Posted: Fri Apr 03, 2009 3:21 pm Post subject: reworked WritePointer..working(tested) |
Bear in mind that the code here is preliminary and is subject to change and bug fixes constantly... (all edits to the code will remain here in this post..)
typedef struct _WRITEPOINTERS
{
    /* Pointer-chain write descriptor filled by _SetPointer and consumed by _WritePointer. */
    ULONG_PTR WriteBuffer;   /* value _WritePointer stores at the resolved address (the pointer value itself) */
    UINT_PTR WriteLength;    /* byte count recorded by _SetPointer; _WritePointer as posted never reads it */
    ULONG_PTR BaseAddress;   /* start of the pointer chain */
    BOOL ReadBase;           /* TRUE: _WritePointer dereferences BaseAddress before adding Offset[0] */
    ULONG_PTR Offset[10];    /* chain offsets; _WritePointer walks until it finds OFFSET_END */
    BOOL ReadOffset[10];     /* per level: TRUE makes _WritePointer read through the running pointer */
}WRITEPOINTERS,*pWRITEPOINTERS;
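__checkReturn BOOL _SetPointer(__out pWRITEPOINTERS PtrWriter,__in_bcount(bLength) ULONG_PTR Buffer,__in UINT_PTR bLength,__in ULONG_PTR ulBase,__in BOOL ReadBase,__in ULONG_PTR Offset,__in BOOL ReadOffset,...)
{
    /*
     * Fill a WRITEPOINTERS descriptor from the explicit arguments plus a
     * variadic list of (offset, read-flag) pairs terminated by OFFSET_END.
     *
     * PtrWriter  - receives the descriptor. It is not written until every
     *              scalar argument has been validated, so a FALSE return
     *              from those checks leaves it untouched.
     * Buffer     - address of the data to write; must be neither 0 nor
     *              OFFSET_END.
     * bLength    - byte count of Buffer; same restriction.
     * ulBase     - start of the pointer chain; same restriction.
     * ReadBase   - TRUE to dereference ulBase before adding Offset; only
     *              TRUE or FALSE is accepted.
     * Offset / ReadOffset - first (offset, flag) pair; ReadOffset must be
     *              TRUE or FALSE.
     * ...        - further pairs, each passed as two ULONG_PTR values
     *              "offset, flag" (flag 0 or 1), ending with one OFFSET_END.
     *
     * The OFFSET_END terminator is stored into Offset[] so that a reader
     * walking the array can find the end; the array therefore holds at most
     * (array length - 1) offsets. Returns TRUE on success, FALSE when an
     * argument is rejected, when a variadic flag is not 0/1, or when the
     * list does not fit (terminator included). Note that the variadic list
     * must really end with OFFSET_END: without it va_arg reads beyond the
     * supplied arguments, which is undefined behavior.
     */
    va_list pArguments;
    UINT_PTR i = 0;
    UINT_PTR cOffsets = 0;
    ULONG_PTR ulTemp = 0;
    ULONG_PTR blTemp = 0;
    BOOL bRet = FALSE;

    if (PtrWriter == NULL)
        return FALSE;
    /* Either sentinel value would make the descriptor ambiguous downstream. */
    if (Buffer == 0 || Buffer == OFFSET_END)
        return FALSE;
    if (bLength == 0 || bLength == OFFSET_END)
        return FALSE;
    if (ulBase == 0 || ulBase == OFFSET_END)
        return FALSE;
    /* BOOL is an int: reject anything that is not exactly TRUE/FALSE. */
    if (ReadBase != FALSE && ReadBase != TRUE)
        return FALSE;
    if (ReadOffset != FALSE && ReadOffset != TRUE)
        return FALSE;

    PtrWriter->WriteBuffer = Buffer;
    PtrWriter->WriteLength = bLength;
    PtrWriter->BaseAddress = ulBase;
    PtrWriter->ReadBase = ReadBase;
    PtrWriter->Offset[0] = Offset;
    PtrWriter->ReadOffset[0] = ReadOffset;

    /* Offset is a real array member, so sizeof gives its element count. */
    cOffsets = (UINT_PTR)(sizeof PtrWriter->Offset / sizeof PtrWriter->Offset[0]);

    va_start(pArguments, ReadOffset);
    for (i = 1; i < cOffsets; i++) {
        ulTemp = va_arg(pArguments, ULONG_PTR);
        if (ulTemp == OFFSET_END) {
            /* Keep the terminator inside the array so readers can stop on it. */
            PtrWriter->Offset[i] = OFFSET_END;
            PtrWriter->ReadOffset[i] = FALSE;
            bRet = TRUE;
            break;
        }
        blTemp = va_arg(pArguments, ULONG_PTR);
        if (blTemp != 0 && blTemp != 1) {
            /* Malformed pair: a flag slot holding something other than 0/1. */
            bRet = FALSE;
            break;
        }
        PtrWriter->Offset[i] = ulTemp;
        PtrWriter->ReadOffset[i] = (blTemp != 0) ? TRUE : FALSE;
    }
    /* Falling out of the loop means the terminator never arrived in time: bRet stays FALSE. */
    va_end(pArguments);
    return bRet;
}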
so upon success of SetPointer, one can then pass the outgoing structure to WritePointer. Here is the code for WritePointer.. in the future I am hoping to add a bounds checker to this code, but I want to make sure that the code works and is robust enough to be of some value to the users of this forum..
__checkReturn BOOL _WritePointer(__in WRITEPOINTERS WriteOffset)
{
    /*
     * Walk the pointer chain described by WriteOffset inside the current
     * process and store WriteOffset.WriteBuffer -- the pointer value itself,
     * not the bytes it points to; WriteLength is never read here -- at the
     * resolved address, temporarily changing page protection when needed.
     *
     * Returns TRUE once a store was performed, FALSE when VirtualQuery or
     * the first VirtualProtect fails, or when any access faults (the SEH
     * handler at the bottom swallows the exception and returns FALSE).
     *
     * NOTE(review): the walk stops only when it finds OFFSET_END in
     * WriteOffset.Offset[]; nothing bounds i to the array's 10 entries, so a
     * descriptor without the terminator reads past the array.
     */
    ULONG oProt = 0,oProtect = 0;
    ULONG_PTR ulTemp = 0,WriteCache = 0,ulAddress = 0;
    BOOL bRet = FALSE;
    MEMORY_BASIC_INFORMATION mbi = {0};
    ULONG_PTR iOffset = 0;
    UINT_PTR i = 0;
    __try
    {
        ulTemp = WriteOffset.BaseAddress;
        /* Optionally dereference the base before applying the first offset. */
        ulTemp = (WriteOffset.ReadBase == TRUE) ? *(ULONG_PTR*)ulTemp :ulTemp;
        do
        {
            iOffset = WriteOffset.Offset[i];
            /* ulAddress: the slot for this level, running pointer plus offset. */
            ulAddress = ulTemp+iOffset;
            /* NOTE(review): the cast/dereference binds tighter than '+', so
             * this reads at ulTemp and adds iOffset to the value read; the
             * ulAddress computed just above is not what is read. Confirm
             * which of the two was intended. */
            ulTemp = (WriteOffset.ReadOffset[i] == TRUE) ? *(ULONG_PTR*)ulTemp+iOffset : ulTemp+iOffset;
            i++;
        }while(WriteOffset.Offset[i] != OFFSET_END);   /* no upper bound on i */
        memset(&mbi,0,sizeof(MEMORY_BASIC_INFORMATION));
        if(VirtualQuery((LPCVOID)ulAddress,&mbi,sizeof(mbi)) > 0)
        {
            /* NOTE(review): AllocationProtect is the protection given when the
             * region was first allocated; the current protection is mbi.Protect. */
            if(mbi.AllocationProtect & PAGE_EXECUTE_READWRITE)
            {
                WriteCache = WriteOffset.WriteBuffer;
                /* Stores through ulTemp here but through ulAddress in the
                 * branch below; the two differ whenever the last ReadOffset
                 * flag is TRUE. */
                *(ULONG_PTR**)ulTemp = (ULONG_PTR*)WriteCache;
            }
            else
            {
                /* NOTE(review): RegionSize is measured from mbi.BaseAddress,
                 * not from ulAddress, so this range may run past the region. */
                if(VirtualProtect((LPVOID)ulAddress,mbi.RegionSize,PAGE_EXECUTE_READWRITE,&oProtect))
                {
                    WriteCache = WriteOffset.WriteBuffer;
                    *(ULONG_PTR**)ulAddress = (ULONG_PTR*)WriteCache;
                    /* Both branches return TRUE: a failure to restore the
                     * original protection is not reported to the caller. */
                    if(VirtualProtect((LPVOID)ulAddress,mbi.RegionSize,mbi.AllocationProtect,&oProt))
                    {
                        bRet = TRUE;
                        return bRet;
                    }
                    else
                    {
                        bRet = TRUE;
                        return bRet;
                    }
                }
                else
                {
                    return bRet;
                }
            }
        }
        else
        {
            return bRet;
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER) {
        /* Any access violation during the walk or the store ends here with FALSE. */
        return bRet;
    }
    return bRet;
}
I'm also aiming for 32- and 64-bit compatibility, so any mistakes or little tricks that you guys know and that you could provide would be greatly appreciated.
Here is the test case :] it replaces a string in kernel32 at offset kernel32base+0x2de8, which should be the string L"Users", and replaces it with L"somedll.dll"...
int _main(void)
{
    /*
     * Test driver: builds a one-level descriptor for the current process's
     * kernel32 image and hands it to _WritePointer.
     *
     * NOTE(review): this calls SetPointer, while the function posted above is
     * named _SetPointer -- as posted, the two names do not match.
     * NOTE(review): the variadic list carries no OFFSET_END terminator, yet
     * _SetPointer keeps calling va_arg until it sees one, so the call reads
     * arguments that were never supplied.
     * NOTE(review): wcslen() returns a count of wchar_t, while bLength is
     * annotated __in_bcount (a byte count).
     */
    WRITEPOINTERS cWP = {OFFSET_END};   /* initializes WriteBuffer only; remaining members are zero */
    wchar_t * szFile = L"somedll.dll";
    if(SetPointer(&cWP,(ULONG_PTR)szFile,(ULONG_PTR)wcslen(szFile),(ULONG_PTR)GetModuleHandleA("kernel32.dll"),0,0x2de8,1))
    {
        /* __checkReturn result discarded: a failed write is not reported. */
        _WritePointer(cWP);
    }
    return 0;
}