jakalspop Posted October 12, 2010: Is it possible to load a DLL's functions into a process that is already running?
trancexx Posted October 12, 2010: Yes, it is possible.
jakalspop Posted October 13, 2010 (Author): How can I do that? Is there an example, please?
trung0407 Posted October 13, 2010: The technique is called "hooking" (API hooking, or DLL/function hooking); search for those terms.
jakalspop Posted October 13, 2010 (Author): I searched for it, but I don't know how to use it for this function: `int WINAPI MessageBox(__in_opt HWND hWnd, __in_opt LPCTSTR lpText, __in_opt LPCTSTR lpCaption, __in UINT uType);` in user32.dll, with calc.exe as the target.
trancexx Posted October 13, 2010: You need to create a new thread in that process, which is done with a call to CreateRemoteThread; there is more than one example around. (Note that this needs a handle to the target opened with rights to write its memory and create threads in it, and the injecting script, the injected DLL and the target process must all be the same bitness — a 32-bit script cannot inject a 32-bit DLL into a 64-bit process.) But since you said you searched and don't know how to use what you found, then don't. Find something else to play with until you are advanced enough to make use of advanced stuff.
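jakalspop Posted October 13, 2010 (Author): I found this example, but I don't know how to use it for the function MessageBoxW in user32.dll with calc.exe as the target.

#NoTrayIcon
#AutoIt3Wrapper_Change2CUI=y
; API-hook demo: first patch MessageBoxW inside this process, then inject
; msgdll.dll into a separate test process and patch MessageBoxW there.
;
; Caveats a reader should know before reusing this:
; * The stdcall-decorated export names used below (_GetMessageBoxW@4,
;   _MyMsgBox@16) are 32-bit decorations, so this example is x86-only: the
;   script, msgdll.dll and the target process must all be 32-bit.
; * The remote part writes into another process and starts a thread in it
;   (CreateRemoteThread). That needs a process handle with memory-write and
;   thread-creation rights on the target, and it is the same mechanism
;   malware uses, so expect AV/EDR to flag it. Only do this to processes
;   you own and are allowed to tamper with.
#include <_WinApiHook.au3>
#include <_MemoryDll.au3>

; Full path of the helper DLL that gets injected. The same path is used for
; the local LoadLibrary below, so the export offsets are computed from the
; file that was actually injected rather than from whatever "msgdll.dll"
; the DLL search order happens to find first.
Local $sHelperDll = @ScriptDir & "\msgdll.dll"

; In-process replacement for MessageBoxW. It is registered with an "int"
; return type because MessageBoxW returns an int; with "none" (as in the
; original script) the hooked caller received an undefined return value.
Local $MyMsgBox = DllCallbackRegister("_MyMsgBox", "int", "hwnd;wstr;wstr;uint")
Local $pMyMsgBox = DllCallbackGetPtr($MyMsgBox)
Local $targetmodule = "user32.dll"
Local $targetfunction = "MessageBoxW"

$DISTORM_DEBUG = True

; ---------------------------------------------------------------------------
; Local hook test: patch MessageBoxW inside this AutoIt process.
; ---------------------------------------------------------------------------
MsgBox(0 + 64, "Local Hook Test", "Press OK to start the local hook test.")

$MyHook = _HookApi_Get($targetmodule, $targetfunction)
If IsDllStruct($MyHook) Then
	_DumpHook($MyHook, "get")
	_HookApi_Set($MyHook, $pMyMsgBox)
	ConsoleWrite("Status after set: " & DllStructGetData($MyHook, "Status") & @CRLF)
	; This call goes through _MyMsgBox (the original script labelled it
	; "Unhooked", which was misleading).
	MsgBox(0 + 64, "Hooked MessageBox", "The hook is set before this call.")
	_HookApi_UnSet($MyHook)
	ConsoleWrite("Status after unset: " & DllStructGetData($MyHook, "Status") & @CRLF)
	MsgBox(0 + 64, "Unhooked MessageBox", "We unset the hook before this call.")
Else
	ConsoleWrite("Local hook could not be prepared; skipping the local test." & @CRLF)
EndIf

; ---------------------------------------------------------------------------
; Remote hook test: inject msgdll.dll into testapp.exe and patch MessageBoxW
; there.
; ---------------------------------------------------------------------------
MsgBox(0 + 64, "Remote Hook Test", "Press OK to start the remote hook test.")
MsgBox(0 + 64, "Info", "Press OK. You then have 10 seconds to test the Message button.")

; To hook a different target, change the executable here. It must be a
; 32-bit process that this script is allowed to open with write and
; thread-creation rights.
$pid = Run("testapp.exe")
ProcessWait($pid)
Sleep(500)

; For remote processes the Bridge element is NULL and BridgePtr points to the
; memory allocated inside the target.
$MyHook = _HookApi_Get($targetmodule, $targetfunction, $pid)
If Not IsDllStruct($MyHook) Then _Fail("Could not prepare the remote hook in PID " & $pid)
_DumpHook($MyHook, "get")

$hProcess = _GetProcHandle($pid)
If Not $hProcess Then _Fail("Could not open process " & $pid)

; Diagnostic only: read back the bridge that was written into the target.
; AutoIt does not short-circuit Or, so the DllCall failure and the BOOL
; result are checked in two steps.
$s = DllStructCreate("byte[64]")
$aRead = DllCall("kernel32.dll", "int", "ReadProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($MyHook, "BridgePtr"), "ptr", DllStructGetPtr($s), "uint", 64, "uint*", 0)
If @error Then
	ConsoleWrite("ReadProcessMemory (bridge): DllCall failed" & @CRLF)
ElseIf $aRead[0] = 0 Then
	ConsoleWrite("ReadProcessMemory (bridge) returned FALSE" & @CRLF)
EndIf
ConsoleWrite("-------------------" & @CRLF)
ConsoleWrite("remote bridge: " & DllStructGetData($s, 1) & @CRLF)

; Inject the helper DLL into the target.
$hModule = _InjectDll($sHelperDll, $pid)
If Not $hModule Then
	_WinAPI_CloseHandle($hProcess)
	_Fail("Could not inject " & $sHelperDll & " into PID " & $pid)
EndIf

; The exports of msgdll.dll are called inside the target at
; $hModule + offset, where offset = (export address in a local copy) - (local
; base). That difference is the export's RVA, so it is the same no matter
; where each process mapped the DLL.
$hMod = _WinAPI_LoadLibrary($sHelperDll)
If Not $hMod Then
	_FreeRemoteDll($hModule, $pid)
	_WinAPI_CloseHandle($hProcess)
	_Fail("Could not load " & $sHelperDll & " locally to compute export offsets")
EndIf

; Offset of the function that stores the bridge address inside the DLL.
$fnAddress = _GetProcAddress($hMod, "_GetMessageBoxW@4")
If Not $fnAddress Then
	_WinAPI_FreeLibrary($hMod)
	_FreeRemoteDll($hModule, $pid)
	_WinAPI_CloseHandle($hProcess)
	_Fail("Export _GetMessageBoxW@4 not found in " & $sHelperDll)
EndIf
$offset = $fnAddress - $hMod

; Run _GetMessageBoxW in the target with BridgePtr as its argument so the
; injected DLL knows where the trampoline to the real MessageBoxW lives.
$ret = DllCall("kernel32.dll", "ptr", "CreateRemoteThread", "ptr", $hProcess, "ptr", 0, "uint", 0, "ptr", $hModule + $offset, "ptr", DllStructGetData($MyHook, "BridgePtr"), "dword", 0, "ptr", 0)
If @error Then
	_WinAPI_FreeLibrary($hMod)
	_FreeRemoteDll($hModule, $pid)
	_WinAPI_CloseHandle($hProcess)
	_Fail("CreateRemoteThread: DllCall failed")
ElseIf Not $ret[0] Then
	_WinAPI_FreeLibrary($hMod)
	_FreeRemoteDll($hModule, $pid)
	_WinAPI_CloseHandle($hProcess)
	_Fail("CreateRemoteThread returned NULL (insufficient rights or wrong bitness?)")
EndIf
_WinAPI_WaitForSingleObject($ret[0])
_WinAPI_CloseHandle($ret[0])

; Offset of the hook function exported by the DLL.
$fnAddress = _GetProcAddress($hMod, "_MyMsgBox@16")
If Not $fnAddress Then
	_WinAPI_FreeLibrary($hMod)
	_FreeRemoteDll($hModule, $pid)
	_WinAPI_CloseHandle($hProcess)
	_Fail("Export _MyMsgBox@16 not found in " & $sHelperDll)
EndIf
$offset = $fnAddress - $hMod
; The local copy was only needed for the offsets.
_WinAPI_FreeLibrary($hMod)

_HookApi_Set($MyHook, $hModule + $offset)

; Diagnostic only: show the patched first bytes of MessageBoxW in the target.
$s = 0
$s = DllStructCreate("byte[10]")
$aRead = DllCall("kernel32.dll", "int", "ReadProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($MyHook, "HookAddress"), "ptr", DllStructGetPtr($s), "uint", 10, "uint*", 0)
If @error Then
	ConsoleWrite("ReadProcessMemory (hook): DllCall failed" & @CRLF)
ElseIf $aRead[0] = 0 Then
	ConsoleWrite("ReadProcessMemory (hook) returned FALSE" & @CRLF)
EndIf
ConsoleWrite("remote hook: " & DllStructGetData($s, 1) & @CRLF)
_WinAPI_CloseHandle($hProcess)

; Give the user time to trigger the hooked function in the target.
Sleep(10000)
MsgBox(0 + 64, "Info", "Time is up. Please close any testapp message boxes, or it may crash.")

_HookApi_UnSet($MyHook)
; Optionally free the injected library. If a hooked message box is still
; open in the target when its code is unmapped, the target will crash;
; leaving the DLL loaded avoids that and does no harm.
_FreeRemoteDll($hModule, $pid)
MsgBox(0 + 64, "Unhooked", "MessageBoxW is now unhooked, and the dll has been unloaded.")

DllCallbackFree($MyMsgBox)

; Hook body used by the local test. Reports the intercepted arguments, then
; calls the bridge (the trampoline to the real MessageBoxW) and passes its
; result back so the caller sees a proper MessageBoxW return value.
Func _MyMsgBox($hwnd, $text, $caption, $flags)
	Local $aRet = MemoryFuncCall("int", DllStructGetData($MyHook, "BridgePtr"), "hwnd", $hwnd, _
			"wstr", "This is the hook intercepting the MessageBoxW call, then calling the bridge to the real function." & @CRLF & _
			"Here's what we got:" & @CRLF & @CRLF & _
			"Hwnd: " & $hwnd & @CRLF & _
			"Text: " & $text & @CRLF & _
			"Caption: " & $caption & @CRLF & _
			"Flags: " & $flags, _
			"wstr", "Hooked Message Box", _
			"uint", 48)
	; NOTE(review): assumes MemoryFuncCall mirrors DllCall and returns the
	; result in element [0] — verify against _MemoryDll.au3.
	If IsArray($aRet) Then Return $aRet[0]
	Return 0
EndFunc

; Prints the fields of a hook structure returned by _HookApi_Get.
; $sStage is only used to label the Status line ("get", "set", ...).
Func _DumpHook(ByRef $tHook, $sStage)
	ConsoleWrite("-------------" & @CRLF)
	ConsoleWrite("HookAddress: " & DllStructGetData($tHook, "HookAddress") & @CRLF)
	ConsoleWrite("HookBak: " & DllStructGetData($tHook, "HookBak") & @CRLF)
	ConsoleWrite("Bridge: " & DllStructGetData($tHook, "Bridge") & @CRLF)
	ConsoleWrite("BridgePtr: " & DllStructGetData($tHook, "BridgePtr") & @CRLF)
	ConsoleWrite("Status after " & $sStage & ": " & DllStructGetData($tHook, "Status") & @CRLF)
	ConsoleWrite("Process: " & DllStructGetData($tHook, "Process") & @CRLF)
EndFunc

; Reports a fatal error and ends the script. Callers release any handles
; or injected modules they own before calling this.
Func _Fail($sMsg)
	ConsoleWrite("! " & $sMsg & @CRLF)
	MsgBox(0 + 16, "Hook test failed", $sMsg)
	Exit 1
EndFunc

Attachments: _WinApiHook.au3, _MemoryDll.au3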
jakalspop Posted October 14, 2010 (Author): Any help?