
Thread: patching dll functions at runtime?

  1. #1
    ramin_rad2000
    Guest

    patching dll functions at runtime?

    Probably most of you have written this kind of loader before, but here is my question:
    I want to write a loader which fires up the app, then waits for a debug signal (LOAD_DLL_DEBUG_INFO), then finds out if this is the right DLL and patches one of its functions.
    I have seen Stone's tutorial on this, but I couldn't understand it.
    Please just try to give actual source code or a tutorial, because I know in general what has to be done.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Registered User cRk's Avatar
    Join Date
    Apr 2003
    Location
    out of hell
    Posts
    152
    Interesting topic. I have always seen loaders for .exe files and never for .dll or .ocx. Is there a possible way to make a memory patch (loader) like Risc Process Patcher does, but for .dll files? If not, then what other ways can we take to patch a .dll in memory, like using a loader for targets that have been packed or protected somehow?
    Last edited by cRk; May 3rd, 2004 at 23:48.

  3. #3
    the Lamer ? it's ME ! Yes SynApsus's Avatar
    Join Date
    Feb 2004
    Location
    France
    Posts
    30
    Of course it is possible. I don't think it exists, but it seems to be easy to code...
    Just code a program which will run the process you have to patch in memory and which uses the DLL (a loader), then enumerate the modules using Module32First/Module32Next, find the DLL you want to patch, determine the address of the patch (use the difference between the patch location and the image base of the DLL), and that's all.

  4. #4
    ramin_rad2000
    Guest
    SynApsus, can you give us some source code?
    Can we use the RVA in a DLL as an offset to apply the patch? Is this RVA different on every machine?
    I made a simple patch (in a DLL) and it worked both on XP and 98, and I want to know whether it is general or not.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    the Lamer ? it's ME ! Yes SynApsus's Avatar
    Join Date
    Feb 2004
    Location
    France
    Posts
    30
    No, I will not provide source code, lol. Find it by yourself!
    Some tips to help you:
    ** Reversing
    - Find the bytes to modify and note the RVA where you will have to patch. This RVA can change very easily! So you will have to subtract the image base of the DLL and the RVA you just noted (do all that in the disassembler! Do not subtract the RVA you get in the debugger and the image base from the PE header, because the image base of a DLL can change when loaded, and the data will be redirected with the relocations). Keep this number somewhere: IT will never change (if we suppose the location of the patch is not in dynamically allocated space, hehe).

    ** Patching
    - Load the process using the Debug APIs and CreateProcess, etc.
    - Freeze it at each LOAD_DLL_DEBUG_EVENT debug event.
    - Check if this loaded DLL is the one you want to patch.
    - If it is, use the lpBaseOfDll member of your LOAD_DLL_DEBUG_INFO struct
    to retrieve the module handle (the real image base in memory at the moment) and add to it
    the number we noted.
    - Now you can use the WriteProcessMemory function to write to the DLL in the
    debuggee process, just when loaded...

    lol, I have not given you the source code, but not far from it!

  6. #6
    Registered User cRk's Avatar
    Join Date
    Apr 2003
    Location
    out of hell
    Posts
    152
    This is not so easy for someone who doesn't know about coding at all... Would someone else provide source code or a tool able to do this task? I'm a newbie... I don't think I will be able to handle this. Maybe someday, with free time, I'll learn some coding tricks.
    Last edited by cRk; May 6th, 2004 at 11:31.

  7. #7
    Hello,

    Please find attached a very basic working prototype C program that should work for you
    with some minor changes. It does the basic Create Process / Wait for debug event /
    Is this the event I'm looking for? / Continue debug event cycle.
    I used this prototype to memory-patch a program (protected by a later version
    of Asprotect) based on the timing/loading of a *.dll, similar in context to what
    you are looking for.
    Once you familiarize yourself with the process, you should not have any trouble
    adapting it to patch a *.dll vs. an *.exe as I have done.
    Note: this program was written to run on WinXP:
    A) It makes use of psapi.dll, which allows for enumerating modules within a
    process. If you don't have WinNT 4.0 or greater, then you
    will probably need to use the ToolHelp32 snapshot method as
    SynApsus mentions. There is plenty of information out there to
    show you how to do this.
    B) It makes use of the DebugActiveProcessStop API, only valid for WinXP and
    greater. This API allows the debugger to detach from the process
    you loaded (your target app). Sweet.
    C) You may need to explicitly include c:\path\psapi.lib (for psapi.dll) in the link step to avoid any reference-type errors.
    I am partial to this approach as it eliminates the need to use a process dumper or PE editor
    tool, worry about CRC checking, or having to rebuild an IAT. The choice
    is yours.
    I would be very interested in hearing of your success.
    Good Luck!
    Attached Files
