Thread: patching dll functions at runtime?

  1. #1
    ramin_rad2000
    Guest

    patching dll functions at runtime?

    Probably most of you have written this kind of loader before, but here is my question:
    I want to write a loader which fires the app, then waits for a debug signal (LOAD_DLL_DEBUG_INFO), then finds out if this is the right dll, and then patches one of its functions.
    I have seen stones tut on this but I couldn't understand it.
    Please just try to give an actual source code or tutorial, because I know in general what has to be done.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    cRk (Registered User; joined Apr 2003; location: out of hell; posts: 152)
    Interesting topic... I have always seen loaders for .exe files and never for .dll or .ocx. Is there a possible way to make a memory patch (loader) like Risc process patcher does, but in .dll files? In case NOT, then what other ways can we take to patch a .dll in memory, like using a loader for targets that have been packed or protected somehow?
    Last edited by cRk; May 3rd, 2004 at 23:48.

  3. #3
    SynApsus (the Lamer ? it's ME ! Yes; joined Feb 2004; location: France; posts: 30)
    Of course it is possible. I don't think it exists but it seems to be easy to code...
    Just code a program ( a loader ) which will run the process you have to patch in memory and which uses the dll, then enumerate the modules using Module32First/Module32Next, find the dll you want to patch, determine the address of the patch ( use the difference between the patch location and the image base of the dll ) and that's all.

  4. #4
    ramin_rad2000
    Guest
    SynApsus, can you give us a source code?
    Can we use the rva in a dll as an offset to apply the patch? Is this rva different on every machine?
    I made a simple patch (in a dll) and it worked both in xp and 98, and I want to know whether it is general or not.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    SynApsus
    No, I will not provide source code lol. Find it by yourself !
    Some tips to help you :
    ** Reversing
    - Find the bytes to modify and notice the RVA where u will have to patch. This RVA can change very easily ! So you will have to subtract the imagebase of the dll and the RVA you just noticed ( do all that in the disassembler ! do not subtract the RVA you get in the debugger and the image base of the PE header because the image base of a dll can change when loaded, and the data will be redirected with the relocations ). Keep this number somewhere : IT will never change. ( if we suppose the location of the patch is not in a dynamically allocated space hehe )

    ** Patching
    - Load the process using the Debug Apis and CreateProcess etc
    - Freeze it at each LOAD_DLL_DEBUG_EVENT debug event
    - check if this loaded dll is the one you want to patch
    - if it is, use the lpBaseOfDll member of ur LOAD_DLL_DEBUG_INFO struct to retrieve the module handle ( real image base in memory atm ) and add to it the number we noticed.
    - Now you can use the WriteProcessMemory function to write to the dll in the debuggee process, just when loaded...

    lol, I have not given you the source code but not far from it !
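
Added example (not part of the original thread): the base-independent offset described in post #5, used from the analysis side. It parses the PE headers for the preferred ImageBase and section table, then maps an address observed in a loaded module back to its RVA and on-disk file offset, so the bytes there can be compared with the file wherever the DLL was loaded. The sample image, its addresses and the function names are constructed for this example.

```python
import struct

def parse_pe(data):
    """Return (preferred ImageBase, [(name, va, vsize, raw_ptr, raw_size)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                           # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                      # PE32
        base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                    # PE32+
        base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsec):                                   # 40-byte section headers
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return base, sections

def rva_to_file_offset(sections, rva):
    """Map an RVA to its offset in the on-disk file, or None if not file-backed."""
    for _name, va, _vsize, rptr, rsize in sections:
        if va <= rva < va + rsize:
            return rptr + (rva - va)
    return None

def locate(data, load_base, runtime_addr):
    """Translate an address inside a loaded module to (RVA, file offset)."""
    _preferred, sections = parse_pe(data)
    rva = runtime_addr - load_base      # load_base plays the role of lpBaseOfDll
    return rva, rva_to_file_offset(sections, rva)

def build_sample_dll():
    """Constructed header-only PE32: ImageBase 0x10000000, one .text section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H26xI", opt, 0, 0x10B, 0x10000000)   # magic, ImageBase
    text = struct.pack("<8sIIII16x", b".text", 0x2000, 0x1000, 0x2000, 0x400)
    return dos + coff + bytes(opt) + text

if __name__ == "__main__":
    print([hex(v) for v in locate(build_sample_dll(), 0x03A20000, 0x03A21234)])
```

The same RVA and file offset come back whether the module sits at its preferred base or a relocated one, which is what makes the offset usable for comparing a memory image against the file on disk.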

  6. #6
    cRk
    This is not so easy for someone who doesn't know about coding at all... Would someone else provide source code or a tool able to do this task? I'm a newbie... I don't think I will be able to handle this... maybe someday with free time I'll learn some coding tricks.
    Last edited by cRk; May 6th, 2004 at 11:31.
