okaydoit Posted August 17, 2017 Posted August 17, 2017 hello i want know how i can fix this code program loader; uses Windows, Messages; {$R Loader.RES} var si : Startupinfo; pi : Process_Information; NewData : array[0..1] of byte = ($90,$90); NewDataSize : DWORD; Bytesread : DWORD; Olddata : array[0..1] of byte; begin NewDataSize := sizeof(newdata); IF CreateProcess(nil,'Example.exe',nil,nil,FALSE, ; >>>>>>>>>>>********** here its like loader work i neeed change this place to run from memeory mean program is run it fully then run this code and patch prog like > i think need put GetProcessName from memeory Create_Suspended,nil,nil,si,pi) = true then begin ReadProcessMemory(pi.hprocess,Pointer($403CEA),@olddata,2,bytesread); if (olddata[0] = $75) and (olddata[1] = $19) then begin WriteProcessMemory(pi.hProcess, Pointer($403CEA), @NewData, NewDataSize, bytesread); ResumeThread(pi.hThread); end else begin Messagebox(0,pchar('Bytes not found! Wrong version?...'),pchar('Error'),mb_iconinformation); TerminateProcess(PI.hProcess,0); end; CloseHandle(pi.hProcess); CloseHandle(PI.hThread); end; end.
evlncrn8 Posted August 17, 2017 Posted August 17, 2017 If the process is already running, use OpenProcess. 2
LCF-AT Posted August 17, 2017 Posted August 17, 2017 Hi, if you just want to patch the bytes after the target has fully started, then don't use the Create_Suspended flag and the Resume API. You could also use the Sleep API to wait a few seconds before you start to read / write the bytes. Next, you should read the base address of your created process and use it with the RVA for the check and patch addresses instead of using static VAs (a static VA is only valid if the image is loaded at the same base every time), and VirtualProtectEx too if needed. Or, if you just want to patch the bytes from an external location / file while your app is already running, then use OpenProcess as evlncrn8 already said. greetz 1
okaydoit Posted August 17, 2017 Author Posted August 17, 2017 Thanks a lot. My app is already running, so I need OpenProcess now? Can you post code? Thanks a lot
okaydoit Posted August 17, 2017 Author Posted August 17, 2017 It's the same as my code. I need to know: example.exe is now fully running and I need to patch one byte, so I need to do a memory write — check the process memory, read it, write my bytes and patch it. How do I fix this in my Delphi code? Because my code is like a loader (dup2): it runs the software first, then searches... and patches, and that is my problem.
okaydoit Posted August 17, 2017 Author Posted August 17, 2017 (edited) Dear LCF, can you write the code you described: @@dont use Create_Suspended flag & Resume API.So you could also use a Sleep API to wait some seconds before you start to read / write the bytes.As next you should read the base address of your created process and using it with the RVA check & patch addresses instead to use static VA's and VirtualP@@ and also the OpenProcess one? Can you write code for both? Thanks Edited August 17, 2017 by okaydoit
LCF-AT Posted August 17, 2017 Posted August 17, 2017 Hi again, first you need to decide what you want to do. Do you want to create a loader file that starts your target and patches it, or do you want to build an external file that checks for your running target and patches it if found? You can use OpenProcess / EnumProcessModules to get the base address of your target and then add your patch RVA to the base to get the VA address. Once you have it, you can check via ReadProcessMemory for the original byte opcode and, if found, use WriteProcessMemory to write your byte(s) at that VA address. That's all so far. Just experiment a little if you code in Delphi. greetz 1
LCF-AT Posted August 17, 2017 Posted August 17, 2017 Here I made a small quick simple example code.It starts your file and does wait 2 seconds before it does patch.Just try this now. .data FILENAME db "12345.exe",0h ; <---- target filename to start MI MODULEINFO <> PATCH db 0C3h ; <---- One byte patch .data? STARTUP STARTUPINFO <> PI PROCESS_INFORMATION <> MB MEMORY_BASIC_INFORMATION <> BUFFER db ? OLDPROTECT dd ? .code mov STARTUP.STARTUPINFO.cb ,sizeof STARTUPINFO invoke CreateProcess,offset FILENAME,NULL,NULL,NULL,FALSE,NULL,NULL,NULL,addr STARTUP,addr PI .if eax != 0h invoke Sleep,2000 ; Wait 2 seconds invoke OpenProcess,PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,NULL,PI.PROCESS_INFORMATION.dwProcessId .if eax != 0h mov edi,eax invoke GetModuleInformation,edi,NULL,addr MI,sizeof MODULEINFO .if eax != 0h invoke VirtualQueryEx,edi,MI.MODULEINFO.EntryPoint,addr MB,sizeof MEMORY_BASIC_INFORMATION .if eax != 0h invoke CloseHandle,edi mov esi,MB.MEMORY_BASIC_INFORMATION.AllocationBase ; Base VA add esi,0Ah ; RVA address of check / patch invoke VirtualProtectEx,PI.PROCESS_INFORMATION.hProcess,esi,sizeof