RemoteExecute, Function address specify?

delphi package - getting into other processes
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

RemoteExecute, Function address specify?

Post by Calandoriel »

Hi once again Madshi. As usual, your library is easy to use when you need it most. However.

I don't know if it's because I'm tired like crap, or if I simply misunderstood the usage of RemoteExecute.

This is my function header (a procedural type in Delphi cannot carry a function name, so only the parameter list is given):

type TRemoteExecuteFunction = function (zero: dword; messagetype: dword; color: dword; textpoint: pointer) : dword; stdcall;

This is the RemoteExecute usage (Madshi, you should know it pretty well):


function RemoteExecute (processHandle : dword;
func : TRemoteExecuteFunction;
var funcResult : dword;
params : pointer = nil;
size : dword = 0 ) : bool; stdcall;


What I see here is: RemoteExecute(processHandle, @DrawText, len, @arrCh, MAX_PATH)

However, since the function I want is not being exported, but simply exists, because I know where the function call is being made, and I know the arguments. Let's say we have a function call in asm like this:

05A7A6D7 CALL 05A6BED0(DrawText)

Where we have the asm:

0012E334 05A7A624 GameWindow.05A7A624
0012E338 0012E394 |Arg1 = 0012E394
0012E33C FF408CFF |Arg2 = FF408CFF
0012E340 00000011 |Arg3 = 00000011
0012E344 00000000 \Arg4 = 00000000

I want to be able to use that call. And with RemoteExecute I can't specify at which address I want to place the RemoteExecute.

With CreateRemoteThreadEx() it's the same thing. I can specify a function I want to place into the specified process.

What I want to do is something like:

RemoteExecute(processHandle, $05A7A6D7 , @DrawText)

Where $05A7A6D7 is the address where the function call is being made. Then I want the arguments for DrawText to be sent.

The function which I want to use will draw text onto the screen in a game. What I want to be able to do is call that function, adding the arguments. So, sort of a function hook, but I just want to use the function.
Could you please guide me on this matter?

Keep rocking

Cal
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

RemoteExecute wants to copy the function to the target process, so it's not what you need. CreateRemoteThread(Ex) does not do that, however. So it sounds as if CreateRemoteThread(Ex) is what you need. There's a big problem, however: CreateRemoteThread(Ex) starts a new thread and it's strictly defined how the thread function has to look. You can't just use any number of parameters you like. So CreateRemoteThread(Ex) is not really what you need, either.

The easiest way to solve this problem is to write a little dll and inject that into the target process. That's always easier than trying to get along without a dll.

Of course there's always the hard way. You could use RemoteExecute to copy a function to the target process and execute it there. This function could then call DrawText for you. That's quite difficult to realize, though. Only experienced assembler programmers should go this way... :)
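The constraint madshi describes (a remote thread entry, or a function handed to RemoteExecute, receives exactly one pointer parameter) is normally handled by packing the real arguments into one block and passing a pointer to that block. The code below is an added example for this thread, not code from the posts and not madCodeHook's own code; `DrawTextArgs`, `draw_text_thunk` and the stand-in `fake_draw_text` are assumed names. It exercises the thunk in-process on any platform (the Windows calling-convention keyword only applies when compiling for Win32), so the mechanism can be checked without a game. With a real injection the block has to be copied into the target (which is what RemoteExecute's `params`/`size` do), so nothing inside it may be a pointer into the injector's address space; that is why the text is stored inline rather than as a pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#ifdef _WIN32
#define CALLCONV __stdcall
#else
#define CALLCONV            /* no stdcall outside Win32; plain C convention */
#endif

/* Shape of the game's text function as described in the thread:
   four arguments, stdcall, the last one pointing at the text. */
typedef uint32_t (CALLCONV *draw_text_fn)(uint32_t zero, uint32_t messagetype,
                                          uint32_t color, const wchar_t *text);

/* Everything the thunk needs, packed into one block so that it fits the
   single LPVOID parameter a thread entry (or RemoteExecute's params) allows.
   Hypothetical layout: the text is stored inline, not as a pointer, so the
   block stays usable after being copied into another process. */
typedef struct {
    uintptr_t func_addr;   /* address of the function inside the target */
    uint32_t  zero;
    uint32_t  messagetype;
    uint32_t  color;
    wchar_t   text[64];    /* inline copy of the string */
} DrawTextArgs;

/* The one-pointer entry point: unpacks the block and makes the real call. */
uint32_t CALLCONV draw_text_thunk(void *param)
{
    DrawTextArgs *a = (DrawTextArgs *)param;
    draw_text_fn fn = (draw_text_fn)a->func_addr;
    return fn(a->zero, a->messagetype, a->color, a->text);
}

/* Stand-in for the game's function so the example runs in-process.
   It records what it was called with so the call can be checked. */
static uint32_t last_color;
static uint32_t last_type;
static wchar_t  last_text[64];

static uint32_t CALLCONV fake_draw_text(uint32_t zero, uint32_t messagetype,
                                        uint32_t color, const wchar_t *text)
{
    last_type  = messagetype;
    last_color = color;
    wcsncpy(last_text, text, 63);
    last_text[63] = L'\0';
    return zero == 0 ? 1 : 0;   /* pretend: success only when arg1 is 0 */
}

/* Builds the block and runs it through the thunk, as the remote side would. */
uint32_t demo_call(uint32_t messagetype, uint32_t color, const wchar_t *text)
{
    DrawTextArgs args;
    memset(&args, 0, sizeof args);
    args.func_addr   = (uintptr_t)&fake_draw_text;  /* the game address in real use */
    args.zero        = 0;
    args.messagetype = messagetype;
    args.color       = color;
    wcsncpy(args.text, text, 63);
    return draw_text_thunk(&args);
}

uint32_t get_last_color(void)       { return last_color; }
uint32_t get_last_type(void)        { return last_type; }
const wchar_t *get_last_text(void)  { return last_text; }

int main(void)
{
    /* Constructed values, taken from the stack dump earlier in the thread. */
    uint32_t r = demo_call(0x11, 0xFF408CFF, L"hello from the dll");
    printf("thunk returned %u, color=%08X type=%u\n",
           (unsigned)r, (unsigned)last_color, (unsigned)last_type);
    return 0;
}
```

The thunk is the part that would be copied into the target with RemoteExecute; it contains no calls other than the one through `func_addr`, which matters because a copied function cannot rely on the injector's imports or relocations.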
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

ofc

Post by Calandoriel »

Of course, it's done by a lil dll :)

In c++ it would prolly look something like this

typedef void (__stdcall *_PRINTTEXT) (int arg2, int arg3, int arg4, WCHAR *arg1);
_PRINTTEXT PrintText = (_PRINTTEXT)0x05A5A6D7;
PrintText(color,8,0,output);

However, I can't get any good input on how the code would look in Delphi.

All help appreciated.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: ofc

Post by madshi »

Calandoriel wrote:Of course, it's done by a lil dll :)

In c++ it would prolly look something like this

typedef void (__stdcall *_PRINTTEXT) (int arg2, int arg3, int arg4, WCHAR *arg1);
_PRINTTEXT PrintText = (_PRINTTEXT)0x05A5A6D7;
PrintText(color,8,0,output);

However, I can't get any good input on how the code would look in Delphi.

All help appreciated.
If you have a little dll then I don't understand what you need RemoteExecute for? Anyway, your code in Delphi syntax would look something like this:

Code:

var PrintText : procedure (arg2, arg3, arg4: integer; arg1: PWideChar); stdcall;
begin
  PrintText := pointer($5A5A6D7);
  PrintText(color, 8, 0, output);
end;
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

The problem is.

Post by Calandoriel »

The DLL I've made will just take the import from the DLL and add it to the import table of the target exe. After that, run "WriteProcessMemory".

The problem is not the actual function. It's how to send the arguments to the address where the call is.

So you mean with

var PrintText : procedure (arg2, arg3, arg4: integer; arg1: PWideChar); stdcall;
begin
  PrintText := pointer($5A5A6D7);
  PrintText(color, 8, 0, output);
end;

I'd be able to send that specified function to that specified memory address?

Thanks for your help.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: The problem is.

Post by madshi »

Calandoriel wrote:The DLL I've made will just take the import from the DLL and add it to the import table of the target exe. After that, run "WriteProcessMemory".
I don't understand that.
Calandoriel wrote:So you mean with

I'd be able to send that specified function to that specified memory adress?
I've no idea. I don't understand your concept. The code I posted was just a 1:1 translation of the C++ code you posted, because you said you wouldn't know Delphi.
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Post by Calandoriel »

It exports DllMain.

I use CFF Explorer to insert DllMain into imports.

And from there make the executable load DllMain :)

The code I posted is to use an already existing call function at the specified address pointer :)

I hope this was clearer.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Calandoriel wrote:I hope this was clearer.
Not really...

:confused:
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Hmm.

Post by Calandoriel »

Did you understand my question about wanting to insert my own made function clone into an asm call-specified address?

etc

.text:0040100E call sub_401050

Where I know the arguments of sub_401050.

Using a DLL to hook that address with WriteProcessMemory, how would I be able to send my own made function to that call (knowing the arguments) in Delphi?

Now I hope this makes you understand what I'm pointing at :D
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I'm sorry, I still don't understand... :(
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

eeeh

Post by Calandoriel »

Well, we have this function in an already compiled application.
I want to use a function in this application, for this specific application.
The function draws text on the screen in the application.

So we have this function, placed at address $5A5A6D7.

The whole thing looks like this:

5A5A6D3 push eax
5A5A6D4 push 0
5A5A6D5 push 4
5A5A6D6 push 5
5A5A6D7 call function

I know from before that this function accepts 4 arguments.
So, my question is, how do I use this function from my own DLL,

so that it uses the call at 5A5A6D7 and passes on the four arguments of my choice?
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

If your own dll is loaded in the same process where that function is available you can do this:

Code:

procedure CallCode(p1, p2, p3, p4: dword);
var func : procedure (p1, p2, p3, p4: dword); stdcall;
begin
  func := pointer($5A5A6D7);
  func(p1, p2, p3, p4);
end;
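Two things a practitioner will want to check before casting a number to a procedure variable the way madshi's snippet does. First, which number: the function lives at the operand of the `call`, not at the address of the `call` instruction itself; in the earlier listing `05A7A6D7 CALL 05A6BED0(DrawText)` the value to cast is 05A6BED0. Second, in which order the pushes map to parameters: stdcall and cdecl push right to left, so the push nearest the `call` is the first parameter, which is also why the stack dump earlier shows Arg1 at the lowest address. The code below is an added example, not code from the thread or from madCodeHook. It reads a short `push ...; call <target>` listing in the format the thread uses, returns the call target and the parameters in declaration order, and then calls through a raw address the way the Delphi snippet does, with a bounds check against a module range; `parse_call_site`, `call_at` and the stand-in function are assumed names. The listing in `main` is constructed from the thread's lines, with the call target written out as in the `CALL 05A6BED0(DrawText)` line. In a real injected DLL the module range would come from the module base (GetModuleHandle) and SizeOfImage in the PE optional header; here the caller supplies it.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#define CALLCONV __stdcall
#else
#define CALLCONV            /* no stdcall outside Win32; plain C convention */
#endif

#define MAX_ARGS 8

/* Result of reading a "push ...; call <target>" sequence. */
typedef struct {
    uintptr_t target;              /* operand of the call = the function's address */
    uintptr_t call_site;           /* address of the call instruction itself */
    int       nargs;
    char      args[MAX_ARGS][32];  /* args[0] is the first parameter in C/Delphi order */
} CallSite;

/* Parses listing lines such as "5A5A6D4 push 0" and "05A7A6D7 CALL 05A6BED0(DrawText)".
   Pushes are collected in listing order and reversed at the call, because the
   push closest to the call is the FIRST parameter under stdcall/cdecl.
   Any other instruction between the pushes discards them; a real tool would
   need a disassembler to track values moved into registers before a push. */
int parse_call_site(const char *const *lines, int n, CallSite *out)
{
    char pushes[MAX_ARGS][32];
    int npush = 0;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < n; i++) {
        char addr[32], mnem[16], opnd[32] = "";
        int got = sscanf(lines[i], "%31s %15s %31s", addr, mnem, opnd);
        if (got < 2) return -1;                          /* malformed line */
        for (char *p = mnem; *p; p++) *p = (char)tolower((unsigned char)*p);
        if (strcmp(mnem, "push") == 0) {
            if (got < 3 || npush == MAX_ARGS) return -1;
            strcpy(pushes[npush++], opnd);
        } else if (strcmp(mnem, "call") == 0) {
            if (got < 3) return -1;
            out->call_site = (uintptr_t)strtoull(addr, NULL, 16);
            out->target    = (uintptr_t)strtoull(opnd, NULL, 16); /* stops at '(' */
            out->nargs     = npush;
            for (int k = 0; k < npush; k++)
                strcpy(out->args[k], pushes[npush - 1 - k]);     /* reverse */
            return 0;
        } else {
            npush = 0;
        }
    }
    return -1;   /* no call found */
}

typedef uint32_t (CALLCONV *fn4)(uint32_t, uint32_t, uint32_t, uint32_t);

/* Calls whatever is at `target` as a 4-argument stdcall function, after
   checking that the address lies inside [base, base+size). Returns -1 and
   does not call anything if the address is out of range. */
int call_at(uintptr_t target, uintptr_t base, size_t size,
            uint32_t a1, uint32_t a2, uint32_t a3, uint32_t a4, uint32_t *result)
{
    if (target < base || target >= base + size)
        return -1;
    fn4 f = (fn4)target;
    *result = f(a1, a2, a3, a4);
    return 0;
}

/* Stand-in for the game's function: packs its parameters into the result so
   the order in which they arrived is visible. */
static uint32_t CALLCONV stand_in(uint32_t a1, uint32_t a2, uint32_t a3, uint32_t a4)
{
    return (a1 << 24) | (a2 << 16) | (a3 << 8) | a4;
}

uintptr_t stand_in_addr(void) { return (uintptr_t)&stand_in; }

int main(void)
{
    /* Constructed from the thread's listing; see the lead-in. */
    static const char *const listing[] = {
        "5A5A6D3 push eax", "5A5A6D4 push 0", "5A5A6D5 push 4",
        "5A5A6D6 push 5",   "5A5A6D7 call 05A6BED0(DrawText)",
    };
    CallSite cs;
    if (parse_call_site(listing, 5, &cs) != 0) return 1;
    printf("call at %lX -> function %lX, %d args in declaration order:",
           (unsigned long)cs.call_site, (unsigned long)cs.target, cs.nargs);
    for (int i = 0; i < cs.nargs; i++) printf(" %s", cs.args[i]);
    printf("\n");

    uintptr_t a = stand_in_addr();
    uint32_t r = 0;
    if (call_at(a, a, 4096, 5, 4, 0, 7, &r) == 0)
        printf("stand-in received a1..a4 packed as %08X\n", (unsigned)r);
    return 0;
}
```

For the thread's listing this yields `func(5, 4, 0, eax)` in declaration order, i.e. the Delphi `func(p1, p2, p3, p4)` call gets p1 = 5 and p4 = whatever was in eax; reading the pushes top to bottom would have reversed them.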
Calandoriel
Posts: 25
Joined: Sun Oct 01, 2006 11:43 pm
Location: www.ipconfig.se

Sweet

Post by Calandoriel »

Sweet, Thanks a bunch :)