Hi all,
Does anyone know why kernel32.dll cannot load a dll?
I need to inject a dll into kernel32.dll to add code to it, but I cannot (even with SoftICE) force kernel32.dll to load a specific dll.

Cya and thanks.

PS: The purpose is to program a process dispatcher.
Posted on 2003-05-11 23:05:48 by r00t
The purpose is to redirect some APIs from Kernel32.dll to my own code, but I need that code to be "executable" from all processes.
Posted on 2003-05-11 23:07:52 by r00t
> The purpose is to redirect some APIs from Kernel32.dll to my own code, but I need that code to be "executable" from all processes.
Then you need to patch it in every process. When a system dll is patched, the patched dll gets copied to the process space of the process that did the patching, and all other processes continue to use the unpatched version of the dll.
Posted on 2003-05-11 23:21:54 by sluggy
Wrong: in 9x, when you patch a system dll, the changes are automatically "seen" in all currently active processes.
That isn't my problem. The problem is that I must be able to execute the "new" APIs from all processes. But where do I "put" my code?

Greets.
Posted on 2003-05-11 23:39:43 by r00t
The new code to be executed would normally reside in the dll that did the patching, i.e. it installs a jump in the system dll back to itself.
Posted on 2003-05-12 00:47:40 by sluggy
r00t,

The Windows operating system doesn't permit writing code to kernel32.dll, so you can't use the WriteProcessMemory API or something similar to patch kernel32.dll.
Posted on 2003-05-12 04:57:54 by Vortex
Yes, you can write code in kernel32.dll if you know how to switch to ring0.

The main question is:
How can I "reserve", or share, memory between all processes?
Posted on 2003-05-12 10:55:03 by r00t
If you allocate memory above 0x80000000, it will be shared.
You may have to enable writing for the pages you want to patch before you patch them. Otherwise, copy-on-write will be triggered. You should reset the dirty flag and write enable flag afterwards.
Posted on 2003-05-12 11:14:59 by Sephiroth3
Windows NT (including 2000 and XP) is radically different from Windows 95/98 in the case of shared memory. In NT, patched system libraries are only visible to the process that patched them. There is no real way to share memory between processes. In 9x, you cannot even patch system libraries unless you reset page permissions using VxD calls. It is also possible to share memory between all processes by creating a file mapping, since all memory above 2GB (80000000h) is visible to all contexts.
So which OS are we talking about?
Posted on 2003-05-12 13:11:13 by comrade
Does the file mapping approach work on NT too? I seem to recall something about the file mappings not necessarily being shared... but I might be wrong.
Posted on 2003-05-12 15:24:16 by f0dder
We are talking about 9x, and I can patch the code via ring0. (I use the IDT modification trick to switch from ring3 to ring0 and vice versa.)
Example:
I want to redirect the Kernel API WriteFile, so I modify the export table via ring0. Now the export points to my code. The problem is: that code must be visible from all processes. The problem with GlobalAlloc is that the code (copied into the allocated memory) is visible only in the process space that reserved it.

How can I force allocation of memory over 2GB?
How can I force a file mapping to memory over 2GB?

Greets and thanks.
Posted on 2003-05-12 22:08:28 by r00t
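The redirection r00t describes (an export entry of kernel32 repointed at code that lives outside the module) leaves a trace a defender can check for. The following is an added example, not code from this thread: a portable C parser that walks a PE32 image the same way the posted assembly later in the thread does (e_lfanew, optional header, export data directory, AddressOfFunctions) and reports every exported function whose RVA falls outside the module's SizeOfImage. The sample image, its ImageBase 0xBFF70000 and its three export entries are constructed for the example and are not a real kernel32. The parser treats RVAs as offsets from the image base, so on Windows the same function could be pointed at a loaded module's base address; it builds with any C compiler and needs no Windows headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers/writers over raw bytes, so the PE headers are
 * parsed without <windows.h> and the program builds on any platform. */
static uint16_t rd16(const uint8_t *p, size_t off)
{
    return (uint16_t)(p[off] | ((uint16_t)p[off + 1] << 8));
}
static uint32_t rd32(const uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}
static void wr16(uint8_t *p, size_t off, uint16_t v)
{
    p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8);
}
static void wr32(uint8_t *p, size_t off, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i));
}

/* Walk an in-memory PE32 image (RVAs are offsets from the base, as for a
 * loaded module) to its export table and count exported functions whose
 * RVA lies outside the image. Forwarders (RVA inside the export directory)
 * and empty ordinal slots are legitimate. Returns -1 on malformed headers. */
int count_out_of_image_exports(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img, 0) != 0x5A4D) return -1;             /* "MZ" */
    uint32_t pe = rd32(img, 0x3C);                                     /* e_lfanew */
    if ((uint64_t)pe + 4 + 20 + 104 > len || rd32(img, pe) != 0x00004550) return -1; /* "PE\0\0" */
    uint32_t opt = pe + 4 + 20;                                        /* optional header follows the file header */
    if (rd16(img, opt) != 0x10B) return -1;                            /* PE32 magic; PE32+ has a different layout */
    uint32_t size_of_image = rd32(img, opt + 56);
    uint32_t exp_rva  = rd32(img, opt + 96);                           /* DataDirectory[0]: export directory */
    uint32_t exp_size = rd32(img, opt + 100);
    if (exp_rva == 0 || (uint64_t)exp_rva + 40 > len) return -1;       /* no usable export table */
    uint32_t base   = rd32(img, exp_rva + 16);                         /* ordinal Base */
    uint32_t nfuncs = rd32(img, exp_rva + 20);                         /* NumberOfFunctions */
    uint32_t funcs  = rd32(img, exp_rva + 28);                         /* AddressOfFunctions */
    if ((uint64_t)funcs + (uint64_t)nfuncs * 4 > len) return -1;

    int suspicious = 0;
    for (uint32_t i = 0; i < nfuncs; i++) {
        uint32_t rva = rd32(img, funcs + 4 * i);
        if (rva == 0) continue;                                         /* unused ordinal slot */
        if (rva >= exp_rva && rva < exp_rva + exp_size) continue;       /* forwarder string, e.g. "OTHER.Func" */
        if (rva >= size_of_image) {
            printf("ordinal %u: export RVA 0x%08x is outside the image (SizeOfImage 0x%08x)\n",
                   base + i, rva, size_of_image);
            suspicious++;
        }
    }
    return suspicious;
}

enum { SAMPLE_LEN = 0x400 };

/* Constructed sample image (not a real kernel32): a minimal PE32 whose
 * export table holds a healthy export, a forwarder, and one entry that a
 * patcher has repointed at code outside the module. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0, SAMPLE_LEN);
    const uint32_t pe = 0x80, opt = pe + 24, exp = 0x200, image_base = 0xBFF70000u;
    wr16(buf, 0, 0x5A4D);                        /* "MZ" */
    wr32(buf, 0x3C, pe);                         /* e_lfanew */
    wr32(buf, pe, 0x00004550);                   /* "PE\0\0" */
    wr16(buf, pe + 4, 0x014C);                   /* Machine: i386 */
    wr16(buf, pe + 20, 0xE0);                    /* SizeOfOptionalHeader for PE32 */
    wr16(buf, opt, 0x10B);                       /* PE32 magic */
    wr32(buf, opt + 28, image_base);             /* ImageBase (constructed, 9x-era style value) */
    wr32(buf, opt + 56, SAMPLE_LEN);             /* SizeOfImage */
    wr32(buf, opt + 96, exp);                    /* export directory RVA */
    wr32(buf, opt + 100, 0x60);                  /* export directory size */
    wr32(buf, exp + 16, 1);                      /* ordinal Base */
    wr32(buf, exp + 20, 3);                      /* NumberOfFunctions */
    wr32(buf, exp + 28, exp + 0x30);             /* AddressOfFunctions */
    wr32(buf, exp + 0x30, 0x300);                /* ordinal 1: code inside the image */
    wr32(buf, exp + 0x34, exp + 0x40);           /* ordinal 2: forwarder string below */
    memcpy(buf + exp + 0x40, "OTHER.Func", 11);
    /* ordinal 3: repointed at 0x82000000, memory above 2GB. The patcher stores
     * target - ImageBase, which for any target outside the module is an RVA at
     * or beyond SizeOfImage (mod 2^32). */
    wr32(buf, exp + 0x38, 0x82000000u - image_base);
    return SAMPLE_LEN;
}

/* Builds the sample and runs the check; returns the number of flagged exports. */
int run_sample_check(void)
{
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample_image(buf, sizeof buf);
    return n ? count_out_of_image_exports(buf, n) : -1;
}

int main(void)
{
    int n = run_sample_check();
    printf("%d export(s) point outside the module image\n", n);
    return n > 0 ? 1 : 0;
}
```

The check only catches entries whose target lies outside the module; an export repointed at a code cave inside the image, or a function whose prologue was overwritten in place, passes it. Comparing the in-memory export table and function bodies against the module's on-disk copy closes that gap.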
I may be way off base here, but could you use the Page Allocation Services for allocating a specific physical memory address?
Posted on 2003-05-12 22:27:39 by donkey
Doesn't file mapping (under 9x) always allocate memory above 2GB?
Posted on 2003-05-12 23:02:27 by comrade
It does. Also you cannot write to memory above 2GB under Windows 95/98 by calling VxDCall0 _PageModifyPermissions. No need to go into ring0:
    call GetModuleHandleA,offset kernel32   ; eax = kernel32 base (TASM extended call syntax)
    mov ebx,eax
    mov eax,[ebx.MZ_lfanew]                 ; e_lfanew: offset of the PE header
    lea edi,[eax.ebx]                       ; edi = PE header
    mov esi,[edi.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress] ; export directory RVA
    mov esi,[esi.ebx.ED_AddressOfFunctions] ; AddressOfFunctions array
    mov ecx,[esi.ebx]                       ; RVA of the first export
    add ecx,ebx                             ; ecx==VxDCall0
    shr ebx,12                              ; page number of the kernel32 base
    push 020060000h
    push 00h
    push 01h
    push ebx
    push 001000dh                           ; _PageModifyPermissions
    call ecx

This code is from http://www.wasm.ru/article.php?article=1021007. I am sure Babelfish would help out.
Posted on 2003-05-12 23:33:26 by comrade
Thanks a lot comrade.
Posted on 2003-05-15 20:54:39 by r00t