Solved How to hook WriteProcessMemory?


till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Hey.


I'm currently programming a WPM hook.

Here is the code:


C++:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <Windows.h>
#include "detours.h"
#include <iostream>     // std::cout
#include <sstream>      // std::stringstream, std::stringbuf
#include <string>       // std::string
#include <cstdlib>      // malloc
#include <cstring>      // memcpy
#include <conio.h>

using namespace std;

typedef void ( APIENTRY *WriteProcessMemory_t )( _In_   HANDLE hProcess,
  _In_   LPVOID lpBaseAddress,
  _In_   LPCVOID lpBuffer,
  _In_   SIZE_T nSize,
  _Out_  SIZE_T *lpNumberOfBytesWritten );

WriteProcessMemory_t pWriteProcessMemory = NULL;

// Hooked WPM: calls through the gateway into the original function
void APIENTRY Hooked_WPM(_In_   HANDLE hProcess,
  _In_   LPVOID lpBaseAddress,
  _In_   LPCVOID lpBuffer,
  _In_   SIZE_T nSize,
  _Out_  SIZE_T *lpNumberOfBytesWritten)
{
	(*pWriteProcessMemory) (hProcess,
	  lpBaseAddress,
	  lpBuffer,
	  nSize,
	  lpNumberOfBytesWritten);
}

// Copies the first len bytes of src into a gateway, appends a jmp back to
// src+len, then overwrites the start of src with a jmp to dst. Returns the gateway.
void *DetourFunc( BYTE *src, const BYTE *dst, const int len )
{
	// NOTE: malloc'd heap memory is not executable; with DEP enabled, jumping
	// into this gateway raises an access violation.
	BYTE *jmp = (BYTE*)malloc( len + 5 );
	DWORD dwback;
	VirtualProtect( src, len, PAGE_READWRITE, &dwback );
	memcpy( jmp, src, len );
	jmp += len;
	jmp[0] = 0xE9;                                      // jmp rel32 back to src+len
	*(DWORD*)( jmp + 1 ) = (DWORD)( src + len - jmp ) - 5;
	src[0] = 0xE9;                                      // jmp rel32 to the hook
	*(DWORD*)( src + 1 ) = (DWORD)( dst - src ) - 5;
	VirtualProtect( src, len, dwback, &dwback );
	return ( jmp - len );
}

void HookWPM() // This hooks WPM
{
	HMODULE Kernel32 = GetModuleHandleA("kernel32.dll");
	pWriteProcessMemory = (WriteProcessMemory_t)DetourFunc( (LPBYTE)GetProcAddress(Kernel32, "WriteProcessMemory" ), (LPBYTE)&Hooked_WPM, 6 );
}

DWORD WINAPI dwMainThread( LPVOID )
{
	HookWPM();
	return TRUE;
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		CreateThread(0,0,dwMainThread,0,0,0);
		break;
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}


The hook itself obviously works (a MessageBox comes up when I code it into Hooked_WPM). But after that a message comes up with "... has stopped working". I can even read out the address where the process wrote something. So I don't think something is wrong with the hook itself. But it obviously can't jump back to the original function.


Would be glad for some suggestions or solutions :)
 

Rake

I'm not your friend
Administrator
This is how you hook WriteProcessMemory, only 6 years too late :)

C++:
#include <Windows.h>
#include <cstdint>
#include <cstring>

bool Hook32(char* src, char* dst, const intptr_t len)
{
    if (len < 5) return false;

    DWORD  curProtection;
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);

    // rel32 is measured from the end of the 5-byte jmp, hence the -5
    intptr_t  relativeAddress = (intptr_t)dst - (intptr_t)src - 5;

    *src = (char)0xE9;
    *(int32_t*)(src + 1) = (int32_t)relativeAddress;

    VirtualProtect(src, len, curProtection, &curProtection);
    return true;
}

char* TrampHook32(char* src, char* dst, const intptr_t len)
{
    // Make sure the length is at least 5 (and that it covers whole instructions at src)
    if (len < 5) return 0;

    // Create the gateway (len + 5 for the overwritten bytes + the jmp);
    // it has to be executable memory, which is why VirtualAlloc is used and not malloc
    char* gateway = (char*)VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!gateway) return 0;

    // Write the stolen bytes into the gateway
    memcpy(gateway, src, len);

    // Displacement from the gateway's jmp (at gateway + len) back to src + len
    intptr_t  gatewayRelativeAddr = (intptr_t)src - (intptr_t)gateway - 5;

    // Add the jmp opcode to the end of the gateway
    *(gateway + len) = (char)0xE9;

    // Add the address to the jmp
    *(int32_t*)(gateway + len + 1) = (int32_t)gatewayRelativeAddr;

    // Place the hook at the destination
    Hook32(src, dst, len);

    return gateway;
}

// Real prototype of WriteProcessMemory: the buffer is const and the sizes are SIZE_T
typedef BOOL (WINAPI* tWriteProcessMemory) (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesWritten);
tWriteProcessMemory oWriteProcessMemory = nullptr;

BOOL WINAPI hkWriteProcessMemory( HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesWritten )
{
    //do stuff
    return oWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
}

void InstallHook()
{
    // Hook the real export; the gateway TrampHook32 returns becomes the "original" to call
    char* target = (char*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "WriteProcessMemory");
    oWriteProcessMemory = (tWriteProcessMemory)TrampHook32(target, (char*)hkWriteProcessMemory, 5);
}
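The rel32 arithmetic that Hook32 and TrampHook32 rely on, as an added example that is not code from this thread: it builds and decodes the byte patches on plain buffers without executing anything, so it runs on any platform, and decode_jmp_rel32 doubles as the check an integrity scan performs when it inspects an export's first bytes for an unexpected jmp. The addresses and the stolen prologue bytes below are constructed sample values.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed sample: the 5-byte hot-patchable prologue (mov edi,edi; push ebp;
// mov ebp,esp) that many x86 kernel32 exports start with, i.e. whole instructions
// that a len=5 hook can safely steal.
const uint8_t kStolenPrologue[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

// Encode the 5-byte "jmp rel32" (E9 + little-endian int32) that Hook32 writes at
// `from` to reach `to`. The displacement is relative to the end of the jmp, hence
// the -5 in the thread's code. Fails when the distance does not fit in rel32, which
// can happen on x64 if the gateway is allocated far from the target.
bool encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[5]) {
    int64_t disp = (int64_t)(to - from) - 5;   // unsigned wrap-around gives the signed distance
    if (disp < INT32_MIN || disp > INT32_MAX) return false;
    uint32_t u = (uint32_t)(int32_t)disp;
    out[0] = 0xE9;
    for (int i = 0; i < 4; ++i) out[1 + i] = (uint8_t)(u >> (8 * i));
    return true;
}

// Decode a jmp rel32 located at `at` into *target; returns false if the bytes are
// not an E9 jmp. Reading an export's first bytes and finding a jmp that leaves the
// module is exactly how an integrity check spots an inline hook like this one.
bool decode_jmp_rel32(uint64_t at, const uint8_t* bytes, uint64_t* target) {
    if (bytes[0] != 0xE9) return false;
    uint32_t u = 0;
    for (int i = 0; i < 4; ++i) u |= (uint32_t)bytes[1 + i] << (8 * i);
    int32_t d;
    std::memcpy(&d, &u, sizeof d);
    *target = at + 5 + (int64_t)d;
    return true;
}

// Build the gateway image TrampHook32 produces: the `len` stolen bytes from `src`
// followed by a jmp back to src+len. `gateway_addr` is where the image will live;
// on Windows that must be VirtualAlloc'd executable memory, not malloc heap.
bool build_gateway(uint64_t src_addr, const uint8_t* src_bytes, size_t len,
                   uint64_t gateway_addr, std::vector<uint8_t>& out) {
    if (len < 5) return false;                 // need room for the 5-byte jmp at src
    out.assign(src_bytes, src_bytes + len);
    uint8_t jmp[5];
    if (!encode_jmp_rel32(gateway_addr + len, src_addr + len, jmp)) return false;
    out.insert(out.end(), jmp, jmp + 5);
    return true;
}
```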
 

brinkz

Coder
Meme Tier VIP
Tried exactly what you are doing (just changed the return data type of wpm to bool) and used my detours and everything worked well.
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Tried exactly what you are doing (just changed the return data type of wpm to bool) and used my detours and everything worked well.
So like that?:

bool APIENTRY Hooked_WPM(_In_ HANDLE hProcess, etc)

and then return true; at the end of it, after calling the original WPM? :)
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
If you'd get rid of those _In_ & _Out_ annotations, your code would remain a bit more readable, no?

And you can just return with a call to pointer
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
If you'd get rid of those _In_ & _Out_ annotations, your code would remain a bit more readable, no?

And you can just return with a call to pointer
Hm, but how do I do that? I have to pass those parameters to the original function, or not?
 

brinkz

Coder
Meme Tier VIP
yeah return pWriteProcessMemory (hProcess lpBaseAddress, lpBuffer,nSize, lpNumberOfBytesWritten);
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
yeah return pWriteProcessMemory (hProcess lpBaseAddress, lpBuffer,nSize, lpNumberOfBytesWritten);
Oh, so what I did wrong here is only that I call WPM without returning it. Like this?

C++:
bool APIENTRY Hooked_WPM(_In_   HANDLE hProcess,  _In_   LPVOID lpBaseAddress,  _In_   LPCVOID lpBuffer,  _In_   SIZE_T nSize,  _Out_  SIZE_T *lpNumberOfBytesWritten)
{
	return pWriteProcessMemory (hProcess lpBaseAddress, lpBuffer,nSize, lpNumberOfBytesWritten);
}
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Yeah this should work, if you add "," after hProcess ^^
I added the comma etc., did it like you said, but it didn't work. When I go to WriteProcessMemory there is a jmp to my own func btw, so the hook should work - only the return doesn't work ;(
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
See where you land after return is executed with a debugger.
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
See where you land after return is executed with a debugger.
Could you add me on Skype - ? Since you programmed a WPM hook yourself :)

I will try what you said tomorrow :)
 

Rake

I'm not your friend
Administrator
Anyone have a simple external detour function so we can solve this thread?
 