Papillon x-man
Joined: 28 Dec 2004 Posts: 1060 Location: Germany
Posted: Mon Jan 01, 2007 16:15
Madcodehook does something very similar. Since it is supposed to work with Vista as well, nothing was really changed here. IIRC, not all processes can write to the code section of foreign processes, and for example under Linux, you have to unprotect it before writes are allowed.
_________________
Papillon
chaoslink
Joined: 23 Aug 2006 Posts: 37
Posted: Mon Jan 01, 2007 19:42
Papillon wrote:
> Madcodehook does something very similar. Since it is supposed to work with Vista as well, nothing was really changed here. IIRC, not all processes can write to the code section of foreign processes, and for example under Linux, you have to unprotect it before writes are allowed.

What he said.
smellysocks
Joined: 05 Jan 2007 Posts: 3 Location: Toronto, Canada
Posted: Fri Jan 05, 2007 15:06
So, not to beat a dead horse, but is there anything in the way of 64 bit support?
I mean a beta hook, or anything at all that works?
Does anyone have any other solution at all?
chaoslink
Joined: 23 Aug 2006 Posts: 37
Posted: Fri Jan 05, 2007 21:27
Not in what I'm doing at all... If Microsoft has a 64-bit version of Detours, with source available like the 32-bit version, then what I'm working on may be of some use.
Papillon x-man
Joined: 28 Dec 2004 Posts: 1060 Location: Germany
Posted: Sat Jan 06, 2007 15:52
I was promised a 64-bit enabled version of madcodehook by its author, but haven't received anything yet. Guess I have to ping him again...
_________________
Papillon
virusman
Joined: 30 Jan 2005 Posts: 1020 Location: Russia
Posted: Sun Apr 08, 2007 0:05
Hello, Papillon.
I'm writing AssemblyHelper class that can find a function by its signature:
Code:
*(dword*)&pGetFaction = asmhelp.FindFunctionBySignature("55 89 E5 56 53 ** ** ** 8D 45 F4 50 8B 55 0C");
Upcoming features are: hooking, and a hook queue to allow multiple plugins to hook the same function.
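The signature lookup virusman describes above (a byte pattern with "**" wildcards, matched against the loaded code) comes down to a small pattern scanner. The following is an added example written for this thread, not virusman's AssemblyHelper class and not NWNX code. It assumes the same "**" wildcard token as the post (and also accepts "??"), it scans an in-memory buffer rather than a live process, and it adds the one check a practitioner wants before trusting a signature: that it matches exactly once, since a pattern that hits twice is too short to identify a function. The byte buffer is constructed for the demo and is not taken from nwserver.exe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One parsed signature token: either a fixed byte or a wildcard ("**" / "??"). */
typedef struct {
    uint8_t value;
    bool wildcard;
} sig_token;

/* Parse a two-character hex pair. Returns 1 on success, 0 on malformed input. */
static int parse_hex_byte(const char *p, uint8_t *out) {
    uint8_t v = 0;
    for (int i = 0; i < 2; i++) {
        char c = p[i];
        uint8_t nib;
        if (c >= '0' && c <= '9') nib = (uint8_t)(c - '0');
        else if (c >= 'a' && c <= 'f') nib = (uint8_t)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') nib = (uint8_t)(c - 'A' + 10);
        else return 0;
        v = (uint8_t)((v << 4) | nib);
    }
    *out = v;
    return 1;
}

/* Parse "55 89 E5 ** 8D" into tokens. Returns the token count, or -1 on a
 * malformed signature (odd-length token, bad hex digit) or too many tokens. */
int parse_signature(const char *sig, sig_token *tokens, size_t max_tokens) {
    size_t n = 0;
    const char *p = sig;
    while (*p) {
        while (*p == ' ') p++;          /* skip separators */
        if (!*p) break;
        if (n >= max_tokens) return -1;
        if ((p[0] == '*' && p[1] == '*') || (p[0] == '?' && p[1] == '?')) {
            tokens[n].wildcard = true;  /* any byte matches here */
            tokens[n].value = 0;
        } else {
            if (!parse_hex_byte(p, &tokens[n].value)) return -1;
            tokens[n].wildcard = false;
        }
        p += 2;
        if (*p && *p != ' ') return -1; /* every token is exactly two characters */
        n++;
    }
    return (int)n;
}

/* Does the signature match buf at offset off? (caller guarantees bounds) */
static bool match_at(const uint8_t *buf, size_t off, const sig_token *t, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!t[i].wildcard && buf[off + i] != t[i].value) return false;
    return true;
}

/* Offset of the first match of sig in buf, or -1 if absent or sig is malformed. */
long find_signature(const uint8_t *buf, size_t len, const char *sig) {
    sig_token tokens[64];
    int n = parse_signature(sig, tokens, 64);
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t off = 0; off + (size_t)n <= len; off++)
        if (match_at(buf, off, tokens, (size_t)n)) return (long)off;
    return -1;
}

/* Number of (possibly overlapping) matches; anything other than 1 means the
 * signature does not uniquely identify a function. Returns -1 when malformed. */
int count_signature_matches(const uint8_t *buf, size_t len, const char *sig) {
    sig_token tokens[64];
    int n = parse_signature(sig, tokens, 64);
    if (n <= 0) return -1;
    if ((size_t)n > len) return 0;
    int count = 0;
    for (size_t off = 0; off + (size_t)n <= len; off++)
        if (match_at(buf, off, tokens, (size_t)n)) count++;
    return count;
}

/* Constructed sample "code section": 8 bytes of padding, then a prologue that
 * the signature from the post should match (the *** bytes are sub esp,0x1c). */
const uint8_t sample_code[] = {
    0x90, 0x90, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00,   /* nop; nop; ret; padding     */
    0x55, 0x89, 0xE5, 0x56, 0x53,                     /* push ebp; mov ebp,esp;     */
                                                      /* push esi; push ebx         */
    0x83, 0xEC, 0x1C,                                 /* sub esp,0x1c (wildcarded)  */
    0x8D, 0x45, 0xF4, 0x50,                           /* lea eax,[ebp-0xc]; push eax*/
    0x8B, 0x55, 0x0C,                                 /* mov edx,[ebp+0xc]          */
    0xC9, 0xC3                                        /* leave; ret                 */
};

int main(void) {
    const char *sig = "55 89 E5 56 53 ** ** ** 8D 45 F4 50 8B 55 0C";
    long off = find_signature(sample_code, sizeof sample_code, sig);
    int hits = count_signature_matches(sample_code, sizeof sample_code, sig);
    printf("first match at offset %ld, %d match(es) total\n", off, hits);
    return (hits == 1) ? 0 : 1;
}
```

In a real plugin the buffer would be the module's code section (its base address and size from the PE headers), and the hook would only be installed when the match count is exactly one; a count of zero after a server patch is the usual signal that the signature needs updating rather than that the function is gone.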
Papillon x-man
Joined: 28 Dec 2004 Posts: 1060 Location: Germany
Posted: Mon Apr 09, 2007 22:30
I've recently written a similar function that finds the NWNX functions OE gave us in NWN2. But what I am missing is a way to load a DLL into the server process space, like LD_PRELOAD does on Linux.
Is there a way to do this without madcodehook? I haven't done any research on this, but maybe someone knows more?
_________________
Papillon
Gryphyn
Joined: 20 Jan 2005 Posts: 431
Posted: Mon Apr 09, 2007 23:34
Papillon wrote:
> I've recently written a similar function that finds the NWNX functions OE gave us in NWN2. But what I am missing is a way to load a DLL into the server process space, like LD_PRELOAD does on Linux.
> Is there a way to do this without madcodehook? I haven't done any research on this, but maybe someone knows more?

My understanding is...
Now that the NWNX functions have been exposed (exported?) you can use the Windows API hooking functions directly [kernel32]. (Previously you were hooking into a code address.)
MCH is a common wrapper around several hooking mechanisms, the Windows API amongst them.
It's all available on MSDN.
Cheers
Gryphyn
dumbo
Joined: 21 Aug 2005 Posts: 21
Posted: Tue Apr 10, 2007 2:50
Sample of inject code:
Code:
invoke OpenProcess, PROCESS_ALL_ACCESS, 1, PID ; pid of nwserver.exe
mov ebx, eax
invoke VirtualAllocEx, ebx, 0, dllnamesize, MEM_COMMIT, PAGE_READWRITE
mov esi, eax
invoke WriteProcessMemory, ebx, esi, offset dllname, dllnamesize, 0
invoke GetModuleHandleA, offset szKernel32name ; 'kernel32.dll',0
invoke GetProcAddress, eax, offset szLoadLibrary ; 'LoadLibraryA',0
invoke CreateRemoteThread, ebx, 0, 0, eax, esi, 0, 0
mov edi, eax
invoke WaitForSingleObject, eax, INFINITE
invoke CloseHandle, edi
invoke CloseHandle, ebx

But in our case the simplest way (and the most correct) is to call CreateProcess (nwserver.exe) with the CREATE_SUSPENDED flag or even DEBUG_PROCESS (which gives us exception control, for example), patch the process memory and ResumeThread.
P.S. I'm sorry for my Russian-English. I want to help you guys, but RL/work burns my time.
Grinning Fool
Joined: 12 Feb 2005 Posts: 264
Posted: Wed Apr 11, 2007 4:46
Gryph, those will only help to load a DLL into the current process, but not into an external process.
I seemed to recall that there was a registry key that can be used to preload a DLL into every process automatically. Some digging found the key, but it does preload for /all/ processes, so it is probably overkill:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Source: http://www.stanford.edu/~stinson/misc/curr_res/hooks/api_spy.txt
Outside of that, it looks like this will be your best bet:
http://www.codeproject.com/dll/DLL_Injection_tutorial.asp
_________________
Khalidine, a NWN2 persistent world
Looking for volunteers.
Papillon x-man
Joined: 28 Dec 2004 Posts: 1060 Location: Germany
Posted: Sun Apr 15, 2007 14:23
Thanks for those pointers guys, I'll look into them.
_________________
Papillon
MagnumMan
Joined: 01 Apr 2005 Posts: 8 Location: MA
Posted: Mon Apr 30, 2007 14:28
Why don't you just ask madshi for the 64-bit compatible madCHook.DLL? Amia is running on Win64 with it just fine...
Papillon x-man
Joined: 28 Dec 2004 Posts: 1060 Location: Germany
Posted: Mon Apr 30, 2007 22:02
I did, multiple times, but got nothing. Madcodehook should be a thing of the past as far as NWNX is concerned anyway, so it does not matter.
_________________
Papillon
Papillon x-man
Joined: 28 Dec 2004 Posts: 1060 Location: Germany
Posted: Sun May 06, 2007 12:19
Update: I've got this to a point where NWNX4 can work without madcodehook, by doing the hooking on my own.
Unfortunately, I have to start a new thread in the server process to load my DLL, and this means that I cannot use the DDE based IPC anymore (you can't have the same DDE connection in more than one thread). I will have to find other means to pass the nwnx base directory and the init command to the server. Maybe something like #pragma data_seg.
_________________
Papillon