Index
> Windows > hook my code into another process without dll hooking? |
| Author |
|
|
asmcoder
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total |
|||
24 Mar 2009, 20:47 |
|
|
sleepsleep
Quote:
why not share a little bit idea, thank you. |
|||
|
24 Mar 2009, 20:55 |
|
|
LocoDelAssembly
WriteProcessMemory+CreateRemoteThread will probably do it but, what do you want to do with that hook?
|
|||
|
24 Mar 2009, 20:56 |
|
|
asmcoder
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total |
|||
|
24 Mar 2009, 21:07 |
|
|
sleepsleep
there is an application that somebody sell to my client, but a button inside that application doesn't work as expected (actually, it is not working at all), so, i need to hack this application and provide that function when the user press that button.
|
|||
|
24 Mar 2009, 21:15 |
|
|
asmcoder
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:52; edited 1 time in total |
|||
|
24 Mar 2009, 21:35 |
|
|
sleepsleep
thanks for info. but i still have no solid idea yet on how to do it
if let say, my dll autorun through registry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="C:\\sleeping.dll" i am confuse here, if i start the brokenapp.exe, it would auto link with my sleeping.dll, and if i start another patchapp.exe, it would link with sleeping.dll too, so, could i now subclass the brokenapp.exe from my patchapp.exe through sleeping.dll? must the SetWindowsLong will be coded inside the dll? or it could be coded inside patchapp.exe ? i am confused |
|||
|
24 Mar 2009, 22:20 |
|
|
f0dder
VirtualAllocEx, WriteProcessMemory some code that calls LoadLibrary, CreateRemoteThread to execute the code. That'll get your DLL into the process, and the DLL can then be coded normally, without having to use hooks, without delta-tricks, and can use imports etc.
|
|||
|
25 Mar 2009, 00:35 |
|
|
Pinecone_
sleepsleep wrote: must the SetWindowsLong will be coded inside the dll? or it could be coded inside patchapp.exe ? SetWindowLong can be used from patchapp.exe as long as patchapp.exe knows the address of the procedure inside your dll in the address space of brokenapp.exe (base address could be found through EnumProcessModules then you could add the static offset) I think you should make a loader or patch the import table to load your dll instead of using that registry key to avoid unnecessary overhead of your dll being loaded into every process. sleepsleep wrote: i preffer simple and easy solution. If you dont mind the overhead, maybe try a system wide CBT hook, your dll will be loaded into every process and will be notified whenever any window is created, you could change the wndproc of the window you want then, and the hook will already be in the right addressing space, no need to muck around with VirtualAlloc, WriteProcessMemory or anything other than SetWindowsHookEx. Still, a loader or modified import table would avoid having to have patchapp.exe running all the time and avoid the dll being loaded in every process. |
|||
|
25 Mar 2009, 02:19 |
|
|
sleepsleep
sigh, oh men, my idea doesn't work
error 5 during SetWindowLong, ERROR_ACCESS_DENIED but shouldn't it works... men.. i code the SetWindowLong inside the dll...arghhh not working
i put an OutputDebugString on DLL_PROCESS_ATTACH, and i could see the brokenapp.exe attached to my dll. but why i still get such error? isn't it weird. |
|||
|
25 Mar 2009, 03:43 |
|
|
comrade
Can you share out the relevant part of the code?
|
|||
|
25 Mar 2009, 06:04 |
|
|
sleepsleep
Quote:
no problem at all, sharing full source here 
i change the brokenapp.exe to notepad.exe 
i use this on.reg file to on and off the AppInit_DLLs inside vm. on.reg Code: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="C:\\auto.dll" off.reg Code: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" on and off require a reboot in test machine, i do it inside vm. i use debugview.exe /c /s currently, the output i could get from debugview is like below: steps ------ 1. link up the debugview.exe /c /s 2. start c:\caller.exe 3. start notepad.exe Debugview wrote:
|
|||||||||||||||||||||||||||||||
|
25 Mar 2009, 07:42 |
|
|
sleepsleep
sigh,
i tried using the old method, cbthook on dll. and to my surprise, i get Error 5, Failed SetWindowLong too!!.... ??? ERROR_ACCESS_DENIED i don't know what is going on. full source attached, win32hook.txt = cbthook inside dll patch.txt = generic window application to install the hook. i reduced all the code to bare minimum to just produce the result of setting hook and SetWindowLong to subclass.
|
|||||||||||||||||||||
|
25 Mar 2009, 14:25 |
|
|
sleepsleep
after hours, i think i discover the one whole truth ...
u guys tries figure out |
|||
|
25 Mar 2009, 17:48 |
|
|
comrade
Processes at diffrent integrity levels? UIPI?
|
|||
|
25 Mar 2009, 18:49 |
|
|
sleepsleep
... i let out the tips,
the problem is here, looks normal, but this is where the problem lies. Code: proc DllEntryPoint hinstDLL,fdwReason,lpvReserved push [hinstDLL] pop [instH] cmp [fdwReason],DLL_PROCESS_ATTACH je .attach cmp [fdwReason],DLL_PROCESS_DETACH je .detach .exit: mov eax,TRUE ret .attach: stdcall Trim_To_Last jmp .exit .detach: jmp .exit endp amazing, this cost me few hours to detect. learn something costly.. |
|||
|
25 Mar 2009, 19:05 |
|
|
Pinecone_
i've learned that one the hard way too... several times
|
|||
|
28 Mar 2009, 10:06 |
|
|
comrade
So whats the problem?
|
|||
|
29 Mar 2009, 03:07 |
|
|
sleepsleep
Quote:
their value will change. and when using SetWindowHookEx api, we might not be using the valid hinstDLL value. and thus, ERROR_ACCESS_DENIED |
|||
|
29 Mar 2009, 10:36 |
|
< Last Thread | Next Thread > |
Forum Rules:
|