Retrieve True Bytes of a Function

c++ / delphi package - dll injection and api hooking
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

iconic wrote:I've already explained how to do this in my previous post. As Madshi mentioned earlier as well, you can use WriteProcessMemory on the target process (you don't need a previous call to VirtualProtectEx because WriteProcessMemory already does this internally by protecting with PAGE_EXECUTE_READWRITE and will also even flush the icache after modifying the memory). Map the target module as executable in your process, adjust the RVA to the new mapped base in your process and then read in the original bytes. After this is done simply write these original bytes back to the target(s) in the other process(es). That's it


--Iconic
I already do it, I just thought there was another way.
Thanks.

Do you know how to query a handle to get its name? When I query a handle whose ObjectType = 7 (Process),
I need to know what PID it is opening.

Something like this:

// First call only asks for the required size: it fails with
// STATUS_INFO_LENGTH_MISMATCH but fills ReturnSize2.
pReturnSize2 := @ReturnSize2;
NtQueryObject(hObject, ObjectNameInformation, nil, 0, pReturnSize2);
ONI2 := VirtualAlloc(nil, ReturnSize2, MEM_COMMIT, PAGE_READWRITE);
if Assigned(ONI2) then
begin
  Status2 := NtQueryObject(hObject, ObjectNameInformation, ONI2, ReturnSize2, pReturnSize2);
  if NT_SUCCESS(Status2) then
    // UNICODE_STRING.Length is a byte count and Buffer is not guaranteed to be
    // null-terminated, so copy exactly Length div SizeOf(WideChar) characters
    // instead of assigning the raw PWideChar.
    SetString(Result2, ONI2^.Name.Buffer, ONI2^.Name.Length div SizeOf(WideChar));
  VirtualFree(ONI2, 0, MEM_RELEASE);
end;

But how do I retrieve the PID that this (Process) handle is opening?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Post by iconic »

madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Post by madshi »

Iconic is right, of course. And there's also this:

http://help.madshi.net/mchTools.htm#ProcessIdToFileName
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »


That's exactly what I'm looking for. Do you know if MCH has some function to enumerate all open handles instead of using NtQuerySystemInformation with SystemHandleInformation?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Post by madshi »

Nope.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Post by iconic »

@pambol

Google search is your friend

https://stackoverflow.com/questions/157 ... pplication

--Iconic
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

iconic wrote:@pambol

Google search is your friend

https://stackoverflow.com/questions/157 ... pplication

--Iconic
Already solved, thanks.
Another little question: is it possible to determine if a process X is from Windows? Like explorer, to detect if other people run some application with the same name as one used by Windows.
Using its path is one method: check if it is c:\Windows\explorer.exe, since it is impossible to put 2 explorer.exe in the Windows folder.
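One way to do the check asked about here, as an added example (not code from the thread or from madCodeHook): resolve the process's full image path and compare it with the expected file under the Windows directory. QueryFullProcessImageNameW is the documented kernel32 API (Vista and later); IsGenuineWindowsProcess and the PROCESS_QUERY_LIMITED_INFORMATION constant declaration are mine, and the assumption is that the calling process is allowed to open the target with that access.

```delphi
uses Windows, SysUtils;

const
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;  // enough to query the image path

// Documented kernel32 API; unlike GetModuleFileNameEx it also works when a
// 32-bit caller inspects a 64-bit process, and it returns a normalized Win32 path.
function QueryFullProcessImageNameW(hProcess: THandle; dwFlags: DWORD;
  lpExeName: PWideChar; var lpdwSize: DWORD): BOOL; stdcall; external 'kernel32.dll';

// True only when the image of Pid is exactly <Windows dir>\ExpectedName
// (e.g. ExpectedName = 'explorer.exe'); a same-named binary anywhere else
// returns False, as does any process we cannot open or query.
function IsGenuineWindowsProcess(Pid: DWORD; const ExpectedName: WideString): Boolean;
var
  hProc: THandle;
  Path, WinDir: array[0..MAX_PATH] of WideChar;
  Len, WinDirLen: DWORD;
  Actual, Expected: WideString;
begin
  Result := False;
  hProc := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, Pid);
  if hProc = 0 then Exit;
  try
    Len := Length(Path);
    if not QueryFullProcessImageNameW(hProc, 0, Path, Len) then Exit;
    WinDirLen := GetWindowsDirectoryW(WinDir, Length(WinDir));
    if (WinDirLen = 0) or (WinDirLen >= Length(WinDir)) then Exit;
    Actual := Path;              // zero-based WideChar arrays copy into a WideString
    Expected := WinDir;
    Expected := Expected + '\' + ExpectedName;
    // NTFS paths are case-insensitive, so compare without regard to case.
    Result := WideCompareText(Actual, Expected) = 0;
  finally
    CloseHandle(hProc);
  end;
end;
```

The path only proves where the file lives, not what it contains; pairing it with an Authenticode signature check is the usual next step when the goal is to tell a masquerading process from the real one.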
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Post by iconic »

pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

Do you know why the same handles that are listed in an x86 application are not listed in an x64 application?
I built an example on x86 that shows some handles, and the same application built as x64 doesn't show the same handles as the x86 one.

:(
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Post by iconic »

@pambol,

You're likely not using the proper structure member sizes. On x64 you need ULONG_PTR for most of it, even if the target is 32-bit, otherwise the underlying OS has no idea what the bitdepth is of whatever value you're attempting to acquire from 32-bit world within a 64-bit process. Keep in mind the memory addressing and address space itself in 64-bit mode is VERY different as opposed to your familiar x86/32-bit world. I think at this point this topic has gone off topic and no longer reflects questions about madCodeHook's RestoreCode() API. Best of luck to you


--Iconic
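The structure-size point above, as an added example (not code from the thread or from madCodeHook): the handle table declared with pointer-sized members and native alignment, so the same Pascal source compiles correctly for both x86 and x64. The record layouts and the SystemExtendedHandleInformation class value (64) follow the public NT headers as I know them; CountHandlesOfType and the Object_ field name (Object is reserved in Pascal) are my own choices.

```delphi
{$RANGECHECKS OFF}  // Handles[] is declared with one element; we index past it on purpose
uses Windows;
type
  ULONG_PTR = NativeUInt;  // 4 bytes on x86, 8 bytes on x64: this is the fix
  // Layout as in the NT headers. Deliberately NOT "packed": the compiler then
  // pads pointer-sized fields to native alignment, exactly as the kernel does.
  SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX = record
    Object_: Pointer;
    UniqueProcessId, HandleValue: ULONG_PTR;
    GrantedAccess: ULONG;
    CreatorBackTraceIndex, ObjectTypeIndex: Word;
    HandleAttributes, Reserved: ULONG;
  end;
  PSYSTEM_HANDLE_INFORMATION_EX = ^SYSTEM_HANDLE_INFORMATION_EX;
  SYSTEM_HANDLE_INFORMATION_EX = record
    NumberOfHandles, Reserved: ULONG_PTR;
    Handles: array[0..0] of SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
  end;
const
  SystemExtendedHandleInformation = 64;
  STATUS_INFO_LENGTH_MISMATCH = LongInt($C0000004);
function NtQuerySystemInformation(InfoClass: ULONG; Info: Pointer; Len: ULONG;
  ReturnLen: PULONG): LongInt; stdcall; external 'ntdll.dll';
// Counts handles owned by Pid whose ObjectTypeIndex = TypeIndex; -1 on failure. The
// index for "Process" differs between Windows versions, so resolve it at run time.
function CountHandlesOfType(Pid: ULONG_PTR; TypeIndex: Word): Integer;
var
  Buf: PSYSTEM_HANDLE_INFORMATION_EX; Size, Needed: ULONG;
  Status: LongInt; I: Integer;
begin
  Result := -1;
  Size := 1 shl 20;
  repeat
    Buf := VirtualAlloc(nil, Size, MEM_COMMIT, PAGE_READWRITE);
    if Buf = nil then Exit;
    Status := NtQuerySystemInformation(SystemExtendedHandleInformation, Buf, Size, @Needed);
    if Status <> STATUS_INFO_LENGTH_MISMATCH then Break;
    VirtualFree(Buf, 0, MEM_RELEASE);
    Size := Size * 2;  // the table can grow between calls: retry with more room
  until False;
  if Status >= 0 then  // NT_SUCCESS
  begin
    Result := 0;
    for I := 0 to Integer(Buf^.NumberOfHandles) - 1 do
      if (Buf^.Handles[I].UniqueProcessId = Pid) and
         (Buf^.Handles[I].ObjectTypeIndex = TypeIndex) then Inc(Result);
  end;
  VirtualFree(Buf, 0, MEM_RELEASE);
end;
```

To learn the Process type index without hard-coding 7, open your own process with OpenProcess and look up that handle's ObjectTypeIndex in the same table; a `packed record` version of the same declaration is what silently breaks the x64 build, because the entries then come out 20 bytes apart instead of 24.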
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Post by pambol »

iconic wrote:@pambol,

You're likely not using the proper structure member sizes. On x64 you need ULONG_PTR for most of it, even if the target is 32-bit, otherwise the underlying OS has no idea what the bitdepth is of whatever value you're attempting to acquire from 32-bit world within a 64-bit process. Keep in mind the memory addressing and address space itself in 64-bit mode is VERY different as opposed to your familiar x86/32-bit world. I think at this point this topic has gone off topic and no longer reflects questions about madCodeHook's RestoreCode() API. Best of luck to you


--Iconic
Changed the structure vars to x64, but it still doesn't show the same results as x86.