What is the best/preferred way to inject a DLL... WPM with loadlib/getprocadd code and then WPM rewrite the jmp, SetWindowsHook(Ex) or CreateRemoteThread...? And what is the correct manner to redirect an import? CreateProcess with suspended, rewrite the address of the function you want to redirect in the import table to your own? Does anyone have a simple/good example of an IAT redirect (not massive, just simple inject DLL and redirect function...) ASM or C++.. thx in advance =)
Posted on 2003-04-13 16:42:53 by SFP
Seriously, no one knows =) ? Or no one wants to help because they think it is for malicious use =) ?
Posted on 2003-04-14 06:16:40 by SFP
create suspended + writeprocessmemory + (etc etc) works fine for all OSes, but I find the method messy. Nevertheless, it's the approach taken in my XCOM bugfix loader.

If you don't really care about 9x, I think VirtualAllocEx+CreateRemoteThread of NT is much cleaner for generic code injection. In the case of IAT redirection, I would redirect the entrypoint (create with suspended, construct near jump to VirtualAllocEx memory at entrypoint, restore EP and jump there when done) - no, you can't use SetThreadContext for this, as EIP != program entrypoint when creating suspended.
Posted on 2003-04-14 06:39:09 by f0dder
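The import-table rewrite SFP asks about and f0dder describes is also what a defender looks for afterwards. As an added example that is not part of this thread, the Python below walks a 32-bit image's import directory and flags IAT slots that no longer point into the DLL that exports the function; the image bytes and the kernel32 base/size are constructed assumptions, not values from any real process.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")
KERNEL32_BASE, KERNEL32_SIZE = 0x77E60000, 0x100000  # assumed mapping of kernel32.dll

def c_string(image, rva):
    """Read a NUL-terminated ASCII string at an RVA inside the image buffer."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def parse_imports(image, import_dir_rva):
    """Yield (dll, function, iat_slot_rva, resolved_address) for a 32-bit image."""
    off = import_dir_rva
    while True:
        oft, _, _, name_rva, ft = IMPORT_DESCRIPTOR.unpack_from(image, off)
        if name_rva == 0:                        # all-zero descriptor ends the table
            return
        dll = c_string(image, name_rva)
        for i in range(0x10000):                 # bounded walk of INT and IAT in parallel
            (int_entry,) = struct.unpack_from("<I", image, oft + 4 * i)
            if int_entry == 0:
                break
            (addr,) = struct.unpack_from("<I", image, ft + 4 * i)
            if int_entry & 0x80000000:           # import by ordinal
                func = f"#{int_entry & 0xFFFF}"
            else:                                # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                func = c_string(image, int_entry + 2)
            yield dll, func, ft + 4 * i, addr
        off += IMPORT_DESCRIPTOR.size

def find_redirected(image, import_dir_rva, modules):
    """modules: {dll_name_lower: (base, size)}. Returns IAT slots whose resolved
    address lies outside the DLL that is supposed to export the function."""
    hits = []
    for dll, func, slot, addr in parse_imports(image, import_dir_rva):
        base, size = modules[dll.lower()]
        if not base <= addr < base + size:
            hits.append((dll, func, slot, addr))
    return hits

def build_sample_image():
    """Constructed import directory: two kernel32 imports, WriteFile slot rewritten."""
    img = bytearray(0x100)                       # the all-zero descriptor at 0x14 terminates
    IMPORT_DESCRIPTOR.pack_into(img, 0x00, 0x40, 0, 0, 0x80, 0x60)
    struct.pack_into("<III", img, 0x40, 0x90, 0xA0, 0)                          # INT
    struct.pack_into("<III", img, 0x60, KERNEL32_BASE + 0x11000, 0x00405000, 0)  # IAT
    img[0x80:0x8D] = b"KERNEL32.dll\0"
    img[0x90:0x9E] = b"\0\0CreateFileW\0"
    img[0xA0:0xAC] = b"\0\0WriteFile\0"
    return bytes(img)
```

Calling `find_redirected(build_sample_image(), 0, {"kernel32.dll": (KERNEL32_BASE, KERNEL32_SIZE)})` reports the WriteFile slot, whose address points into the image itself rather than into kernel32.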
Ok thx a lot, btw do you know of any simple src on it? I tried googling but I only found the setwindowshook method and some ugly MFC code for the other.
Posted on 2003-04-14 07:59:18 by SFP
click the little "www" button under my posts (or view my profile) and hop to my site, have a look at "xcom pitch-patching".
Posted on 2003-04-14 08:44:42 by f0dder
thx a lot =)))
Posted on 2003-04-14 09:17:31 by SFP
np, hope it helps.
Posted on 2003-04-14 09:52:16 by f0dder
hmm concerning the problem with SetThreadContext, why can't I set it back since I HAVE the Original/Right Entrypoint saved?
Posted on 2003-04-15 17:23:30 by SFP
Depends on when you're going to set it back.
Remember that if you CreateProcess with SUSPENDED, the initial thread is not suspended at program EP - it's somewhere in DLL init code land.
Posted on 2003-04-16 01:40:45 by f0dder