Virtual Protect http://msdn.microsoft.com/en-us/library/aa366898%28VS.85%29.aspx

This should be the relevant code for this purpose, i cut out non relevant stuff so dont worry when the Adresses are not coherent. Im pretty confused by the calculation he does to determine the Size and Address of the protection Area for VirtualProtect as i want to use the exact same call in my C++ Program.

My own thoughts, which are probably wrong, in the form of pseudocode !
eax = 004030A2
dwSize = [004030B2]+5
lpAddress = [004030AA] (32bit)
dwSize = t+5 ??
lpAddress = 10 GetUserNameA 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Since the t+5 part doesn't make any sense im stuck !

Anybody here willing to help a poor noob ?

looks to be hooking code..
I am kinda lost as to what your doing but

I think your trying to hook those functions..
hopefully this compact prolly wrong code helps



regards BanMe

its a proxy dll for a dll which is called by an evil rootkit that mistreats my memory and i'd like to have full control over my computer again

And your code is not wrong at all, i effectively did the same thing after a while just not as compact and im not really sure about the size.

Thanks for helping though !

next time include a smidge more details

and Anytime..
to explain the size it is more then likely 5 because that is the size of a hook..for example..heres a small somewhat abstracted example..of how i think 'it' looks..
VirtualProtect the Start of the function..you got that..so

maybe this can help if your injecting a dll and then hooking.. or you are hooking yourself.. :d


this is a small snippet from hkHooking Namespace I coded..that still needs work.. the other methods besides apc injection are easily implemented... IM currently toying with seeing if I can add a section to a Files in Memory image sections in runtime.. or preruntime.. need to mimic the base concept of rebuilding everything for a "attached section" but this shouldn't be to hard a task for the Ldr Routines... but this topic is widely talked about and now documented partly by piotr bania..

known 'hooking' methods and some concept methods...
the old '5 byte overwrite'..

2 byte hooking ebf9
mov edi,edi

old 5 byte overwrite with a spin
hooking of iether the "int3's or the nop's"..If now if you cant locate them up,you can search down..jmp up 7 or down the length of the function..

single byte hooks the Kernel Call Routines Service Identifier..use a kernel driver similar to stoned's 'service adding' features ....at least i would do that..havent analysed any of his code yet..

Shared Section Code used as hook routine..and the 'client' part of the subsystem implements the hooks.. preruntime..havent tested the client by injecting it yet though, but i have successfully hooked myself in some of the various tests to accomplish this..

IAT Hooking hooking the ImportAddress Table..
basicly hooks the Import Address Table to 'filter or hooking' the function upon call from the 'host' process..and can be used to gain information from a remote process..
IAT hooking can be easily bypassed by GetProcessAddress or a similar routine as well as signature scanning for the function..

EAT (or AddressLookupHooking)used for GetProcessAddress or other type lookup that retrieve the address from the EAT..
SigScanning for the function bypasses EAT.

Ghostwriting..on rootkit.com

.Mapped memory double checking with a gathered 'mapped' signature can detect runtime hooking and most of these types hooks not IAT or EAT..unless you modify the original module,then it becomes the tactic that they verify your system version and then download the dll,and do another mapped checking...and then you got issues with gathering the file from the socket securely..

Modified Stack hooking(im working on it..)with 'code' that searchs for and uses the found code to bulid itself..this can be done by providing a usable 'Stack swapping and Context poisoning' methodolgy..searching for places to use these Mentioned methods will be the fun part ..as well as chaining them together.. :d


BanMe