BUFFER,PAGE_EXECUTE_READWRITE,addr OLDPROTECT .if eax != 0h LOOPS: invoke ReadProcessMemory,PI.PROCESS_INFORMATION.hProcess,esi,addr BUFFER,sizeof BUFFER,NULL .if eax != 0h .if BUFFER == 00 ; Check for byte xy invoke WriteProcessMemory,PI.PROCESS_INFORMATION.hProcess,esi,addr PATCH,sizeof PATCH,NULL .if eax != 0h ; Restore old Protect invoke VirtualProtectEx,PI.PROCESS_INFORMATION.hProcess,esi,sizeof BUFFER,OLDPROTECT,addr OLDPROTECT invoke MessageBox,NULL,chr$("File was Patched!"),chr$("Info!"),MB_ICONINFORMATION .else invoke MessageBox,NULL,chr$("WriteProcessMemory failed!"),chr$("Problem!"),MB_ICONWARNING .endif .else jmp LOOPS .endif .else invoke MessageBox,NULL,chr$("ReadProcessMemory failed!"),chr$("Problem!"),MB_ICONWARNING .endif .else invoke MessageBox,NULL,chr$("VirtualProtectEx failed!"),chr$("Problem!"),MB_ICONWARNING .endif .else invoke CloseHandle,edi 
invoke MessageBox,NULL,chr$("VirtualQueryEx failed!"),chr$("Problem!"),MB_ICONWARNING .endif .else invoke CloseHandle,edi invoke MessageBox,NULL,chr$("GetModuleInformation failed!"),chr$("Problem!"),MB_ICONWARNING .endif .else invoke MessageBox,NULL,chr$("Can't open process!"),chr$("Problem!"),MB_ICONWARNING .endif .else invoke MessageBox,NULL,chr$("Can't create process!"),chr$("Problem!"),MB_ICONWARNING .endif invoke ExitProcess, NULL greetz 2
okaydoit Posted August 17, 2017 Author Posted August 17, 2017 Thanks again LCF-AT. I need exactly this: ***************** "build an external file that checks for your running target and patches it" ************** Can you show in my code what I need to do? Thanks again and sorry for wasting your time
LCF-AT Posted August 17, 2017 Posted August 17, 2017 Hi, in your code above.... change Create_Suspended to NULL.After that insert a Sleep API with few seconds to wait.Now the question is whether its needed for your target to read the actually base address or not.If not then you can use your direct VA addresses as in your code above.Otherwise you have to read the base and add your patch RVA address. Something like that.... begin NewDataSize := sizeof(newdata); IF CreateProcess(nil,'Example.exe',nil,nil,FALSE,NULL,nil,nil,si,pi) = true then begin Sleep 2000 ReadProcessMemory(pi.hprocess,Pointer($403CEA),@olddata,2,bytesread); if (olddata[0] = $75) and (olddata[1] = $19) then begin WriteProcessMemory(pi.hProcess, Pointer($403CEA), @NewData, NewDataSize, bytesread); end else begin Messagebox(0,pchar('Bytes not found! Wrong version?...'),pchar('Error'),mb_iconinformation); TerminateProcess(PI.hProcess,0); end; CloseHandle(pi.hProcess); CloseHandle(PI.hThread); end; end. ....anyway,so just write it new in your Delphi language app etc.On the other hand just use my code I did post above and just enter your RVA address / checking byte / patch byte and try it. greetz
okaydoit Posted August 17, 2017 Author Posted August 17, 2017 Thanks again. I added the sleep call Sleep(9000); but it creates the process and does not open the program >>> it just waits 9 seconds and only then runs the program, which is bad. I need it to open the program fully and then, after 9 seconds, apply the patch. Note: when I run example.exe, then attach to it in OllyDbg from memory and patch the place, the software works fully.
LCF-AT Posted August 17, 2017 Posted August 17, 2017 Here a small example file you can check also in Olly.Only thing you have to do is to enter your target name (12345.exe to else).The patch does patch 2 nops at RVA 3CEA.If this is your address and you only need to patch 2 nops then you just need to change the name only or also increase sleep value if you need.Just check this out also in Olly. Enter filename of target in Olly and save... 00403000 31 32 33 34 35 2E 65 78 65 00 00 00 00 00 00 00 12345.exe....... Enter your patch bytes.... 00403028 90 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .............. Sleep is set to 3 seconds 00401034 PUSH 0xBB8 ; /Timeout = 3000. ms 00401039 CALL 004011CC ; \Sleep 00401098 ADD ESI,0x3CEA ; <--- RVA address of your patch Change BytesToWrite value to more or less / depends on your patch bytes etc 004010B7 PUSH 0x0 ; /pBytesWritten = NULL 004010B9 PUSH 0x2 ; |BytesToWrite = 0x2 004010BB PUSH 0x403028 ; |Buffer = bones.00403028 004010C0 PUSH ESI ; |Address = 0x0 004010C1 PUSH DWORD PTR DS:[0x403248] ; |hProcess = NULL 004010C7 CALL 004011E4 ; \WriteProcessMemory PS: I remvoed ReadProcessMemory API so if you wait long enough then it should be fine.Just make some test. greetz Loader.rar 1
okaydoit Posted August 17, 2017 Author Posted August 17, 2017 (edited) Solved it, thank you a lot Edited August 17, 2017 by okaydoit Solved, thanks
victoria Posted September 16, 2023 Posted September 16, 2023 On 8/17/2017 at 12:58 PM, okaydoit said: Solved it thanks you a lot Can you upload your Delphi code?