I'm trying to inject this function:

```c
void doubleValue(int pointer){
    *((int*)pointer) *= 2;
}
```

into a process via `VirtualAllocEx` & `WriteProcessMemory`:

```c
int size = 1024 * 1024 * 4;
HANDLE h = GetCurrentProcess();
void * func = &doubleValue;
int arg = (int)&HP;
DWORD adr = (DWORD)VirtualAllocEx(h, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(h, (LPVOID)adr, func, size, 0);
unsigned long i = 0;
VirtualProtectEx(h, (LPVOID)(adr - size), size * 2, PAGE_EXECUTE_READWRITE, &i);
HANDLE thread = CreateRemoteThread(h, NULL, 0, (LPTHREAD_START_ROUTINE)(adr), &arg, 0, NULL);
```

Note: For testing purposes I'm injecting the function into the same process (`GetCurrentProcess()`).

When injected, the line copied is `jmp xxxxxxx` instead of the real function:

```
00660000 - push ebp
00660001 - mov ebp,esp
00660003 - sub esp,000000C0
00660009 - push ebx
0066000A - push esi
0066000B - push edi
0066000C - lea edi,[ebp-000000C0]
00660012 - mov ecx,00000030
00660017 - mov eax,CCCCCCCC
0066001C - repe stosd
0066001E - mov eax,[ebp+08]
00660021 - mov ecx,[eax]
00660023 - shl ecx,1
00660025 - mov edx,[ebp+08]
00660028 - mov [edx],ecx
0066002A - pop edi
0066002B - pop esi
0066002C - pop ebx
0066002D - mov esp,ebp
0066002F - pop ebp
```

So I got a dump of the function:

```
\x55\x8B\xEC\x81\xEC\xC0\x00\x00\x00\x53\x56\x57\x8D\xBD\x40\xFF\xFF\xFF\xB9\x30\x00\x00\x00\xB8\xCC\xCC\xCC\xCC\xF3\xAB\x8B\x45\x08\x8B\x08\xD1\xE1\x8B\x55\x08\x89\x0A\x5F\x5E\x5B\x8B\xE5\x5D
```

and tried to write that instead of `&func`'s data, but still nothing happened. Also, since I injected into my own process, that jump address was perfectly fine and that should have worked too. [Test only, I'm not trying to inject code into my own process.]
Images from Cheat Engine + Visual Studio (images not reproduced here):
adr=00443F5B
jmp address: [image not reproduced]
No matter how much I change the code, I'm either getting `Access violation executing location 0xXXXXXX` or literally nothing happens.

Edit: I know that I can just writeprocmem -> HP, but that's not the point here.
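As an added example (not part of the question and not the author's code), here is a small Python check of the kind of byte dump pasted above: it follows a near relative `jmp` thunk of the sort incremental linking puts at `&func` to its target, and reports whether a copied body actually ends in a `ret`. The dump bytes are the ones from the question; the thunk bytes and the addresses 0x00411005 / 0x00412000 / 0x00660000 are constructed for the demonstration.

```python
import struct

# Bytes copied from the question's dump of doubleValue(): 48 bytes, the last
# one being `pop ebp` (0x5D). No `ret` (0xC3) follows it in the dump.
DUMPED_FUNC = bytes.fromhex(
    "558BEC81ECC0000000535657" "8DBD40FFFFFF" "B930000000" "B8CCCCCCCC"
    "F3AB" "8B4508" "8B08" "D1E1" "8B5508" "890A" "5F5E5B" "8BE5" "5D"
)


def resolve_jmp_thunk(addr, code):
    """If `code` (located at `addr`) starts with a near relative jmp (E9 rel32),
    return the address it jumps to; otherwise return None.

    Incrementally linked MSVC debug builds make &func point at such a thunk,
    so copying bytes from &func copies the 5-byte thunk, not the function body."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel32 = struct.unpack_from("<i", code, 1)[0]  # signed 32-bit displacement
        return (addr + 5 + rel32) & 0xFFFFFFFF        # target = next_ip + rel32
    return None


def ends_with_ret(code):
    """Heuristic: last byte is `ret` (C3) or third-from-last is `ret imm16` (C2 iw).
    A real check needs an instruction-length decoder, since C3 can also be a
    ModRM byte (e.g. `03 C3` = add eax, ebx); good enough for prologue/epilogue
    shaped dumps like the one in the question."""
    if not code:
        return False
    return code[-1] == 0xC3 or (len(code) >= 3 and code[-3] == 0xC2)


def describe_blob(addr, code):
    """Classify a byte blob copied from a function address."""
    target = resolve_jmp_thunk(addr, code)
    return {
        "kind": "thunk" if target is not None else "body",
        "target": target,
        "has_prologue": code[:3] == b"\x55\x8B\xEC",  # push ebp; mov ebp,esp
        "has_ret": ends_with_ret(code),
    }


if __name__ == "__main__":
    # Constructed thunk located at 0x00411005 that jumps to 0x00412000.
    thunk = b"\xE9" + struct.pack("<i", 0x00412000 - (0x00411005 + 5))
    print(describe_blob(0x00411005, thunk))        # kind: thunk, target 0x412000
    print(describe_blob(0x00660000, DUMPED_FUNC))  # kind: body, has_ret: False
```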