Moopler
Evelynn

Help ASM code injection with DLL in C++


Hello, I'm trying to learn Assembly code injection using C++
I did get the following working:
 
- Use VirtualProtect(); to set the memory address to PAGE_EXECUTE_READWRITE
- Use WriteProcessMemory();  to write my new Assembly operation and overwrite the old one
 
But I do have some questions:
 
- Is it possible to allocate new process memory using a DLL? For example, using VirtualAllocEx();
- If I want to inject an entirely new function instead of overwriting an existing operation, how do I know where in memory I can/have to put it?
- Let's say for example my address is :
 
 
0047F474 - DEC EAX
 
I would want to replace that with a JMP to my new function, and at the end of my function JMP back to the old address+1
Would this be right?:
 
DWORD oldaddr = 0x0047F474;
DWORD newaddr;

void asmcode() {
    __asm {
        JMP newaddr
    }
}

WriteProcessMemory(hProcess, (LPVOID)oldaddr, asmcode, sizeof(asmcode), 0);

void myfunc() {
    __asm {
        INC EAX
        JMP oldaddr+1
    }
}

WriteProcessMemory(hProcess, (LPVOID)newaddr, myfunc, sizeof(myfunc), 0);
Also, how would I know where newaddr points to if I don't manually give it an address?
Would that be by using `int test = &newaddr;`?
If anyone could help me I would be grateful.
Thanks!
yeah you can allocate new process memory, use this example

#include <windows.h>

DWORD hookaddy = 0x0047F474;  // the DEC EAX you want to replace
DWORD retaddy;                // where myfunc jumps back to: the first whole instruction
                              // after the 5 patched bytes (take it from your disassembler;
                              // hookaddy + 1 lands inside the JMP you just wrote)

// naked: no prologue/epilogue, so the function body is exactly the two instructions below
__declspec(naked) void myfunc() {
    __asm {
        inc eax
        jmp dword ptr [retaddy]
    }
}

void InstallHook() {
    DWORD useless;
    // make the 5 bytes writable, then write E9 + rel32 (rel32 is measured from hookaddy + 5)
    VirtualProtect((LPVOID)hookaddy, 5, PAGE_EXECUTE_READWRITE, &useless);
    *(BYTE *)hookaddy = 0xE9;                                  // JMP rel32
    *(int *)(hookaddy + 1) = (int)myfunc - (int)hookaddy - 5;  // the func address, relative
}

It will rewrite your hook address to JMP to the function you wrote in ASM.

hopefully i made it easier to understand :drop:

 


Thanks a lot for giving me this example, but could you explain how this works:

*(int *)(hookaddy +1) = (int)myfunc-(int)hookaddy-5;

I read somewhere that 0xE9 = JMP and 0xE8 = CALL

I'm fairly new to all of this; I actually just started doing this kind of stuff a few days back.

 

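The question above about `(int)myfunc - (int)hookaddy - 5` is answered by how the x86 `jmp rel32` instruction is encoded: opcode E9 followed by a signed 32-bit displacement measured from the address of the *next* instruction, which is the hook address plus the 5 bytes of the JMP itself (E8 has the same layout and is `call rel32`). The following is an added example, not code from the thread; it builds and decodes that 5-byte patch on plain integers so it runs on any host, and patches a constructed byte buffer standing in for the code at 0047F474 (the `48` is DEC EAX; the NOPs after it are made up here to show that the patch also overwrites the 4 bytes following the 1-byte DEC EAX).

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN     5
#define JMP_REL32_OPCODE  0xE9   /* E8 with the same layout is call rel32 */

/* Build "jmp target" to be placed at address hook.
 * rel32 is relative to the instruction after the jmp, i.e. hook + 5,
 * which is where the "- 5" in the forum formula comes from.
 * Unsigned subtraction wraps, so backward jumps come out as the
 * correct two's-complement negative displacement. */
void encode_jmp_rel32(uint32_t hook, uint32_t target, uint8_t out[JMP_REL32_LEN])
{
    uint32_t rel = target - (hook + JMP_REL32_LEN);
    out[0] = JMP_REL32_OPCODE;
    out[1] = (uint8_t)(rel & 0xFF);           /* little-endian displacement */
    out[2] = (uint8_t)((rel >> 8) & 0xFF);
    out[3] = (uint8_t)((rel >> 16) & 0xFF);
    out[4] = (uint8_t)((rel >> 24) & 0xFF);
}

/* Inverse: given the 5 bytes at address hook, return the jump destination.
 * Sets *ok to 0 and returns 0 if the bytes are not a jmp rel32. */
uint32_t decode_jmp_rel32(uint32_t hook, const uint8_t code[JMP_REL32_LEN], int *ok)
{
    if (code[0] != JMP_REL32_OPCODE) {
        *ok = 0;
        return 0;
    }
    uint32_t rel = (uint32_t)code[1]
                 | ((uint32_t)code[2] << 8)
                 | ((uint32_t)code[3] << 16)
                 | ((uint32_t)code[4] << 24);
    *ok = 1;
    return hook + JMP_REL32_LEN + rel;        /* wraps back for negative rel */
}

/* Write the patch into a buffer that mirrors memory starting at address base
 * (in a DLL this would be the live code, as in the thread's VirtualProtect
 * snippet). Returns the address just past the 5 patched bytes: the detour can
 * only resume at an instruction boundary at or after this point, never at
 * hook + 1, because that byte is now part of the displacement. */
uint32_t install_jmp_patch(uint8_t *code, uint32_t base, uint32_t hook, uint32_t target)
{
    encode_jmp_rel32(hook, target, code + (hook - base));
    return hook + JMP_REL32_LEN;
}

int main(void)
{
    const uint32_t base   = 0x0047F474u;  /* address from the thread */
    const uint32_t target = 0x10001000u;  /* assumed address of the detour function */
    /* constructed bytes: DEC EAX (48) followed by filler NOPs (90) */
    uint8_t code[9] = { 0x48, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };

    uint32_t resume = install_jmp_patch(code, base, base, target);
    printf("patched bytes at %08X:", base);
    for (int i = 0; i < 9; i++)
        printf(" %02X", code[i]);
    printf("\nresume no earlier than %08X\n", resume);

    int ok;
    printf("decoded target: %08X (ok=%d)\n", decode_jmp_rel32(base, code, &ok), ok);
    return 0;
}
```

Running it shows the first five bytes become `E9 87 1B B8 0F` while the four NOPs after DEC EAX are gone, which is the concrete reason a detour written this way has to return to an instruction boundary past the patch rather than to "old address + 1".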

There's no reason to use WriteProcessMemory if you're accessing from a DLL. DLLs cannot run on their own and depend on an .EXE to load them. This results in the DLL being part of the EXE's memory space, so you won't have to use WriteProcessMemory (as it is designed to let you access other processes' memory spaces). You can simply assume you're in a process of your own and access whatever data the EXE contains.

