N-InjectLib and N-CodeHook simple example

A simple example would be appreciated. Right now I am trying to figure out something from IDA Stealth, but what I really want is:
1) create a suspended process from my application
2) inject a dll which has the detour function inside of it

N-InjectLib and N-CodeHook simple example

I'll see what I can do and update the projects as soon as I have some spare time.

Best regards
Jan

Thanks for the quick reply!
I've written a small test example, and it seems to be working.
Looks like I can not attach anything at this forum (I mean code) :)
Actually I am new to this "injection-hooking" stuff and have some questions.
What is the expected value for the function IATModifier::setIBA? Is it the address of the import table in the process? Is it OK to use autosearch for this thing?

N-InjectLib and N-CodeHook simple example

setIBA is used to set the image base address of the process you want to inject into. Autosearch is still a "todo" for now.

You can use geshi syntax to add code to your post (remove underscores):

<___geshi type="cpp">
int main()
{
return 0;
}
<___/geshi>

This is my simple test. It works, though I used the autosearch for the image base address. What problems may I have with the current implementation of autosearch? Is everything OK with the example?

The dll:

#include <windows.h>
#include "NCodeHookInstantiation.h"

NCodeHookIA32 nCodeHook;

#define USER32 "user32.dll"

// Without defining at least one export function injection doesn't work
extern "C" __declspec(dllexport) void tryMe();

// The definition inherits the C linkage of the declaration above
__declspec(dllexport) void tryMe() {
    // empty body
}

typedef BOOL (WINAPI *SetWindowTextWPtr)(HWND hWnd, LPCWSTR lpString);
SetWindowTextWPtr origSetWindowTextW = NULL;

// Replacement for SetWindowTextW: forwards to the original with a fixed string
BOOL WINAPI SetWindowTextWHook(HWND hWnd, LPCWSTR lpString)
{
    return origSetWindowTextW(hWnd, L"***");
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // createHookByName installs the hook and returns a pointer for calling the original
        origSetWindowTextW = nCodeHook.createHookByName(USER32, "SetWindowTextW", SetWindowTextWHook);
        break;

    case DLL_THREAD_ATTACH:
        break;

    case DLL_THREAD_DETACH:
        break;

    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

The application:

#include <windows.h>
#include <cstring>
#include "Process.h"
#include "IATModifier.h"

int main(int argc, char* argv[]) {

    STARTUPINFOA        siStartupInfo;
    PROCESS_INFORMATION piProcessInfo;

    // The target is started suspended so its IAT can be modified before it runs
    char fullPathToProcess[] = "c:\\windows\\system32\\calc.exe";
    memset(&siStartupInfo, 0, sizeof(siStartupInfo));
    memset(&piProcessInfo, 0, sizeof(piProcessInfo));

    siStartupInfo.cb = sizeof(siStartupInfo);

    // CreateProcessA matches the narrow (char) path buffer regardless of UNICODE
    if (CreateProcessA(fullPathToProcess,    // Application name
        NULL,                                // Application arguments
        NULL,                                // Process security attributes
        NULL,                                // Thread security attributes
        FALSE,                               // Don't inherit handles
        CREATE_DEFAULT_ERROR_MODE | CREATE_SUSPENDED,
        NULL,                                // Environment
        NULL,                                // Working directory
        &siStartupInfo,
        &piProcessInfo) == FALSE) {
            // something bad happened
            return 1;
    }

    DWORD process_id = piProcessInfo.dwProcessId;
    Process process(process_id);
    IATModifier iatMod(process, true);    // no setIBA call: the image base is autosearched
    iatMod.writeIAT("CodeHook.dll");      // add an import entry for the hook DLL

    ResumeThread(piProcessInfo.hThread);
    WaitForSingleObject(piProcessInfo.hProcess, INFINITE);

    CloseHandle(piProcessInfo.hThread);
    CloseHandle(piProcessInfo.hProcess);
    return 0;
}
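The DLL above replaces the entry of user32!SetWindowTextW with a redirect into CodeHook.dll. From the defender's side, the same fact is what makes such hooks detectable: the first bytes of the API no longer look like a normal prologue and the jump leaves the owning module. The following is an added example, not code from this thread or from N-CodeHook; the module addresses and byte patterns are constructed, and reading the entry bytes out of the target (ReadProcessMemory on Windows) is assumed to happen elsewhere.

```cpp
// Added example (not from the thread or N-CodeHook): classify the first bytes of an
// API entry point for the 32-bit inline-hook patterns a hooking library writes, and
// flag hooks whose target lies outside the module that owns the function.
// All addresses and byte patterns below are constructed; little-endian host assumed.
#include <cstddef>
#include <cstdint>
#include <cstring>

struct HookInfo {
    bool     hooked;   // a redirecting instruction sits at the function entry
    uint64_t target;   // where execution is redirected to (0 when not hooked)
};

// Recognise the two 32-bit redirect patterns hooking libraries commonly write:
// JMP rel32 (E9 xx xx xx xx) and PUSH imm32 / RET (68 xx xx xx xx C3).
HookInfo detectInlineHook(const uint8_t* code, size_t len, uint64_t funcAddr) {
    HookInfo info{false, 0};
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel;
        std::memcpy(&rel, code + 1, sizeof rel);       // displacement is signed
        info.hooked = true;                            // target = next instruction + rel
        info.target = static_cast<uint64_t>(static_cast<int64_t>(funcAddr) + 5 + rel);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        uint32_t imm;
        std::memcpy(&imm, code + 1, sizeof imm);       // absolute address pushed, then ret
        info.hooked = true;
        info.target = imm;
    }
    return info;
}

// A hook is suspicious when its target lies outside the module that owns the
// function, i.e. in the injected CodeHook.dll rather than inside user32 itself.
bool targetOutsideModule(const HookInfo& h, uint64_t modBase, uint64_t modSize) {
    return h.hooked && (h.target < modBase || h.target >= modBase + modSize);
}

// Constructed sample data: a fictitious user32 mapped at 0x77D10000 (0x90000 bytes)
// with SetWindowTextW at 0x77D1A000, and a hook DLL mapped at 0x10000000.
const uint64_t kUser32Base = 0x77D10000ULL, kUser32Size = 0x90000ULL;
const uint64_t kFuncAddr   = 0x77D1A000ULL;
const uint8_t  kHookedEntry[]  = {0xE9, 0xFB, 0x6F, 0x2E, 0x98};          // jmp 0x10001000
const uint8_t  kPushRetEntry[] = {0x68, 0x00, 0x20, 0x00, 0x10, 0xC3};    // push 0x10002000; ret
const uint8_t  kCleanEntry[]   = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};          // mov edi,edi; push ebp; mov ebp,esp

int main() {
    const HookInfo h = detectInlineHook(kHookedEntry, sizeof kHookedEntry, kFuncAddr);
    return (h.hooked && targetOutsideModule(h, kUser32Base, kUser32Size)) ? 0 : 1;
}
```

A clean prologue (or an entry shorter than a redirect) yields `hooked == false`, so the module-range test only fires for actual redirects.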

N-InjectLib and N-CodeHook simple example

Hi Okko,

Your example looks good. However, as I said, the autosearch feature hasn't been thoroughly tested.
If this method works for you, it's fine. However, you need to be aware of the fact that the code in findImportDescriptor will fail if there is a page with e.g. the PAGE_NOACCESS attribute before the image base address.
I will add a more reliable method in the next version of the library.

N-InjectLib and N-CodeHook simple example

The library has been updated, which fixes this issue. A simple example is also included.

Great news! Thanks for such a nice tiny lib! I will continue using it, so be aware of bug reports :)