 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
 Posted: Wed Jun 24, 2009 10:27 am Post subject: Inline hooking of an external process? |
 |
|
| Well I allocated memory then wrote the hook which will jump back to the api. But I am stuck, because it still crashes. HAOOOOOO.
|
|
| Back to top |
|
 |
DoomsDay
Grandmaster Cheater
 Reputation: 0
Joined: 06 Jan 2007
Posts: 768
Location: %HomePath%
|
| Posted: Wed Jun 24, 2009 10:55 am Post subject: |
|
|
It would be easier if we'll have a piece of code to look at.
Are you sure you are avoiding relative jumps\calls bugs?
Are you writing the return pointer(as raw data) to the hook? or just the code?
Are you sure you're writing to a writable page?
Are you sure the page is marked exeutable?
Did you try to debug the app while injecting your code?
|
|
| Back to top |
|
|
Slugsnack
Grandmaster Cheater Supreme
![]() Reputation: 71
Joined: 24 Jan 2007
Posts: 1857
|
| Posted: Wed Jun 24, 2009 11:45 am Post subject: |
|
|
| show code else we don't know which of your errors caused the crash
|
|
| Back to top |
|
|
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Wed Jun 24, 2009 11:52 am Post subject: |
|
|
| Code: | #include <tchar.h>
#include <windows.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib")
DWORD FindProcess( LPCTSTR lpcszFileName )
{
LPDWORD lpdwProcessIds;
LPTSTR lpszBaseName;
HANDLE hProcess;
DWORD i, cdwProcesses, dwProcessId = 0;
lpdwProcessIds = (LPDWORD)HeapAlloc(GetProcessHeap(), 0, 4096);
if (lpdwProcessIds != NULL)
{
if (EnumProcesses(lpdwProcessIds, 4096, &cdwProcesses))
{
lpszBaseName = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, MAX_PATH*sizeof(TCHAR));
if (lpszBaseName != NULL)
{
cdwProcesses /= sizeof(DWORD);
for (i = 0; i < cdwProcesses; i++)
{
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, lpdwProcessIds[i]);
if (hProcess != NULL)
{
if (GetModuleBaseName(hProcess, NULL, lpszBaseName, MAX_PATH) > 0)
{
if (!lstrcmpi(lpszBaseName, lpcszFileName))
{
dwProcessId = lpdwProcessIds[i];
CloseHandle(hProcess);
break;
}
}
CloseHandle(hProcess);
}
}
HeapFree(GetProcessHeap(), 0, (LPVOID)lpszBaseName);
}
}
HeapFree(GetProcessHeap(), 0, (LPVOID)lpdwProcessIds);
}
return dwProcessId;
}
DWORD dwMessageBoxA = (DWORD)MessageBoxA+5;
void __declspec(naked) MessageBoxAHook( HWND hWnd, LPCSTR lpcszText, LPCSTR lpcszTitle, UINT uType )
{
__asm
{
push ebp
mov ebp, esp
jmp dword ptr ds:[dwMessageBoxA]
}
}
int main( int argc ){
wchar_t * wszProcess = new wchar_t[512];
DWORD dwProcId = NULL;
HANDLE hProc = INVALID_HANDLE_VALUE;
LPVOID lpvAddrToWrite = NULL;
_tprintf_s(_T("External Hook\nEnter process: "));
_getts_s(wszProcess, 512);
for(;;Sleep(100))
if((dwProcId = FindProcess(wszProcess)) != NULL)
if((hProc = OpenProcess(PROCESS_VM_OPERATION, false, dwProcId)) != INVALID_HANDLE_VALUE)
break;
_tprintf_s(_T("\nFound \"%s\"! ProcessId: %d\n"), wszProcess, dwProcId);
if((lpvAddrToWrite = VirtualAllocEx(hProc, NULL, sizeof(&MessageBoxAHook), MEM_COMMIT, PAGE_EXECUTE_READWRITE)) == NULL && (_ftprintf_s(stderr, _T("Could not allocate memory in external process!")) != NULL))
goto _exit;
if(WriteProcessMemory(hProc, lpvAddrToWrite, &MessageBoxAHook, sizeof(&MessageBoxAHook), NULL) == false && (_ftprintf_s(stderr, _T("Could not write to process!")) != NULL))
goto _exit;
_exit:
CloseHandle(hProc);
delete[] wszProcess;
_gettchar();
} |
I rewrote the code and now WPM returns false 
|
|
| Back to top |
|
|
Deine Mutter
Expert Cheater
 Reputation: 1
Joined: 05 Apr 2006
Posts: 181
|
| Posted: Wed Jun 24, 2009 12:15 pm Post subject: |
|
|
| Quote: | | The handle must have PROCESS_VM_WRITE and PROCESS_VM_OPERATION access to the process. |
http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx
However, I doubt that this will work for serveral reasons, your code looks pretty faulty.
