Hello, I'm almost finished with a tutorial on DLL injection using the code cave method altought I have some questions:
Code:
_declspec(naked)void loadDLL(void)
{
_asm{
push 0xDEADBEEF
pushfd
pushad
push 0xDEADBEEF
mov eax, 0xDEADBEEF
call eax
popad
popfd
ret
}
}
_declspec(naked)void loadDLL_end(void)
{
}
Code:
VirtualProtect(loadDLL, stubLen, PAGE_EXECUTE_READWRITE, &oldProt);
memcpy((void*)((unsigned long)loadDLL + 1), &oldIP, 4);
memcpy((void*)((unsigned long)loadDLL + 8), &dllString, 4);
memcpy((void*)((unsigned long)loadDLL + 13), &loadLibAddy, 4);
Those are the parts where the questions are about.
When patching the asm code with the correct addresses why do you have to add 1, 8 and 13 to loadDLL?
And why is the size always 4?
Code:
unsigned long GetThreadIDFromProcname(char * procName)
{
PROCESSENTRY32 pe;
HANDLE thSnapshot;
BOOL retval, procFound = FALSE;
unsigned long pTID, threadID;
thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
pe.dwSize = sizeof(PROCESSENTRY32);
retval = Process32First(thSnapshot, &pe);
while(retval)
{
if(StrStrI(pe.szExeFile, procName))
{
procFound = TRUE;
break;
}
retval = Process32Next(thSnapshot, &pe);
pe.dwSize = sizeof(PROCESSENTRY32);
}
CloseHandle(thSnapshot);
_asm{
mov eax, fs:[0x18]
add eax, 36
mov [pTID], eax
}
HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pe.th32ProcessID);
ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
CloseHandle(hProcess);
return threadID;
}
I googled and found fs:[0x18] was for the address of the Thread Information Block but what does add eax, 36 do and why do it?
Thanks in advance