Small problem

Started by Brett Kuntz, January 03, 2005, 07:21:17 AM

Brett Kuntz

I've written a simple dll api hook in C (just to get it working) and now that I figured out the correct way to do it, I'm writing it in ASM. I wrote the loader with no issues, however the DLL asm is giving me some grief.


.486
.model flat, stdcall
option casemap :none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data?
    OrigTick         DWORD ?     ; tick count sampled when the DLL attaches
    GetTickCountOrig DWORD ?     ; saved address of the real GetTickCount

.code

LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD

    LOCAL pid :DWORD

    jmp down
        WINDOW_NAME db "Game", 0
    down:

    .if reason == DLL_PROCESS_ATTACH

        mov eax, GetTickCount
        mov GetTickCountOrig, eax
        call GetTickCount
        mov OrigTick, eax
        ; FindWindow(NULL, "Game")
        push offset WINDOW_NAME
        push 0
        call FindWindow
        ; GetWindowThreadProcessId(hwnd, &pid)
        lea ebx, pid
        push ebx
        push eax
        call GetWindowThreadProcessId
        ; OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)
        push pid
        push 0
        push PROCESS_ALL_ACCESS
        call OpenProcess
        mov ebx, eax                    ; ebx = hProcess
        ; VirtualAllocEx(hProcess, NULL, 4, MEM_COMMIT, PAGE_READWRITE)
        push PAGE_READWRITE
        push MEM_COMMIT
        push 4
        push 0
        push ebx
        call VirtualAllocEx
        mov edi, eax                    ; edi = remote buffer address
        ; WriteProcessMemory(hProcess, edi, GetTickCountHook, 4, NULL)
        push 0
        push 4
        push GetTickCountHook
        push edi
        push ebx
        call WriteProcessMemory
        ; WriteProcessMemory(hProcess, 41A78Ah, edi, 4, NULL)
        push 0
        push 4
        push edi
        push 41A78Ah
        push ebx
        call WriteProcessMemory

    .endif

    mov eax, 1
    ret

LibMain endp

GetTickCountHook proc

    call GetTickCountOrig
    sub eax, OrigTick
    add eax, eax
    add eax, OrigTick
    ret

GetTickCountHook endp

End LibMain

The problem is with the two WriteProcessMemory calls, the third parameter isn't getting pushed correctly on one or both of them. I can't find a way to use Olly on the DLL to step through its initialization so checking what exactly is going wrong is fairly difficult. I even tried disassembling my C written DLL and using that as a reference and it still would not work. The C DLL assembled to something like:

    lea eax, dword ptr [ebp+08]  ; stack variable
    push eax

And I tried to copy that (put the values onto the stack using LOCALs) and it assembled the same way, but still no dice.

Any ideas?

hutch--

K,

After a quick look, the code looks like it is a disassembly with manual calls and no commenting. Just to make it easier on yourself I would tend to break it up into clear API calls with some commenting so it was easier to read. Then you test the return value of each call to make sure you have set up the conditions for each subsequent API call.
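Hutch's advice is to check the return value of every call in the chain, because each later API depends on the handle or address the previous one produced. The Python script below is an added example, not code from this thread or from the MASM32 project: it walks a constructed API-call trace of the form an API monitor or EDR sensor might emit (the line format, the PIDs, the handle values and the addresses are all invented for the example), reports the first call in the chain whose return is 0/NULL, which is where the setup went wrong, and separately flags writes into another process that were made through a handle obtained from OpenProcess, which is how a defender would correlate this OpenProcess / VirtualAllocEx / WriteProcessMemory sequence in telemetry.

```python
import re
from dataclasses import dataclass

# Constructed trace format (assumed for this example): one API call per line.
LINE_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s+args=\((?P<args>[^)]*)\)\s+ret=(?P<ret>\S+)"
)

# Constructed sample trace mirroring the call chain in the thread. The last
# WriteProcessMemory returns 0, the kind of failure hutch says to test for.
TRACE = """\
pid=1234 api=GetTickCount args=() ret=0x1A2B3C
pid=1234 api=FindWindowA args=(0,0x40301F) ret=0x501A6
pid=1234 api=GetWindowThreadProcessId args=(0x501A6,0x12FF7C) ret=0x9C4
pid=1234 api=OpenProcess args=(0x1F0FFF,0,5678) ret=0x2C8
pid=1234 api=VirtualAllocEx args=(0x2C8,0,4,0x1000,0x4) ret=0xA40000
pid=1234 api=WriteProcessMemory args=(0x2C8,0xA40000,0x401000,4,0) ret=1
pid=1234 api=WriteProcessMemory args=(0x2C8,0x41A78A,0xA40000,4,0) ret=0
"""


@dataclass
class ApiCall:
    pid: int      # calling process
    api: str      # API name as logged
    args: list    # integer arguments in call order
    ret: int      # return value (0 means failure for every API in this chain)


def parse_trace(text):
    """Parse trace lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [int(a, 0) for a in m.group("args").split(",") if a.strip()]
        calls.append(ApiCall(int(m.group("pid")), m.group("api"), args,
                             int(m.group("ret"), 0)))
    return calls


def first_failed_call(calls):
    """Return (index, api name) of the first call whose return is 0/NULL, or None.

    Every call after the first failure is operating on a bad handle or address,
    so this is the one to look at first when debugging the chain.
    """
    for i, c in enumerate(calls):
        if c.ret == 0:
            return i, c.api
    return None


def find_cross_process_writes(calls):
    """Flag WriteProcessMemory calls made through a handle that OpenProcess
    returned for a *different* process, keyed by (caller pid, handle value)."""
    handles = {}    # (caller pid, handle) -> target pid
    findings = []
    for c in calls:
        if c.api == "OpenProcess" and c.ret != 0 and len(c.args) >= 3:
            handles[(c.pid, c.ret)] = c.args[2]       # args: access, inherit, pid
        elif c.api == "WriteProcessMemory" and len(c.args) >= 4:
            target = handles.get((c.pid, c.args[0]))  # args[0] is hProcess
            if target is not None and target != c.pid:
                findings.append({
                    "source_pid": c.pid,
                    "target_pid": target,
                    "address": c.args[1],
                    "size": c.args[3],
                    "ok": c.ret != 0,
                })
    return findings


def summarize(text):
    """Combine both checks into one report for a trace."""
    calls = parse_trace(text)
    return {
        "calls": len(calls),
        "first_failure": first_failed_call(calls),
        "cross_process_writes": find_cross_process_writes(calls),
    }


if __name__ == "__main__":
    report = summarize(TRACE)
    print("calls parsed:", report["calls"])
    print("first failing call:", report["first_failure"])
    for f in report["cross_process_writes"]:
        print("cross-process write:", f)
```

On the constructed trace the report names the second WriteProcessMemory (index 6) as the first failure, and lists two writes from pid 1234 into pid 5678, the second of which did not succeed; on a real trace the same two checks separate "which step of my setup is wrong" from "which process is writing into which".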