How to find address of function pointers in a running process?
I am currently using C++ under Windows XP and wish to find the address of a function. Could somebody help me please? If you could, please give me an example. Thanks.
Simplest way: Use the debug symbols.
If there are no symbols, you're going to have to figure out where your functions are the hard way (reverse compile, find entry points, find function which looks like the one you want). Software such as IDA Pro is your best bet.
Related
Well, i am feeling a little bit foolish asking something like this, but i' have no idea where the main function is in code i got from another person.
It's a pretty large Visual C++ project. So my question is simple, and please forgive me for asking this, but is there an easy way to find the entry point in a c++ solution in visual studio? It may not be called main, because there is a link to MFC tools (so perhaps WinMain).
Thank You!
Debug->Step Into used while you are not debugging should start debugging and will break at the entry point.
ctrl+, will give you some kind of search for member thing, then you look for your main function and it will possibly give you where it is declared.
I am trying to inject a DLL into another process with not much success. While doing my research I found out that there is more then one way to do this. The question is : What is the optimal way or When should I use let's say CreateRemoteThread() instead of LoadLibrary()?
Please look at Detours?
Also this - http://www.codeproject.com/Articles/30140/API-Hooking-with-MS-Detours
I need a way to edit the resources (A String Table, to be exact) of a compiled executable and I need to do it in C++.
Can anybody offer any guidance/sample code on how I can go about doing this?
Start with LoadLibrary() that and load an executable(the one you want to edit)
Then FindResource() and UpdateResource() as necessary.
Read all about it here:
PE format Resource Functions
If you're on Linux or OS X there's always the "strings" command that will print out all of the static strings in the executable. Combine that with something like "objdump" and some knowledge with a hex editor you may be able to cobble something together.
I don't know if that is even possible, once you have a compiled executable & it's just machine code, there isn't really a specific way to understand how to interpret it (and therefore find/edit the resources you're looking for)...i.e. once you have just the executable, you can't for sure know whether a word is an instruction in assembly or just a word representing a number, label, etc in assembly...
As far as I know.
You can have a look at the good old reference and source code of PeDump of Matt Pietrek. He does handle (read-only) the resources of PE files in C++. Maybe it will inspires you to solve your problem...
I want to print the code of a function in a DLL.
I loaded the dll, I have the name of the desired function, what's next?
Thank you!
Realistically, next is getting the code. What you have in the DLL is object code -- binary code in the form ready for the processor to execute, not ready to be printed.
You can disassemble what's in the DLL. If you're comfortable working with assembly language, that may be useful, but it's definitely not the original source code (nor probably anything very close to it either). If you want to disassemble it, loading it in your program isn't (usually) a very good starting point. Try opening a VS command line and using dumpbin /disasm yourfile.dll. Be prepared for a lot of output unless the DLL in question is really tiny.
Your only option to retrieve hints about the actual implemented functionality of said function inside the DLL is to reverse engineer whatever the binary representation of assembly happens to be. What this means is that you pretty much have to use a disassembler(IDA Pro, or debugger, e.g. OllyDbg) to translate the opcodes to actual assembly mnemonics and then just work your way through it and try to understand the details of how it functions.
Note, that since it is compiled from C/C++ there is lots and lots of data lost in the process due to optimization and the nature of the process; the resulting assembly can(and probably will) seem cryptic and senseless, but it still does it's job the exact same way as the programmer programmed it in higher level language. It won't be easy. It will take time. You will need luck and nerves. But it IS doable. :)
Nothing. A DLL is compiled binary code; you can't get the source just by downloading it and knowing the name of the function.
If this was a .NET assembly, you might be able to get the source using reflection. However, you mentioned C++, so this is doubtful.
Check out this http://www.cprogramming.com/challenges/solutions/self_print.html and this Program that prints its own code? and this http://en.wikipedia.org/wiki/Quine_%28computing%29
I am not sure if it will do what you want, but i guess it may help you.
If you could help me with this dilemma I have. Now, I know C \ C++, I know asm, I know about dll injection, I know about virtual memory addressing, but I just can't figure out how
software like CheatEngine, and others, manage to change a variable's value in another process.
For those who don't know, 3rd party cheat engine tools can scan for values in the memory space of a program and identify the location of a variable with a given value and change it.
My question is, how do they do it?
Given an address, if I were to write C code, how could I change the value at that address belonging to another process without getting an invalid addressing error?
Thanks.
I'm fairly certain those programs are pretending to be debuggers. On Windows, I would start with DebugActiveProcess() and go from there.
Oh, and the very useful looking ReadProcessMemory() function (and WriteProcessMemory()).
On unix: ptrace()
You can't do this with Standard C or C++ - you have to use operating system specific features. So you need to tell us which OS you are interested in.
You may also be interested in Detours:
Software packaged for detouring Win32 and application APIs.