Originally posted by devnul
Could you post the lines you changed?
dn
Sure — here's the modified InjectCode function, with the sizeof(inj) terms added in (what I think are) the right places:
// V2 - Allocates memory, injects our sniffer code into it, and gets it started.
//
// Copies the INJECTSTRUCT parameter block plus the whole memory region that
// contains InternalHookProc into a freshly allocated page, flips that page to
// PAGE_EXECUTE_READWRITE, and installs a WH_GETMESSAGE hook for the calling
// thread whose procedure is the copy of InternalHookProc.
//
// Returns FALSE only when VirtualAlloc fails. Every other API call in here
// (VirtualQuery, GetModuleHandle/GetProcAddress, VirtualProtect,
// SetWindowsHookEx) is unchecked, so a failure in any of them still returns
// TRUE with a partially initialized page.
//
// NOTE(review): the observable footprint — a private page made executable via
// VirtualProtect, a run of GetProcAddress lookups, and a hook procedure that
// lies outside any loaded module — is exactly what endpoint detection keys on.
BOOL InjectCode()
{
    LPVOID pvCode;                  // base of the allocated page: inj first, then code
    LPVOID pvMem;                   // decoded address the injected code will watch
    INJECTSTRUCT inj;               // parameter block written to the start of the page
    LPVOID pvStart;                 // address of InternalHookProc in this module
    DWORD dwLen;                    // region size + dwOffset; clobbered by VirtualProtect below
    MEMORY_BASIC_INFORMATION mbi;   // not initialized; only VirtualQuery fills it in
    // MAKEWORD(0, x) puts x in bits 8-15 and MAKELONG(w, 0) keeps it there,
    // i.e. dwOffset == INJECT_OFFSET << 8 (INJECT_OFFSET must fit in a byte).
    DWORD dwOffset = MAKELONG(MAKEWORD(0, INJECT_OFFSET), 0);
    DWORD dwFuncOffset;             // distance of InternalHookProc from its region base
    // The start of the function we're injecting
    pvStart = (LPVOID)InternalHookProc;
    // Figure out how large our memory block is that contains our sniffer code.
    // Return value is not checked: if VirtualQuery fails, mbi.BaseAddress and
    // mbi.RegionSize are read uninitialized on the next lines.
    VirtualQuery(pvStart, &mbi, sizeof(mbi));
    // The (DWORD) casts truncate pointers; this arithmetic is only valid on a
    // 32-bit build (use a pointer-sized type if this is ever built for x64).
    dwFuncOffset = (DWORD)pvStart - (DWORD)mbi.BaseAddress;
    // Determine the length of the code to inject, and add the size of the offset to it.
    dwLen = (DWORD)mbi.RegionSize + dwOffset;
#ifdef _SNIFFDEBUG
    TCHAR szMsg[MAX_PATH];
    // %d is fed a size_t sum and %X a pointer below; both only line up while
    // the build is 32-bit.
    wsprintf(szMsg, _T("Injecting code length %d ...\n"), dwLen + sizeof(inj));
    OutputDebugString(szMsg);
#endif
    // Allocate a writeable memory block in preparation for injection ...
    // Page layout: [inj][dwOffset bytes of gap][mbi.RegionSize bytes of code],
    // which is dwLen + sizeof(inj) bytes in total.
    pvCode = VirtualAlloc(NULL, dwLen + sizeof(inj), MEM_COMMIT, PAGE_READWRITE);
    if (!pvCode) return FALSE; // Failed to allocate memory
#ifdef _SNIFFDEBUG
    wsprintf(szMsg, _T("Code allocated at 0x%8.8X\n"), pvCode);
    OutputDebugString(szMsg);
#endif
    // Get the memory address to sniff for, and de-xor it.
    // gsh_pvEQKey, gsh_xorby and xormem are defined elsewhere; presumably the
    // local copy is decoded in place and the global is left encoded.
    pvMem = gsh_pvEQKey;
    xormem(&pvMem, gsh_xorby, sizeof(pvMem));
    // Clear and fill out the struct with pointers to our API calls and some other useful stuff
    // such as the SEQ box socket addr, the memory pointer to sniff, etc.
    ZeroMemory(&inj, sizeof(inj));
    inj.addr = gsh_SEQAddr;
    inj.pvmem = pvMem;
    inj.ullLastKey = MAXDWORD;  // NOTE(review): "ull" suggests a 64-bit field but it is seeded with the 32-bit MAXDWORD — confirm intent
    // None of these lookups is checked. GetModuleHandle returns NULL when the
    // module is not already loaded in this process, and GetProcAddress on NULL
    // (or a missing export) yields NULL, which is then stored for the injected
    // code to call through.
    inj.func_VirtualQuery = (VIRTUALQUERY) GetProcAddress(GetModuleHandle(_T("KERNEL32")), "VirtualQuery");
    inj.func_IsBadReadPtr = (ISBADREADPTR) GetProcAddress(GetModuleHandle(_T("KERNEL32")), "IsBadReadPtr");
    inj.func_socket = (CREATESOCKET) GetProcAddress(GetModuleHandle(_T("WSOCK32")), "socket");
    inj.func_sendto = (SENDTO) GetProcAddress(GetModuleHandle(_T("WSOCK32")), "sendto");
    inj.func_closesocket = (CLOSESOCKET) GetProcAddress(GetModuleHandle(_T("WSOCK32")), "closesocket");
    inj.func_CallNextHookEx = (CALLNEXTHOOKEX) GetProcAddress(GetModuleHandle(_T("USER32")), "CallNextHookEx");
    // Write the injection struct to the beginning of the memory page.
    CopyMemory(pvCode, &inj, sizeof(inj));
    // Copy our DLL code into the memory page starting at the offset specified.
    // dwLen - dwOffset == mbi.RegionSize, so this fills exactly the bytes that
    // remain after inj and the dwOffset gap — the sizeof(inj) terms here and in
    // the VirtualAlloc call are consistent.
    CopyMemory((LPBYTE)pvCode + dwOffset + sizeof(inj), mbi.BaseAddress, dwLen - dwOffset);
    // Mark the code's memory to allow execution.
    // The last argument is lpflOldProtect, so dwLen is overwritten with the
    // previous protection value here. Nothing reads dwLen afterwards, so it is
    // harmless today, but a separate DWORD dwOld would make that explicit.
    // Return value unchecked: if this fails the page stays non-executable and
    // the hook below is installed regardless.
    VirtualProtect(pvCode, dwLen + sizeof(inj), PAGE_EXECUTE_READWRITE, &dwLen);
#ifdef _SNIFFDEBUG
    OutputDebugString(_T("Setting hook procedure...\n"));
#endif
    // Set a hook into the message pump of the process's main thread
    // (strictly, the calling thread — GetCurrentThreadId). The hook procedure
    // is the copy of InternalHookProc at the same offset within the copied
    // region; no relocation is applied to the copy. The returned handle is
    // stored in the struct at the start of the page and is not checked for NULL.
    ((LPINJECTSTRUCT)pvCode)->hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)((LPBYTE)pvCode + dwOffset + sizeof(inj) + dwFuncOffset), NULL, GetCurrentThreadId());
    return TRUE;
}