Topic: Hot-patching (numeric) constant / literal in an executable?

Husbjörn

I have recently managed to manipulate a program to set the upper bound of a for-loop to a desirable value through de- and reassembling it.
However, for reasons I'm not allowed to modify the physical executable file (or rather, I wouldn't be able to release a modified version of it legally). I was therefore wondering what my options are to achieve this patching on the fly? The actual instruction in question is a MOV operation where I need to modify the second, literal argument.
ReadProcessMemory is unable to view this value (presumably because it isn't stored on the heap?) so that won't work. It feels like there should be some way to achieve this.

What I have at my disposal is access to a dll that is loaded and used by the application in question, so I should hopefully have the required access rights. The program in question is furthermore a Win32 application that is always run as an administrator.
Any ideas or suggested reading?  ???

paul

If it depends on ddraw.dll or dsound.dll or any other DLL that it will load from the same dir as the exe, then that's an easy way to inject code. Make a proxy version of any of these DLLs and then apply your patch in memory during the DllMain entry point.

Husbjörn

Make a proxy version of any of these dlls and then apply your patch in memory during dllmain entry point.
That is what I'm planning to do yes, but the point I'm stuck at is how to access the actual program memory.
I can imagine what I need to do is find a function pointer to the entry point of the executable and then work with offsets from there, but how would I do this? GetProcAddress won't work because the target is an executable that doesn't export any named functions (or is it possible still? The documentation says ordinals, i.e. (char*)1, can only be used with DLLs though, but maybe there is some other function to get this pointer?).

Edit: ah, it was too simple x)
For anyone wondering, the HMODULE of the base program is also a pointer to the executable data, which can be read but not written to normally. Using WriteProcessMemory, you can write to it as well. So problem solved :)
« Last Edit: 2015-09-19 09:07:31 by Husbjörn »

paul

Easy, if you find out that the function is at 0xdead then just write to that address :)

char* buffer = (char*)0xdead;
*buffer = 0x0; // will crash unless you use VirtualProtect first; WriteProcessMemory is overkill because that's for remote processes
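Putting Husbjörn's edit (the HMODULE of the main executable is its load base) and paul's reply (write in-process after VirtualProtect) together, here is an added C example that is not code from either poster. It locates the MOV's 32-bit immediate at an offset from the image base, makes the page writable, overwrites the 4 bytes and restores the protection; the POSIX branch uses mprotect so the same code runs on Linux. The names exe_rva_to_va, find_mov_imm32, patch_imm32 and demo_patch_loop_bound, and the SAMPLE_CODE bytes standing in for the target's .text section, are all constructed for this example. The check that the current immediate equals the expected old value before writing is what catches a wrong offset, which otherwise silently corrupts a different instruction.

```c
#define _GNU_SOURCE            /* MAP_ANONYMOUS / mprotect declarations on glibc */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#endif

/* Constructed stand-in for a few bytes of the target's .text section (x86):
 *   push ebp / mov ebp,esp / mov ecx,0x10 / xor eax,eax / ret
 * "mov ecx, 0x10" (opcode B9 + imm32) plays the loop bound the thread wants to change. */
static const uint8_t SAMPLE_CODE[] = {
    0x55, 0x89, 0xE5,
    0xB9, 0x10, 0x00, 0x00, 0x00,
    0x31, 0xC0, 0xC3
};

static size_t page_size(void)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    return si.dwPageSize;
#else
    return (size_t)sysconf(_SC_PAGESIZE);
#endif
}

#ifdef _WIN32
/* Hypothetical helper: an RVA taken from the disassembly becomes a runtime address by
 * adding it to the main executable's HMODULE, which is its load base. */
uint8_t *exe_rva_to_va(uintptr_t rva)
{
    return (uint8_t *)GetModuleHandleW(NULL) + rva;
}
#endif

/* Naive byte scan for a "mov r32, imm32" (opcodes B8..BF) whose immediate equals `imm`;
 * returns its offset or -1. A byte scan can match inside another instruction, so use it
 * only to cross-check the offset the disassembler gave. */
long find_mov_imm32(const uint8_t *code, size_t len, uint32_t imm)
{
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] >= 0xB8 && code[i] <= 0xBF) {
            uint32_t v;
            memcpy(&v, code + i + 1, sizeof v);   /* x86 immediates are little-endian */
            if (v == imm) return (long)i;
        }
    }
    return -1;
}

/* Rewrite the imm32 of the "mov r32, imm32" at `insn` inside the current process.
 * Guards (checked before any protection change): opcode must be B8..BF and the current
 * immediate must equal `expected_old`. Then the page is made writable, 4 bytes are
 * written, and the previous protection is restored. Returns 0 on success, -1 otherwise. */
int patch_imm32(uint8_t *insn, uint32_t expected_old, uint32_t new_value)
{
    if (insn[0] < 0xB8 || insn[0] > 0xBF) return -1;
    uint32_t cur;
    memcpy(&cur, insn + 1, sizeof cur);
    if (cur != expected_old) return -1;

    size_t ps = page_size();
    uint8_t *page = (uint8_t *)((uintptr_t)insn & ~(uintptr_t)(ps - 1));
    size_t span = (size_t)((insn + 5) - page);   /* also covers an immediate straddling a page */
#ifdef _WIN32
    DWORD old;
    if (!VirtualProtect(page, span, PAGE_EXECUTE_READWRITE, &old)) return -1;
    memcpy(insn + 1, &new_value, sizeof new_value);
    VirtualProtect(page, span, old, &old);
    FlushInstructionCache(GetCurrentProcess(), insn, 5);
#else
    if (mprotect(page, span, PROT_READ | PROT_WRITE) != 0) return -1;
    memcpy(insn + 1, &new_value, sizeof new_value);
    if (mprotect(page, span, PROT_READ | PROT_EXEC) != 0) return -1;
#endif
    return 0;
}

/* Self-contained run: map a page, install SAMPLE_CODE as read+execute (no write, like a
 * real .text section), patch the bound, and return the immediate read back (0 on failure). */
uint32_t demo_patch_loop_bound(uint32_t new_bound)
{
    size_t ps = page_size();
    uint32_t result = 0;
    long off;
#ifdef _WIN32
    DWORD old;
    uint8_t *text = VirtualAlloc(NULL, ps, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!text) return 0;
    memcpy(text, SAMPLE_CODE, sizeof SAMPLE_CODE);
    int protected_ok = VirtualProtect(text, ps, PAGE_EXECUTE_READ, &old) != 0;
#else
    uint8_t *text = mmap(NULL, ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (text == MAP_FAILED) return 0;
    memcpy(text, SAMPLE_CODE, sizeof SAMPLE_CODE);
    int protected_ok = mprotect(text, ps, PROT_READ | PROT_EXEC) == 0;
#endif
    off = find_mov_imm32(text, sizeof SAMPLE_CODE, 0x10);
    if (protected_ok && off >= 0 && patch_imm32(text + off, 0x10, new_bound) == 0)
        memcpy(&result, text + off + 1, sizeof result);
#ifdef _WIN32
    VirtualFree(text, 0, MEM_RELEASE);
#else
    munmap(text, ps);
#endif
    return result;
}
```

In the proxy-DLL scenario paul describes, the call from DllMain would be patch_imm32(exe_rva_to_va(rva_from_disassembly), 0x10, new_bound). Working from an RVA plus the module base rather than a fixed absolute address matters because the image base can differ from run to run under ASLR, and the expected-old-value guard turns a wrong RVA into a clean -1 instead of a corrupted instruction.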