Exetools  

  #1  
Old 09-16-2004, 06:46
Teerayoot
Friend
 
Join Date: Mar 2004
Location: Thailand
Posts: 66
Can we hook some func in another process then change return address?

I want to inject a DLL into another process, then hook some function in order to change the return address to our code, or fill in the hex bytes 0xEBFE so we can pause there and debug that process.

Can we do this technique?

Last edited by Teerayoot; 09-16-2004 at 07:33.
  #2  
Old 09-16-2004, 07:51
Viasek
 
Posts: n/a
For injecting you can use ForceLibrary, CreateProcess with the suspend flag, inject, resume the process.

Hooking a function is just a matter of calling WriteProcessMemory and correctly modifying a call/jmp to the address of your code, and returning properly. Make SURE you take care of the stack correctly.
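A defender-side way to spot the kind of entry-point patch described above (EB FE to spin in place, or a jmp redirect written with WriteProcessMemory), as an added example that is not from any poster here nor from Detours or madCodeHook. It assumes the first bytes of the function have already been read out of the target (that read step is left out), so it runs on constructed sample bytes; the hook address 0x10001000 is made up.

```c
/* Added example: classify a function's first bytes as untouched or patched
 * with EB FE (spin), E9 rel32 (inline jmp hook) or FF 25 (jmp through a
 * pointer), and resolve where an E9 patch transfers control. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    PROLOGUE_CLEAN = 0,    /* no recognised patch pattern at the entry */
    PROLOGUE_JMP_SELF,     /* EB FE: "jmp $", the pause-and-attach trick */
    PROLOGUE_JMP_REL32,    /* E9 rel32: the usual trampoline-style hook */
    PROLOGUE_JMP_ABS,      /* FF 25 disp32: jmp [addr] */
    PROLOGUE_TOO_SHORT     /* not enough bytes to decide */
} prologue_t;

prologue_t classify_prologue(const uint8_t *p, size_t n)
{
    if (n < 2) return PROLOGUE_TOO_SHORT;
    if (p[0] == 0xEB && p[1] == 0xFE) return PROLOGUE_JMP_SELF;
    if (p[0] == 0xE9) return n >= 5 ? PROLOGUE_JMP_REL32 : PROLOGUE_TOO_SHORT;
    if (p[0] == 0xFF && p[1] == 0x25) return n >= 6 ? PROLOGUE_JMP_ABS : PROLOGUE_TOO_SHORT;
    return PROLOGUE_CLEAN;
}

/* Destination of an E9 patch at address `at` (32-bit x86): the displacement
 * is a signed little-endian 32-bit value relative to the next instruction,
 * so target = at + 5 + rel32. Assembled byte by byte to stay host-portable;
 * unsigned wraparound gives the correct two's-complement result. */
uint32_t jmp_rel32_target(uint32_t at, const uint8_t *p)
{
    uint32_t rel = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                   ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return at + 5u + rel;
}

int main(void)
{
    /* constructed samples: the hot-patchable Win32 prologue (mov edi,edi;
     * push ebp; mov ebp,esp) and the same entry after each kind of patch */
    static const uint8_t clean[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    static const uint8_t spin[]  = {0xEB, 0xFE, 0x55, 0x8B, 0xEC};
    static const uint8_t hook[]  = {0xE9, 0xFB, 0x0F, 0x00, 0x00};   /* jmp +0xFFB */
    static const char *names[]   = {"clean", "jmp $", "jmp rel32", "jmp [abs]", "short"};

    printf("clean: %s\n", names[classify_prologue(clean, sizeof clean)]);
    printf("spin:  %s\n", names[classify_prologue(spin, sizeof spin)]);
    printf("hook:  %s -> target 0x%08X\n", names[classify_prologue(hook, sizeof hook)],
           jmp_rel32_target(0x10001000u, hook));   /* made-up function address */
    return 0;
}
```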
  #3  
Old 09-17-2004, 17:18
goldenegg
 
Posts: n/a
No, micro$oft's Detours is the best. Using its API
DetourCreateProcessWithDll or DetourContinueProcessWithDll
you can inject a DLL into another process very easily.
It also provides some APIs with which one can hook functions in a simple way.
  #4  
Old 09-19-2004, 02:59
Teerayoot
Friend
 
Join Date: Mar 2004
Location: Thailand
Posts: 66
GetProcAddress

Thank you, Viasek, for the info.

OK, anyway, can we hook a system API like

"NtQueryInformationProcess" that is GetProcAddress'ed in a normal process?

Note: I'm using madCodeHook, very easy and painless.
  #5  
Old 09-19-2004, 22:43
thebobbby
 
Posts: n/a
Injecting a DLL into another process can be done quite easily with the regular Windows API only:
- first allocate memory in the target process with CreateRemoteThread,
- then copy some loader code and the arguments using WriteProcessMemory,
- then use CreateRemoteThread to start the loader code, which in turn calls LoadLibrary.

This technique is very generic, and allows executing any code in any process. This is useful for hooking as well, as it allows hooking only a specific process instead of the whole system.
  #6  
Old 09-21-2004, 11:12
xzz
 
Posts: n/a
E.g.

In ntdll.dll
you can find the return addresses and you can simply hook them;
the addresses from my ntdll.dll:

;Native API
SYSTEM_CALL equ 7FFE0300h
NtAllocateVirtualMemory equ 77F5b54Eh

All times are GMT +8.