_________________
|
|
| Back to top |
|
|
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Wed Jun 24, 2009 12:25 pm Post subject: |
|
|
Oh lololololol. K I got it. Let me recode this thing, I was up late last night coding so ya.
Edit:
Now it'll return false on WriteProcessMemory :S
| Code: | #include <tchar.h>
#include <windows.h>
#include <psapi.h>
#define JMP(frm, to) (int)(((int)to - (int)frm) - 5);
#pragma comment(lib, "psapi.lib")
DWORD FindProcess( LPCTSTR lpcszFileName )
{
LPDWORD lpdwProcessIds;
LPTSTR lpszBaseName;
HANDLE hProcess;
DWORD i, cdwProcesses, dwProcessId = 0;
lpdwProcessIds = (LPDWORD)HeapAlloc(GetProcessHeap(), 0, 4096);
if (lpdwProcessIds != NULL)
{
if (EnumProcesses(lpdwProcessIds, 4096, &cdwProcesses))
{
lpszBaseName = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, MAX_PATH*sizeof(TCHAR));
if (lpszBaseName != NULL)
{
cdwProcesses /= sizeof(DWORD);
for (i = 0; i < cdwProcesses; i++)
{
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, lpdwProcessIds[i]);
if (hProcess != NULL)
{
if (GetModuleBaseName(hProcess, NULL, lpszBaseName, MAX_PATH) > 0)
{
if (!lstrcmpi(lpszBaseName, lpcszFileName))
{
dwProcessId = lpdwProcessIds[i];
CloseHandle(hProcess);
break;
}
}
CloseHandle(hProcess);
}
}
HeapFree(GetProcessHeap(), 0, (LPVOID)lpszBaseName);
}
}
HeapFree(GetProcessHeap(), 0, (LPVOID)lpdwProcessIds);
}
return dwProcessId;
}
void __stdcall MessageBoxAHook( HWND hWnd, LPCSTR lpcszText, LPCSTR lpcszTitle, UINT uType )
{
DWORD dwMessageBoxA = (DWORD)MessageBoxA+5;
__asm
{
jmp [dwMessageBoxA]
}
}
int main( int argc ){
wchar_t * wszProcess = new wchar_t[512];
DWORD dwProcId = NULL, dwToWrite = NULL, dwOldProt = NULL;
HANDLE hProc = INVALID_HANDLE_VALUE;
LPVOID lpvAddrToWrite = NULL;
_tprintf_s(_T("External Hook\nEnter process: "));
_getts_s(wszProcess, 512);
for(;;Sleep(100))
if((dwProcId = FindProcess(wszProcess)) != NULL)
if((hProc = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcId)) != INVALID_HANDLE_VALUE)
break;
_tprintf_s(_T("\nFound \"%s\"! ProcessId: %d\n"), wszProcess, dwProcId);
if((lpvAddrToWrite = VirtualAllocEx(hProc, NULL, sizeof(&MessageBoxAHook), MEM_COMMIT, PAGE_EXECUTE_READWRITE)) == NULL && (_ftprintf_s(stderr, _T("Could not allocate memory in external process!")) != NULL))
goto _exit;
if(WriteProcessMemory(hProc, lpvAddrToWrite, &MessageBoxAHook, sizeof(&MessageBoxAHook), NULL) == false && (_ftprintf_s(stderr, _T("Could not write to process!")) != NULL))
goto _exit;
dwToWrite = JMP(MessageBoxA, lpvAddrToWrite);
if(VirtualProtectEx(hProc, (LPVOID)MessageBoxA, 10, PAGE_EXECUTE_READWRITE, &dwOldProt) == false && (_ftprintf_s(stderr, _T("Could unprotect MessageBoxA")) != NULL))
goto _exit;
if(WriteProcessMemory(hProc, (LPVOID)MessageBoxA, (LPCVOID)0xE9, sizeof(byte), NULL) == false && (_ftprintf_s(stderr, _T("Could not write hook!")) != NULL))
goto _exit;
if(WriteProcessMemory(hProc, (LPVOID)((DWORD)MessageBoxA+1), (LPCVOID)dwToWrite, sizeof(DWORD), NULL) == false)
goto _exit;
_exit:
CloseHandle(hProc);
delete[] wszProcess;
_gettchar();
} |
|
|
| Back to top |
|
|
dnsi0
I post too much
![]() Reputation: 0
Joined: 04 Jan 2007
Posts: 2674
|
| Posted: Wed Jun 24, 2009 1:39 pm Post subject: |
|
|
| GetLastError?
