revert Posted March 10, 2009
I made this library to help me out with all my tools. It contains a PE32/PE32Plus parser; some basic PE edit possibilities are included. A C# stream wrapper for ReadProcessMemory and WriteProcessMemory. A class to take memory snapshots of VM layout. A port of LibDasm. It's .NET code so really slow but easy to use. And the beginning of an x86/x64 IAT rebuilder. Most of the code is work in progress so there might be some bugs. Anyhow, you are free to use, modify and add as you please. Enjoy
Attachment: B_S.Framework.rar
Ufo-Pu55y Posted March 10, 2009
Nice share and handy reference for the future! thx
Malakai Posted May 2, 2009
This is awesome. Now all we need is a new CTOR for PEImage that takes an hModule... I'm combining a lot of your stuff with EasyHook, to make a full featured C# API Hijacker.
revert (Author) Posted May 3, 2009
@Malakai You mean read PE directly from memory? Sorry, haven't coded that in. You should be able to enumerate all modules in a process using this code snippet:

    // Enumerate the modules mapped into m_Process and parse each one from its file on disk
    List<BSProcessModule> modules = ProcessHelper.GetModules(m_Process);
    foreach (BSProcessModule module in modules)
    {
        PEImage pe = PEImage.ReadImage(module.FileName);
    }

Also take a look at this thread for a project that I made that uses the framework.
Malakai Posted May 3, 2009
Revert, yes I meant straight from memory. But after looking at my problem I don't think I need that really. I think the basics of your IAT implementation is all I need. I am a little confused at how grand-children modules are loaded into the process's VM. Let's say I have the following:

    Game.exe->(LoadLibrary)->Game.dll->(LoadLibrary)->DInput8.dll

I can hook anything in Game.exe pretty easily using stuff like EasyHook from C#. I went ahead and hooked LoadLibrary, and I can see it load "Game.dll". But here is where I'm not sure how to proceed. At first I hoped that my original hook into Kernel32.dll LoadLibrary would be called by any module mapped into my process space, but that appears to be wishful thinking. My hook handler for LoadLibrary never sees "DInput8.dll" get called. I can only assume that "Game.dll" has a distinct IAT descriptor for LoadLibrary and a distinct thunk from Game.exe's. So I need to redirect Game.dll's ThunkTable entry for LoadLibrary. Because I have Game.exe's LoadLibrary(), I know the hModule for Game.dll. This is its base address, no? With Game.dll's base addr I should be able to compute (and here's where I'm not positive again) the thunk table location and the row for its LoadLibrary() call. I can then patch it with my original LoadLibrary() hook address I use up in Game.exe. Your code has helped a bunch, but I'm still not quite there yet. I'm trying to figure out the pointer math to get from Game.dll hModule to Import Address Table - Kernel32.dll - LoadLibrary() VM Address.

My current guess:

    (Game.dll base addr) + (ThunkTableRVA) + (Ordinal Position of LoadLibrary * 4 bytes) == LoadLibrary FirstThunk?

I think I can ignore base relocation because I already know where Game.dll was loaded. Sound about right? Or am I missing something big.
thanks for the help,
-malakai
revert (Author) Posted May 3, 2009
From what you explain you want to catch the loading of DInput8.dll. Are you sure it does not get loaded by the Windows loader itself? Did you check the imports in game.dll? I'm pretty sure the Windows loader does not use LoadLibrary to load the dependencies.
revert
Malakai Posted May 3, 2009
Yes, my eventual goal is to hook a function that is exported by DInput8.dll and listed in the IAT for Game.dll. The hooking of LoadLibrary() is more an exploratory step. If I can hook the LoadLibrary() in that grand-child DLL, then I can hook the DInput8.dll CreateBlahBlahXXX function I really want. I think that Windows does use the LoadLibrary() call even for modules that are listed in the IAT section of a PE. At least, I see the LoadLibrary() call for certain DLLs that are clearly listed in the IAT. It could be coincidence; some tertiary DLL may be doing a dynamic invocation.
revert (Author) Posted May 3, 2009 (edited)
Well, after you receive the LoadLibrary from Game.dll I'm pretty sure DInput8.dll will be loaded as well. After that, parse the IAT and overwrite your entry. Sorry I can't be more helpful, cause I don't know the EasyHook library. Never used it before.
Edited May 4, 2009 by revert
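The pointer math Malakai asks about (module base + FirstThunk + index * pointer size) and revert's "parse the IAT" advice come down to walking the import directory the same way the loader does. The following is an added Python example, not code from B_S.Framework or from either poster: it constructs a minimal PE32 image in memory (sample data, laid out as if already mapped, so RVA == buffer offset), walks IMAGE_IMPORT_DESCRIPTOR -> OriginalFirstThunk (names/ordinals) -> FirstThunk (IAT slots), and returns the virtual address of the slot for a named import. It handles PE32+ (8-byte thunks) and ordinal imports, which the thread's "* 4 bytes" guess does not. The `check_iat` helper shows the defensive use of the same walk: comparing each slot against the address you expect the export to have, which is how IAT hooks of the kind discussed here are detected in a dumped module. The `expected` addresses passed to it are constructed placeholders, not real Kernel32 addresses.

```python
"""Locate an import's IAT slot in a PE32/PE32+ image and verify the slots.

Added example, not part of B_S.Framework. The sample image is constructed
inline; section mapping is still done via the section table so the same
code works on a file-layout image, not only a mapped one.
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def _u64(b, off):
    return struct.unpack_from("<Q", b, off)[0]


def _cstr(b, off):
    return b[off:b.index(b"\0", off)].decode("ascii")


def parse_headers(image):
    """Return (is_pe32plus, import_directory_rva, [(va, size, raw_ptr)...])."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = _u16(image, fh + 2)
    opt_size = _u16(image, fh + 16)
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER
    magic = _u16(image, opt)
    if magic == 0x10B:                     # PE32: DataDirectory at +96
        plus, dd = False, opt + 96
    elif magic == 0x20B:                   # PE32+: DataDirectory at +112
        plus, dd = True, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    import_rva = _u32(image, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(num_sections):
        s = opt + opt_size + 40 * i        # IMAGE_SECTION_HEADER, 40 bytes each
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, s + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return plus, import_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a buffer offset; identity for headers or a mapped image."""
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    return rva


def iter_imports(image):
    """Yield (dll, name_or_ordinal, index, iat_slot_rva) for every import."""
    plus, import_rva, sections = parse_headers(image)
    ptr, read = (8, _u64) if plus else (4, _u32)
    flag = IMAGE_ORDINAL_FLAG64 if plus else IMAGE_ORDINAL_FLAG32
    desc = rva_to_offset(import_rva, sections)
    while True:
        oft, _ts, _fwd, name_rva, fthunk = struct.unpack_from("<IIIII", image, desc)
        if fthunk == 0 and name_rva == 0:
            break                          # all-zero descriptor ends the array
        dll = _cstr(image, rva_to_offset(name_rva, sections))
        # INT carries the names; old linkers leave OriginalFirstThunk 0, so fall back to the IAT
        int_off = rva_to_offset(oft or fthunk, sections)
        i = 0
        while True:
            entry = read(image, int_off + i * ptr)
            if entry == 0:
                break
            if entry & flag:
                sym = int(entry & 0xFFFF)                            # import by ordinal
            else:
                sym = _cstr(image, rva_to_offset(entry, sections) + 2)  # skip 2-byte hint
            yield dll, sym, i, fthunk + i * ptr
            i += 1
        desc += 20


def find_iat_slot(image, base, dll, func):
    """Virtual address of the IAT slot for dll!func: base + FirstThunk + index * sizeof(ptr)."""
    for d, sym, _i, slot_rva in iter_imports(image):
        if d.lower() == dll.lower() and sym == func:
            return base + slot_rva
    raise KeyError("%s!%s is not imported" % (dll, func))


def check_iat(image, base, expected):
    """Return the 'dll!func' keys whose IAT slot differs from the expected export address."""
    plus, _rva, sections = parse_headers(image)
    read = _u64 if plus else _u32
    bad = []
    for dll, sym, _i, slot_rva in iter_imports(image):
        key = "%s!%s" % (dll.lower(), sym)
        if key in expected and read(image, rva_to_offset(slot_rva, sections)) != expected[key]:
            bad.append(key)
    return bad


def build_sample_pe32():
    """Constructed PE32 image (mapped layout): one .idata section, one descriptor for
    KERNEL32.dll importing LoadLibraryA, GetProcAddress and ordinal 42. Not a real binary."""
    img = bytearray(0x1400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 8, 0x1000, 40)       # import directory RVA, size
    sec = opt + 0xE0
    img[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x400, 0x1000, 0x400, 0x1000)
    struct.pack_into("<IIIII", img, 0x1000, 0x1100, 0, 0, 0x1180, 0x1300)  # descriptor
    img[0x1180:0x118D] = b"KERNEL32.dll\0"
    img[0x1200:0x120F] = b"\0\0LoadLibraryA\0"                   # hint + name
    img[0x1210:0x1221] = b"\0\0GetProcAddress\0"
    struct.pack_into("<IIII", img, 0x1100, 0x1200, 0x1210, IMAGE_ORDINAL_FLAG32 | 42, 0)
    # IAT as the loader would leave it; the addresses are constructed sample values
    struct.pack_into("<IIII", img, 0x1300, 0x7C801D7B, 0x7C80AE40, 0x7C80B000, 0)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_pe32()
    print(hex(find_iat_slot(img, 0x10000000, "kernel32.dll", "LoadLibraryA")))
    print(check_iat(img, 0x10000000, {"kernel32.dll!GetProcAddress": 0xDEADBEEF}))
```

Against a module read out of a live process, `image` would be the bytes at hModule (the mapped layout), so `rva_to_offset` becomes the identity and the slot address is simply hModule + FirstThunk + index * pointer size; base relocations do not enter into it because FirstThunk is an RVA. On a 64-bit module the index is scaled by 8, not 4.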