I have an exe file that I had written a while back and cannot find the source code for it (it was written in C++).
It calls the MessageBoxA function in user32.dll and passes necessary parameters to it. I want to modify the flags parameter to include the MB_ICONERROR (0x10) flag.
How do I go about finding which bytes in the exe file need to be modified to accomplish this?
You need a disassembler like ICE or IDA. https://www.hex-rays.com/products/ida/support/download.shtml.
Load the executable. Find the Win32 API call in the Names window; to find it, just type the function name. Then double-click the CODE XREF to go to the referencing caller.
Then you get what you want:
Just select the line and click on Hex-View to get the address.
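Once IDA has given you the virtual address of the `push` that supplies the uType argument, you still have to turn that address into a file offset and change the right byte. The script below is an added example (not part of the answer above): it walks the PE section table to map a VA to a file offset, then ORs MB_ICONERROR into the immediate of a `push imm8` (6A xx) or `push imm32` (68 xx xx xx xx). The PE image it operates on is a constructed minimal header plus a few instruction bytes, built inline so the script runs offline; the VA 0x401000 and the IAT address in the `call` are assumptions for that sample, not values from the original exe.

```python
"""Map an IDA virtual address to a file offset and patch a MessageBoxA uType push.

Added example: parses the PE section table, converts VA -> file offset, and
ORs a flag into a `push imm8` / `push imm32` immediate.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
MB_ICONERROR = 0x10


def parse_sections(data):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    table = opt + size_of_optional
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data, va):
    """Translate a virtual address (as IDA shows it) to an offset in the file."""
    image_base, sections = parse_sections(data)
    rva = va - image_base
    for name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:   # .bss-style tail: exists in memory, not in the file
                raise ValueError(f"{va:#x} is in {name} but not backed by file data")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def patch_push_flags(data, va, flag):
    """OR `flag` into the immediate of the push at `va`; returns a new bytes object."""
    off = va_to_file_offset(data, va)
    buf = bytearray(data)
    opcode = buf[off]
    if opcode == 0x6A:                                   # push imm8 (sign-extended to 32 bits)
        old = buf[off + 1]
        new = old | flag
        if old > 0x7F or new > 0x7F:
            raise ValueError("imm8 would sign-extend differently; re-encode as push imm32")
        buf[off + 1] = new
    elif opcode == 0x68:                                 # push imm32
        old = struct.unpack_from("<I", buf, off + 1)[0]
        struct.pack_into("<I", buf, off + 1, old | flag)
    else:
        raise ValueError(f"byte at file offset {off:#x} is {opcode:#04x}, not a push imm")
    return bytes(buf)


def build_sample_pe():
    """Constructed minimal PE32 (not a real program): one .text section at VA 0x401000."""
    text = bytes([
        0x6A, 0x40,                           # 0x401000: push 40h  (uType, imm8 form)
        0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,   # 0x401002: push 0 ; push 0 ; push 0
        0xFF, 0x15, 0x00, 0x20, 0x40, 0x00,   # 0x401008: call dword ptr [0x402000] (assumed IAT slot)
        0x68, 0x40, 0x00, 0x00, 0x00,         # 0x40100E: push 40h  (imm32 form)
        0xC3,                                 # 0x401013: ret
    ])
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # Section/File alignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + text.ljust(0x200, b"\0")


if __name__ == "__main__":
    exe = build_sample_pe()
    va = 0x401000
    off = va_to_file_offset(exe, va)
    patched = patch_push_flags(exe, va, MB_ICONERROR)
    print(f"VA {va:#x} -> file offset {off:#x}; immediate {exe[off + 1]:#x} -> {patched[off + 1]:#x}")
```

On a real exe, replace `build_sample_pe()` with the file's bytes and `va` with the address IDA shows for the `push`. The imm8 check matters: `push 0x70` (6A 70) can take the 0x10 flag, but if the OR would set bit 7 the immediate sign-extends to a different value and the instruction must be re-encoded as 68 imm32, which changes the instruction length.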
Related to: How to find a function's address to hook/detour in an EXE file?
I have to detour a function defined inside the executable I'm injecting my code into. The application is open-source, so I know everything about the function I'd need for hooking it.
In the accepted answer to that question, it says to hook some low-level Windows API functions first to get the address of the actual function I want to hook. The question is: which Windows API function should I hook?
Choose an API inside your target EXE that gets called first when it runs. Load it into OllyDbg and trace until you find one.
Recently I made a program which hooks the function "WriteFile" in notepad.exe.
I'd like to get the full path of the document which is hooked by my application, so I used
GetModuleFileName / GetModuleFileNameEx. However, the only string I could find is
'notepad.exe'
Regarding this situation, I'd like to ask you a question.
Is there any method to get the document's file name, like C:\Desktop\test.txt?
First of all, I can't even begin to imagine the point of your program. It seems highly likely to me that there would be a better way to meet your actual goal.
But, taking the question at face value, if you have hooked WriteFile then presumably you could also hook CreateFile. If that's not an option, for whatever reason, then you can easily find the file name from your hooked WriteFile. Call GetFileInformationByHandleEx passing FileNameInfo.
If notepad received the document's file name from the command line, use the GetCommandLine function.
I have an MFC DLL that is loaded by a 3rd party application. How can I get the DLL filename from within the code of the DLL? That is, for example, if the DLL's name is mycode.dll, in code I want to be able to retrieve the string "mycode.dll".
I should add that if the DLL file name is changed on disk then I would like to get the current name on disk (I don't mean changed during run-time but changed between invocations of the main program).
My DLL is implemented as a CWinApp class, my code has no explicit DllMain.
You can call AfxGetStaticModuleState to get a pointer to an AFX_MODULE_STATE structure, which has a member m_lpszCurrentAppName containing the module name (app or DLL depending on where it's called from).
See the GetModuleFileName function.
When you pass in NULL for the first parameter, it will just use the handle for the current process.
GetModuleFileName function definitely returns the EXE THAT LOADED THE DLL... not the DLL itself. I would have posted this as a comment above but I don't have enough points yet, meh.
I receive from an application a message like this:
"The instruction at 0xA.... referenced memory at 0xB..... The memory could not be "written". Click on OK to terminate the program"
The address 0xA looks valid: 0x10001053. Exe is mapped in memory by default at 0x40000000 and dlls at 0x10000000, so it's in the first loaded dll at offset 1053h.
Does someone know a method to transform this address into a source line?
You should be able to locate it with the help of a map file. You may need to tweak some of your compiler/linker options to get the map file generated with sufficient detail.
If you are using the MS compiler then you need the /MAP linker option.
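With a map file in hand the lookup is mechanical: take the faulting address, rebase it if the module was not loaded at its preferred address, and find the public symbol with the largest address that is still below it. The script below is an added example (not part of the answer above) that does this for an MSVC /MAP file. The map text is constructed inline in the linker's layout, with made-up symbol names and addresses, so that it runs offline; in particular the preferred base 0x10000000 and the symbol at 0x10001040 are assumptions chosen to match the 0x10001053 address from the question.

```python
"""Resolve a faulting address to the nearest preceding public symbol in an
MSVC linker map file (/MAP). Added example with a constructed sample map."""
import bisect
import re

# Constructed sample (not from a real build); follows the MSVC /MAP layout.
SAMPLE_MAP = """\
 myplugin

 Timestamp is 5f1a2b3c (Fri Jul 24 10:00:00 2020)

 Preferred load address is 10000000

 Start         Length     Name                   Class
 0001:00000000 00000a34H .text$mn                CODE
 0002:00000000 00000168H .rdata                  DATA

  Address         Publics by Value              Rva+Base       Lib:Object

 0000:00000000       ___safe_se_handler_count   00000000     <absolute>
 0001:00000000       _DllMain@12                10001000 f   myplugin.obj
 0001:00000040       ?Frobnicate@@YAHPAD@Z      10001040 f   frob.obj
 0001:00000120       ?Serialize@@YAXPAX@Z       10001120 f   serial.obj
 0002:00000000       ??_C@_0N@ABCDEFGH@hello@   10002000     serial.obj

 entry point at        0001:00000000
"""

# section:offset  symbol  Rva+Base  [f] [i]  object
PUBLIC_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s+([0-9A-Fa-f]{8})"
    r"(?:\s+(f)(?=\s|$))?(?:\s+(i)(?=\s|$))?(?:\s+(\S.*?))?\s*$")
BASE_RE = re.compile(r"Preferred load address is ([0-9A-Fa-f]+)")


def parse_map(text):
    """Return (preferred_base, entries); entries are (address, name, is_function, object)
    sorted by address. Only public symbols appear in a map file, so a fault inside a
    static function resolves to the nearest public symbol before it."""
    base = None
    entries = []
    for line in text.splitlines():
        m = BASE_RE.search(line)
        if m:
            base = int(m.group(1), 16)
            continue
        m = PUBLIC_RE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) == 0:   # section 0000 = absolute symbol, not in the image
            continue
        entries.append((int(m.group(4), 16), m.group(3), m.group(5) == "f", m.group(7) or ""))
    if base is None:
        raise ValueError("no 'Preferred load address' line; not an MSVC map file?")
    entries.sort()
    return base, entries


def resolve(entries, preferred_base, fault_addr, actual_base=None):
    """Return (symbol, offset_from_symbol, object) for fault_addr.
    If the DLL was relocated, pass the base it was really loaded at (from the
    debugger's module list) so the address is translated back to the map's base."""
    addr = fault_addr if actual_base is None else fault_addr - actual_base + preferred_base
    keys = [e[0] for e in entries]
    i = bisect.bisect_right(keys, addr) - 1
    if i < 0:
        raise ValueError(f"{fault_addr:#x} lies before the first public symbol")
    sym_addr, name, _is_func, obj = entries[i]
    return name, addr - sym_addr, obj


if __name__ == "__main__":
    base, entries = parse_map(SAMPLE_MAP)
    name, off, obj = resolve(entries, base, 0x10001053)
    print(f"0x10001053 -> {name}+{off:#x} ({obj})")
    # Same fault if the loader had to relocate the DLL to 0x00E50000:
    print(resolve(entries, base, 0x00E51053, actual_base=0x00E50000))
```

The names come out decorated (`?Frobnicate@@YAHPAD@Z`); undname.exe from the Visual C++ toolset or the debugger will demangle them. To get from symbol+offset to an exact line, open the disassembly of that function at that offset, as the next answer describes, or build with /DEBUG and use the .pdb instead of the map.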
If you have an interactive debugger, open the disassembler window and look for the code label that precedes the assembler line. That should correspond to a function in the source code (or to a function that has inlined the code that caused the problem).
Another trick is to use the call stack window, that way you could see all calls from the main function down to the function that caused the crash.
I have a C++ Windows application myapp.exe which loads several plug-ins.
Plug-ins need to find the path to their DLLs. I can use GetModuleFileName for this, but it needs the handle for the plug-in DLL. I don't know where to get this handle. GetModuleHandle(NULL) returns the handle to the executable.
One option is to use GetModuleHandle (GetModuleHandle("myplugin.dll")), but this requires the name of the plugin to be hardcoded, which I want to avoid.
Any help is appreciated.
Paul
I don't know where to get this handle
It's passed as a parameter to your DLLMain() entry function.
If the plugin can't access its DLLMain() entry function, it can use the VirtualQuery function on a piece of its own memory and use the AllocationBase field of the filled-in MEMORY_BASIC_INFORMATION structure as its HMODULE.