In-memory patching question


Czaj-nick
August 27th, 2001, 18:18
In short, I need to build a loader that patches a DLL used by my process. I only want to patch it once, just after the process is loaded; I don't want to/can't wait.

Currently I've solved it with the debug API: I try to patch every DLL loaded, in my LOAD_LIBRARY_DEBUG_EVENT handler. It works in both W98 and 2k. But I don't like it, I think debugging slows down my target.

Is there any way to check the base address of a particular module just after CreateProcess, or to hook library loading without using the debug API?

anon
August 28th, 2001, 00:32
"The base address is the starting address of a memory-mapped EXE or DLL and is an important concept in Win32. For the sake of convenience, Windows NT and Windows 95 uses the base address of a module as the module's instance handle (HINSTANCE)."

from MSDN article "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format"

by Matt Pietrek

DinDon
August 28th, 2001, 01:30
You could try to inject a new DLL, expressly written by you for your purposes, using a CBT hook (SetWindowsHookEx), and put your patching jobs in the DLL entry point (from there you could find the base addresses of all the previously loaded DLLs).

Grab a nice example of this technique at http://codeguru.earthweb.com/dll/apihijack.shtml

Have fun!

Czaj-nick
August 28th, 2001, 04:57
Quote:
anon (08-27-2001 22:32):
"The base address is the starting address of a memory-mapped EXE or DLL and is an important concept in Win32. For the sake of convenience, Windows NT and Windows 95 uses the base address of a module as the module's instance handle (HINSTANCE)."

I don't need the main module's handle/base. I get the process's handle, and want to obtain the base address of one of the DLLs it uses, in this process's address space.

How do I enumerate modules, given the process handle?

Or maybe I don't understand something ?

Czaj-nick
August 28th, 2001, 08:34
Quote:
DinDon (08-27-2001 23:30):
You could try to inject a new DLL, expressly written by you for your purposes, using a CBT hook (SetWindowsHookEx), and put your patching jobs in the DLL entry point (from there you could find the base addresses of all the previously loaded DLLs).

Grab a nice example of this technique at http://codeguru.earthweb.com/dll/apihijack.shtml

Have fun!


Hmm, I'm not sure if I understand it properly. I create a DLL with an empty HookProc (not exactly empty - it contains CallNextHookEx), all just to force Windows to load my DLL into my target process? Ughhh.
However, if I understand it right, after doing my job I can safely unhook, exit my loader, and let the target go on... It seems to be a good solution.

BTW, when will my DLL be loaded? Will all the DLLs imported by my target already be loaded by then?

One more question - if I'm already in my DLL's DllMain, what's the best way to determine the base addresses of the previously loaded DLLs? Just walking through the target's PE structures?

mike
August 28th, 2001, 12:08
I did this once a while ago under 9x, but don't have access to the code anymore. Here's what I remember.

You load the DLL with LoadLibrary and get a handle to it. Then use GetProcAddress to get the address of the function you want to patch. Before you modify anything you have to change the flags on the page to writable: use VirtualQuery to get the current page flags and VirtualProtect to modify them.

see http://usa3.hostrack.net/woodmann/fravia/iceman.htm
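The recipe mike gives above (locate the code, make its page writable, write the bytes, put the protection back), as an added example in C; it is not code from mike or from the thread. Two assumptions to make it self-contained: the patch target is a local function rather than one obtained with LoadLibrary/GetProcAddress, and on non-Windows hosts mprotect stands in for VirtualProtect so the same sequence builds and runs there. The replacement bytes are hand-assembled for x86/x86-64 and AArch64 only.

```c
/* Added example (not from the thread): in-process patch of a function,
 * following the protect / write / restore recipe.  Windows: VirtualProtect.
 * POSIX branch (assumption, so the example builds elsewhere): mprotect. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#  include <windows.h>
#else
#  include <sys/mman.h>
#  include <unistd.h>
#endif

#ifdef _MSC_VER
#  define NOINLINE __declspec(noinline)
#else
#  define NOINLINE __attribute__((noinline))
#endif

/* The patch target.  In the thread's scenario this address would come from
 * LoadLibrary + GetProcAddress; a local function keeps the example standalone. */
NOINLINE int target_fn(void) { return 1; }

/* Replacement code meaning "return 2", written over the function's first bytes. */
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
static const uint8_t k_patch[] = { 0xB8, 0x02, 0x00, 0x00, 0x00, 0xC3 };            /* mov eax,2 ; ret */
#elif defined(__aarch64__) || defined(_M_ARM64)
static const uint8_t k_patch[] = { 0x40, 0x00, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#2 ; ret */
#else
#  error "no patch encoding for this CPU"
#endif

/* Make [addr, addr+len) writable+executable.  VirtualProtect hands back the
 * previous protection, so VirtualQuery is not needed just to restore it;
 * mprotect has no query, so the POSIX branch assumes the page was R+X. */
static int make_writable(void *addr, size_t len, unsigned long *old) {
#ifdef _WIN32
    DWORD prev;
    if (!VirtualProtect(addr, len, PAGE_EXECUTE_READWRITE, &prev)) return -1;
    *old = prev;
    return 0;
#else
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)addr & ~(pg - 1);
    uintptr_t hi = ((uintptr_t)addr + len + pg - 1) & ~(pg - 1);
    *old = PROT_READ | PROT_EXEC;
    return mprotect((void *)lo, hi - lo, PROT_READ | PROT_WRITE | PROT_EXEC);
#endif
}

/* Put the protection back and flush the instruction cache so the CPU
 * executes the new bytes rather than stale ones. */
static int restore_protection(void *addr, size_t len, unsigned long old) {
#ifdef _WIN32
    DWORD prev;
    if (!VirtualProtect(addr, len, (DWORD)old, &prev)) return -1;
    FlushInstructionCache(GetCurrentProcess(), addr, len);
    return 0;
#else
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)addr & ~(pg - 1);
    uintptr_t hi = ((uintptr_t)addr + len + pg - 1) & ~(pg - 1);
    if (mprotect((void *)lo, hi - lo, (int)old) != 0) return -1;
    __builtin___clear_cache((char *)addr, (char *)addr + len);
    return 0;
#endif
}

/* The patch itself: protect, copy, restore.  Returns 0 on success. */
int patch_code(void *dst, const uint8_t *bytes, size_t n) {
    unsigned long old;
    if (make_writable(dst, n, &old) != 0) return -1;
    memcpy(dst, bytes, n);
    return restore_protection(dst, n, old);
}

/* Calls target_fn() through a volatile pointer (so the compiler cannot fold
 * the call away), patches it, and returns the post-patch result: 2 on
 * success, negative if the sanity check or the protection change failed. */
int run_patch_demo(void) {
    int (* volatile fp)(void) = target_fn;
    if (fp() != 1) return -1;
    if (patch_code((void *)(uintptr_t)target_fn, k_patch, sizeof k_patch) != 0) return -2;
    return fp();
}

int main(void) {
    printf("target_fn() after patch: %d\n", run_patch_demo());
    return 0;
}
```

Two caveats when this is done against a real DLL rather than a local function. On NT/2k the DLL's code pages are copy-on-write, so the write is private to the patched process; on Win9x the system DLLs live in the shared arena above 0x80000000, so a patch there is not private to the target. And the write must not span into the next function unless that is intended: the patch above overwrites exactly sizeof k_patch bytes from the function's first instruction.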

DinDon
August 29th, 2001, 02:23
Quote:
when will my DLL be loaded? Will all the DLLs imported by my target already be loaded by then?

You can be sure that the DLLs loaded by the kernel loader (that is, all the DLLs requested by the target's PE header) will all be there already!

Quote:
One more question - if I'm already in my DLL's DllMain, what's the best way to determine the base addresses of the previously loaded DLLs? Just walking through the target's PE structures?

Why do you want to redo work that someone else has already done? I'd rather use EnumerateLoadedModules() from DBGHELP.DLL. Look at
http://msdn.microsoft.com/library/en-us/debug/hh/winbase/dbghelp_9lwz.asp

Have fun!
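DinDon points at EnumerateLoadedModules, but the "walk the target's PE structures" route Czaj-nick asks about is worth seeing once, since it is also what backs the claim that every DLL named in the PE header is already loaded by the time an injected DllMain runs. The following added example (not code from the thread) walks an in-memory PE image's import directory and lists the DLL names. Header fields are read at their WinNT.h offsets so it builds without windows.h, and the image it parses is a constructed stub, not a real module; both are assumptions of the example.

```c
/* Added example (not code from the thread): list the DLLs an in-memory PE
 * image imports by walking DOS header -> NT headers -> optional header ->
 * DataDirectory[IMPORT] -> IMAGE_IMPORT_DESCRIPTOR array. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DIR_IMPORT 1  /* IMAGE_DIRECTORY_ENTRY_IMPORT */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk a PE image mapped at `base`, where base + RVA is a valid pointer (true
 * for a module loaded in the current process), and store up to `max` imported
 * DLL names in `out`.  Every RVA is checked against `size` before it is
 * dereferenced.  Returns the count, or 0 for a malformed image. */
size_t list_imports(const uint8_t *base, size_t size, const char **out, size_t max) {
    if (size < 0x40 || rd16(base) != 0x5A4D) return 0;                 /* "MZ" */
    uint32_t nt = rd32(base + 0x3C);                                    /* e_lfanew */
    if (nt > size - 24 || rd32(base + nt) != 0x00004550) return 0;      /* "PE\0\0" */
    uint16_t opt_size = rd16(base + nt + 20);                           /* SizeOfOptionalHeader */
    uint32_t opt = nt + 24;                                             /* optional header start */
    if (opt_size < 2 || opt_size > size || opt > size - opt_size) return 0;
    uint32_t dd;                          /* DataDirectory[] offset inside the optional header */
    switch (rd16(base + opt)) {
    case 0x10B: dd = 96;  break;                                        /* PE32 */
    case 0x20B: dd = 112; break;                                        /* PE32+ */
    default:    return 0;
    }
    uint32_t ndirs = rd32(base + opt + dd - 4);                         /* NumberOfRvaAndSizes */
    if (ndirs <= DIR_IMPORT || dd + 8 * (DIR_IMPORT + 1) > opt_size) return 0;
    uint32_t imp = rd32(base + opt + dd + 8 * DIR_IMPORT);             /* import directory RVA */
    if (imp == 0) return 0;

    size_t n = 0;
    /* IMAGE_IMPORT_DESCRIPTOR is 20 bytes: OriginalFirstThunk, TimeDateStamp,
     * ForwarderChain, Name (+12), FirstThunk (+16); an all-zero entry ends the array. */
    for (uint32_t d = imp; d <= size - 20 && n < max; d += 20) {
        uint32_t name = rd32(base + d + 12);
        if (name == 0 && rd32(base + d) == 0 && rd32(base + d + 16) == 0) break;
        if (name == 0 || name >= size) return 0;
        if (memchr(base + name, 0, size - name) == NULL) return 0;      /* unterminated name */
        out[n++] = (const char *)base + name;
    }
    return n;
}

/* Constructed stub image (not a real binary): flat layout with RVA == offset,
 * a PE32 optional header and import descriptors for two DLLs.  Needs 0x420 bytes. */
int build_sample_image(uint8_t *img, size_t size) {
    if (size < 0x420) return -1;
    memset(img, 0, size);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x40);                                 /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    wr16(img + 0x44, 0x014C);                               /* Machine: i386 */
    wr16(img + 0x46, 1);                                    /* NumberOfSections */
    wr16(img + 0x54, 0xE0);                                 /* SizeOfOptionalHeader */
    wr16(img + 0x56, 0x0102);                               /* EXECUTABLE_IMAGE | 32BIT_MACHINE */
    wr16(img + 0x58, 0x10B);                                /* Magic: PE32 */
    wr32(img + 0x58 + 92, 16);                              /* NumberOfRvaAndSizes */
    wr32(img + 0x58 + 96 + 8 * DIR_IMPORT, 0x200);          /* import directory RVA */
    wr32(img + 0x58 + 96 + 8 * DIR_IMPORT + 4, 60);         /* ... and size (3 descriptors) */
    wr32(img + 0x200 + 12, 0x300); wr32(img + 0x200 + 16, 0x400);   /* KERNEL32, IAT at 0x400 */
    wr32(img + 0x214 + 12, 0x310); wr32(img + 0x214 + 16, 0x408);   /* USER32,   IAT at 0x408 */
    /* 0x228: all-zero terminating descriptor */
    memcpy(img + 0x300, "KERNEL32.dll", 13);
    memcpy(img + 0x310, "USER32.dll", 11);
    return 0;
}

int main(void) {
    uint8_t img[0x420];
    const char *names[8];
    build_sample_image(img, sizeof img);
    size_t n = list_imports(img, sizeof img, names, 8);
    for (size_t i = 0; i < n; i++) printf("imports %s\n", names[i]);
    return 0;
}
```

Inside an injected DllMain the real call would be list_imports((const uint8_t *)GetModuleHandle(NULL), SizeOfImage, ...), with SizeOfImage taken from the optional header. That yields names, not bases: to get from an import to its DLL's base address, read one resolved slot from that descriptor's FirstThunk (the IAT) and pass it to VirtualQuery; the AllocationBase field of the returned MEMORY_BASIC_INFORMATION is the base of the mapped module. Which is exactly the work DinDon suggests leaving to EnumerateLoadedModules.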