I created a program that uses a DLL. The DLL debugs a program. What is the least intrusive way of replacing an API call within the debugged program with my own code from my DLL?

I was thinking of replacing the jump table entry, but my DLL is not in the program's memory space, so I don't think I can just give it a DWORD address it can call.

I also thought of replacing one of the program's DLLs with my own DLL and have my DLL load the replaced DLL. But that would mean that my DLL would have to export all the functions exported by the replaced DLL and I don't know what parameters those functions receive.

Do you guys have any suggestions?
Posted on 2002-01-03 19:48:44 by Hel
You don't necessarily have to know what parameters the other DLL's functions receive, as they are already on the stack, so pushing them back onto it isn't necessary.

For instance:

invoke MyFunc, param1, param2, param3

Is translated by masm to:

push param3 ; Stack - 4
push param2 ; Stack - 8
push param1 ; Stack - 12
call MyFunc ; Stack - 16

Function MyFunc then gets control, and all it needs to do is transfer execution with a jmp, leaving the stack, esp and ebp unchanged.

invoke GetProcAddress ,hMod,ADDR szMyFunc
jmp eax

(I think the above will work. I'm uncertain as to whether masm will compile the jmp, as it might require an indirect parameter or not accept 'eax' at all.)

The hard bit now is to get masm to build the export table of the DLL.
Posted on 2002-01-03 21:54:06 by huh
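huh's forwarding trick, worked into a complete wrapper DLL as an added example (this is not code from the thread): the wrapper takes the file name of the DLL it replaces, exports one function under the same name, and forwards every call to the renamed original with a tail jmp, so the caller's arguments are never touched and their number never has to be known. The names helper.dll, helper_orig.dll and DoWork are hypothetical, as is the build line. On huh's open question: MASM assembles `jmp eax` as a register-indirect jump (opcode FF E0) without any `dword ptr` form.

```asm
; wrapper.asm: hypothetical "helper.dll" stand-in that forwards DoWork to the
; original, renamed "helper_orig.dll" (added example, not code from the thread).
;
; wrapper.def gives the linker the export table huh mentions; every export the
; program actually imports from the original must be listed, or the loader
; refuses to start the program:
;   LIBRARY helper
;   EXPORTS
;       DoWork
;
; Build (assumed MASM32 layout):
;   ml /c /coff wrapper.asm
;   link /DLL /SUBSYSTEM:WINDOWS /DEF:wrapper.def wrapper.obj
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
szOrigDll   db "helper_orig.dll", 0   ; the renamed original DLL (assumed name)
szDoWork    db "DoWork", 0            ; the export we stand in for (assumed name)
pOrigDoWork dd 0                      ; cached address of the real DoWork
dwCalls     dd 0                      ; our own bookkeeping: how often it was called

.code
DllMain proc hInst:DWORD, dwReason:DWORD, lpReserved:DWORD
    mov eax, TRUE          ; nothing is loaded here: LoadLibrary inside DllMain
    ret                    ; runs under the loader lock, so we resolve lazily instead
DllMain endp

; No prologue/epilogue: the caller's arguments must stay exactly where the real
; DoWork expects them, so esp/ebp are never touched and the function ends in a
; jmp, not a call. Only caller-saved registers (eax, ecx, edx) are used.
option prologue:none
option epilogue:none
DoWork proc
    inc dwCalls                       ; our own code runs first
    mov eax, pOrigDoWork
    test eax, eax
    jnz forward
    ; First call: resolve the real function once. Explicit pushes rather than
    ; invoke/addr, so nothing can silently clobber eax between the two calls.
    push offset szOrigDll
    call LoadLibrary
    test eax, eax
    jz fatal
    push offset szDoWork
    push eax                          ; hModule returned by LoadLibrary
    call GetProcAddress
    test eax, eax
    jz fatal
    mov pOrigDoWork, eax              ; a race between two first callers stores the same value
forward:
    jmp eax                           ; tail-jump: the real DoWork returns straight to the program
fatal:
    ; There is no clean way out: under stdcall the callee pops the arguments,
    ; and we do not know how many there are, so a ret here would corrupt the stack.
    invoke ExitProcess, 1
DoWork endp
option prologue:prologuedef
option epilogue:epiloguedef
end DllMain
```

The wrapper must sit in the program's own directory under the original DLL's name, with the original renamed beside it; the forwarder resolves the original on first use rather than in DllMain because LoadLibrary from DllMain runs under the loader lock.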
If the program imports LoadLibrary, then you can use this to get your DLL into the program's address space and then use GetProcAddress to get your DLL's function address (assuming that is imported as well). Unfortunately this means you would have to alter the program so that it calls LoadLibrary with your DLL's name on the stack and calls GetProcAddress, not really very good if you have to do this for every program you want to debug.
Posted on 2002-01-03 23:04:55 by Quantum
Try elicz's apihooks. http://www.elicz.cjb.net/ He has functions that will hook APIs, inject DLLs into another process space, call functions of injected DLLs, etc. Yoda also has a similar library called forcelib. You can get it at http://y0da.teamunknown.com/. But if you want to have fun and try to do it yourself, the basic idea is this.
Use CreateProcess to launch the app suspended.
Save the thread's context structure.
Use ReadProcessMemory to save the initial code that will be replaced.
Use WriteProcessMemory to write code that will call LoadLibrary and load your DLL.
Run the code and catch either the eip, or an int 3 that you placed in your code.
Then reset its context (this will restore the original eip).
Use WriteProcessMemory to write back the original code.
Run the exe.
You now have a DLL loaded into another app's process space. (On the load of the DLL, do your API hooking there.)

There are other ways to do this as well, I can post some code if you'd like, but elicz's and yoda's libs do a fine job.

Posted on 2002-01-04 03:38:40 by prs
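The procedure prs lays out, as an added example in MASM32 syntax (not prs's code and not elicz's or y0da's libraries). It takes the "catch the eip" branch: the stub written over the main thread's first instructions ends in a `jmp $`, and the injector polls the suspended thread's context until eip parks there, so no debugger loop is needed. Assumptions, also marked in the code: 32-bit NT-family Windows, where the main thread's initial eip is reached only after ntdll has initialised the loader (so LoadLibraryA is safe to call from the stub) and kernel32 is mapped at the same base in every process (so the injector's own address of LoadLibraryA is valid in the target); masm32's windows.inc with its regEip naming for CONTEXT; and hypothetical paths for the target program and the DLL.

```asm
; inject.asm: launch a program suspended and make its main thread load our DLL
; before its own first instruction runs (added example, not code from the thread).
; Assumes 32-bit NT-family Windows and masm32's windows.inc (CONTEXT.regEip).
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

STUB_CODE equ 14          ; push imm32 (5) + mov eax,imm32 (5) + call eax (2) + jmp $ (2)
PARK_OFS  equ 12          ; offset of the jmp $ inside the stub

.data
szTarget  db "C:\target\game.exe", 0      ; hypothetical program to debug
szDll     db "C:\target\myhook.dll", 0    ; hypothetical DLL; full path, it is resolved in the target
szKernel  db "kernel32.dll", 0
szLoadLib db "LoadLibraryA", 0

.data?
si        STARTUPINFO <>
pi        PROCESS_INFORMATION <>
ctxSaved  CONTEXT <>                          ; original context, restored at the end
ctxNow    CONTEXT <>                          ; polled while the stub runs
stub      db (STUB_CODE + MAX_PATH) dup(?)    ; code followed by the DLL path
origCode  db (STUB_CODE + MAX_PATH) dup(?)    ; the bytes the stub overwrites
nStub     dd ?
nDone     dd ?

.code
start:
    ; 1. launch the target suspended
    mov si.cb, sizeof STARTUPINFO
    invoke CreateProcess, addr szTarget, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, \
                          NULL, NULL, addr si, addr pi
    test eax, eax
    jz fail
    ; 2. save the main thread's context; regEip is the first instruction that will run
    mov ctxSaved.ContextFlags, CONTEXT_FULL
    invoke GetThreadContext, pi.hThread, addr ctxSaved
    ; 3. build the stub:  push <remote addr of path> / mov eax, LoadLibraryA / call eax / jmp $ / path
    invoke GetModuleHandle, addr szKernel
    invoke GetProcAddress, eax, addr szLoadLib   ; same address in the target (kernel32 shares its base)
    mov ebx, eax
    mov edx, ctxSaved.regEip
    mov edi, offset stub
    mov byte ptr [edi], 68h                      ; push imm32 ...
    lea eax, [edx + STUB_CODE]                   ;   ... the path that follows the code, at its remote address
    mov dword ptr [edi+1], eax
    mov byte ptr [edi+5], 0B8h                   ; mov eax, imm32 ...
    mov dword ptr [edi+6], ebx                   ;   ... LoadLibraryA
    mov word ptr [edi+10], 0D0FFh                ; call eax  (FF D0)
    mov word ptr [edi+12], 0FEEBh                ; jmp $     (EB FE): parks the thread for us to catch
    invoke lstrcpy, offset stub + STUB_CODE, addr szDll
    invoke lstrlen, addr szDll
    add eax, STUB_CODE + 1
    mov nStub, eax
    ; 4. keep the original bytes, then overwrite them with the stub
    invoke ReadProcessMemory, pi.hProcess, ctxSaved.regEip, addr origCode, nStub, addr nDone
    invoke WriteProcessMemory, pi.hProcess, ctxSaved.regEip, addr stub, nStub, addr nDone
    invoke FlushInstructionCache, pi.hProcess, ctxSaved.regEip, nStub
    ; 5. run the stub and catch the thread once eip reaches the jmp $
    invoke ResumeThread, pi.hThread
poll:
    invoke Sleep, 10
    invoke SuspendThread, pi.hThread             ; a context is only trustworthy while the thread is suspended
    mov ctxNow.ContextFlags, CONTEXT_CONTROL
    invoke GetThreadContext, pi.hThread, addr ctxNow
    mov eax, ctxSaved.regEip
    add eax, PARK_OFS
    cmp ctxNow.regEip, eax
    je parked
    invoke ResumeThread, pi.hThread
    jmp poll
parked:
    ; 6. put the original code and context back; the DLL stays loaded and its DllMain has already run
    invoke WriteProcessMemory, pi.hProcess, ctxSaved.regEip, addr origCode, nStub, addr nDone
    invoke FlushInstructionCache, pi.hProcess, ctxSaved.regEip, nStub
    invoke SetThreadContext, pi.hThread, addr ctxSaved
    invoke ResumeThread, pi.hThread              ; 7. the program now starts as if nothing had happened
    invoke CloseHandle, pi.hThread
    invoke CloseHandle, pi.hProcess
    invoke ExitProcess, 0
fail:
    invoke ExitProcess, 1
end start
```

The 10 ms polling loop is the crude part. prs's other option, an `int 3` at the end of the stub caught through a WaitForDebugEvent loop, avoids the polling but keeps the injector attached to the target as its debugger. The API hooking itself belongs in the injected DLL's DllMain, which LoadLibraryA runs inside the target before the stub parks.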
Hi prs, please post that code to cleanly inject a DLL into another process's space.
I need it to make a process dispatcher for Windows 98.

I've tried to inject a DLL via SetWindowsHookEx, but it's a very dirty method and is error-prone.

Thanks a lot.
Posted on 2003-04-08 23:43:16 by r00t
There is also the CreateRemoteThread API function available on NT systems.
Posted on 2003-04-09 02:43:37 by Vortex
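Vortex's NT-only route, as an added example in MASM32 syntax (not code from the thread): instead of hijacking the main thread before it starts, the injector creates a new thread in an already running process whose start routine is LoadLibraryA and whose single argument is the DLL path, copied into the target beforehand. The target process id and the DLL path are hypothetical; the example assumes 32-bit NT-family Windows, where kernel32 sits at the same base in every process, so the injector's own address of LoadLibraryA is valid in the target.

```asm
; rthread.asm: load a DLL into a running process with CreateRemoteThread
; (added example, not code from the thread; NT-family only, as Vortex notes).
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
szDll     db "C:\target\myhook.dll", 0   ; hypothetical DLL; full path, it is resolved in the target
szKernel  db "kernel32.dll", 0
szLoadLib db "LoadLibraryA", 0
dwPid     dd 1234                         ; hypothetical target process id

.data?
hProc     dd ?
pRemote   dd ?
hThread   dd ?
hModule   dd ?
nLen      dd ?
nDone     dd ?

.code
start:
    ; 1. open the target with exactly the rights this path needs
    invoke OpenProcess, PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or \
                        PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ, FALSE, dwPid
    test eax, eax
    jz fail
    mov hProc, eax
    ; 2. copy the DLL path into the target's address space
    invoke lstrlen, addr szDll
    inc eax
    mov nLen, eax
    invoke VirtualAllocEx, hProc, NULL, nLen, MEM_COMMIT, PAGE_READWRITE
    test eax, eax
    jz fail
    mov pRemote, eax
    invoke WriteProcessMemory, hProc, pRemote, addr szDll, nLen, addr nDone
    ; 3. LoadLibraryA(LPCSTR) has the shape of a thread start routine (one DWORD in,
    ;    DWORD out, stdcall), and our own address of it is valid in the target because
    ;    kernel32 is mapped at the same base in every process
    invoke GetModuleHandle, addr szKernel
    invoke GetProcAddress, eax, addr szLoadLib
    invoke CreateRemoteThread, hProc, NULL, 0, eax, pRemote, 0, NULL
    test eax, eax
    jz fail
    mov hThread, eax
    ; 4. the thread's exit code is LoadLibraryA's return value: the HMODULE, or 0 on failure
    invoke WaitForSingleObject, hThread, INFINITE
    invoke GetExitCodeThread, hThread, addr hModule
    invoke VirtualFreeEx, hProc, pRemote, 0, MEM_RELEASE
    invoke CloseHandle, hThread
    invoke CloseHandle, hProc
    cmp hModule, 0
    je fail
    invoke ExitProcess, 0
fail:
    invoke ExitProcess, 1
end start
```

Reading the HMODULE back through the thread exit code only works for a 32-bit target, where the handle fits in the DWORD exit code. As with the suspended-process variant, the hooking work is done in the DLL's DllMain, which runs on the remote thread inside LoadLibraryA.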
I have a working example of DLL injection at my site, which was used to fix graphics errors in XCOM.
Posted on 2003-04-09 03:23:04 by f0dder
Thanks all for the help, especially f0dder.
I was able to embellish the SetWindowsHookEx method to make it really error-free in Windows 98.

I'll post my findings here soon.

Greets and thanks again.
Posted on 2003-04-09 03:26:16 by r00t