Thanks!
---------- Post added at 02:06 AM ---------- Previous post was at 01:57 AM ----------
I think I will add that hooking method tomorrow. How do you know the offsets of stuff in the VTable? Was this reverse engineered by someone and/or is it dependent on the source code layout?
So I am pretty much going to copy your example and put your name in the code/docs somewhere, if you don't mind.

So tear the pieces from the bone,
Originally Posted by Jeremy S. Anderson
Like you've torn us apart.
We build bridges, just for burning
++Latest Projects++
[Open Source] Injection Library
Simple PE Cipher
FilthyHooker - Simple Hooking Class
CLR Injector - Inject .NET dlls with ease
Simple Injection - An in-depth look
MPGH's .NET SDK
eJect - Simple Injector
Basic PE Explorer (BETA)
Thanks, noted.
---------- Post added at 03:28 AM ---------- Previous post was at 02:26 AM ----------
So, do you want me to put a last name or some other handle? Because "Jason" is very vague.

You can get the indices from d3d9.h, just count the amount of functions before the one you want to hook.
Ah we-a blaze the fyah, make it bun dem!
Copy the sections of a dll file into a piece of memory for safe keeping, then unload the dll from memory. Then put everything back: hidden dll's!
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
If you unload the DLL doesn't it remove the entry from Ldr data? I suppose in the case of an injected DLL this is fine though... I will look at this
---------- Post added at 05:28 PM ---------- Previous post was at 05:28 PM ----------
On second thought, I could just remove the entry from Ldr data manually to achieve the same effect.
Even better, I loaded the DLL, and then removed it from the PEB->LdrData. So other things trying to find DLLs loaded into the target process won't see the one we injected. I implemented this as part of Injex and tests were all positive
http://www.mpgh.net/forum/31-c-c-pro...ml#post5891321
Figured someone else posted it.... anyways, this unlinks from OUTSIDE the target process. So, while the idea isn't unique, the method is somewhat less common.
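The unlinking discussed above leaves a footprint a defender can look for: a DLL that was loaded with LoadLibrary and then removed from the PEB->Ldr lists is still mapped from a SEC_IMAGE section, so its pages stay MEM_IMAGE even though no module-list walker reports it. The following is an added example written for this edit, not code from the thread or from Injex; it cross-checks the loader's module list (which is what Process.Modules walks) against the address space and reports image allocations with an "MZ" header that the list does not know about. It assumes the standard kernel32 imports shown, a scanner built for the same bitness as the target, and a handle with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ rights.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Defender-side check: find committed MEM_IMAGE allocations in a target process
// that carry a PE header but are missing from the loader's module list.
public static class HiddenModuleScan
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_VM_READ = 0x0010;
    const uint MEM_COMMIT = 0x1000;
    const uint MEM_IMAGE = 0x1000000;

    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

    // Returns the allocation bases of PE images that the loader does not list.
    public static List<IntPtr> FindUnlistedImages(int pid)
    {
        // Process.Modules is populated from the PEB->Ldr lists, so an unlinked DLL is absent here.
        var listed = new HashSet<long>();
        foreach (ProcessModule m in Process.GetProcessById(pid).Modules)
            listed.Add(m.BaseAddress.ToInt64());

        var hidden = new List<IntPtr>();
        IntPtr hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (hProc == IntPtr.Zero)
            throw new InvalidOperationException("OpenProcess failed: " + Marshal.GetLastWin32Error());
        try
        {
            long address = 0;
            int size = Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
            MEMORY_BASIC_INFORMATION mbi;
            // Walk every region of the target address space until VirtualQueryEx fails.
            while (VirtualQueryEx(hProc, new IntPtr(address), out mbi, new IntPtr(size)) != IntPtr.Zero)
            {
                bool firstRegionOfAllocation = mbi.BaseAddress == mbi.AllocationBase;
                if (firstRegionOfAllocation && mbi.State == MEM_COMMIT && mbi.Type == MEM_IMAGE
                    && !listed.Contains(mbi.AllocationBase.ToInt64()))
                {
                    // Confirm it really is a PE image: the allocation starts with the "MZ" magic.
                    byte[] magic = new byte[2];
                    IntPtr read;
                    if (ReadProcessMemory(hProc, mbi.AllocationBase, magic, new IntPtr(2), out read)
                        && magic[0] == (byte)'M' && magic[1] == (byte)'Z')
                        hidden.Add(mbi.AllocationBase);
                }
                long next = mbi.BaseAddress.ToInt64() + mbi.RegionSize.ToInt64();
                if (next <= address) break; // guard against wrap-around at the top of the address space
                address = next;
            }
        }
        finally { CloseHandle(hProc); }
        return hidden;
    }

    public static void Main(string[] args)
    {
        int pid = int.Parse(args[0]);
        foreach (IntPtr b in FindUnlistedImages(pid))
            Console.WriteLine("image at 0x{0:X} is not in the module list", b.ToInt64());
    }
}
```

Run it as `HiddenModuleScan.exe <pid>`. An empty result means every MEM_IMAGE allocation with a PE header is accounted for by the loader. Two caveats: a module mapped with LOAD_LIBRARY_AS_IMAGE_RESOURCE is also image-backed and has no Ldr entry, so it is a benign hit that should be whitelisted, and a DLL that was manually mapped instead of LoadLibrary'd lands in MEM_PRIVATE memory and needs a different check (scanning private executable regions for PE headers).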
Damn it lol... :/
Well, mine wasn't designed to cloak a remote dll, just to get a module's load count from the PEB data. I think it was for an injector I was writing or something.
Lawl stop writing injectors for .NET hahaha
---------- Post added at 12:39 AM ---------- Previous post was at 12:37 AM ----------
Oh and I'm going to put his code in Injex too... why not, as long as I credit the guy?
---------- Post added at 12:51 AM ---------- Previous post was at 12:39 AM ----------
On second thought, his stuff is really incompatible with Injex, I will have to change it a LOT. But he will still get reference, cause I didn't write the one where it unlinks from within the target process.
Haha I wrote a few WinAPI functions for external use at some point in C#. Fun Fun Fun.
BEJELLY!

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class RemoteExports
{
    // ReadRemoteMemory and StringFromPTR were not included in the post; these
    // minimal ReadProcessMemory wrappers are supplied so the snippet compiles.
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool ReadProcessMemory(int hProcess, uint lpBaseAddress,
        byte[] lpBuffer, uint nSize, out uint lpNumberOfBytesRead);

    private static byte[] ReadRemoteMemory(int hProc, uint address, uint size)
    {
        byte[] buf = new byte[size];
        uint read;
        return ReadProcessMemory(hProc, address, buf, size, out read) && read == size ? buf : null;
    }

    // Reads a NUL-terminated ASCII export name from the remote image in small chunks.
    private static string StringFromPTR(int hProc, uint address)
    {
        StringBuilder sb = new StringBuilder();
        for (;;)
        {
            byte[] chunk = ReadRemoteMemory(hProc, address, 16);
            if (chunk == null) break;
            int nul = Array.IndexOf(chunk, (byte)0);
            sb.Append(Encoding.ASCII.GetString(chunk, 0, nul < 0 ? chunk.Length : nul));
            if (nul >= 0) break;
            address += 16;
        }
        return sb.ToString();
    }

    // Resolves an export by name in another process's 32-bit module without calling
    // GetProcAddress there: walk DOS header -> NT headers -> export directory.
    public static uint GetProcAddressEx(int hProc, uint hModule, string lpProcName)
    {
        uint procAddress = 0;
        byte[] pDosHd = ReadRemoteMemory(hProc, hModule, 0x40);           // IMAGE_DOS_HEADER
        if (pDosHd != null && BitConverter.ToUInt16(pDosHd, 0) == 0x5A4D) // "MZ"
        {
            uint e_lfanew = BitConverter.ToUInt32(pDosHd, 0x3C);
            if (e_lfanew > 0)
            {
                byte[] pNtHd = ReadRemoteMemory(hProc, hModule + e_lfanew, 0x108);  // IMAGE_NT_HEADERS32
                if (pNtHd != null && BitConverter.ToUInt32(pNtHd, 0) == 0x4550)    // "PE\0\0"
                {
                    // DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress (PE32 layout only)
                    uint expDirPtr = BitConverter.ToUInt32(pNtHd, 0x78);
                    if (expDirPtr != 0)
                    {
                        byte[] pExpDir = ReadRemoteMemory(hProc, hModule + expDirPtr, 0x28); // IMAGE_EXPORT_DIRECTORY
                        if (pExpDir != null)
                        {
                            uint pEat = BitConverter.ToUInt32(pExpDir, 0x1C); // AddressOfFunctions
                            uint pOrd = BitConverter.ToUInt32(pExpDir, 0x24); // AddressOfNameOrdinals
                            int index = SearchExports(hProc, hModule, pExpDir, lpProcName);
                            if (pEat > 0 && pOrd > 0 && index > -1)
                            {
                                byte[] bOrd = ReadRemoteMemory(hProc, (uint)(hModule + pOrd + (index << 1)), 0x2);
                                if (bOrd != null)
                                {
                                    // AddressOfNameOrdinals entries are already unbiased (ordinal - Base),
                                    // so they index AddressOfFunctions directly; no Base adjustment is needed.
                                    int ord = BitConverter.ToUInt16(bOrd, 0);
                                    byte[] addr = ReadRemoteMemory(hProc, (uint)(hModule + pEat + (ord << 2)), 0x4);
                                    if (addr != null)
                                        procAddress = hModule + BitConverter.ToUInt32(addr, 0);
                                }
                            }
                        }
                    }
                }
            }
        }
        return procAddress;
    }

    // Binary-searches the export name table; returns the name-table index or -1.
    private static int SearchExports(int hProcess, uint hModule, byte[] exports, string name)
    {
        uint cntExports = BitConverter.ToUInt32(exports, 0x18);   // NumberOfNames
        uint ptrNameTable = BitConverter.ToUInt32(exports, 0x20); // AddressOfNames
        int rva = -1;
        if (cntExports > 0 && ptrNameTable > 0)
        {
            byte[] rawPtrs = ReadRemoteMemory(hProcess, hModule + ptrNameTable, cntExports << 2);
            if (rawPtrs != null && rawPtrs.Length >= 4)
            {
                uint[] namePtrs = new uint[cntExports];
                for (int i = 0; i < namePtrs.Length; i++)
                    namePtrs[i] = BitConverter.ToUInt32(rawPtrs, i << 2);
                // The linker sorts the name table by byte value, so compare ordinally, not culture-aware.
                int start = 0, end = namePtrs.Length - 1;
                while (start <= end && rva == -1)
                {
                    int middle = start + ((end - start) / 2);
                    string curvalue = StringFromPTR(hProcess, hModule + namePtrs[middle]);
                    int cmp = string.CompareOrdinal(curvalue, name);
                    if (cmp == 0) rva = middle;
                    else if (cmp < 0) start = middle + 1; // target sorts after the middle entry
                    else end = middle - 1;                 // target sorts before the middle entry
                }
            }
        }
        return rva;
    }
}
```
hehe I wrote GetProcAddress in C lol. It's just in case GetProcAddress is hooked in the target process.