|
|
| Back to top |
|
|
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Wed Jun 24, 2009 1:45 pm Post subject: |
|
|
| 0x12B
|
|
| Back to top |
|
|
Deine Mutter
Expert Cheater
Reputation: 1
Joined: 05 Apr 2006
Posts: 181
|
| Posted: Wed Jun 24, 2009 1:49 pm Post subject: |
|
|
| Code: | | sizeof(&MessageBoxAHook) = sizeof(DWORD) = 4 |
You can't get the size of a function with sizeof.
_________________
|
|
| Back to top |
|
|
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Wed Jun 24, 2009 1:53 pm Post subject: |
|
|
| Oh, how would I do it?
|
|
| Back to top |
|
|
Deine Mutter
Expert Cheater
Reputation: 1
Joined: 05 Apr 2006
Posts: 181
|
| Posted: Wed Jun 24, 2009 1:58 pm Post subject: |
|
|
Good question.
I really don't know. Maybe something like this would work^^: | Code: | void funcA()
{
return;
}
void funcB()
{
return;
}
int main()
{
cout << "size of funcA: " << hex << ((ULONG)&funcB - (ULONG)&funcA) << endl; //ewww, dirty
return 0;
}
|
I think you get the point. If there is no proper solution you will have to count the bytes manually^^.
_________________
|
|
| Back to top |
|
|
BanMe
Master Cheater
![]() Reputation: 0
Joined: 29 Nov 2005
Posts: 375
Location: Farmington NH, USA
|
|
| Back to top |
|
|
dnsi0
I post too much
![]() Reputation: 0
Joined: 04 Jan 2007
Posts: 2674
|
| Posted: Wed Jun 24, 2009 3:47 pm Post subject: |
|
|
Well... It did work sorta:
| Quote: | ERROR_PARTIAL_COPY
299 (0x12B):
Only part of a ReadProcessMemory or WriteProcessMemory request was completed. |
So I guess there is something wrong with your size finding...
And really, you cant find the size of a function. You can disassemble it your self or. Make it scan until a retn. Then calculate the retn-thestart.
|
|
| Back to top |
|
|
BanMe
Master Cheater
![]() Reputation: 0
Joined: 29 Nov 2005
Posts: 375
Location: Farmington NH, USA
|
|
| Back to top |
|
|
DoomsDay
Grandmaster Cheater
Reputation: 0
Joined: 06 Jan 2007
Posts: 768
Location: %HomePath%
|
| Posted: Thu Jun 25, 2009 7:40 am Post subject: |
|
|
I compiled the application using VS2008.
- On the first write the function's size was passed as the size of a pointer - 4 bytes.
- The function retrieves the offset of MessageBoxA by reading from its own IAT (use GetProcAddress).
- In the second write, 0xE9 is passed as an address, while the function requires a pointer.
- The address argument passed on the third write is a pure WTF
(not a pointer).
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
and if you hate the CRT/CLR like me you can use my version that is also included in darawk's post it works just the same 
