Results 1 to 1 of 1

Thread: Patch Functions

  1. #1
    syntaxtcbl
    syntaxtcbl is offline
    Guest
    Join Date
    2014 Jun
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Patch Functions

    Hi,

    Some may find this usefull, others may not. We are assuming you are loaded inside the process.

    Code:
    type
      PImageDOSHeader = ^TImageDOSHeader;
      TImageDOSHeader = packed record
        e_magic: Word;
        e_cblp: Word;
        e_cp: Word;
        e_crlc: Word;
        e_cparhdr: Word;
        e_minalloc: Word;
        e_maxalloc: Word;
        e_ss: Word;
        e_sp: Word;
        e_csum: Word;
        e_ip: Word;
        e_cs: Word;
        e_lfarlc: Word;
        e_onvo: Word;
        e_res: array [0..3] of Word;
        e_oemid: Word;
        e_oeminfo: Word;
        e_res2: array [0..9] of Word;
        e_lfanew: DWord;
    end;
    
    type
      PImageNtHeaders = ^TImageNtHeaders;
      TImageNtHeaders = packed record
        signature: dword;
        FileHeader: TImageFileHeader;
        OptionalHeader: TImageOptionalHeader;
      end;
    
    type
      PImageFileHeader = ^TImageFileHeader;
      TImageFileHeader = packed record
        Machine: Word;
        NumberOfSections: Word;
        TimeDateStamp: dword;
        PointerToSymbolTable: dword;
        NumberOfSymbols: dword;
        SizeOfOptionalHeader: Word;
        Characteristics: Word;
      end;
    type
      PImageOptionalHeader = ^TImageOptionalHeader;
      TImageOptionalHeader = packed record
        Magic: Word;
        MajorLinkerVersion: byte;
        MinorLinkerVersion: byte;
        SizeOfCode : dword;
        SizeOfInitializedData: dword;
        SizeOfUninitializedData: dword;
        AddressOfEntryPoint: dword;
        BaseOfCode: dword;
        BaseOfData: dword;
        ImageBase: dword;
        SectionAlignment: dword;
        FileAlignment: dword;
        MajorOperatingSystemVersion: Word;
        MinorOperatingSystemVersion: Word;
        MajorImageVersion: Word;
        MinorImageVersion: Word;
        MajorSubsystemVersion: Word;
        MinorSubsystemVersion: Word;
        Win32VersionVaule: dword;
        SizeOfImage: dword;
        SizeOfHeaders: dword;
        CheckSum: dword;
        Subsystem : Word;
        DllCharacteristics: Word;
        SizeOfStackReserve: dword;
        SizeOfStackCommit: dword;
        SizeOfHeapReserve: dword;
        SizeOfHeapCommit: dword;
        LoaderFlags: dword;
        NumberOfRvaAndSizes: dword;
        DataDirectory: array[0..IMAGE_NUMBEROF_DIRECTORY_ENTRIES-1] of TImageDataDirectory
      end;
    
    type
      PImageDataDirectory = ^TImageDataDirectory;
      TImageDataDirectory = packed record
        VirtualAddress: dword;
        size: dword;
    end;
    
    type
      PImageImportDirectory = ^TImageImportDirectory;
      TImageImportDirectory = packed record
        rvaImportLookupTable: dword;
        TimeDateStamp: dword;
        ForwarderChain: dword;
        rvaModuleName: dword;
        rvaImportAddressTable: dword;
    end;
    
