
Thread: Hooking a member function from an injected DLL?

  1. #31
    disavowed
    This idea is totally out of left field, but... if you're looking to mess with stuff going on inside of your target process but you can't mess with the primary executable's memory because of PunkBuster, what about patching the DLLs (either in-memory or on-disk)? For example, if the function you want to patch in your game calls Sleep(...) at some point, patch kernel32.dll's Sleep(...) function to do your bidding.

  2. #32
    dELTA (Administrator)
    That might indeed be a good way to approximate the desired breakpoint, if:

    1. There is some such DLL/API function called close enough to the point of interest.
    2. The originally desired breakpoint doesn't need to be exact, contrary to e.g. if you want to read some temporary memory data buffer etc exactly at this breakpoint.
    3. PunkBuster does not checksum DLLs too, which I sadly assume is quite likely that it will?

    I'm sure Shakkan can answer the first two questions right away, and possibly even the third? Does anyone else know the answer to the third question?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #33
    Indeed, patching the DLL files themselves won't achieve anything, as PunkBuster's methods involve regular integrity checks, rather than memory-access protection. So such a disk-image modification will only ensure that PunkBuster gets angry at the soonest possible opportunity.

  4. #34
    dELTA (Administrator)
    Damn, it almost seems like that PunkBuster program doesn't want people to mess with the processes it protects, or something.

  5. #35
    Shakkan (Guest)
    Hello,

    Quote Originally Posted by disavowed
    This idea is totally out of left field, but... if you're looking to mess with stuff going on inside of your target process but you can't mess with the primary executable's memory because of PunkBuster, what about patching the DLLs (either in-memory or on-disk)? For example, if the function you want to patch in your game calls Sleep(...) at some point, patch kernel32.dll's Sleep(...) function to do your bidding.
    That could be a good idea. In my hook, I would check ESP and see if it was called by the wanted method. Though it would create overhead for all other calls to it, that's a small price to pay.

    Quote Originally Posted by dELTA
    That might indeed be a good way to approximate the desired breakpoint, if:

    1. There is some such DLL/API function called close enough to the point of interest.
    2. The originally desired breakpoint doesn't need to be exact, contrary to e.g. if you want to read some temporary memory data buffer etc exactly at this breakpoint.
    3. PunkBuster does not checksum DLLs too, which I sadly assume is quite likely that it will?
    1. That's something I can easily check. I don't know right now but I can figure this out soon.
    2. Indeed, it doesn't need to be exact, as long as I'm notified somehow of a call to that method.
    3. PunkBuster can't scan all DLLs; well-known applications such as FRAPS and Xfire inject themselves into games and hook themselves into some DLLs such as Direct3D. FRAPS even uses a system-wide hook. As far as I know, PunkBuster entirely scans the executable and a _part_ of Direct3D. That means that the suggestion by disavowed seems like a good one. Can anyone confirm or refute my assumption about PunkBuster?

    I still need to explore the PAGE_GUARD/VEH method and try an un-SafeDisc'd EXE online with the SEH/DR method to see if PunkBuster also messes with DRs. I'm lagging behind, but keep the suggestions coming, I will catch up. I've just been busy recently.

    Thank you.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #36
    asmfan
    "eeyebootroot.zip"
    password?

  7. #37
    clockwork305 (Guest)
    There can be a somewhat simple, if hackish, way to do this from ring3 if the situation is right. I've used it in the past to get around similar protection. Find two API calls, one executed directly before the code you want to hook, and one after. Hook inside the first API call; when the hook is called, check the return address on the stack and see if it's your target area. If it is, install your hook. Do the same for the API after the code you want, just to uninstall the hook. Hooking inside or at the ret of the APIs can help avoid detection depending on if/how the APIs are checked, but beware of portability issues with that. Just my two cents.
    Last edited by clockwork305; April 7th, 2008 at 23:56.

  8. #38
    Shakkan (Guest)
    Yeah, that's similar to a suggestion above from disavowed. In that case, as I mentioned, simply checking ESP would be sufficient; no need to hook at all, since I only want to be _notified_ of the call, I don't need its parameter values and such. Anyway, hooking/unhooking would be unreliable: you never know when PB does integrity checks, and that method would get called quite often, as it is an "On Weapon Fire" method, called for every bullet that gets out.

    So many things to try now, so little time. I have yet to validate all the suggestions that were made in that thread, but I'll NEED to find the time very soon. There's no way I'm giving up.

    Thanks.
