
Thread: In-memory patching question

  1. #1
    Czaj-nick
    Guest

    In-memory patching question

    In short - I need to build a loader that patches a DLL used by my process. I only want to patch it once, just after the process is loaded; I don't want to/can't wait.

    Currently I've solved it with the debug API: I try to patch every DLL loaded, in my LOAD_LIBRARY_DEBUG_EVENT handler. It works in both W98 and 2k. But I don't like it, I think debugging slows down my target.

    Is there any way to check the base address of a particular module just after CreateProcess, or to hook library loading without using the debug API?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    anon
    Guest
    "The base address is the starting address of a memory-mapped EXE or DLL and is an important concept in Win32. For the sake of convenience, Windows NT and Windows 95 uses the base address of a module as the module's instance handle (HINSTANCE)."

    from MSDN article "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format"

    by Matt Pietrek

  3. #3
    DinDon
    Guest
    You could try to inject a new DLL, expressly written by you for your purposes, using a CBT hook (SetWindowsHookEx), and put your patching jobs in the DLL entry point (from there you could find the base addresses of all the previously loaded DLLs).

    Grab a nice example of this technique at http://codeguru.earthweb.com/dll/apihijack.shtml

    Have fun!

  4. #4
    Czaj-nick
    Guest
    > anon (08-27-2001 22:32):
    > "The base address is the starting address of a memory-mapped EXE or DLL and is an important concept in Win32. For the sake of convenience, Windows NT and Windows 95 uses the base address of a module as the module's instance handle (HINSTANCE)."

    I don't need the main module's handle/base. I get the process's handle, and want to obtain the base address of one of the DLLs it uses, in this process's address space.

    How to enumerate modules, given the process handle?

    Or maybe I don't understand something?

  5. #5
    Czaj-nick
    Guest
    > DinDon (08-27-2001 23:30):
    > You could try to inject a new DLL, expressly written by you for your purposes, using a CBT hook (SetWindowsHookEx), and put your patching jobs in the DLL entry point (from there you could find the base addresses of all the previously loaded DLLs).
    >
    > Grab a nice example of this technique at http://codeguru.earthweb.com/dll/apihijack.shtml
    >
    > Have fun!

    Hmm, I'm not sure if I understand it properly. I create a DLL with an empty HookProc (not exactly - it contains CallNextHookEx), all just to force Windows to load my DLL into my target process? Ughhh.
    However, if I understand well, after doing my job I can safely Unhook, exit my loader, and let the target go on... It seems to be a good solution.

    BTW, when will my DLL be loaded? Will all DLLs imported by my target be loaded already then?

    One more question - if I'm already in my DLL's DllMain - what's the best way to determine base addresses of previously loaded DLLs? Just walking through the target's PE structures?

  6. #6
    הבּרוּ נשׂאי כּלי יהוה mike
    Join Date: Mar 2001
    Posts: 491
    I did this once a while ago under 9x, but don't have access to the code anymore. Here's what I remember.

    You load the DLL with LoadLibrary and get a handle to it. Then use GetProcAddress to get the address of the function you want to patch. Before you modify anything you have to change the flags on the page to writable:
    use VirtualQuery to get the current page flags and VirtualProtect to modify them.

    see http://usa3.hostrack.net/woodmann/fravia/iceman.htm

  7. #7
    DinDon
    Guest
    > When will my DLL be loaded? Will all DLLs imported by my target be loaded already then?

    You can be sure that the DLLs loaded by the kernel loader (that is: all the DLLs requested by the target's PE header) will all be there already!

    > One more question - if I'm already in my DLL's DllMain - what's the best way to determine base addresses of previously loaded DLLs? Just walking through the target's PE structures?

    Why do you want to do again the work which someone else has already done? I'd rather use EnumerateLoadedModules() inside DBGHELP.DLL. Look at
    http://msdn.microsoft.com/library/en-us/debug/hh/winbase/dbghelp_9lwz.asp

    Have fun!
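DinDon's reply above rests on the import directory in the target's PE header: whatever is named there is mapped by the loader before a hook DLL arrives. As an added example that is not from the thread, the following Python walks that structure in a PE32/PE32+ file image (e_lfanew, data directory entry 1, section table) and lists the imported DLL names; build_sample_pe() is a constructed minimal image to run it against, not a real binary. In a mapped image, as seen from DllMain, the section translation is unnecessary because base address + RVA is already the pointer.

```python
import struct

def _rva_to_off(rva, sections):
    # Map an RVA to a file offset through the section table; in a mapped
    # image (what DllMain sees) base address + RVA is already the pointer.
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def imported_dlls(image):
    """DLL names from the import directory of a PE32/PE32+ file image, in order."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh, opt = pe + 4, pe + 24                                 # file header, optional header
    nsections, opt_size = struct.unpack_from("<H", image, fh + 2)[0], struct.unpack_from("<H", image, fh + 16)[0]
    magic = struct.unpack_from("<H", image, opt)[0]
    # Data directories begin at 0x60 (PE32) or 0x70 (PE32+); entry 1 is the import table
    imp_rva = struct.unpack_from("<I", image, opt + (0x60 if magic == 0x10B else 0x70) + 8)[0]
    sections = []
    for i in range(nsections):       # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    names, off = [], (_rva_to_off(imp_rva, sections) if imp_rva else None)
    while off is not None:
        lookup, _, _, name_rva, thunk = struct.unpack_from("<IIIII", image, off)   # IMAGE_IMPORT_DESCRIPTOR
        if not (lookup or name_rva or thunk):                 # all-zero terminator
            break
        noff = _rva_to_off(name_rva, sections)
        names.append(image[noff:image.index(b"\0", noff)].decode("ascii"))
        off += 20
    return names

def build_sample_pe():
    """Constructed minimal PE32 image (not a real binary): one section with an import directory naming two DLLs."""
    sec_va, sec_raw, dlls = 0x1000, 0x200, (b"KERNEL32.dll", b"USER32.dll")
    body, name_off = b"", 20 * (len(dlls) + 1)                # name strings follow the descriptors
    for d in dlls:
        body += struct.pack("<IIIII", 0, 0, 0, sec_va + name_off, 0)
        name_off += len(d) + 1
    body += b"\0" * 20 + b"\0".join(dlls) + b"\0"
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    opt = struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", sec_va, 60) + b"\0" * 112
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + fh + opt + sec
    return hdr + b"\0" * (sec_raw - len(hdr)) + body
```

Running imported_dlls() on a real file image lists exactly the set DinDon describes as guaranteed present when the hook DLL's entry point runs; DLLs loaded later via LoadLibrary are not in it.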
