Results 1 to 2 of 2
  1. #1
    Dwar
    Dwar is offline
    Veteran Dwar's Avatar
    Join Date
    2010 Mar
    Posts
    2,222
    Thanks Thanks Given 
    211
    Thanks Thanks Received 
    2,230
    Thanked in
    292 Posts
    Rep Power
    10

    [C++] Hook process functions via dll injection

    Hook process functions via dll injection
    This tutorial on how to hook process functions via dll injection.
    What we want to accomplish here is overwrite the address of the function to either jmp, or call our own function in the dll file. Sounds really complicated, but it's not and with little knowledge of pointers and how programs work we can do this.

    We create a function that will render an instruction to jmp or call a specified offset. With this instruction we then assign appropriate permissions to access and write to the original function call, we then write our new instruction in place of the original.

    Here is the basic structure (Redirect.h):
     #define CALL(a) _asm call [a]  
    #define JMP(a) _asm jmp [a]

    class Redirect
    {
    public:
    void RenderJMPInstruction(LPVOID address, LPVOID jumpto, char *buf);
    void JMPFunction(DWORD address, DWORD jumpto);
    void RenderCALLInstruction(LPVOID address, LPVOID jumpto, char *buf);
    void CALLFunction(DWORD address, DWORD jumpto);
    Redirect();
    virtual ~Redirect();

    };

    The class consists of one constructor and four methods.

    With the structure there, there is nothing more to do but code what we wanted to do.
     #include "Redirect.h"  

    //////////////////////////////////////////////////////////////////////
    // Construction/Destruction
    //////////////////////////////////////////////////////////////////////

    Redirect::Redirect()
    { }
    Redirect::~Redirect()
    { }

    void Redirect::CALLFunction(DWORD address, DWORD jumpto)
    {
    char instruction[5];
    RenderCALLInstruction((LPVOID)address,(LPVOID)jump to,instruction);
    DWORD oldprot, dummy;
    VirtualProtect((void*)address,5,PAGE_EXECUTE_READW RITE,&oldprot);
    memcpy((LPVOID)address,(LPVOID)instruction,5);
    VirtualProtect((void*)address,5,oldprot,&dummy);
    }

    void Redirect::RenderCALLInstruction(LPVOID address, LPVOID jumpto, char *buf)
    {
    int offset = (int)jumpto - ((int)address + 5);
    buf[0] = (char)0xE8;
    *(DWORD*)(buf+1) = offset;
    }

    void Redirect::JMPFunction(DWORD address, DWORD jumpto)
    {
    char instruction[5];
    RenderJMPInstruction((LPVOID)address,(LPVOID)jumpt o,instruction);
    DWORD oldprot, dummy;
    VirtualProtect((void*)address,5,PAGE_EXECUTE_READW RITE,&oldprot);
    memcpy((LPVOID)address,(LPVOID)instruction,5);
    VirtualProtect((void*)address,5,oldprot,&dummy);
    }

    void Redirect::RenderJMPInstruction(LPVOID address, LPVOID jumpto, char *buf)
    {
    int offset = (int)jumpto - ((int)address + 5);
    buf[0] = (char)0xE9;
    *(DWORD*)(buf+1) = offset;
    }

    Redirecting the function is simple:
     /* This is just an example 
    * 0x600542A5 would be the offset of the call in the original program you would like to redirect.
    */
    Redirect Hook;
    Hook.CALLFunction(0x600542A5,(DWORD)OnZoneSend);

    Not done yet though, we still have to create the OnZoneSend function. This is where people can run into problems if they don't know instruction flow in applications, it may require a little knowledge of assembly.
     int WINAPI OnZoneSend(...) {  
    // ... your code here
    return ZoneSend(...);
    }

    We now call a naked function which will jmp to the original function entry point.
     DWORD lpZoneSend = 0x6005484F; // original function entry point.  
    int __declspec(naked) WINAPI ZoneSend(...)
    {
    JMP(lpZoneSend)
    }

    Thats it! Enjoy.
    Author: Specific
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  2. The Following User Says Thank You to Dwar For This Useful Post:


  3. #2
    SaptaAgunk
    SaptaAgunk is offline
    New member SaptaAgunk's Avatar
    Join Date
    2010 Dec
    Posts
    13
    Thanks Thanks Given 
    14
    Thanks Thanks Received 
    0
    Thanked in
    0 Posts
    Rep Power
    0
    can I have some source code with DevC + + language?
    and not detected by HackShield

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •