I have studied Iczelion's PE tutorials to learn more about it. I have played around a little and ended up with this demo.

The demo includes

a) a hostprogram (host.exe) which purpose is to read a text file (FileToRead.txt) and display the text in its edit box.
b) an insertprogram (Insert.exe) which purpose is to see what the hostprogram reads.
c) a dll (NMEA.dll) which makes it possible.

1. Start the insert.exe. The process loads the hostprogram code into memory and inserts a code in the last data section. Then the entry point is changed to the inserted code start address. Then the hostprogram is saved as "copy.exe".

2. The copy.exe is executed by pushing the button on insertprogram dialog. The iserted code loads the NMEA.dll before returning to the old entrypoint.

3. At start up of the dll the hostprogram jumptable is seached for the ReadFile kernel32 address. When found the address is changed to the address of the Capture function address in NMEA.dll.

4. When the hostprogram calls the ReadFile API, by pushing the button, it first jumps to the capture function and leaves the returnaddress and the address to the buffer of the text to be read. The dll calls the API and when returning to dll the buffer is read and sent to insertprogram edit box just before it is displayed in hostprogram edit box.

5. Exiting the insertprogram deletes the copy.exe.

The code is tested on win2k and win98.

Funny knowledge. I have used it to capture GPS NMEA strings on an occupied serial port.

Posted on 2003-06-27 13:59:10 by minor28
Why patch the executable when you can do it on-the-fly? Check the XCOM bugfix at http://f0dder.has.it . The code is in C, but it should be rather easy to follow - and the method works for both NT and Win9x (ie, no use of CreateRemoteThread).
Posted on 2004-01-26 00:32:34 by f0dder
The reason for this demo was my work to add some features to a freeware program (with the authors permission). To do this I injected code in the program to start a dll from where I could start a dialogbox to handle and compute data produced by the program. Data to the program was read from the comport. Futhermore I wanted to compute the comport data for additional purposes than the program did so I captured the data from the comport before the program got access to it. I also wanted to draw lines in the program. So my dll is now an integrated part of the program. That's why, I didn't know better then. I will study your suggestion later and see if you method is better.
Posted on 2004-01-26 03:05:29 by minor28
Well, to integrate your code as a permanent part of the application, adding the code permanently is probably a better solution (you might want to study the import table format though, and add your DLL that way instead of injecting additional load-code).

I used the loader+runtime injection method because I wanted to play with this, and because I obviously couldn't distribute a patched executable - even without the game data files, it would be a form of piracy. I felt that a loader was easier to do than a patcher, and more fun anyway :)

(Btw, I did sortof get official permission to distribute the bugfix loaders)
Posted on 2004-01-26 03:14:00 by f0dder