Hello, I'm attempting to add a new feature in a DLL manually.  I've found a suitable "code cave" and to start off I replaced some code with a JMP far xxxxxxxx then at the end of my routine I placed the code I had overwritten then JMP back to where the could would normally resume. 

75977F61 JMP 75999130 ;this used to be mov edi, NTDLL.RtlInitUnicodeString
75977F66 NOP
75977F67 ;next code instruction
75999130 edi, NTDLL.RtlInitUnicodeString
75999136 JMP 75977F67

This is such a simple routine, I don't understand why it is crashing.  I would debug it but I am not able to do so as this runs before any user logs on.  I also thought that possibly, the "code cave" wasn't in the code section or didn't have page_execute properties but I rewrote an export entry and adjusted the jmps accordingly and it still crashes.
Posted on 2009-03-31 14:50:49 by GoldStar611
With modern computers and OS's, the JMP to a specific memory address is far from the ideal way to "patch" a program (or DLL) because its position in memory is not absolute. I would rather use a relative jump, or a CALL using a relative address. Replacing an instruction which refers to some other memory address should also be avoided. Find another block of bytes which can be replaced without any ambiguity.
Posted on 2009-03-31 21:12:12 by Raymond
Thanks for the reply.  I understand about dll relocations, and I went back into olly where I made the changes and looked at the bytes it was producing. The instruction came out to be E9 C (double), which is a relative jump.  I have also tried the call + ret method but it is still crashing.  I have this same style code in another part of the DLL and it works just fine:
75989ECC: Jmp 759990E2
75989ED1: nop, nop, nop
and at
759990E2: push push push...blah... pop pop pop (relocated original code from 75989ECC here)
7599912B: JMP 75989ED4

Is there anything else I should take into consideration?
Posted on 2009-04-01 09:43:56 by GoldStar611
This was just the weirdest thing.  Everytime I went to save changes in olly it would notify me that the OS would change jmps/calls etc and I'd just ok out of it.  I loaded the file in PEiD and found code caves from there (instead of by inspection) and now my jumps are working just fine and olly doesn't complain about relocated code and such.  Hopefully this helps somebody else and if anybody is wondering I added my code near the end of the .TEXT section.
Posted on 2009-04-02 10:54:05 by GoldStar611