
I am trying to re-write the following function in my injected DLL.

mov edi,edi
push ebp
mov ebp,esp
mov eax, [sound.dll+1AE0]
push eax
mov ecx,[ebp+08]
mov eax,[ecx]
mov eax,[eax+0C]
push eax
call sound.dll+7C640
pop ebp
ret 0004

I am loading my DLL via CreateRemoteThread. Is there a way to get the address of sound.dll+1AE0 (or linkage) when the DLL is loaded without having to do GetModuleHandleEx and calculate the address dynamically?

Maybe with some imports or some linkage artifact?

Thanks!

EDIT:

The GetModuleHandleEx approach will look like:

DWORD mem1AE0=0;

Load mem1AE0 with sound.dll+1AE0 address

and then in my function:

__declspec(naked) void MyFunction() {
    __asm {
        mov edi,edi
        push ebp
        mov ebp,esp
        mov eax, mem1AE0
        mov eax, [eax]
        push eax
        mov ecx,[ebp+08]
        mov eax,[ecx]
        mov eax,[eax+0C]
        push eax
        call sound.dll+7C640
        pop ebp
        ret 0004
    }
}

The problem is when I have a call [sound.dll+XXXX] instruction

In that case I need to create a variable which will point to that memory

DWORD memXXXX=0;

Load it with the correct address and also create a proxycall DWORD

DWORD memXXXX_content=0;

and then do:

push eax
mov eax, memXXXX
mov eax, [eax]
mov memXXXX_content, eax
pop eax
call memXXXX_content

which is totally inefficient unless I am doing something wrong?

Thanks

EDIT: I believe there is no way to get static links if you are dynamically loading your DLL.

fred26
  • What's the problem with calling GetModuleHandleEx or OpenProcess/ReadProcessMemory? – peter ferrie Dec 15 '15 at 17:51
  • What is your end goal here? You are re-implementing the function exactly the same? If you have a specific change, it may be better to patch it in-place. Either that or place your hook at a more specific level. – Nick Cano Dec 16 '15 at 00:35
  • Yes, I need to replace that function entirely. Exactly the same. – fred26 Dec 16 '15 at 00:51
  • your second snippet should appear as "call [memXXXX_content]" because there is no form of absolute near call in x86, but that makes the whole thing equivalent to "call [memXXXX]". – peter ferrie Dec 17 '15 at 16:19
  • peter, I tried it and it doesn't work. call [memXXXX] calls the mem itself and not its content – fred26 Dec 18 '15 at 13:19
  • I believe there is no way to get static links if you are dynamically loading your DLL. Thanks to all who were interested. – fred26 Dec 28 '15 at 22:58

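A portable C model of the two addressing forms the post and its comments revolve around, added here as an illustration (not code from the question or from any answer). A constructed byte buffer stands in for the loaded sound.dll image, RVA 0x1B00 is an assumed pointer slot for a "call [sound.dll+XXXX]", and every absolute address is derived as base + RVA the way the GetModuleHandleEx approach does at load time.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the loaded sound.dll image. The base is whatever
 * the loader chose; 0x1AE0 is the RVA from the post, 0x1B00 is an assumed
 * RVA for a "call [sound.dll+XXXX]" pointer slot. Not the real sound.dll. */
#define IMG_SIZE   0x2000
#define RVA_VALUE  0x1AE0
#define RVA_SLOT   0x1B00

typedef int (*slot_fn)(void);

static uint8_t g_image[IMG_SIZE];           /* fake module memory        */
static int real_target(void) { return 42; } /* what the slot points at   */

/* Build the fake image and return its base (the value GetModuleHandleEx
 * would hand back for the real module). */
uintptr_t setup_fake_image(void) {
    uint32_t v = 0x11223344u;
    slot_fn  f = real_target;
    memset(g_image, 0, sizeof g_image);
    memcpy(g_image + RVA_VALUE, &v, sizeof v); /* read by mov eax,[sound.dll+1AE0] */
    memcpy(g_image + RVA_SLOT,  &f, sizeof f); /* read by call [sound.dll+XXXX]    */
    return (uintptr_t)g_image;
}

/* mov eax,[sound.dll+1AE0]: a single memory read at base + RVA. */
uint32_t read_dword_at_rva(uintptr_t base, uint32_t rva) {
    uint32_t v;
    memcpy(&v, (const void *)(base + rva), sizeof v);
    return v;
}

/* call [sound.dll+XXXX]: read the pointer stored at base + RVA, then call it.
 * This is the two-step the post spells out with memXXXX / memXXXX_content:
 * memXXXX is fixed once at load time, the slot contents are read per call. */
int call_via_slot(uintptr_t base, uint32_t rva) {
    uintptr_t memXXXX = base + rva;
    slot_fn   memXXXX_content;
    memcpy(&memXXXX_content, (const void *)memXXXX, sizeof memXXXX_content);
    return memXXXX_content();
}

/* The address a DWORD variable holding base + RVA contains: the slot itself,
 * one dereference short of the function stored in it. */
uintptr_t slot_address(uintptr_t base, uint32_t rva) { return base + rva; }
```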
0 Answers