call a function not loaded


armand
09-24-2004, 03:14 PM
I would like to call a function (InsertMenu) which is not in the list of used functions.
I suppose I have to use GetModuleHandle or LoadLibrary and then GetProcAddress
But these functions are not used.
Is there a way to call InsertMenu?

rous
09-24-2004, 06:33 PM
What system are you using?

rous

sna
09-25-2004, 06:48 AM
RE: Call a function not imported

Vanilla phpBB doesn't support merging of threads so we'll do it this way instead:

It's on win98 mainly but I'd like to do it on xp too
(new thread deleted)

Now, you have a couple of choices depending on the context. The main module (exe file) of a process will always load at its preferred base address. This means that being inside the address space of said process you'll have full access to the main module's various elements and structures by directly addressing them.

Here's how MSDN describes 'imagebase':

Preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes.

A vicious plan to overthrow authorities begins to take form. Reach into the import table of the main module and grab an address to a function inside user32.dll, any function will do. Then round the address downwards to the nearest boundary of 64K and see if you find an IMAGE_DOS_HEADER there. No? Subtract 64K and try again. When you do find the header, check e_lfanew and verify that there is also an IMAGE_NT_HEADERS structure following it. You can be fairly certain that you have found the base address of user32.dll when there is.

The next step is to write a GetProcAddress() replacement. There is source code and there are ideas spread across the entire net, and finding them shouldn't be too difficult. Also, for the first part where you obtain the base address of user32.dll, as a safety guard against forwarded exports you might want to implement the code as a procedure and try a couple of different function addresses.

Regards, sna
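The header check sna describes above (round down to a 64K boundary, look for IMAGE_DOS_HEADER, follow e_lfanew to IMAGE_NT_HEADERS, else step back another 64K) is the same test a memory-forensics tool applies when it carves loaded images out of a process dump, and it is worth seeing why each check matters. The following is an added example, not code from this thread: it runs the walk over a constructed in-memory "dump" rather than a live process, so it works offline on any platform. The sample layout (an image at 0x10000, a decoy "MZ" with a bogus e_lfanew at 0x20000) is invented here for illustration; the signatures and offsets (0x3C for e_lfanew, 64K allocation granularity) are the real PE values.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ" as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0" as a little-endian DWORD
ALLOCATION_GRANULARITY = 0x10000  # images are mapped on 64K boundaries
E_LFANEW_OFFSET = 0x3C            # offset of e_lfanew inside IMAGE_DOS_HEADER
DOS_HEADER_SIZE = 0x40


def looks_like_pe_header(buf, offset):
    """True if buf[offset:] starts with an IMAGE_DOS_HEADER whose e_lfanew
    points at a valid IMAGE_NT_HEADERS signature inside the buffer."""
    if offset < 0 or offset + DOS_HEADER_SIZE > len(buf):
        return False
    (e_magic,) = struct.unpack_from("<H", buf, offset)
    if e_magic != IMAGE_DOS_SIGNATURE:
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, offset + E_LFANEW_OFFSET)
    nt_offset = offset + e_lfanew
    # Random data that happens to start with "MZ" usually fails here:
    # e_lfanew must point past the DOS header and stay inside the mapping.
    if e_lfanew < DOS_HEADER_SIZE or nt_offset + 4 > len(buf):
        return False
    (signature,) = struct.unpack_from("<I", buf, nt_offset)
    return signature == IMAGE_NT_SIGNATURE


def find_image_base(buf, address, max_steps=64):
    """Walk downward from `address` in 64K steps, as the post describes,
    until a PE header is found. Returns the base offset or None."""
    candidate = address & ~(ALLOCATION_GRANULARITY - 1)
    for _ in range(max_steps):
        if candidate < 0:
            break
        if looks_like_pe_header(buf, candidate):
            return candidate
        candidate -= ALLOCATION_GRANULARITY
    return None


def scan_for_images(buf):
    """Forensic variant: list every 64K-aligned offset that carries a PE header."""
    return [off for off in range(0, len(buf), ALLOCATION_GRANULARITY)
            if looks_like_pe_header(buf, off)]


def build_sample_dump():
    """Constructed sample (not a real dump): 256K of zeros with one
    well-formed image at 0x10000 and a decoy 'MZ' at 0x20000."""
    dump = bytearray(0x40000)
    struct.pack_into("<H", dump, 0x10000, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dump, 0x10000 + E_LFANEW_OFFSET, 0x80)
    struct.pack_into("<I", dump, 0x10000 + 0x80, IMAGE_NT_SIGNATURE)
    # Decoy: "MZ" followed by an e_lfanew that points nowhere sensible.
    struct.pack_into("<H", dump, 0x20000, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dump, 0x20000 + E_LFANEW_OFFSET, 0xFFFFFFFF)
    return bytes(dump)


SAMPLE = build_sample_dump()

if __name__ == "__main__":
    # An "imported function" address inside the image, above the decoy.
    print(hex(find_image_base(SAMPLE, 0x25000)))      # 0x10000
    print([hex(o) for o in scan_for_images(SAMPLE)])  # ['0x10000']
```

The decoy at 0x20000 is the reason the e_lfanew and signature checks exist: a bare "MZ" match at a 64K boundary is not proof of a mapped image, and the walk must continue past it. On a real process the same walk is bounded by the number of 64K steps you are willing to take before concluding the starting address was not inside a module at all.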

armend
09-25-2004, 10:30 AM
I see. I'm going to try something like that.
Maybe you're going to see me again here :wink:
Thank you very much for your answer
S