How can I pass a structure pointer in injected code, where I have to keep the 'delta offset' in mind?
For example, how can I use the GetLocalTime API, where a SYSTEMTIME structure needs to be passed?


In normal conditions it's like


Invoke GetLocalTime,eax,ADDR strupointer

In injected code every variable address is added to ebp.
Also, the normal API calling convention is not enough. Please help.
Posted on 2004-02-16 15:37:38 by zakham
Obviously you cannot use invoke or addr like this, when dealing with injected code. I would recommend you to only inject a tiny piece of code, designed to load a DLL with the 'real' code - this way you can use APIs normally, and don't have to deal with the "delta offset".

If you insist on injecting the full code without the use of a DLL, remember that you'll have to do something like
lea eax, [ebp+mystruct]
to get the address, and that you'll probably find yourself having a list of required APIs and doing stuff like "call dword ptr " - the DLL approach is really the best way to go about this.

Have a look at my XCOM bugfix loader at http://f0dder.has.it , it shows how to inject DLL-loading code, and put it to good use.
Posted on 2004-02-16 16:28:09 by f0dder
Before I knew that I could inject a thread into a program, I was dealing with the PE and how to inject code. I found some good code to do it, but it had a little thing that I didn't like: it creates a new section in the exe to put the code in, and if needed also a new data section.

I modified the code to search for zeros at the end of a code section, to put the code there if it fits, and then copy the code and change the start point. The same with the data: search for zeros in a data section of the needed size, then put the data (DLL names, etc.) there, and after the DLL load set the data back to zero and jump to the old start point (which is saved at the end of a data section). Take a look.

You must run parcheador.exe; it will examine an exe and create an altered exe with a different name (in a real implementation it should switch the names and delete the old exe).


_________________Hugo Mauricio Prado Macat
Posted on 2004-02-18 00:46:58 by mauricioprado
> lea eax, [ebp+mystruct]

You may not do it that way, since your structure might require alignment to at least a multiple of 4, which is quite random in injected code...
I would use the stack instead.
Posted on 2004-02-18 09:56:01 by Axial
> > lea eax, [ebp+mystruct]
>
> You may not do it that way, since your structure might require alignment to at least a multiple of 4, which is quite random in injected code...
> I would use the stack instead.

If the structure is created by the injected code then the stack is best, but the structure being used may already be part of the original program in the data section.
Posted on 2004-02-18 10:03:58 by ENF
When not messing with bad stuff like buffer overflows, you should be able to guarantee your code will end up with at least 4-byte alignment (PAGE alignment for VirtualAllocEx). And you are not doing buffer overflows. Thus, you should be able to guarantee at least 4-byte alignment for your data structures, as necessary.
Posted on 2004-02-18 10:07:55 by f0dder