A big hello to everyone on the board, this is my first posting.

I'm experimenting with API hooking and have tried patching a DLL in a specific process in order to subvert a specific API. Because DLLs are up in shared memory, I assumed that any changes made would be reflected in other (subsequently loaded) processes which use the DLL in question.

However, when I patch the DLL (either export address or actual code) the modifications appear to be confined to the process that I run my patch program in.

Is it really going to be necessary for me to enumerate all processes in order to apply my patch? Surely there must be a more elegant way in which I could exploit the dynamic linking mechanism / shared DLL memory?

code minstrel
Posted on 2004-10-13 16:43:24 by code minstrel
I have found an interesting program by OCY that is able to hook a DLL (winsock) in every process, without specifically patching the copy in each process (see attachment). While this appears to answer my question, I don't quite understand how it works.

I believe it opens up inter-process shared memory by calling a ring0 VXD service? There appears to be an API (or some invocation mechanism) called VxdCall4. However, I don't quite understand how this works or how one obtains the address of vxdcall.

Any ideas?

Code minstrel
Posted on 2004-10-17 13:36:32 by code minstrel