Hello!

I have the following problem:
I load a dll via LoadLibrary. Then I get the address of a function (of the loaded dll) via GetProcAddress. After that I want to read the entry (first bytes) of the function with ReadProcessMemory. But ReadProcessMemory returns: NumberOfBytesRead = 0.
I guess my program is not "allowed" to read the bytes from the loaded dll. But how can I make my program read (and write) the needed entry of the function? I tried VirtualQuery without a result.

Can someone give me an example or link please?

Thanks,
DarkSoul
Posted on 2001-11-13 02:08:45 by DarkSoul
if you load a dll with LoadLibrary, this dll will be in the address space of your process. So to get the first byte of a proc in this dll code:



invoke GetProcAddress,....
.if (eax)       ; eax = address of proc, or 0 if the export was not found
mov al,[eax]    ; read the first byte of the proc directly, it is in our address space
.endif


:)

japheth
Posted on 2001-11-13 03:19:14 by japheth
Iirc, Read (or at least Write)ProcessMemory will fail on system DLLs.
At least on win9x. And hopefully also on win2k =).


Oh yes, under nt/2k/xp you will be dealing with Copy-On-Write,
which means if you DO succeed in patching a DLL, it will only change
in *your* process, not globally.
Posted on 2001-11-13 08:20:09 by f0dder
assuming that the dll you want to read from hasn't restricted access for read (most likely you will see that only on Win2k/NT/XP),
you should use VirtualProtect(Ex) to make a page readable, not VirtualQuery, which just provides paging information.
Posted on 2001-11-13 15:51:50 by DZA
I also think VirtualProtect(ex) has blocks to prevent you from deprotecting
the kernel and such..
Posted on 2001-11-13 16:27:32 by f0dder
ohhh.... I didn't know that
Posted on 2001-11-14 06:03:29 by Tsongkie[ii]

assuming that the dll you want to read from hasn't restricted access for read (most likely you will see that only on Win2k/NT/XP),
you should use VirtualProtect(Ex) to make a page readable, not VirtualQuery, which just provides paging information.

It seems to be ReadOnly... but how do I use VirtualQuery and VirtualProtect? If I use VirtualQuery with the handle of my dll I get 2 as the answer (should be ReadOnly), but if I try to manipulate it via VirtualProtect, nothing happens. Where can I find an example for that (because I don't know what arguments to pass to VirtualQuery and VirtualProtect)?

What I really want to do is this: A program loads a dll, then it calls a function of the dll. But before the dll's function starts, my own function has to replace some bytes of the arguments, and then the dll's function can start. I tried everything... DebugProcess is not good for my problem (because every program that uses the dll should be processed). I found a source code named "APIHijacker"... but it will only work if the dll is loaded during startup of the program, not if the program loads the dll later. The dll uses a vxd. Maybe I can use this as an "entry point"? I don't want to "patch" the dll on the harddisk, because some other programs won't work with my patched version and I don't want to copy the 2 different dlls every time I load a program.

Sorry, but my English is not the best. Thank you for your answer!
Posted on 2001-11-15 02:16:22 by DarkSoul
push offset old_protection
; lpflOldProtect: dword buffer which receives the old protection of that page
; required in Win2k, not required in Win9x (push 0)
push PAGE_READWRITE ; flNewProtect: which flag, I assume this is what you want
push 2 ; dwSize: how many bytes
push dword ptr ; lpAddress: pointer to the address whose page flags you want to modify
Call VirtualProtect


VirtualProtectEx has similar usage, only that you must also push the handle to the process you want to mess with (VirtualProtect can be used only to change flags of pages in the current process).
For your problem, you might want to try the ForceLibrary by y0da (www.y0da.cjb.net)
Posted on 2001-11-15 06:17:29 by DZA
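The two calls from DarkSoul's question and DZA's answer put together in one complete MASM32 program, as an added example that is not code from this thread: it loads a dll, looks up an export, asks VirtualQuery what the protection of the page holding the entry is, changes it with VirtualProtect only if the page is not readable as it stands, copies the first five bytes out with a plain loop (the dll is in our own address space, so ReadProcessMemory is not needed), and then puts the original protection back. The include/lib paths assume the usual MASM32 package layout; kernel32.dll and GetTickCount are a constructed sample target, any dll and export can be substituted.

```masm
; Added example, not from the thread. Assumes the MASM32 package layout
; (\masm32\include, \masm32\lib); kernel32.dll / GetTickCount are a
; constructed sample target and can be replaced by any dll and export.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\masm32.lib

.data
szDll     db "kernel32.dll",0        ; sample dll (constructed choice)
szFunc    db "GetTickCount",0        ; sample export (constructed choice)
szFmt     db "page protect = %08Xh, entry bytes: %02X %02X %02X %02X %02X",13,10,0
szErr     db "failed, GetLastError = %u",13,10,0
mbi       MEMORY_BASIC_INFORMATION <> ; filled by VirtualQuery
hDll      dd 0
pFunc     dd 0
oldProt   dd 0                       ; receives the old flags from VirtualProtect
changed   dd 0                       ; 1 if we touched the protection
errCode   dd 0
entry     dd 5 dup(0)                ; first 5 bytes, one dword each for wsprintf
szOut     db 128 dup(0)

.code
start:
    invoke LoadLibrary, addr szDll
    .if eax == 0
        jmp fail
    .endif
    mov hDll, eax

    invoke GetProcAddress, hDll, addr szFunc
    .if eax == 0
        jmp fail
    .endif
    mov pFunc, eax

    ; VirtualQuery(lpAddress, lpBuffer, dwLength): only reports, changes nothing.
    ; mbi.Protect holds the current PAGE_* flags of the page containing pFunc.
    invoke VirtualQuery, pFunc, addr mbi, sizeof MEMORY_BASIC_INFORMATION
    .if eax == 0
        jmp fail
    .endif

    ; Touch the protection only if the page cannot be read as it is. Dll code
    ; is normally PAGE_EXECUTE_READ, so this branch is rarely taken.
    mov changed, 0
    mov eax, mbi.Protect
    .if eax == PAGE_NOACCESS || eax == PAGE_EXECUTE
        ; VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect);
        ; the last pointer must not be NULL on NT/2k/XP.
        invoke VirtualProtect, pFunc, 5, PAGE_EXECUTE_READ, addr oldProt
        .if eax == 0
            jmp fail
        .endif
        mov changed, 1
    .endif

    ; The dll is mapped into our own process, so a plain copy reads it.
    mov esi, pFunc
    xor ecx, ecx
    .while ecx < 5
        movzx eax, byte ptr [esi+ecx]
        mov [entry+ecx*4], eax
        inc ecx
    .endw

    ; Put the original protection back if we changed it.
    .if changed
        invoke VirtualProtect, pFunc, 5, oldProt, addr oldProt
    .endif

    invoke wsprintf, addr szOut, addr szFmt, mbi.Protect, entry[0], entry[4], entry[8], entry[12], entry[16]
    invoke StdOut, addr szOut
    invoke ExitProcess, 0

fail:
    invoke GetLastError
    mov errCode, eax
    invoke wsprintf, addr szOut, addr szErr, errCode
    invoke StdOut, addr szOut
    invoke ExitProcess, 1
end start
```

Build it the usual way (ml /c /coff, then link /subsystem:console). Two things worth keeping in mind when reading the output: the protection VirtualQuery reports is what your process sees, and on the NT line the page is copy-on-write, so, as f0dder says above, anything written there after a VirtualProtect to a writable flag changes only your own copy of the dll, never the one other processes run.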