Delphi - Access violation when try to overwrite an instruction with DLL Injection

て烟熏妆下的殇ゞ 提交于 2020-01-25 19:01:27

问题


Good morning. I'm trying to learn about DLL injection, so I've wrote a little software, that just gets a String, compares with StrCmp() and if the input was equal "Winner", the software gives a Good boy message, with the porpouse of learn DLL injection. So I write a DLL that loads a Form when inject, the porpouse is using the DLL injection, to modify the Instruction of comparison( JNZ(74) to JMP(EB)), and make the software, accept any string. My DLL code is:

library Project2;
uses
  SysUtils,
  Windows,
  Classes,
  Unit1 in 'Unit1.pas' {Form1};

{$R *.res}
var
Hproccess:THandle;
Hid:Cardinal;
b:Boolean=false;

       Procedure Chamar;
       begin
        Form1:=TForm1.Create(nil);
       Form1.ShowModal;
       end;
begin
Hproccess:=OpenProcess(PROCESS_ALL_ACCESS,false,GetCurrentProcessID);
CreateRemoteThread(Hproccess,nil,0,@Chamar,@Chamar,0,Hid);
end.

How can you see, the DLL just Create a new Thread to load the Form(Form1). The problem is, when I write in the Memory Addres to overwrite the JNZ instruction, Windows don't let me do it, and returns the Message of Access Violation at Address 005B55A9. My form code also is very simple.

    unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Button2: TButton;
    procedure Button2Click(Sender: TObject);

  private

  public

  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}
procedure TForm1.Button2Click(Sender: TObject);
var
Memory:Dword;
begin
Memory:=$005B55A9;
PDWORD(Memory)^:=225; {EB=225}
Free();
end;
end.

What Am I doing of wrong? How can I overwrite the instruction of JNZ(74) to JMP(EB) without Access Violation error? Sorry for my mistakes, I started to read about it yesterday, that was my first example. I already have the Injector(Extreme Injector). My doubt is just about the DLL coding. Can you help me?

I forgot to say, I use Windows 10...


回答1:


Assuming that, as you claim, that address is a valid address in your process, an access violation would indicate that the protection flags for that address do not permit writing. That would typically be the case for the code in your process.

A couple of ways to deal with that:

  1. Use VirtualProtect to change the protection for that address. Typically you'll want to restore the protection to its original value once you have made your modification.
  2. Use [WriteProcessMemory][3] to perform the memory write. This will change the protection to allow writing, make the modification, and restore the original protection. If the address in fact refers to a different process, then you have to use WriteProcessMemory to modify the memory.

Examples of using VirtualProtect for such purposes abound. For instance, this post shows how to patch some code, and use VirtualProtect to arrange that the memory can be written to. The actual data written in that post differs from yours, but the point is to demonstrate how to use VirtualProtect.

Before you proceed, make sure you read the documentation carefully.



来源:https://stackoverflow.com/questions/40263014/delphi-access-violation-when-try-to-overwrite-an-instruction-with-dll-injectio

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!