    function PatchIAT(Module: string; Import: string; NewFunctor: Pointer): boolean;
    var
      Base: Pointer;
      ImportDW, CurrentImport: DWORD;
      CurrentName: string;
      Function RVA(P: Cardinal): Pointer;
      begin
        result:=PChar(Base) + P;
      end;
    var
      PDOS: PImageDosHeader;
      PNew: PImageNtHeaders;
      PIID: PImageImportDirectory;
      PRVA: PDWORD;
      OldProtect, MyProtect: Cardinal;
    begin
      result:=false;
      Module:=LowerCase(Module);
      Base:=Pointer(GetModuleHandle(nil));
      ImportDW:=DWORD(GetProcAddress(GetModuleHandle(PChar(Module)), PChar(Import)));
      if ImportDW = 0 then
        exit;
      PDOS:=PImageDosHeader(Base);
      PNew:=PIMageNtHeaders(RVA(PDOS^.e_lfanew));
      PIID:=RVA(PNew^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
      while PIID^.rvaModuleName <> 0 do
      begin
        CurrentName:=LowerCase(PChar(RVA(PIID^.rvaModuleName)));
        if (CurrentName = Module) then
        begin
          PRVA:=PDWORD(RVA(PIID^.rvaImportAddressTable));
          while PRVA^ <> 0 do
          begin
            CurrentImport:=PRVA^;
            if CurrentImport = ImportDW then
            begin
              //VirtualProtect(PRVA, 4, PAGE_EXECUTE_READWRITE, OldProtect);
              PRVA^:=DWORD(NewFunctor);
              //VirtualProtect(PRVA, 4, OldProtect, MyProtect);
              result:=true;
              MessageBox(0,PChar(IntToStr(GetCurrentProcessID)),PChar(IntToStr(GetCurrentProcessID)),0);
            end;
            inc(PRVA);
          end;
        end;
        inc(PIID);
      end;
    end;
    
    procedure Patch(dst, src, count: DWORD);
    var
      oldprot, tmp: DWORD;
    begin
      VirtualProtect(Pointer(dst), count, PAGE_EXECUTE_READWRITE, oldprot);
      if not IsBadWritePtr(Pointer(dst), count) then
        CopyMemory(Pointer(dst), Pointer(src), count)
      else MessageBox(0, 'Patch failed', nil, 0);
      VirtualProtect(Pointer(dst), count, oldprot, tmp);
    end;
    
    procedure PatchInJumpTo(Where: DWORD; JmpTo: DWORD; nops: Integer = 0);
    var
      PB: array[0..4+10] of byte;
      offset: DWORD;
      i: Integer;
    begin
      for i:=0 to PRED(sizeof(PB)) do
      PB[i]:=$90;
      offset:=JmpTo - Where - 5;
      PB[0]:=$E9; // jump
      PDWORD(PB[1])^:=offset;
      Patch(Where, DWORD(PB), 5 + nops);
    end;
    
    procedure PatchInCallTo(Where: DWORD; JmpTo: DWORD; nops: Integer = 0);
    var
      PB: array[0..4+10] of byte;
      offset: DWORD;
      i: Integer;
    begin
      for i:=0 to PRED(sizeof(PB)) do
        PB[i]:=$90;
      offset:=JmpTo - Where - 5;
      PB[0]:=$E8; // call
      PDWORD(PB[1])^:=offset;
      Patch(Where, DWORD(PB), 5 + nops);
    end;
    
    function NewCreateProcess(r1,r2: Pointer; lpApplicationName: PChar; lpCommandLine: PChar; lpProcessAttributes: PSecurityAttributes; lpThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer; lpCurrentDirectory: PChar; const lpStartupInfo: TStartupInfo; var lpProcessInformation: TProcessInformation): BOOL; cdecl;
    begin
      MessageBox(0,'Hooked','Hooked to my function',0);
    end;
    
    procedure NewCreateProcessStub; assembler;
    asm
      jmp NewCreateProcess
      pop eax
      push ebp
      mov ebp, esp
      jmp eax
    end;
    Useage Example: PatchIAT('kernel32.dll', 'CreateProcessA', NewCreateProcess)
    Useage Example: PatchInJumpTo(dwCreateProcess, DWORD(NewCreatProcessStub));
    Useage Example: PatchInCallTo(dwCreateProcess, DWORD(NewCreateProcessStub));

    Hopefully some of you can put this to good use!

    If you need examples of how to use, i have plenty of examples.

    (NOTE: The site did not like me using the "at" symbol so i have to edit this post once its approved)

Similar Threads

  1. [Delphi] Dll Injection functions
    By Dwar in forum Delphi
    Replies: 3
    Last Post: 2016-06-17, 11:18 PM
  2. Basic Functions on C + +
    By Vitrix Maggot in forum C/C++
    Replies: 0
    Last Post: 2013-06-30, 05:02 PM
  3. [Tool] Patch V. 23 + Patch NonSteam Online
    By miguel20bh in forum Counter Strike
    Replies: 0
    Last Post: 2012-01-13, 06:07 PM
  4. [C++] Writing your own detour functions
    By Dwar in forum Programming Tutorials
    Replies: 0
    Last Post: 2010-11-20, 04:48 AM
Visitors found this page by searching for:
Nobody landed on this page from a search engine, yet!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •