I'm writing code that modifies live memory in a function, but the offset where the data structure is held has a buffer that's too small for the data I write. I figured the easiest and most effective way (not to mention I've tried EVERYTHING else) would be to jmp to a codecave instead of the current offset where the structure is held. Here is the assembly (not the whole function, just where the structure is held).
IDA View:

    1. push offset word_97F2B8
    2. push 4
    3. mov word_97F2B8, ax
    4. call sub_64A430

Explanation:

    /*
     * 1. Pushes offset where the data for the function is held
     * 2. Unknown, not used and not needed
     * 3. Moves register ax (containing the data) into the previously declared buffer
     * 4. Calls the function that carries out the execution of this data
     */
My current working C++ code works and carries out this function with my edits flawlessly, but the buffer is too small to accept sizes greater than 128. The current function I'm using has parameters Data and Size.
What it then does is use a WriteProcessMemory type function to edit the BYTE of memory where the size is held (right above Data, but I didn't include that in the IDA View because I don't need help with it) with whatever you set the size parameter to. The Size parameter is always set as sizeof(Data), with "Data" being the data structure you're passing as a parameter.
Then for Data, you pass a pointer to a typedef struct's data when calling this function, and it will write 0x97F2B8 (the data location's address) with the data contained in the structure you pointed to. That effectively replaces whatever the previous data and size were, so that when you call the function in the exe it gets passed your parameters and not the normal ones.
Unfortunately, the buffer in which the data is held for this function has a size of 128 and many of the structures I declare are larger, resulting in a crash. I have tried such a ridiculous amount of methods, many of which I think are really smart at the time and then turn out to be nothing more than another waste of time on fixing this.
I decided it may be a good idea to use a codecave. For those that don't know what a codecave is, it is basically an area somewhere in the exe with enough space for whatever function you need to carry out that is either never called or called very little so as to not interrupt any normal functions that may call it.
What you do once you find this codecave (unused space in the exe) is write whatever data you want into it that you couldn't write anywhere else due to protected code or, in my case, a small buffer. Then you use a jmp or some other method to call that codecave's data, which is almost always coded in assembly when it is in the exe.
You can also write a set of code in your DLL and call it from the exe, which is usually a more reliable method. You must inject your DLL into the exe before calling the codecave. I am not sure if I'll put it in the exe or a DLL at this point, but I'm just looking for some advice on how I would go about doing this either way. For more information about codecaves for those that are good programmers but have never heard of it (if you're a good programmer it'll take you a few minutes to fully understand), click the link below.
http://www.codeproject.com/KB/cpp/codecave.aspx
Now for what I need help with, finally, after that huge write-up! I need to know exactly how I can write my data to this codecave (DLL preferred, but it honestly makes not the slightest difference to me) and then call it from the exe. I have a general idea of how I would go about it, but I'm not quite sure.
I assume that I would first find a codecave in the exe, as a faster method and easier to test. Then I would write up my structure and use WriteProcessMemory to copy the data into my new codecave. Then I assume I would replace the line

    mov word_97F2B8, ax

with

    mov pNewCodeCaveOffset, ax

I imagine I would also have to change the

with

    push offset pNewCodeCaveOffset
Or perhaps an easier, more effective method is staring me in the face and I'm missing it? All I really need help with right now is increasing the size of this buffer; if you have a better idea than a codecave then shoot, I'm all ears! Any help would be great, I've been struggling with this for a week or so now.
Thanks!!
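The layout the post describes (a one-byte size field above a fixed 128-byte data buffer, and a "codecave" that redirects the function to a larger region) modelled in portable C, as an added example that is not the poster's code and not the real word_97F2B8 layout. The struct, buffer, function names and the 128/255 figures are constructed for illustration; the pointer swap in relocate_buffer stands in for rewriting the address operands of push offset / mov, and the checks make explicit two limits the post runs into: a write larger than the buffer is the overflow that crashes the target, and because the size field is a single BYTE no relocated buffer can usefully exceed 255 bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the layout described in the post: a one-byte size field
 * and a fixed 128-byte data buffer that the patched function reads from. The
 * names and numbers here are hypothetical; they are not the real word_97F2B8
 * layout, and the pointer stands in for the operand of "push offset ...". */
#define ORIGINAL_CAPACITY 128

typedef struct {
    uint8_t  size;      /* the BYTE the post overwrites with sizeof(Data) */
    uint8_t *data;      /* where the pushed offset points */
    size_t   capacity;  /* bytes the current buffer can actually hold */
} target_t;

static uint8_t g_original_buffer[ORIGINAL_CAPACITY];

/* Start out pointing at the original fixed buffer, as the unmodified exe does. */
target_t make_target(void) {
    target_t t;
    t.size = 0;
    t.data = g_original_buffer;
    t.capacity = ORIGINAL_CAPACITY;
    return t;
}

/* Bounds-checked version of the post's Data/Size writer. Copying more than
 * capacity bytes is precisely the overflow that crashes the target, so it is
 * refused instead of performed. Returns 0 on success, negative on rejection. */
int write_payload(target_t *t, const void *data, size_t size) {
    if (size > t->capacity) return -1;   /* would run past the buffer */
    if (size > UINT8_MAX)   return -2;   /* the size field is one byte */
    memcpy(t->data, data, size);
    t->size = (uint8_t)size;
    return 0;
}

/* The "codecave" step in miniature: redirect the structure to a larger region.
 * In the post this is done by rewriting the address operands of
 * "push offset word_97F2B8" and "mov word_97F2B8, ax"; here it is a pointer swap.
 * The one-byte size field still caps any usable buffer at 255 bytes. */
int relocate_buffer(target_t *t, size_t new_capacity) {
    if (new_capacity > UINT8_MAX) return -1;   /* size byte cannot describe it */
    uint8_t *p = calloc(new_capacity, 1);
    if (p == NULL) return -2;
    if (t->data != g_original_buffer) free(t->data);  /* drop an earlier relocation */
    t->data = p;
    t->capacity = new_capacity;
    t->size = 0;
    return 0;
}

/* Point the structure back at the original buffer and free any relocation. */
void release_target(target_t *t) {
    if (t->data != g_original_buffer) free(t->data);
    t->data = g_original_buffer;
    t->capacity = ORIGINAL_CAPACITY;
    t->size = 0;
}

int main(void) {
    uint8_t payload[200];
    memset(payload, 0xAB, sizeof payload);   /* constructed oversize structure */

    target_t t = make_target();
    printf("200 bytes into 128-byte buffer: %d\n", write_payload(&t, payload, 200));
    printf("relocate to 255 bytes: %d\n", relocate_buffer(&t, 255));
    printf("200 bytes after relocation: %d (size field now %u)\n",
           write_payload(&t, payload, 200), t.size);
    printf("relocate to 256 bytes: %d\n", relocate_buffer(&t, 256));
    release_target(&t);
    return 0;
}
```

The order of checks in write_payload matters: capacity is tested first so that an oversize write is always rejected before anything is copied, and the size-byte check is what tells you that simply pointing the exe at a bigger region is not enough unless the BYTE that describes the length is also large enough to hold the new size.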