Okay, I am using the call procedure and pushing values onto the stack to use APIs.

One of the APIs I am using has an argument that receives a return value. But if I am putting a value on the stack, how do I get it to store the return value in the variable I want it to?

Here's the code I put together so far. Look at the push just before 'GetWindowThreadProcessId'. Help would be much appreciated. :)

WriteMemory proc lpWindow:DWORD,lpAddress:DWORD,lpValue:DWORD,lpSize:BYTE

LOCAL hWnd:HWND
LOCAL pID:DWORD
LOCAL pHandle:DWORD

push lpWindow
push 0
call FindWindow
cmp eax,0
jz @end
mov hWnd,eax
push ;??? - Return value of this argument should be stored in pID
push hWnd
call GetWindowThreadProcessId
push pID
push FALSE
push PROCESS_ALL_ACCESS
call OpenProcess
cmp eax,0
jz @end
mov pHandle,eax
push 0
push 4
push lpValue
push lpAddress
push pHandle
call WriteProcessMemory
push pHandle
call CloseHandle
@end:
ret

WriteMemory endp
Posted on 2005-01-30 21:30:17 by BBS
lpdwProcessId

Points to a 32-bit value that receives the process identifier. If this parameter is not NULL, GetWindowThreadProcessId copies the identifier of the process to the 32-bit value; otherwise, it does not.


In your case, it could be:
lea eax,pID

push eax


or you could use any other register you prefer. EAX would be used if you were to utilize the MASM invoke macro.

Raymond
Posted on 2005-01-30 22:26:12 by Raymond
Thanks for replying.

I probably should have mentioned that I already tried this code.
lea eax,pID

Push eax

But pID still doesn't receive the value that GetWindowThreadProcessId retrieves, since OpenProcess can't receive a process handle.

I also don't want to use invoke; I am just experimenting with the call procedure.
Posted on 2005-01-30 22:57:06 by BBS
BBS,

This should do what you want. INVOKE just PUSHes and CALLs, so I don't understand your reluctance to use it. Ratch



WriteMemory:
WM$1 STRUC
ADR1=$
hWnd DWORD ?
pID DWORD ?
pHandle DWORD ?
ADR2=$
return DWORD ?
ADR3=$
lpWindow DWORD ?
lpAddress DWORD ?
lpValue DWORD ?
lpSize DWORD ?
ADR4=$
WM$1 ENDS

S$1 EQU ESP.WM$1

SUB ESP,ADR2-ADR1 ;make room for local variables

INVOKE FindWindow,0,[S$1.lpWindow]

TEST EAX,EAX
.IF !ZERO?
LEA ECX,[S$1.pID] ;address of pID
MOV [S$1.hWnd],EAX
INVOKE GetWindowThreadProcessId,EAX,ECX
INVOKE OpenProcess,PROCESS_ALL_ACCESS,FALSE,[S$1.pID]

TEST EAX,EAX
.IF !ZERO?
MOV [S$1.pHandle],EAX
INVOKE WriteProcessMemory,EAX,[S$1.lpAddress+3*DWORD],[S$1.lpValue+2*DWORD],4,0
INVOKE CloseHandle,[S$1.pHandle]
.ENDIF
.ENDIF

ADD ESP,ADR2-ADR1 ;reclaim local variable space (must match the SUB ESP,ADR2-ADR1 above, otherwise RET pops a local instead of the return address)
RET ADR4-ADR3 ;balance stack and return to sender
Posted on 2005-01-31 00:34:21 by Ratch

pdwProcessId

Points to a 32-bit value that receives the process identifier. If this parameter is not NULL, GetWindowThreadProcessId copies the identifier of the process to the 32-bit value; otherwise, it does not.




LOCAL pHandle:DWORD
mov pID,0 <---------

snip

mov hWnd,eax
lea eax,pID <--------
push eax <---------------
push hWnd
call GetWindowThreadProcessId
snip


and the disassembly


00401051 PUSH DWORD PTR SS:[EBP-8] ; /ProcessId = 35C
00401054 PUSH 0 ; |Inheritable = FALSE
00401056 PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
0040105B CALL <JMP.&KERNEL32.OpenProcess> ; \OpenProcess
00401060 CMP EAX, 0
00401063 JE SHORT msgbox.00401082
00401065 MOV DWORD PTR SS:[EBP-0C], EAX
00401068 PUSH 0 ; /pBytesWritten = NULL
0040106A PUSH 4 ; |BytesToWrite = 4
0040106C PUSH DWORD PTR SS:[EBP+10] ; |Buffer = 7FFDF000
0040106F PUSH DWORD PTR SS:[EBP+0C] ; |Address = 0
00401072 PUSH DWORD PTR SS:[EBP-0C] ; |hProcess = 00000044 (window)
00401075 CALL <JMP.&KERNEL32.WriteProcessMemor>; \WriteProcessMemory
00401075 CALL <JMP.&KERNEL32.WriteProcessMemor>; \WriteProcessMemory



seems to work for me

hope it helped
Posted on 2005-01-31 10:44:50 by bluffer
Ratch,
It's not that I'm reluctant to use invoke, I use it regularly. I just want to become accustomed to pushing and calling manually.

Bluffer,
It still doesn't open the process for me; it's like it still isn't registering to pID or something.

Here's the code I am using. I invoke a message box after OpenProcess to see if it was able to open it, but it never receives a process handle.

WriteMemory proc lpWindow:DWORD,lpAddress:DWORD,lpValue:DWORD,lpSize:BYTE

LOCAL hWnd:HWND
LOCAL pID:DWORD
LOCAL pHandle:DWORD

mov pID,0
push lpWindow
push 0
call FindWindow
cmp eax,0
jz @end
mov hWnd,eax
lea eax,pID
push eax
push hWnd
call GetWindowThreadProcessId
push pID
push 0
push PROCESS_ALL_ACCESS
call OpenProcess
cmp eax,0
jz @end
mov pHandle,eax ; save the handle first: MessageBox also returns in eax and would overwrite it
invoke MessageBox,0,0,0,0
push 0
push 4
push lpValue
push lpAddress
push pHandle
call WriteProcessMemory
push pHandle
call CloseHandle
@end:
ret

WriteMemory endp
Posted on 2005-01-31 19:56:26 by BBS
Hi BBS,

I don't really know what's going wrong in your code because I haven't tried it myself, but from what I've read so far the code you've posted should do fine...

Have you looked at pID after GWTPID returns? What does OP return?
Forget that message box; single-step through the code and see what's going on!

What are you trying to do anyway? Looks like you're trying stuff you can't handle...
Maybe you need a whole different approach?

Give us some more info; the better the info, the better the help can be.

regards,
enodev
Posted on 2005-01-31 20:32:32 by enodev
Hey enodev,

This is my write engine for when I create my *** in MASM. (*** for PC games)

I understand what I'm doing; I have a lot of experience making *** in VB and C++, and in MASM (using the invoke macro for the API calls, of course).

This is just my first attempt of pushing, then calling the API.

FindWindow -
Locates the target window that I want to ***. After use, eax holds the window's handle if the window was found.

GetWindowThreadProcessId -
Once I have the window's handle, I proceed to get its process ID, so I can gain access to the process. The process ID will be returned in pID's argument.

OpenProcess -
Once I get the process ID, I can open the process. I pass 'PROCESS_ALL_ACCESS' for accessibility of it all. I could just get away with 'PROCESS_VM_WRITE' if I am only writing to memory. After use, eax holds the process handle if the process was found.

WriteProcessMemory -
Now I can write to the process through the process handle. I just need a target address and whatever value I find suitable for it. (This is where *** comes in, something separate from programming, unless you get into debugging.)

CloseHandle -
Don't want any memory leaks, close the target process handle.

Hope that helps you help me.
Posted on 2005-01-31 20:45:01 by BBS
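As an added example (not code posted in this thread, and not BBS's own engine), here is the five-step routine from the list above written entirely with manual push/call, showing the point Raymond made about the output parameter: what gets pushed for lpdwProcessId is the address of pID (lea/push), not its value, so the API writes the identifier through that pointer. Each return value is saved from EAX before any other call can overwrite it, the access mask is narrowed to what WriteProcessMemory documents as required (PROCESS_VM_WRITE and PROCESS_VM_OPERATION) instead of PROCESS_ALL_ACCESS, and the routine returns a success flag so the caller can inspect GetLastError when it fails. It assumes the MASM32 include files named at the top; lpSize is assumed to be a DWORD byte count rather than the BYTE used in the thread.

```asm
; Added example, not from the thread. Assumes the MASM32 package includes
; (windows.inc, kernel32.inc, user32.inc) and their import libraries.
.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

.code
; WriteMemory: copies lpSize bytes from lpValue to lpAddress inside the
; process that owns the top-level window titled lpWindow.
; Returns EAX nonzero on success, 0 on failure (call GetLastError right away).
WriteMemory proc lpWindow:DWORD, lpAddress:DWORD, lpValue:DWORD, lpSize:DWORD
    LOCAL hWnd:HWND
    LOCAL pID:DWORD
    LOCAL pHandle:HANDLE
    LOCAL bytesWritten:DWORD
    LOCAL result:DWORD

    mov result, 0
    mov pID, 0

    ; FindWindow(lpClassName = NULL, lpWindowName = lpWindow)
    ; stdcall: arguments are pushed right to left and the callee removes them.
    push lpWindow
    push 0
    call FindWindow
    test eax, eax
    jz @done
    mov hWnd, eax                   ; save the window handle before the next call

    ; GetWindowThreadProcessId(hWnd, lpdwProcessId)
    ; lpdwProcessId is an OUTPUT parameter: push the ADDRESS of pID.
    ; "push pID" would push its current value (0), i.e. a NULL pointer,
    ; and the API would simply not copy the identifier anywhere.
    lea eax, pID
    push eax
    push hWnd
    call GetWindowThreadProcessId
    cmp pID, 0
    je @done                        ; nothing was written through the pointer

    ; OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId)
    ; Least privilege: WriteProcessMemory needs PROCESS_VM_WRITE and
    ; PROCESS_VM_OPERATION, so request exactly those. A narrower mask is
    ; also less likely to be refused than PROCESS_ALL_ACCESS.
    push pID
    push FALSE
    push (PROCESS_VM_WRITE or PROCESS_VM_OPERATION)
    call OpenProcess
    test eax, eax
    jz @done                        ; EAX = 0: caller should read GetLastError now
    mov pHandle, eax                ; save the handle BEFORE any other API call touches EAX

    ; WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten)
    ; lpNumberOfBytesWritten is another by-address output parameter.
    lea eax, bytesWritten
    push eax
    push lpSize
    push lpValue
    push lpAddress
    push pHandle
    call WriteProcessMemory
    mov result, eax                 ; nonzero on success

    ; CloseHandle(hObject): release the process handle; result is already saved
    push pHandle
    call CloseHandle

@done:
    mov eax, result
    ret                             ; MASM emits the stdcall epilogue (ret 16)
WriteMemory endp
end                                 ; no entry point here: link with the module that defines one
```

Assemble with `ml /c /coff` and link it with the program that supplies the entry point and the call site. The variable name has nothing to do with who receives the value: the API only ever sees the 32-bit number that was pushed, so it must be a pointer for an output parameter and a plain value for an input one. When OpenProcess returns 0, call GetLastError immediately, before MessageBox or any other API runs, because a later call can replace the thread's last-error value (and, with invoke, EAX as well); ERROR_ACCESS_DENIED there means the target cannot be opened with the requested rights from this process, which no amount of stack juggling will change.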
Well, if you are depending on one message box to identify whether your code reached there or not, then you will keep on breaking your head and probably will never be able to solve it.

How do you know your FindWindow didn't fail (do you have a message box there)?

What guarantee can you have that it will never fail?
Get out a debugger and single-step through the code to find what is failing where.

Anyway, as I said, it works for me.



00401042 |.>MOV DWORD PTR SS:[EBP-4], EAX
00401045 |.>LEA EAX, DWORD PTR SS:[EBP-8]
00401048 |.>PUSH EAX ; /pProcessID = 0012FFB8
00401049 |.>PUSH DWORD PTR SS:[EBP-4] ; |hWnd = 0004004C ('Default IME',class='IME',parent=00080024)
0040104C |.>CALL <JMP.&USER32.GetWindowThreadProc>; \GetWindowThreadProcessId





0012FFA8 00401051 /CALL to GetWindowThreadProcessId from msgbox.0040104C
0012FFAC 0004004C |hWnd = 0004004C ('Default IME',class='IME',parent=00080024)
0012FFB0 0012FFB8 \pProcessID = 0012FFB8
0012FFB4 77E87900 RETURN to KERNEL32.77E87900 from ntdll.ZwSetInformationThread





0012FFA4 00401060 /CALL to OpenProcess from msgbox.0040105B
0012FFA8 001F0FFF |Access = PROCESS_ALL_ACCESS
0012FFAC 00000000 |Inheritable = FALSE
0012FFB0 00000308 \ProcessId = 308




0012FF9C 0040107A /CALL to WriteProcessMemory from msgbox.00401075
0012FFA0 00000044 |hProcess = 00000044 (window)
0012FFA4 00000000 |Address = 0
0012FFA8 7FFDF000 |Buffer = 7FFDF000
0012FFAC 00000004 |BytesToWrite = 4
0012FFB0 00000000 \pBytesWritten = NULL



So probably it must be some other fault.
Posted on 2005-02-01 04:43:20 by bluffer
Yeah, I already tried putting a message box after find window. The code runs up to open process and eax returns 0. Thanks anyways guys. I guess I will just have to keep messing around with this one.
Posted on 2005-02-01 19:40:50 by BBS
Hint: ask vanilla-flavoured questions; keep the details to yourself and you won't tread on any toes here...
Posted on 2005-02-02 07:26:32 by Homer
I wouldn't have mentioned it, but enodev said that more information about what the code is doing might help the support.
Posted on 2005-02-02 21:17:28 by BBS