RemoteExecute, Function adress specify?


Postby Calandoriel » Tue Jul 10, 2007 12:42 am

Hi once again Madshi. As usual, your library is easy to use when you most need it. However...

I don't know if it's because I'm tired like crap, or if I simply misunderstood the usage of RemoteExecute.

This is my Function header.

type TRemoteExecuteFunction = function (zero: dword; messagetype: dword; color: dword; textpoint: pointer): dword; stdcall;

This is the RemoteExecute usage (Madshi, you should know it pretty well):


function RemoteExecute (processHandle : dword;
func : TRemoteExecuteFunction;
var funcResult : dword;
params : pointer = nil;
size : dword = 0 ) : bool; stdcall;


What I see here is: RemoteExecute(processHandle, @DrawText, len, @arrCh, MAX_PATH)

However, the function I want is not being exported. It simply exists, because I know where the function call is being made, and I know the arguments. Let's say we have a function call in asm like this:

05A7A6D7 CALL 05A6BED0(DrawText)

Where we have the asm:

0012E334 05A7A624 GameWindow.05A7A624
0012E338 0012E394 |Arg1 = 0012E394
0012E33C FF408CFF |Arg2 = FF408CFF
0012E340 00000011 |Arg3 = 00000011
0012E344 00000000 \Arg4 = 00000000

I want to be able to use that call. And with RemoteExecute I can't specify which address I want to place the RemoteExecute on.

With CreateRemoteThreadEx() it's the same thing. I can specify a function I want to place into the specified process.

What I want to do is something like:

RemoteExecute(processHandle, $05A7A6D7 , @DrawText)

Where $05A7A6D7 is the address where the function call is being made. Then I want the arguments for DrawText to be sent.

The function which I want to use will draw text onto the screen in a game. What I want to be able to do is call that function, adding the arguments. So, sort of a function hook, but I just want to use the function.
Could you please guide me on this matter?

Keep rocking

Cal
Calandoriel
 
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Postby madshi » Sat Jul 14, 2007 6:58 pm

RemoteExecute wants to copy the function to the target process, so it's not what you need. CreateRemoteThread(Ex) does not do that, however. So it sounds as if CreateRemoteThread(Ex) is what you need. There's a big problem, however: CreateRemoteThread(Ex) starts a new thread and it's strictly defined how the thread function has to look. You can't just use any number of parameters you like. So CreateRemoteThread(Ex) is not really what you need, either.

The easiest way to solve this problem is to write a little dll and inject that into the target process. That's always easier than trying to get along without a dll.

Of course there's always the hard way. You could use RemoteExecute to copy a function to the target process and execute it there. This function could then call DrawText for you. That's quite difficult to realize, though. Only experienced assembler programmers should go this way... :)
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

ofc

Postby Calandoriel » Sun Jul 29, 2007 12:26 am

Of course, it's done by a lil dll :)

In C++ it would prolly look something like this:

typedef void (__stdcall *_PRINTTEXT) (int arg2, int arg3, int arg4, WCHAR *arg1);
_PRINTTEXT PrintText = (_PRINTTEXT)0x05A5A6D7;
PrintText(color,8,0,output);

However, I can't get any good input how the code would look in Delphi.

All help appreciated.
Calandoriel
 
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Re: ofc

Postby madshi » Mon Jul 30, 2007 10:03 am

Calandoriel wrote: Of course, it's done by a lil dll :)

In C++ it would prolly look something like this:

typedef void (__stdcall *_PRINTTEXT) (int arg2, int arg3, int arg4, WCHAR *arg1);
_PRINTTEXT PrintText = (_PRINTTEXT)0x05A5A6D7;
PrintText(color,8,0,output);

However, I can't get any good input how the code would look in Delphi.

All help appreciated.

If you have a little dll then I don't understand what you need RemoteExecute for? Anyway, your code in Delphi syntax would look something like this:

var PrintText : procedure (arg2, arg3, arg4: integer; arg1: PWideChar); stdcall;
begin
  // a procedural variable needs a pointer cast, an integer literal alone will not compile
  PrintText := pointer($5A5A6D7);
  PrintText(color, 8, 0, output);
end;
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

The problem is.

Postby Calandoriel » Sat Aug 11, 2007 7:43 am

The dll I've made will just take the import from the dll and add it to the import table of the target exe. After that, run "WriteProcessMemory".

The problem is not the actual function. It's how to send the arguments to the address where the call is.

So you mean with

var PrintText : procedure (arg2, arg3, arg4: integer; arg1: PWideChar); stdcall;
begin
  PrintText := pointer($5A5A6D7);
  PrintText(color, 8, 0, output);
end;

I'd be able to send that specified function to that specified memory address?

Thanks for your help.
Calandoriel
 
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Re: The problem is.

Postby madshi » Sat Aug 11, 2007 8:04 am

Calandoriel wrote: The dll I've made will just take the import from the dll and add it to the import table of the target exe. After that, run "WriteProcessMemory".

I don't understand that.

Calandoriel wrote: So you mean with

I'd be able to send that specified function to that specified memory address?

I've no idea. I don't understand your concept. The code I posted was just a 1:1 translation of the C++ code you posted, because you said you wouldn't know Delphi.
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Postby Calandoriel » Wed Aug 29, 2007 6:09 am

It exports DllMain.

I use CFF Explorer to insert DllMain into imports.

And from there make the executable load DllMain :)

The code I posted is to use an already existing call function on the specified address pointer :)

I hope this was clearer.
Calandoriel
 
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Postby madshi » Wed Sep 05, 2007 9:10 am

Calandoriel wrote: I hope this was clearer.

Not really...

:confused:
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Hmm.

Postby Calandoriel » Thu Sep 20, 2007 2:44 pm

Did you understand my question about wanting to insert my own made function clone into an asm call-specified address?

etc

.text:0040100E call sub_401050

Where I know the arguments of sub_401050.

Using a dll to hook that address with WriteProcessMemory, how would I be able to send my own made function to that call (knowing the arguments) in Delphi?

Now I hope this makes you understand what I'm pointing at :D
Calandoriel
 
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Postby madshi » Wed Sep 26, 2007 8:20 am

I'm sorry, I still don't understand... :(
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

eeeh

Postby Calandoriel » Thu Feb 21, 2008 6:55 pm

Well, we have this function in an already compiled application.
I want to use a function in this application, for this specific application.
The function draws text on the screen in the application.

So we have this function, placed at address $5A5A6D7.

The whole thing looks like this:

5A5A6D3 push eax
5A5A6D4 push 0
5A5A6D5 push 4
5A5A6D6 push 5
5A5A6D7 call function

I know from before that the function accepts 4 arguments.
So, what my question is: how do I use this function from my own dll,

so that it uses the call at 5A5A6D7 and passes on the four arguments of my choice?
Calandoriel
 
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Postby madshi » Tue Feb 26, 2008 5:21 pm

If your own dll is loaded in the same process where that function is available you can do this:

procedure CallCode(p1, p2, p3, p4: dword);
var func : procedure (p1, p2, p3, p4: dword); stdcall;
begin
  func := pointer($5A5A6D7);
  func(p1, p2, p3, p4);
end;
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm
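The C counterpart of madshi's CallCode, added here as an example and not code from the thread or from madRemote: a raw address is reinterpreted as a pointer of the right signature and calling convention and called through. The TARGET_CC macro, the stand-in routine, the constructed push sequence and the helper names are all assumptions of this example; the stand-in replaces the application's routine so the block runs offline, and its address is taken at run time instead of from a debugger constant. It also shows two things the posts only imply: under stdcall the listing "push eax / push 0 / push 4 / push 5 / call" hands the routine the parameters (5, 4, 0, eax), because arguments are pushed right to left, and a fixed constant like $5A5A6D7 should be expressed as module base plus offset so it survives the module loading at a different base.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: on 32-bit Windows the target routine is stdcall (callee cleans
   the stack, arguments pushed right to left), matching madshi's Delphi
   declaration. Elsewhere the qualifier means nothing, so it expands to nothing
   and the example still builds and runs. */
#if defined(_WIN32) && !defined(_WIN64)
#  define TARGET_CC __stdcall
#else
#  define TARGET_CC
#endif

/* Typed view of the in-process routine: four 32-bit arguments, no return value. */
typedef void (TARGET_CC *draw_fn_t)(uint32_t p1, uint32_t p2, uint32_t p3, uint32_t p4);

/* Constructed stand-in for the application's draw routine (hypothetical); it
   only records how it was called so the effect of the call can be checked. */
static uint32_t g_last_args[4];
static unsigned g_call_count;

static void TARGET_CC stand_in_draw(uint32_t p1, uint32_t p2, uint32_t p3, uint32_t p4) {
    g_last_args[0] = p1;
    g_last_args[1] = p2;
    g_last_args[2] = p3;
    g_last_args[3] = p4;
    g_call_count++;
}

unsigned call_count(void) { return g_call_count; }
uint32_t last_arg(size_t i) { return i < 4 ? g_last_args[i] : 0; }

/* Equivalent of madshi's CallCode: cast the address to the typed pointer and
   call through it. Returns 0 without calling anything when the address is null,
   the one check that costs nothing and catches an unresolved address. */
int call_code_at(uintptr_t addr, uint32_t p1, uint32_t p2, uint32_t p3, uint32_t p4) {
    draw_fn_t func;
    if (addr == 0)
        return 0;
    func = (draw_fn_t)addr;   /* integer-to-function-pointer cast, as pointer($...) in Delphi */
    func(p1, p2, p3, p4);
    return 1;
}

/* Parameter i of the call, given the pushed values in push order. With
   right-to-left pushing the last value pushed is the first parameter. */
uint32_t nth_param(const uint32_t *pushed, size_t n, size_t i) {
    return i < n ? pushed[n - 1 - i] : 0;
}

/* A constant such as $5A5A6D7 is only valid while the module sits at the base
   it had when the listing was taken. Keeping the offset inside the module (RVA)
   and adding the actual base at run time survives relocation. */
uintptr_t resolve_address(uintptr_t module_base, uintptr_t rva) {
    return module_base + rva;
}

int main(void) {
    /* Constructed push sequence from the listing in the thread: eax, 0, 4, 5. */
    const uint32_t pushed[4] = { 0xDEADBEEFu, 0, 4, 5 };
    uint32_t params[4];
    size_t i;
    for (i = 0; i < 4; i++)
        params[i] = nth_param(pushed, 4, i);

    /* In the real case the base comes from the loader and the RVA from the
       disassembly; here the stand-in's own address plays the resolved target. */
    uintptr_t addr = resolve_address((uintptr_t)stand_in_draw, 0);
    if (call_code_at(addr, params[0], params[1], params[2], params[3]))
        printf("called routine at %#lx with (%u, %u, %u, %#x), calls so far: %u\n",
               (unsigned long)addr, (unsigned)params[0], (unsigned)params[1],
               (unsigned)params[2], (unsigned)params[3], call_count());
    return 0;
}
```

The part that matters is the typedef: if the convention or the argument count does not match what the routine really expects, the call corrupts the stack of the calling thread, so the declaration has to be derived from the disassembly, not guessed.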

Sweet

Postby Calandoriel » Sun Mar 02, 2008 4:46 pm

Sweet, Thanks a bunch :)
Calandoriel
 
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se
