NooBpluSS (Cheater, Reputation: 0, Joined: 24 Jun 2007, Posts: 37)
Posted: Sat Jun 06, 2009 11:21 pm  Post subject: [Help] VirtualProtect
I'm trying a jmp to use VirtualProtect:
Code:
function Virt(lpAddress: Pointer; dwSize, flNewProtect: DWORD;
  lpflOldProtect: Pointer): BOOL; stdcall;
var
  DblWord: DWORD;
  hHandle: THandle;
begin
  hHandle := LoadLibrary('kernel32.dll');
  DblWord := DWORD(GetProcAddress(hHandle, 'VirtualProtect')) + 5;
  asm
    mov edi,edi
    push ebp
    mov esp,ebp
    jmp [DblWord]
  end;
end;
but it's not working...
Slugsnack (Grandmaster Cheater Supreme, Reputation: 71, Joined: 24 Jan 2007, Posts: 1857)
Posted: Sun Jun 07, 2009 6:58 am
You're setting up the stack frame incorrectly:
mov esp, ebp >> mov ebp, esp
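The `+5` in the posted code and Slugsnack's fix both rest on the 5-byte hot-patch prologue (mov edi,edi / push ebp / mov ebp,esp) that 32-bit Windows API entry points such as VirtualProtect begin with; an inline hook overwrites exactly those bytes with a jump. As an added example that is not from this thread, here is a small Python integrity check of the kind a defender runs to tell an intact prologue from an overwritten one; all addresses and bytes are constructed for the demo.

```python
# Added example (not from the thread): classify the first bytes at a 32-bit
# Windows API entry point. Intact hot-patchable functions start with
# mov edi,edi / push ebp / mov ebp,esp (5 bytes, which is why the thread jumps
# to function+5). An inline hook replaces those bytes with a redirect, which a
# prologue integrity check like this one detects.
import struct

HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")  # mov edi,edi; push ebp; mov ebp,esp

def classify_prologue(func_addr: int, code: bytes) -> dict:
    """Describe the first bytes at func_addr.

    kind is one of 'intact', 'jmp_rel32', 'jmp_rel8', 'push_ret', 'unknown';
    target is the absolute address a redirect lands on (None if not a redirect).
    """
    if code.startswith(HOTPATCH_PROLOGUE):
        return {"kind": "intact", "target": None}
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "jmp_rel32", "target": (func_addr + 5 + rel) & 0xFFFFFFFF}
    if len(code) >= 2 and code[0] == 0xEB:                      # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return {"kind": "jmp_rel8", "target": (func_addr + 2 + rel) & 0xFFFFFFFF}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return {"kind": "push_ret", "target": struct.unpack_from("<I", code, 1)[0]}
    return {"kind": "unknown", "target": None}

def scan_exports(exports: dict) -> list:
    """exports maps export name -> (address, leading bytes); list every redirect."""
    findings = []
    for name, (addr, code) in exports.items():
        info = classify_prologue(addr, code)
        if info["kind"] != "intact":
            findings.append((name, info["kind"], info["target"]))
    return findings

# Constructed sample: addresses and bytes are made up for the demo, not read
# from a real process. GetProcAddress is given a jmp rel32 to 0x10000000.
SAMPLE_EXPORTS = {
    "VirtualProtect": (0x7C801AD4, HOTPATCH_PROLOGUE + b"\x83\xec\x0c"),
    "GetProcAddress": (0x7C80AE30,
                       b"\xe9" + struct.pack("<i", 0x10000000 - 0x7C80AE35) + b"\x90\x90"),
}

if __name__ == "__main__":
    for finding in scan_exports(SAMPLE_EXPORTS):
        print("redirected export: name=%s kind=%s target=0x%08X" % finding)
```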
dnsi0 (I post too much, Reputation: 0, Joined: 04 Jan 2007, Posts: 2674)
Posted: Sun Jun 07, 2009 8:13 am  Post subject: Re: [Help] VirtualProtect
NooBpluSS wrote:
  I'm trying a jmp to use VirtualProtect:
  Code:
  function Virt(lpAddress: Pointer; dwSize, flNewProtect: DWORD;
    lpflOldProtect: Pointer): BOOL; stdcall;
  var
    DblWord: DWORD;
    hHandle: THandle;
  begin
    hHandle := LoadLibrary('kernel32.dll');
    DblWord := DWORD(GetProcAddress(hHandle, 'VirtualProtect')) + 5;
    asm
      mov edi,edi
      push ebp
      mov esp,ebp
      jmp [DblWord]
    end;
  end;
  but it's not working...
And don't put the LoadLibrary in the function. Set it up before it or you're gonna get a stack overflow when you use it too much, because Delphi is setting up some variables that are supposed to be popped but never were.
NooBpluSS (Cheater, Reputation: 0, Joined: 24 Jun 2007, Posts: 37)
Posted: Sun Jun 07, 2009 9:35 am
Now I'm trying this:
Code:
function Virt(lpAddress: Pointer; dwSize, flNewProtect: DWORD;
  lpflOldProtect: Pointer): BOOL; stdcall;
var
  DblWord: DWORD;
begin
  DblWord := DWORD(GetProcAddress(GetModuleHandle('kernel32.dll'), 'VirtualProtect')) + 5;
  asm
    mov edi,edi
    push ebp
    mov ebp,esp
    jmp [DblWord]
  end;
end;
The error now is:
" Acess violation at address 7C800003 in module 'kernel32.dll'. Write of address 7C800000. "
What's the problem, guys? :S
I want to use VirtualProtect to unhook other APIs in user mode...
Can I do it with another method?
&Vage (Grandmaster Cheater Supreme, Reputation: 0, Joined: 25 Jul 2008, Posts: 1053)
Posted: Sun Jun 07, 2009 11:33 am
You probably need to change the page protection to WRITE o_o
NooBpluSS (Cheater, Reputation: 0, Joined: 24 Jun 2007, Posts: 37)
Posted: Sun Jun 07, 2009 11:47 am
Code:
CodeLen := SizeOfProc(LoadedAddress);
VirtualProtect(ExportedAddress, CodeLen, PAGE_EXECUTE_READWRITE, @OldProtection);
Move(ExportedAddress, LoadedAddress, CodeLen);
Virt(ExportedAddress, CodeLen, OldProtection, @OldProtection);
I'm using PAGE_EXECUTE_READWRITE.
LoadedAddress is the true address.
ExportedAddress is the hooked API.
I can see the API hooked in user mode but I can't unhook it T.T'
dnsi0 (I post too much, Reputation: 0, Joined: 04 Jan 2007, Posts: 2674)
Posted: Sun Jun 07, 2009 3:21 pm
NooBpluSS wrote:
  Code:
  CodeLen := SizeOfProc(LoadedAddress);
  VirtualProtect(ExportedAddress, CodeLen, PAGE_EXECUTE_READWRITE, @OldProtection);
  Move(ExportedAddress, LoadedAddress, CodeLen);
  Virt(ExportedAddress, CodeLen, OldProtection, @OldProtection);
  I'm using PAGE_EXECUTE_READWRITE.
  LoadedAddress is the true address.
  ExportedAddress is the hooked API.
  I can see the API hooked in user mode but I can't unhook it T.T'
I told you, take the GetProcAddress part out and pre-init it so that all that's left is the assembler:
var
  DblWord: DWORD;

procedure initmycrap; stdcall;
begin
  DblWord := DWORD(GetProcAddress(GetModuleHandle('kernel32.dll'), 'VirtualProtect')) + 5;
end;

function Virt(lpAddress: Pointer; dwSize, flNewProtect: DWORD;
  lpflOldProtect: Pointer): BOOL; stdcall;
begin
  asm
    jmp [DblWord]
  end;
end;
This will work...
NooBpluSS (Cheater, Reputation: 0, Joined: 24 Jun 2007, Posts: 37)
Posted: Sun Jun 07, 2009 5:43 pm
I can't use GetProcAddress after GG, 'cause it's hooked too,
so I put the DblWord in the FormCreate:
Code:
DblWord := DWORD(GetProcAddress(GetModuleHandle('kernel32.dll'), 'VirtualProtect')) + 5;
and my VirtualProtect:
Code:
function Virt(lpAddress: Pointer; dwSize, flNewProtect: DWORD;
  lpflOldProtect: Pointer): BOOL; stdcall;
begin
  asm
    jmp [DblWord]
  end;
end;
but when I do this:
Code:
if Virt(ExportedAddressE, CodeLen, PAGE_EXECUTE_READWRITE, @OldProtection) then
  ShowMessage('=)')
else
  ShowMessage('It''s not working...try again ');
I see the message " It's not working...try again ".
Another method..? Or is it possible to use VirtualProtect with a jmp to unhook other APIs?
dnsi0 (I post too much, Reputation: 0, Joined: 04 Jan 2007, Posts: 2674)
Posted: Sun Jun 07, 2009 8:10 pm
NooBpluSS wrote:
  I can't use GetProcAddress after GG, 'cause it's hooked too,
  so I put the DblWord in the FormCreate:
  Code:
  DblWord := DWORD(GetProcAddress(GetModuleHandle('kernel32.dll'), 'VirtualProtect')) + 5;
  and my VirtualProtect:
  Code:
  function Virt(lpAddress: Pointer; dwSize, flNewProtect: DWORD;
    lpflOldProtect: Pointer): BOOL; stdcall;
  begin
    asm
      jmp [DblWord]
    end;
  end;
  but when I do this:
  Code:
  if Virt(ExportedAddressE, CodeLen, PAGE_EXECUTE_READWRITE, @OldProtection) then
    ShowMessage('=)')
  else
    ShowMessage('It''s not working...try again ');
  I see the message " It's not working...try again ".
  Another method..? Or is it possible to use VirtualProtect with a jmp to unhook other APIs?
Does the original VirtualProtect work? Is DblWord declared globally?
NooBpluSS (Cheater, Reputation: 0, Joined: 24 Jun 2007, Posts: 37)
Posted: Mon Jun 08, 2009 8:09 pm
Yes!! The original VirtualProtect works..
I use VirtualProtect and it works..
I use it with jmp and it works too, but after GG is loaded it doesn't work..
Hooked in kernel mode?
Guys.. do I first need to unhook in kernel mode? Or user mode?
dnsi0 (I post too much, Reputation: 0, Joined: 04 Jan 2007, Posts: 2674)
Posted: Tue Jun 09, 2009 4:55 pm
NooBpluSS wrote:
  Yes!! The original VirtualProtect works..
  I use VirtualProtect and it works..
  I use it with jmp and it works too, but after GG is loaded it doesn't work..
  Hooked in kernel mode?
  Guys.. do I first need to unhook in kernel mode? Or user mode?
If you unhooked it in kernel mode, you can simply register a new service and call that service with the new service number from the SSDT instead. So if you do a kernel bypass, you don't need a user-mode one.