GeekByChoiCe 152 Practically a Master Poster Featured Poster

I'm trying to inject my VB.NET DLL into the notepad process to hook one of its functions. Now it seems I face two problems....

GetProcAddress returns 0 (it also does if I call that function via a C++ DLL).
It might be Vista? Anyway, the next problem is that I want to write the address of the new function into memory at the procaddr (if I ever get it). Does someone have an idea how to get the proc address another way that is supported on Vista?

I have created two functions for getting the address of the new function, but the problem is that each function returns a different pointer o.O

I really don't know now which one is the correct one to use. Maybe someone could help me out with that?

The thing is that my DLL is loaded into notepad.exe, so I really don't understand the problem :s

Imports System.Runtime.InteropServices

Public Class eth

    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As System.UInt32, ByRef lpNumberOfBytesWritten As Int32) As Boolean
    Private Declare Function GetLastError Lib "kernel32" () As Integer
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal ModuleHandle As IntPtr, <[In](), MarshalAs(UnmanagedType.LPStr)> ByVal lpProcName As String) As IntPtr
    Private Declare Function GetModuleHandle Lib "kernel32.dll" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As IntPtr
    Private Declare Function SetLastError Lib "kernel32" (ByVal dwErrCode As Integer) As Integer
    Private Delegate Function CallBack(ByVal x As Integer) As Integer

    Private Shared logFile As String = "E:\Release\eth.log"

    Public Shared Function CoutMe(ByVal x As String) As Integer
        Dim proc As Process = Process.GetProcessesByName("notepad")(0)
        For i As Integer = 0 To proc.Modules.Count - 1
            If IO.Path.GetFileName(proc.Modules(i).FileName) = "eth.dll" Then
                logIt(proc.Modules(i).FileName & " LOADED", -1)
            End If
        Next

        SetLastError(0)

        Dim mHandle As IntPtr = GetModuleHandle("notepad.exe")
        logIt("module handle: " & mHandle.ToInt32(), GetLastError)

        Dim addr As IntPtr = GetProcAddress(mHandle, "InsertDateTime")
        logIt("InsertDateTime address " & addr.ToInt32(), GetLastError)

        'Dim newAddr As IntPtr = marshalIT() 'returns 02 6F C6 10
        Dim newAddr As IntPtr = delegateIT() 'returns 01 B0 09 72

        Dim tmpBuff() As Byte = BitConverter.GetBytes(newAddr.ToInt32())
        Dim buffer(4) As Byte
        buffer(0) = 233 'JMP
        Array.ConstrainedCopy(tmpBuff, 0, buffer, 1, tmpBuff.Length)

        'replace old addr with my addr
        WriteProcessMemory(Process.GetCurrentProcess().Handle, addr, buffer, buffer.Length, 0)
        logIt("Last Error after WriteProcessMemory: ", GetLastError)
        MsgBox("done")
    End Function

    Private Shared Sub logIt(ByVal s As String, ByVal i As Integer)
        Dim rightnow As String = "[" & DateTime.Now & "] "
        IO.File.AppendAllText(logFile, rightnow & s & " - Err Code: " & i & vbNewLine)
    End Sub

    'use marshal for function pointer
    Private Shared Function marshalIT() As IntPtr
        Dim gh As GCHandle
        gh = GCHandle.Alloc(new_InsertDateTime(12), GCHandleType.Pinned)
        logIt("Our function Location (marshalIT): " & gh.AddrOfPinnedObject.ToInt32(), -1)
        marshalIT = gh.AddrOfPinnedObject()
        gh.Free()
    End Function

    Private Shared Function delegateIT() As IntPtr
        Dim bCall As CallBack = (AddressOf new_InsertDateTime)
        Dim myAddr As IntPtr = Marshal.GetFunctionPointerForDelegate(bCall)
        logIt("Our function Location (delegateIT): " & myAddr.ToInt32(), -1)
        delegateIT = myAddr
    End Function

    'replacing function
    Private Shared Function new_InsertDateTime(ByVal x As Integer) As Integer
        MsgBox("t00t " & x)
    End Function
End Class

I have logged what happens and this is the result:

[29.07.2009 13:47:39] ##############################
[29.07.2009 13:47:22] Start process with id: 4680
[29.07.2009 13:47:22] E:\ethica\ethicaD\bin\Release\ethicaD.dll LOADED - Err Code: -1
[29.07.2009 13:47:23] module handle: 2883584 - Err Code: 0
[29.07.2009 13:47:24] InsertDateTime address 0 - Err Code: 127
[29.07.2009 13:47:27] Our function Location (marshalIT): 40879632 - Err Code: -1
[29.07.2009 13:47:27] Last Error after WriteProcessMemory: - Err Code: 487
[29.07.2009 13:47:39] ############################################################
[29.07.2009 14:08:21] Start process with id: 1728
[29.07.2009 14:08:22] E:\Release\eth.dll LOADED - Err Code: -1
[29.07.2009 14:08:22] module handle: 2883584 - Err Code: 0
[29.07.2009 14:08:23] InsertDateTime address 0 - Err Code: 127
[29.07.2009 14:08:23] Our function Location (delegateIT): 29297010 - Err Code: -1
[29.07.2009 14:08:24] Last Error after WriteProcessMemory: - Err Code: 487
[29.07.2009 14:08:29] #############################


I really hope someone can help me with that case :$
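
From the defender's side, the kind of patch attempted in the post (a 0xE9 byte followed by four address bytes at a function's entry) can be found by decoding each function's first instruction and checking which loaded module owns the jump target. The sketch below is an added example, not part of the original post; the module sizes, function names and function addresses are constructed, and only the module base 2883584 and the thunk address 29297010 are taken from the log above.

```python
import struct

JMP_REL32 = 0xE9  # same opcode the post stores as buffer(0) = 233

def jmp_target(prologue: bytes, func_addr: int):
    """Absolute target of a leading 5-byte JMP rel32, else None."""
    if len(prologue) < 5 or prologue[0] != JMP_REL32:
        return None
    (rel,) = struct.unpack_from("<i", prologue, 1)
    # rel32 is measured from the end of the 5-byte instruction
    return (func_addr + 5 + rel) & 0xFFFFFFFF

def owner_of(addr: int, modules):
    """Name of the loaded module whose image range contains addr."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def scan(functions, modules):
    """Flag functions whose first instruction jumps out of their own module."""
    findings = []
    for name, addr, prologue in functions:
        target = jmp_target(prologue, addr)
        if target is None:
            continue
        home, dest = owner_of(addr, modules), owner_of(target, modules)
        if dest != home:
            findings.append((name, hex(target), dest or "unbacked memory"))
    return findings

# Constructed sample data (32-bit process). Only the base 2883584 and the
# thunk address 29297010 are taken from the log in the post.
MODULES = [("notepad.exe", 2883584, 0x30000), ("eth.dll", 0x10000000, 0x8000)]
F1, F2, F3 = 0x2C1A30, 0x2C2000, 0x2C3000  # hypothetical function addresses

def jmp(src, dst):
    """Build the 5 bytes of a JMP rel32 placed at src that lands on dst."""
    return bytes([JMP_REL32]) + struct.pack("<i", dst - (src + 5))

FUNCTIONS = [
    ("func_patched", F1, jmp(F1, 29297010)),          # leaves every image
    ("func_tailcall", F2, jmp(F2, F3)),               # stays inside notepad.exe
    ("func_clean", F3, bytes.fromhex("8bff558bec")),  # ordinary prologue
]

if __name__ == "__main__":
    for finding in scan(FUNCTIONS, MODULES):
        print(finding)
```

A target that no loaded image backs, such as a runtime-generated delegate thunk, is reported as "unbacked memory"; a jump that stays inside the function's own module is treated as an ordinary tail call and not flagged.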
