  1. #1
    lionking0

    Question How to correctly inject a [jump + address] instruction into another process?

    I am trying to inject a jump instruction into another process (external injection). Although the injection operation has been completed, the address was not correct.

    For example:

    Code:
    unsigned int addr = 0x0048DA03;
    unsigned int jumpToAddr = 0x0048D9B2;
    unsigned char command[] = { 0xEA };
    VirtualProtectEx(hProcess, (void*)addr, 20, PAGE_READWRITE, &oldProtect);
    WriteProcessMemory(hProcess, (void*)addr, (void*)command, sizeof(command), NULL); // this line for jmp
    WriteProcessMemory(hProcess, (void*)addr, (void*)jumpToAddr, sizeof(jumpToAddr), NULL); // this line for the address
    VirtualProtectEx(hProcess, (void*)addr, 20, oldProtect, &oldProtect);
    The result:



    As you see, after executing that code, the jump address is wrong.
    Also, the same problem occurs with the following code:

    Code:
    void* reservedMemAddress = VirtualAllocEx(hProcess, NULL, 100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (reservedMemAddress) {
        WriteProcessMemory(hProcess, (void*)addr, (void*)command, sizeof(command), NULL);
        WriteProcessMemory(hProcess, (void*)addr, (void*)reservedMemAddress, sizeof(reservedMemAddress), NULL);
    }
    1. How can I write the address correctly?
    2. How can I merge the two WriteProcessMemory lines into one to write the entire instruction ex: JMP 0x0048D9B2?

  2. #2
    Win32-0
    To correctly inject a jump instruction into another process, you need to ensure that the target process is running in the same architecture (32-bit or 64-bit) as the injector, and that the jump instruction is being written to a valid memory address that is accessible by the target process.

    You should also make sure that the memory location you are injecting into is marked as writable, and that you have the proper privileges to access the target process's memory.

    Here is updated code that might get you where you need to be:

    Code:
    void* reservedMemAddress = VirtualAllocEx(hProcess, NULL, 100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (reservedMemAddress) {
        WriteProcessMemory(hProcess, reservedMemAddress, (void*)command, sizeof(command), NULL);
        DWORD oldProtect;
        VirtualProtectEx(hProcess, reservedMemAddress, 100, PAGE_EXECUTE_READ, &oldProtect);
        CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)reservedMemAddress, NULL, 0, NULL);
    }
    This code allocates 100 bytes of memory in the target process's virtual address space, writes the contents of the command variable to that memory, and sets the memory protection to allow execution. Then, it creates a remote thread in the target process that starts executing the code in the newly-allocated memory.

    For your second question, here is the code for that also.

    Code:
    unsigned char jmp_instruction[5] = { 0xE9, 0xB2, 0xD9, 0x48, 0x00 };
    // Overwrite the 4 operand bytes with rel32 = target - (address of the jump + 5)
    *(DWORD*)(jmp_instruction + 1) = (DWORD)addr - (DWORD)reservedMemAddress - 5;

    WriteProcessMemory(hProcess, reservedMemAddress, jmp_instruction, sizeof(jmp_instruction), NULL);
    This code generates the 5-byte machine code for the jump instruction, and writes it to the reserved memory in the target process. The jump instruction is constructed such that it jumps to the specified address addr.

  3. The Following User Says Thank You to Win32-0 For This Useful Post:

    pilatie (06-26-2023)
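
The encoding discussed in this thread, seen from the integrity-checking side, as an added example that is not code from either poster: it decodes the 5-byte `E9 rel32` and 7-byte `EA ptr16:32` forms found at a known address and flags a near jump whose destination leaves the module. The function names, the module range 0x00400000 + 0x00100000 and the foreign target 0x02130000 are assumptions; the site 0x0048DA03 and target 0x0048D9B2 are the thread's own values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum jmp_kind { JMP_NONE, JMP_NEAR_REL32, JMP_FAR_PTR16_32 };

static uint32_t le32(const uint8_t *p)   /* little-endian 32-bit read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a 32-bit-mode jump located at virtual address `site`.
 * E9 rel32   : displacement counted from the next instruction (site + 5).
 * EA ptr16:32: 4-byte absolute offset, then a 2-byte segment selector. */
enum jmp_kind decode_jmp(const uint8_t *code, size_t len, uint32_t site,
                         uint32_t *target)
{
    if (len >= 5 && code[0] == 0xE9) {
        *target = site + 5u + le32(code + 1);   /* wraps modulo 2^32 */
        return JMP_NEAR_REL32;
    }
    if (len >= 7 && code[0] == 0xEA) {
        *target = le32(code + 1);
        return JMP_FAR_PTR16_32;
    }
    return JMP_NONE;
}

/* 1 when the bytes are a near jump whose destination lies outside
 * [base, base + size), i.e. control leaves the module's own image. */
int jump_leaves_module(const uint8_t *code, size_t len, uint32_t site,
                       uint32_t base, uint32_t size)
{
    uint32_t target;
    if (decode_jmp(code, len, site, &target) != JMP_NEAR_REL32) return 0;
    return (uint32_t)(target - base) >= size;
}

/* Constructed samples (module range and foreign target are assumed). */
static const uint8_t in_module[]  = { 0xE9, 0xAA, 0xFF, 0xFF, 0xFF };
static const uint8_t to_foreign[] = { 0xE9, 0xF8, 0x25, 0xCA, 0x01 };
int main(void)
{
    uint32_t t = 0;
    decode_jmp(in_module, sizeof in_module, 0x0048DA03u, &t);
    printf("0x%08X %d\n", (unsigned)t, jump_leaves_module(to_foreign,
           sizeof to_foreign, 0x0048DA03u, 0x00400000u, 0x00100000u));
    return 0;
}
```

Decoding `E9 B2 D9 48 00` at the same site gives 0x0091B3BA rather than 0x0048D9B2, because the operand is added to the address of the next instruction instead of being used as an absolute address.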
