with that hook?
asmcoder 24 Mar 2009, 21:07
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total |
sleepsleep 24 Mar 2009, 21:15
There is an application that somebody sold to my client, but a button inside that application doesn't work as expected (actually, it is not working at all), so I need to hack this application and provide that function when the user presses that button.
asmcoder 24 Mar 2009, 21:35
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total |
sleepsleep 24 Mar 2009, 22:20
Thanks for the info, but I still have no solid idea yet on how to do it.

Let's say my DLL auto-runs through the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\sleeping.dll"

I am confused here. If I start brokenapp.exe, it would auto-link with my sleeping.dll, and if I start another patchapp.exe, it would link with sleeping.dll too. So could I now subclass brokenapp.exe from my patchapp.exe through sleeping.dll? Must the SetWindowLong be coded inside the DLL, or could it be coded inside patchapp.exe? I am confused.
f0dder 25 Mar 2009, 00:35
VirtualAllocEx, WriteProcessMemory some code that calls LoadLibrary, CreateRemoteThread to execute the code. That'll get your DLL into the process, and the DLL can then be coded normally, without having to use hooks, without delta-tricks, and can use imports etc.
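The injection sequence f0dder describes, written out as an added example in fasm syntax. This is not code from the thread or from any of its posters; it is a small 32-bit console injector that locates the target by window title, writes the DLL path into the target, and starts a remote thread on LoadLibraryA. Everything specific is an assumption: the window title "Untitled - Notepad" (sleepsleep's test target), the DLL path C:\sleeping.dll, and that kernel32.dll is mapped at the same base in both processes (true for two 32-bit processes in the same Windows session, which is what makes the local LoadLibraryA address valid in the target). The process is opened with only the rights the four calls need rather than PROCESS_ALL_ACCESS.

```asm
; inject.asm - added example, not from the thread.
; Loads C:\sleeping.dll into the process that owns the "Untitled - Notepad"
; window via VirtualAllocEx + WriteProcessMemory + CreateRemoteThread.
; Assumptions (not in the original posts): 32-bit injector and target,
; the window title below, and kernel32.dll sharing its base across processes.
format PE console 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable

  title       db 'Untitled - Notepad',0     ; hypothetical target window
  dll_path    db 'C:\sleeping.dll',0        ; hypothetical DLL to load
  dll_len     = $ - dll_path                ; includes the terminating NUL
  k32         db 'kernel32.dll',0
  loadlib     db 'LoadLibraryA',0
  msg_ok      db 'injected',13,10
  msg_ok_len  = $ - msg_ok
  msg_err     db 'injection failed',13,10
  msg_err_len = $ - msg_err

  pid         dd ?
  hProcess    dd ?
  remote      dd ?
  hThread     dd ?
  written     dd ?
  exitcode    dd ?

section '.code' code readable executable

start:
        ; find the target by its window and resolve the owning PID
        invoke  FindWindow,NULL,title
        test    eax,eax
        jz      fail
        invoke  GetWindowThreadProcessId,eax,pid

        ; least-privilege open: only what VirtualAllocEx, WriteProcessMemory
        ; and CreateRemoteThread require
        invoke  OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_QUERY_INFORMATION,FALSE,[pid]
        test    eax,eax
        jz      fail
        mov     [hProcess],eax

        ; copy the DLL path into the target's address space
        invoke  VirtualAllocEx,[hProcess],NULL,dll_len,MEM_COMMIT or MEM_RESERVE,PAGE_READWRITE
        test    eax,eax
        jz      fail
        mov     [remote],eax
        invoke  WriteProcessMemory,[hProcess],[remote],dll_path,dll_len,written
        test    eax,eax
        jz      fail

        ; LoadLibraryA has the ThreadProc shape (one DWORD argument, result
        ; in eax), so it can be the remote thread's start routine directly
        invoke  GetModuleHandle,k32
        invoke  GetProcAddress,eax,loadlib
        test    eax,eax
        jz      fail
        invoke  CreateRemoteThread,[hProcess],NULL,0,eax,[remote],0,NULL
        test    eax,eax
        jz      fail
        mov     [hThread],eax

        ; the thread's exit code is LoadLibraryA's return value, i.e. the
        ; DLL's base in the target; zero means the load failed there
        invoke  WaitForSingleObject,[hThread],INFINITE
        invoke  GetExitCodeThread,[hThread],exitcode
        invoke  VirtualFreeEx,[hProcess],[remote],0,MEM_RELEASE
        invoke  CloseHandle,[hThread]
        invoke  CloseHandle,[hProcess]
        cmp     [exitcode],0
        je      fail
        invoke  GetStdHandle,STD_OUTPUT_HANDLE
        invoke  WriteFile,eax,msg_ok,msg_ok_len,written,NULL
        invoke  ExitProcess,0

fail:
        invoke  GetStdHandle,STD_OUTPUT_HANDLE
        invoke  WriteFile,eax,msg_err,msg_err_len,written,NULL
        invoke  ExitProcess,1

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  import kernel32,\
         GetModuleHandle,'GetModuleHandleA',\
         GetProcAddress,'GetProcAddress',\
         OpenProcess,'OpenProcess',\
         VirtualAllocEx,'VirtualAllocEx',\
         VirtualFreeEx,'VirtualFreeEx',\
         WriteProcessMemory,'WriteProcessMemory',\
         CreateRemoteThread,'CreateRemoteThread',\
         WaitForSingleObject,'WaitForSingleObject',\
         GetExitCodeThread,'GetExitCodeThread',\
         CloseHandle,'CloseHandle',\
         GetStdHandle,'GetStdHandle',\
         WriteFile,'WriteFile',\
         ExitProcess,'ExitProcess'

  import user32,\
         FindWindow,'FindWindowA',\
         GetWindowThreadProcessId,'GetWindowThreadProcessId'
```

Assemble with `fasm inject.asm` and run it while the target window is open. The injector and target must have the same bitness (on 64-bit Windows the system notepad.exe is 64-bit, so test against a 32-bit target or in a 32-bit VM as the thread does), and the injector must run at an integrity level no lower than the target's, since OpenProcess with these rights is refused otherwise.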
Pinecone_ 25 Mar 2009, 02:19
sleepsleep wrote:
must the SetWindowLong be coded inside the dll? or could it be coded inside patchapp.exe?

SetWindowLong can be used from patchapp.exe as long as patchapp.exe knows the address of the procedure inside your DLL in the address space of brokenapp.exe (the base address could be found through EnumProcessModules, then you could add the static offset). I think you should make a loader or patch the import table to load your DLL, instead of using that registry key, to avoid the unnecessary overhead of your DLL being loaded into every process.

sleepsleep wrote:
i prefer a simple and easy solution.

If you don't mind the overhead, maybe try a system-wide CBT hook: your DLL will be loaded into every process and will be notified whenever any window is created. You could change the wndproc of the window you want then, and the hook will already be in the right address space, no need to muck around with VirtualAlloc, WriteProcessMemory or anything other than SetWindowsHookEx. Still, a loader or modified import table would avoid having to have patchapp.exe running all the time and avoid the DLL being loaded in every process.
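The DLL side of the picture, as an added example that is not from the thread or any of its posters. SetWindowLong with GWL_WNDPROC is documented to fail on a window owned by another process, which is why the subclassing has to run inside the target, whether the DLL arrives by CreateRemoteThread, by a CBT hook, or by AppInit_DLLs. This DLL, once loaded, finds the target window, swaps in its own window procedure, and supplies the behaviour for one button while forwarding everything else with CallWindowProc. Assumptions not in the original posts: the target window title, the control id ID_BROKEN_BUTTON for the non-working button, and the MessageBox standing in for whatever the real fix should do. DllMain runs under the loader lock, so the user32 calls are moved to a worker thread that starts only after DllMain returns. If the DLL is loaded at process start (as AppInit_DLLs does) the window may not exist yet when the worker runs; this example targets an already-running process as the injector does. Note also that on Windows 8 and later AppInit_DLLs is disabled when Secure Boot is on, so the registry route from the thread is not a general solution today.

```asm
; sleeping.asm - added example, not from the thread.
; Payload DLL: subclasses the target's main window from inside the target
; process and handles one WM_COMMAND id that the vendor's code ignores.
; Assumptions (not in the original posts): 32-bit target, the window title
; below, and ID_BROKEN_BUTTON as the id of the button to fix.
format PE GUI 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

ID_BROKEN_BUTTON = 1001            ; hypothetical control id, replace with the real one

section '.data' data readable writeable

  title       db 'Untitled - Notepad',0   ; hypothetical target window
  fixed_msg   db 'Button handled by sleeping.dll',0
  fixed_cap   db 'Patched',0
  target_hwnd dd ?
  old_proc    dd ?                         ; original window procedure
  thread_id   dd ?

section '.code' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        cmp     [fdwReason],DLL_PROCESS_ATTACH
        jne     .done
        ; do not call user32 from DllMain (loader lock); the worker thread
        ; begins executing after this routine returns
        invoke  CreateThread,NULL,0,worker,NULL,0,thread_id
        test    eax,eax
        jz      .done
        invoke  CloseHandle,eax
  .done:
        mov     eax,TRUE                ; keep the DLL loaded
        ret
endp

proc worker param
        invoke  FindWindow,NULL,title
        test    eax,eax
        jz      .exit                   ; not the process we care about
        mov     [target_hwnd],eax
        ; in-process replacement of the window procedure; this is the call
        ; that fails with ERROR_ACCESS_DENIED when made from another process
        invoke  SetWindowLong,[target_hwnd],GWL_WNDPROC,new_proc
        mov     [old_proc],eax
  .exit:
        xor     eax,eax
        ret
endp

proc new_proc wnd,msg,wparam,lparam
        cmp     [msg],WM_COMMAND
        jne     .forward
        movzx   eax,word [wparam]       ; LOWORD(wParam) is the control id
        cmp     eax,ID_BROKEN_BUTTON
        jne     .forward
        ; supply the behaviour the vendor's button lacks
        invoke  MessageBox,[wnd],fixed_msg,fixed_cap,MB_OK
        xor     eax,eax
        ret
  .forward:
        ; everything else goes to the original procedure unchanged
        invoke  CallWindowProc,[old_proc],[wnd],[msg],[wparam],[lparam]
        ret
endp

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  import kernel32,\
         CreateThread,'CreateThread',\
         CloseHandle,'CloseHandle'

  import user32,\
         FindWindow,'FindWindowA',\
         SetWindowLong,'SetWindowLongA',\
         CallWindowProc,'CallWindowProcA',\
         MessageBox,'MessageBoxA'

section '.reloc' fixups data readable discardable
```

The `.reloc` section is required: a DLL is almost never loaded at its preferred base, and `new_proc` is passed to SetWindowLong as an absolute address that the loader must fix up. Under a CBT hook the same `new_proc` and SetWindowLong call would move into the HCBT_CREATEWND handler, which already runs in the window's process.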
sleepsleep 25 Mar 2009, 03:43
Sigh, oh man, my idea doesn't work.

Error 5 during SetWindowLong, ERROR_ACCESS_DENIED. But shouldn't it work... man. I code the SetWindowLong inside the DLL... arghhh, not working. I put an OutputDebugString on DLL_PROCESS_ATTACH, and I could see brokenapp.exe attached to my DLL. But why do I still get such an error? Isn't it weird?
comrade 25 Mar 2009, 06:04
Can you share out the relevant part of the code?
sleepsleep 25 Mar 2009, 07:42
Quote:
No problem at all, sharing the full source here. I changed brokenapp.exe to notepad.exe. I use these .reg files to turn AppInit_DLLs on and off inside a VM.

on.reg
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\auto.dll"

off.reg
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Turning it on and off requires a reboot of the test machine; I do it inside a VM. I use debugview.exe /c /s. Currently, the output I get from DebugView is like below.

Steps:
1. Link up debugview.exe /c /s
2. Start c:\caller.exe
3. Start notepad.exe

DebugView wrote:
sleepsleep 25 Mar 2009, 14:25
Sigh,

I tried using the old method, a CBT hook in a DLL, and to my surprise I get Error 5, failed SetWindowLong, too!!... ??? ERROR_ACCESS_DENIED. I don't know what is going on. Full source attached:
win32hook.txt = CBT hook inside the DLL
patch.txt = generic window application to install the hook
I reduced all the code to the bare minimum, to just produce the result of setting the hook and calling SetWindowLong to subclass.
sleepsleep 25 Mar 2009, 17:48
After hours, I think I have discovered the one whole truth...
You guys try to figure it out.
comrade 25 Mar 2009, 18:49
Processes at different integrity levels? UIPI?
sleepsleep 25 Mar 2009, 19:05
... I'll let out the tip.

The problem is here. It looks normal, but this is where the problem lies.
Code:
proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        push    [hinstDLL]
        pop     [instH]
        cmp     [fdwReason],DLL_PROCESS_ATTACH
        je      .attach
        cmp     [fdwReason],DLL_PROCESS_DETACH
        je      .detach
  .exit:
        mov     eax,TRUE
        ret
  .attach:
        stdcall Trim_To_Last
        jmp     .exit
  .detach:
        jmp     .exit
endp

Amazing, this cost me a few hours to detect. Learned something costly..
Pinecone_ 28 Mar 2009, 10:06
I've learned that one the hard way too... several times.
comrade 29 Mar 2009, 03:07
So what's the problem?
sleepsleep 29 Mar 2009, 10:36
Quote:
Their value will change, and when using the SetWindowsHookEx API we might not be using the valid hinstDLL value, and thus ERROR_ACCESS_DENIED.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.