Hello everyone, i'm pretty new to RCE and Code Injection and so on ( but i know how program!).

The goal here is to modify a local variable declared in a function of the host process.
So the idea is to inject the dll and then call it's function, passing the variable as an argument, to modify that variable just after is declared.
I know (even if i haven't tried yet) how to dll inject into the exe process, but i don't know how to call, using assembly, the function from the host process.

It's possibile to do this with dll injection? So how?
There are other methods?

http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx

Well, if i understood correctly, the method you linked allows me to call a function of the hosted process from the dll not a function of the injected dll from the host process...
am i wrong?.

Actually, I think I misread your question.
Your DLL could just do the following (assuming the address of the target function in the host process is 0xDEADBEEF):

The problem is that it's not the dll that has to call a host process function.

Ok suppose that i have this function on the host process:


and this function on the dll:


I want to call DllChangeBool from the host process, just after the "succeded" variabile is declared, something like this if i could write in C/C++:



but obviously changing the assembly code of the host process...
My problem is not to generically call a function from assembly, but how to find the address of the ChangeBool function in the host process.

What about using memory mapped files, a named pipe or window messages to communicate between dll and injector? That way your injector could inject the dll and wait for a message, which your dll would send in its DLL_PROCESS_ATTACH handler.

HR,
Ghandi

Thnx for all your answers but i still can't understand.

I don't understand why your method could help in what i'm trying to do..

The problem is that i want to have communication between the victim and the dll injected, since i have to call the dll function from the victim function.
What's the point on sending a message to the injector from the dll? I don't know when to send it (or better i know but i can't trigger it). Suppose that i know when to send the message, how i pass the reference to the local variabile, from the victim to the injected dll?

Your dll can use SendMessage to pass information through WM_USER messages, you could simply have it look for your injectors window with FindWindow and then when it has the handle, call the SendMessage API and pass through the base address of the dll (it will be the hInstance member of the DllMain function) to your injector which can then add an offset to create the valid virtual address.

Failing this you could have your dll call GetProcAddress on itself and pass through the resolved address using the same mechanism. I would consider going to MSDN and reading up about windows messages if you are interested at all.

HR,
Ghandi

In your local injector code, get DLL base address and function address of DLL to be injected ..
(Assuming ChangeBool function is exported from the DLL)



Then inject your DLL into remote process, storing the new base address of the DLL.
Add the new base address to the RVA of the function and you have the remote address of the function.
If you set your ChangeBool export to be StdCall type then you can call the remote function from your injector code using the CreateRemoteThread api, supplying the api with the address of the ChangeBool export in remote process memory, and pass a param to your function.

BoB

It's clearer now thnx.

Anyway, even if i think i found the solution, i want to ask again... why call the function from the injector?
I mean i need that the victim process, not the injector, calls the dll function... in a precise moment.
And the only way i see is to change the assembly code in the victim, using the address you told me how to calculate.

I mean i could also have called the dll from the injector code as you said, but how i trigger the declaration of a certain function local variable on the victim?
This is why i think i need to change the victim, so he makes the call when i need, not someone else for him.

Again am i wrong?
Just want to be sure .

Down to how you code it. If you want that your victim calls the dll function, you could simply use VirtualAllocEx to allocate memory within the victim context and write your code into there then use CreateRemoteThread to force execution of the code, bypassing any need to modify the primary thread's context.

Why be able to control remotely from your injector? I can see situations where the injector can handle the events for the victim process and respond accordingly, instead of having all of the code working from within the victim processes primary thread context. Horses for courses though, whatever works for you and fulfils your needs.

HR,
Ghandi

Actually, this looks like what you really want to use: http://research.microsoft.com/en-us/projects/detours/

This is EXACTLY what I did in the same situation. Memory mapped file to talk between the loader, and my injected dll.

Call VirtualProtectEx from the dll when it first is loaded on the location you want to have call your code in your dll. be sure to store the original permissions some where because it can cause problems to leave unprotected sometime.

next patch the location you de-protected with the opcode value for a long call 0xFF, 0x15, AA, DD, DD, RR or you can use a jump which does not require correcting the stack which is 0xFF, 0x25, AA, DD, DD, RR jut remember you have to jump back into the host.

what ever you patch over needs to be added to the bott0m of your code before you return, lets say you patch over a call function you will need to run that call at the bottom of your function same with anything else.

Then you re-protoect the memory and your done.

one file note you will want to declare your function as naked. eg. void __declspec(naked)Function(){}