sddvxd, 2019-02-01 20:06:47

Why doesn't the address of the function change in the import section?

Good afternoon!
I wrote code that replaces the imported address of CreateProcessW with the address of my own function. If I replace the imported function's address inside my own process (CLIENT.exe), everything works:

BOOL g(){
   // Stand-in for CreateProcessW in the same-process experiment: it only pops a
   // message box so the author can see that the import slot now points here, and
   // then reports failure to the caller.
   // NOTE(review): the signature does not match CreateProcessW (no WINAPI, no
   // parameters); on a 32-bit build the calling-convention mismatch would corrupt
   // the caller's stack — TODO confirm the target architecture.
   QMessageBox::information(nullptr, 0, "ok");
   return FALSE;
}

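int main(int argc, char* argv[]){
    // Open this same process (CLIENT.exe); the Process helper (not shown here)
    // initialises this->hModule, this->pID and this->hProcess.
    Process explorer(L"CLIENT.exe");
    if(!explorer.isOpen()) return -1;
    // Resolve the live address of CreateProcessW and redirect the import slot
    // that holds it to g().
    HID hId = explorer.replaceProcAddress("KERNEL32.dll", GetProcAddress(GetModuleHandleA("Kernel32"), "CreateProcessW"), (PROC)g);
    // The original listing never checked hId; bail out instead of calling a slot
    // that may not have been patched.
    if(hId == INVALID_HID) return -3;
    // This call now lands in g(), which shows the "ok" box.
    CreateProcessW(0,0,0,0,0,0,0,0,0,0);
    return 0;
}  // the closing brace was missing from the original listing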

It works, the address of the function has been changed.
But if I try to change the address in another process by injecting a DLL into it, nothing happens at all:
//CLIENT.exe

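int main(int argc, char* argv[]){
    // Open the target process by name; the Process helper (not shown here)
    // initialises this->hModule, this->pID and this->hProcess.
    Process explorer(L"explorer.exe");
    if(!explorer.isOpen()) return -1;
    // Load the hook library into that process. The original comment calls this
    // "injection via CreateRemoteProcess" — that is not a Win32 API name, and
    // injectLib's body is not part of the listing.
    if(!explorer.injectLib(L"C:\\libappUTILS.dll")) return -2;
    return 0;
}  // the closing brace was missing from the original listing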

Library code:
//libappUTILS.dll

// Handle object for the hooked host process. It is allocated with new in
// DllMain and, as far as this listing shows, never deleted (raw owning pointer).
Process* explorer;


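// Replacement for CreateProcessW that DllMain writes into the host's import table.
// It only announces the interception in a message box: it never forwards to the
// real CreateProcessW, so every process-creation attempt in the host fails for as
// long as the hook is installed. All ten parameters are deliberately ignored.
// Returns FALSE. The original listing fell off the end of a non-void function,
// which is undefined behaviour and hands the caller an unspecified result.
WINBOOL WINAPI MyCreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, WINBOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation){
    int argc = 0;
    // NOTE(review): a QApplication is constructed on whatever host thread happens
    // to call CreateProcessW; Qt expects one application object, on the main
    // thread — TODO confirm this is tolerated in the host.
    QApplication app(argc, 0);
    QMessageBox::information(0,"hooked", QString(QString("У explorer.exe перехвачен вызов: ")));
    return FALSE;
}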

// Entry point of the injected library. On process attach it opens the host
// (explorer.exe), swaps the CreateProcessW import slot for MyCreateProcessW and
// reports the outcome through Qt message boxes. Other reasons are ignored.
BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD fdwReason, PVOID load){
    switch (fdwReason) {
        case DLL_PROCESS_ATTACH:{
            // Allocated with new and never deleted; the global is the only reference.
            explorer = new Process(L"explorer.exe");
            if(!explorer->isOpen())
                explorer->error(L"Does not open process"); // execution continues whatever error() does
            // Resolve CreateProcessW's current address, then patch the import slot holding it.
            HID hId = explorer->replaceProcAddress("KERNEL32.dll", GetProcAddress(GetModuleHandleA("Kernel32"), "CreateProcessW"), (PROC)MyCreateProcessW);

            if(hId == INVALID_HID){
                    int argc = 0;
                    // NOTE(review): constructing a QApplication inside DllMain runs Qt
                    // initialisation while the loader lock is held, which the DllMain
                    // documentation warns against (deadlocks or silent failure).
                    QApplication app(argc, 0);
                    QMessageBox::information(0, "error", 0);
            }
            // NOTE(review): no QApplication is alive on this line on either path (the
            // one in the error branch has already been destroyed), and Qt widgets
            // require one; this call is therefore likely to abort — TODO confirm.
            QMessageBox::information(0, "ptr", QString::number((long long)MyCreateProcessW));


            break;
        }
    }
    // NOTE(review): returning FALSE for DLL_PROCESS_ATTACH tells the loader that
    // initialisation failed, so the library is unloaded immediately — after the
    // import slot above was already redirected into it. A later CreateProcessW
    // call in the host would then jump into unmapped memory. The documented
    // contract is to return TRUE when attach succeeded.
    return FALSE;
}

Process::replaceProcAddress code:
// Redirects one entry of the import address table of the image at getHinstance().
// moduleName: import descriptor name to match. Compared with strcmp, i.e.
//             case-sensitively; PE import names are matched case-insensitively by
//             the loader, so a spelling difference silently finds nothing — TODO
//             confirm the spelling used in the target's import directory.
// original:   the resolved address currently stored in the slot to replace.
// swap:       the address written into that slot.
// Returns 1 when a matching slot was found, INVALID_HID when the import directory
// is absent, when the write fails, or when no slot matched.
HID Process::replaceProcAddress(LPCSTR moduleName, PROC original, PROC swap){
    ULONG size; // filled in by ImageDirectoryEntryToData, not used afterwards
    bool found = false;
    PIMAGE_IMPORT_DESCRIPTOR pImageDesc;
    pImageDesc = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(ImageDirectoryEntryToData(getHinstance(), TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &size));
    if(pImageDesc == NULL)
        return INVALID_HID;
    // One descriptor per imported module; the array ends with a zero Name RVA.
    for(; pImageDesc->Name; pImageDesc++){
        PSTR pModName = reinterpret_cast<PSTR>(reinterpret_cast<PBYTE>(getHinstance()) + pImageDesc->Name);
        if(strcmp(pModName, moduleName) == 0){
            // FirstThunk points at this module's IAT: one resolved address per import.
            PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(reinterpret_cast<PBYTE>(getHinstance()) + pImageDesc->FirstThunk);
            for(; pThunkData->u1.Function; pThunkData++){
                PROC* ppOriginalFunc = reinterpret_cast<PROC*>(&pThunkData->u1.Function);
                if(*ppOriginalFunc == original){
                    // NOTE(review): found is set before the page is made writable, so
                    // the function still reports 1 when VirtualProtect fails and
                    // nothing was actually written.
                    found = true;
                    DWORD dwOldProtect;
                    // Make the slot writable; the previous protection is restored below.
                    if(VirtualProtect(ppOriginalFunc, sizeof(swap), PAGE_WRITECOPY, &dwOldProtect)){
                        // A failed write returns without restoring the page protection.
                        if(!WriteProcessMemory(getHandle(), ppOriginalFunc, &swap, sizeof(swap), NULL))
                            return INVALID_HID;
                        {
                            // Debug confirmation: a QApplication is created and destroyed
                            // here for every patched slot.
                            int argc = 0;
                            QApplication app(argc, 0);
                            QMessageBox::information(0, "ok", "changed");
                        }
                        VirtualProtect(ppOriginalFunc, sizeof(swap), dwOldProtect, &dwOldProtect);
                    }
                }
            }
        }
    }
    if(found) return 1;
    return INVALID_HID;
}

Both processes open normally. Can you tell me where the snag could be?
HID is my own type (uint), which I use to report whether a procedure succeeded.


1 answer(s)
jcmvbkbc, 2019-02-02

what could be the snag

Is your code being called at all? Does it work without errors? Or where is the first mistake?
Why do you expect every caller to be well-behaved and use the W variant rather than the A one?
