Answer the question
In order to leave comments, you need to log in
S
S
sddvxd2019-02-01 20:06:47
sddvxd, 2019-02-01 20:06:47
Why doesn't the address of the function change in the import section?
Good afternoon!
I wrote a code to change the imported address CreateProcessW to my own. If I try to change the address of the imported function in my process (CLIENT.exe), then everything goes well:
BOOL g(){
QMessageBox::information(0, 0, "ok");
return false;
}
int main(int argc, char* argv[]){
Process explorer(L"CLIENT.exe"); //Инициализация this->hModule, this->pID, this->hProcess
if(!explorer.isOpen()) return -1;
HID hId = explorer.replaceProcAddress("KERNEL32.dll", GetProcAddress(GetModuleHandleA("Kernel32"), "CreateProcessW"), (PROC)g);
CreateProcessW(0,0,0,0,0,0,0,0,0,0); //Вызвалась функция g()
return 0;It works, the address of the function has been changed.
But if I try to change the address there by the method of injecting a DLL into a foreign process, then I get nothing:
//CLIENT.exe
int main(int argc, char* argv[]){
Process explorer(L"explorer.exe"); //Инициализация this->hModule, this->pID, this->hProcess
if(!explorer.isOpen()) return -1;
if(!explorer.injectLib(L"C:\\libappUTILS.dll")) return -2; //Инжект через CreateRemoteProcess
return 0;Library code:
//libappUTILS.dll
Process* explorer;
WINBOOL WINAPI MyCreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, WINBOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation){
int argc = 0;
QApplication app(argc, 0);
QMessageBox::information(0,"hooked", QString(QString("У explorer.exe перехвачен вызов: ")));
}
BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD fdwReason, PVOID load){
switch (fdwReason) {
case DLL_PROCESS_ATTACH:{
explorer = new Process(L"explorer.exe");
if(!explorer->isOpen())
explorer->error(L"Does not open process");
HID hId = explorer->replaceProcAddress("KERNEL32.dll", GetProcAddress(GetModuleHandleA("Kernel32"), "CreateProcessW"), (PROC)MyCreateProcessW);
if(hId == INVALID_HID){
int argc = 0;
QApplication app(argc, 0);
QMessageBox::information(0, "error", 0);
}
QMessageBox::information(0, "ptr", QString::number((long long)MyCreateProcessW));
break;
}
}
return FALSE;
}Process::replaceProcAddress code:
HID Process::replaceProcAddress(LPCSTR moduleName, PROC original, PROC swap){
ULONG size;
bool found = false;
PIMAGE_IMPORT_DESCRIPTOR pImageDesc;
pImageDesc = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(ImageDirectoryEntryToData(getHinstance(), TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &size));
if(pImageDesc == NULL)
return INVALID_HID;
for(; pImageDesc->Name; pImageDesc++){
PSTR pModName = reinterpret_cast<PSTR>(reinterpret_cast<PBYTE>(getHinstance()) + pImageDesc->Name);
if(strcmp(pModName, moduleName) == 0){
PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(reinterpret_cast<PBYTE>(getHinstance()) + pImageDesc->FirstThunk);
for(; pThunkData->u1.Function; pThunkData++){
PROC* ppOriginalFunc = reinterpret_cast<PROC*>(&pThunkData->u1.Function);
if(*ppOriginalFunc == original){
found = true;
DWORD dwOldProtect;
if(VirtualProtect(ppOriginalFunc, sizeof(swap), PAGE_WRITECOPY, &dwOldProtect)){
if(!WriteProcessMemory(getHandle(), ppOriginalFunc, &swap, sizeof(swap), NULL))
return INVALID_HID;
{
int argc = 0;
QApplication app(argc, 0);
QMessageBox::information(0, "ok", "changed");
}
VirtualProtect(ppOriginalFunc, sizeof(swap), dwOldProtect, &dwOldProtect);
}
}
}
}
}
if(found) return 1;
return INVALID_HID;
}Processes both opened normally, and open. Please tell me, what could be the snag
HID - my type (uint), which I use to determine the success of the completion of procedures
Similar questions
A
M
A
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question