5-byte code jump crashing when in an injected DLL
Code:
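/*
 * Inline ("5-byte jmp") hook of user32!MessageBoxA in the current process.
 *
 * HookFunction saves the first HOOK_LEN bytes of the target, writes a
 * relative jmp to MyMessageBoxA over them, and UnHookFunction restores the
 * saved bytes. MyMessageBoxA unhooks, forwards the call, then re-hooks.
 *
 * NOTE(review): the angle-bracket #include lines were lost in extraction
 * (the listing shows "#include#include"); restored as the headers this code
 * needs (Win32 API, printf/snprintf, memcpy).
 *
 * The address arithmetic is done in DWORD, so this is correct only in a
 * 32-bit (x86) build: a rel32 jmp cannot reach arbitrary 64-bit addresses
 * and casting a 64-bit pointer to DWORD truncates it.
 */
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Bytes overwritten at the target's entry: 5-byte rel32 jmp plus one pad byte. */
enum { HOOK_LEN = 6 };

DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup);
BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup);
int MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

/* Original HOOK_LEN bytes of MessageBoxA; written by HookFunction, read by UnHookFunction. */
BYTE hook[HOOK_LEN];

/*
 * Installs the MessageBoxA hook and exits. The hook is left in place; the
 * demo call is commented out as in the original listing.
 * Returns 0 on success, 1 if the hook could not be installed.
 */
int main(void)
{
    if (HookFunction("user32.dll", "MessageBoxA", (LPVOID)MyMessageBoxA, hook) == 0) {
        printf("HookFunction failed\n");
        return 1;
    }
    // MessageBox(0, "HEY", "", MB_OK);
    return 0;
}

/*
 * Replacement for MessageBoxA: prefixes the text with "HOOKED!!" and
 * forwards to the real function.
 *
 * @param hWnd, lpText, lpCaption, uType  same meaning as for MessageBoxA;
 *        lpText may be NULL (MessageBoxA allows it) and is caller-controlled.
 * @return the real MessageBoxA's result, or 0 if the original entry could not
 *         be restored (calling the target in that state would recurse here).
 *
 * Not thread safe: another thread entering MessageBoxA while the bytes are
 * swapped can execute a half-patched prologue.
 */
int MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    char msg[32];

    /* Restore the original entry so the call below reaches the real function. */
    if (!UnHookFunction("user32.dll", "MessageBoxA", hook)) {
        return 0;
    }

    /* Bounded format: lpText can exceed msg, so the original sprintf overflowed. */
    snprintf(msg, sizeof msg, "HOOKED!!\n\n%s", lpText ? lpText : "");
    int x = MessageBoxA(hWnd, msg, lpCaption, uType);

    if (HookFunction("user32.dll", "MessageBoxA", (LPVOID)MyMessageBoxA, hook) == 0) {
        printf("re-hook of MessageBoxA failed\n");
    }
    return x;
}

/*
 * Overwrites the entry of lpModule!lpFuncName with a rel32 jmp to lpFunction.
 *
 * @param lpModule    module name passed to GetModuleHandleA
 * @param lpFuncName  export name passed to GetProcAddress
 * @param lpFunction  address the jmp should land on
 * @param lpBackup    receives the HOOK_LEN original bytes (must hold HOOK_LEN)
 * @return the hooked address, or 0 if the target could not be resolved, read
 *         or written. On 0 nothing has been written to the target.
 */
DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup)
{
    /* Literal format; "%s" with NULL is undefined, so substitute a marker. */
    printf("%s %s - %s %s\n", "lpModule", lpModule ? lpModule : "(null)",
           "lpFuncName", lpFuncName ? lpFuncName : "(null)");

    HMODULE hMod = GetModuleHandleA(lpModule);
    if (hMod == NULL) {
        return 0;
    }
    FARPROC pfn = GetProcAddress(hMod, lpFuncName);
    if (pfn == NULL) {
        return 0;
    }
    DWORD dwAddr = (DWORD)(DWORD_PTR)pfn;
    printf("%s 0x%08lX\n", "dwAddr =", (unsigned long)dwAddr);

    /* Save the bytes we are about to overwrite; without them UnHookFunction
     * would write garbage back, so bail out before patching if this fails. */
    if (!ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, HOOK_LEN, NULL)) {
        return 0;
    }

    /* rel32 displacement: target - (address of the jmp + its 5-byte length). */
    DWORD dwCalc = (DWORD)(DWORD_PTR)lpFunction - dwAddr - 5;
    printf("%s 0x%08lX\n", "dwCalc =", (unsigned long)dwCalc);

    BYTE jmp[HOOK_LEN] = {
        0xe9,                   /* jmp rel32 */
        0x00, 0x00, 0x00, 0x00, /* displacement, filled in below */
        0xc3                    /* ret: pads to HOOK_LEN, never reached through the jmp */
    };
    memcpy(&jmp[1], &dwCalc, sizeof dwCalc);

    if (!WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, HOOK_LEN, NULL)) {
        return 0;
    }
    return dwAddr;
}

/*
 * Writes the HOOK_LEN bytes in lpBackup back over the entry of
 * lpModule!lpFuncName.
 *
 * @return TRUE if the bytes were written, FALSE if the target could not be
 *         resolved or the write failed.
 */
BOOL UnHookFunction(LPCSTR lpModule, LPCSTR lpFuncName, unsigned char *lpBackup)
{
    HMODULE hMod = GetModuleHandleA(lpModule);
    if (hMod == NULL) {
        return FALSE;
    }
    FARPROC pfn = GetProcAddress(hMod, lpFuncName);
    if (pfn == NULL) {
        return FALSE;
    }
    return WriteProcessMemory(GetCurrentProcess(), (LPVOID)pfn, lpBackup, HOOK_LEN, NULL) ? TRUE : FALSE;
}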
thanks