

Use conditional breakpoints
|
Hi,
Thank you for your reply.
I was able to set a breakpoint in the function call, but I can't see anywhere the dword I'm looking for. It is the last parameter of the function. By the way, how can I see the function's parameters?
thank you again
|
wut do u exactly mean by 'cant see the dword' ?
isn't it in the stack?
1. are u looking for a certain situation that the dword becomes a specific value?
or 2. do you want to know what the dword means?
in case 1., u should use conditional breaks like lallous said.
in case 2., u should look at msdn.
or if the params are different from what's shown in msdn, the function might be '#define'd like CreateWindow.
cheers.
|
Hello,
Yes, it is in the stack, thank you. And I found what I was looking for. However, I'm afraid the scenario is more complex than the one I thought before.
Please look at this new scenario:
I have one exe application that uses a custom dll and other Windows system dlls. Both the exe and the custom dll use a common Windows system dll (I will call it: shared_sys_dll).
I would like to make the custom dll use the changed shared_sys_dll, and make it private to the custom dll. This dll would be inside the same folder as the custom dll (for instance). Of course, any application in the system, including the exe program, would not use this changed dll. Besides this changed dll being private to the custom dll, any other internal call to any other system API should work.
Is this possible to do? What do I need to change in my custom dll to make it point to a changed "system" dll?
My second goal is to change the shared_sys_dll. I found the line that I need to change. It looks something like this:
PUSH DWORD PTR DS: [ESI + E0]
Instead of using the value ESI+E0 I would like to pass a fixed value. What should this instruction look like? Example: like this? PUSH DWORD PTR DS: [my_value]
Finally, how can I see which module (the exe or any of the dlls running inside it) starts the use of the shared_sys_dll, where the line of code is being executed? I need to be sure that this shared_sys_dll is in fact being invoked by my custom dll. Unfortunately, I'm not sure about that...
I don't know if I made myself clear. If not, I will try to explain it better.
Thank you
|
i'm not sure if i get it right, but i think you want to switch a system dll to yours, right?
well it's possible, and in your case it's simple.
your custom dll can call shared_sys_dll's function in two ways.
one is using the import directory, and the other is using apis like LoadLibraryA + GetProcAddress.
both cases would work in this way.
rename your changed_dll as 'shared_sys_dll', and put it in the same directory with your 'exe' file.
when the shared_sys_dll gets loaded, windows will first look for the dll in the same dir with the exe, and then look for it in %system32% dir.
so, if you write your changed_dll to export all the functions that shared_sys_dll exports, it will work fine.
for ur second question, you can patch the code. overwrite memory.
PUSH DWORD PTR DS: [ESI + E0] is assembled to ff b6 e0 00 00 00
and
PUSH DWORD PTR DS: [my_value] is assembled to
ff 35 xx xx xx xx
(xx xx xx xx refers to the address of my_value, and consider little endian)
|
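As an added example (not part of the original thread), the Python sketch below decodes the FF /6 (PUSH r/m32) byte sequences quoted in the last reply and shows that both forms are six bytes long, with the 32-bit address stored little-endian. The function names and the address 0x00403000 are assumptions made for illustration.

```python
import struct

REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

def decode_push_rm32(code):
    """Decode one 32-bit-mode PUSH r/m32 (opcode FF /6).

    Returns (disassembly text, instruction length in bytes).
    """
    if len(code) < 2 or code[0] != 0xFF:
        raise ValueError("not an FF-group instruction")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 6:
        raise ValueError("FF /%d is not PUSH" % reg)
    if mod == 3:                          # operand is a register
        return "PUSH " + REGS[rm], 2
    pos, terms = 2, []
    disp_size = (0, 1, 4)[mod]            # mod 0/1/2 -> no disp, disp8, disp32
    if rm == 4:                           # SIB byte follows ModRM
        sib = code[pos]
        pos += 1
        index, base = (sib >> 3) & 7, sib & 7
        if base == 5 and mod == 0:
            disp_size = 4                 # disp32 replaces the base register
        else:
            terms.append(REGS[base])
        if index != 4:                    # index 4 means "no index"
            terms.append("%s*%d" % (REGS[index], 1 << (sib >> 6)))
    elif rm == 5 and mod == 0:
        disp_size = 4                     # absolute disp32, no base register
    else:
        terms.append(REGS[rm])
    expr = "+".join(terms)
    if disp_size:
        disp = struct.unpack_from("<b" if disp_size == 1 else "<i", code, pos)[0]
        pos += disp_size
        expr = expr + "%+#x" % disp if terms else "0x%X" % (disp & 0xFFFFFFFF)
    return "PUSH DWORD PTR [%s]" % expr, pos

def encode_push_abs(address):
    """Encode PUSH DWORD PTR [address]: FF 35 + little-endian disp32."""
    return b"\xff\x35" + struct.pack("<I", address)

if __name__ == "__main__":
    original = bytes.fromhex("ffb6e0000000")      # bytes quoted in the thread
    patched = encode_push_abs(0x00403000)         # constructed sample address
    for raw in (original, patched):
        print(raw.hex(" "), "->", decode_push_rm32(raw))
```

The FF 35 form pushes the dword stored at that address, so the address has to point at readable memory that holds the desired value.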