Questions tagged [dll-injection]

DLL Injection is a method of code injection in a Microsoft Windows environment.

1 vote · 0 answers · 38 views

Injecting a DLL into an x86 process above the user virtual address

First, sorry for my bad English. I have some program that is heavily virtualized and does DLL injection behavior. The target process is an x86 process and executes in a WOW64 system. When I saw the target ...

asked by schnabel
4 votes · 2 answers · 746 views

Forcing a legacy Windows application to use an older version of ntdll.dll

There is this old Windows application I've been using for more than a decade now: DesktopEarth. It got its last update in 2015 and the author's website is offline now, but it's been running fine on ...

asked by klamann
2 votes · 0 answers · 159 views

Find the address of injected code via GetModuleHandleA

I am reversing a really old game (20 years old). l2.exe loads Dsetup.dll and Network.dll (not sure about the order). Inside of Dsetup.dll I found an injection (kind of protection) into the module Network.dll. ...

asked by Vetal.lebed
2 votes · 0 answers · 67 views

Reversing an internal function, can't call it with an injected DLL

I'm currently learning RE. I've chosen to do so by trying to RE Skyrim for PC. I'm trying to call the in-game function for printing to the console; I'm doing this via an injected DLL. The function call ...

asked by Tom James
1 vote · 1 answer · 471 views

How to debug malware that does DLL injection into explorer.exe?

What steps would you suggest for debugging malware that injects a DLL into explorer.exe? Using x32dbg, I have already attached explorer.exe to x32dbg.

asked by purple.jar
0 votes · 1 answer · 125 views

How to detect an incorrectly named DLL?

I am trying a simple lab on malware analysis, and we were given both an .exe and a .dll file. However, I am told that the DLL will need to be renamed to something for it to work. How do I go about ...

asked by Iva l
2 votes · 0 answers · 187 views

Call a function from a DLL

I am writing a program and I have injected the "mydll" file into the program, but I cannot call the hello function in it. How can I call the hello function? My code: import os from ctypes import ...

asked by Furkan125
1 vote · 1 answer · 689 views

How to extract specific data from memory

I'm totally new to this reverse engineering stuff. I'm working on my own project and trying to parse poker games from the PokerStars application. I am already done with injecting my DLL into the app, but ...

asked by Euler-Maskerony
2 votes · 1 answer · 517 views

How to hook a system function

How to hook an external library function, such as OpenGL for example. I have a function used by the program I am trying to change the behaviour of. The function is: lVar17 = glfwCreateWindow(uVar22,uVar25,...

asked by Irbis77
0 votes · 2 answers · 353 views

How to declare a constructor in a reversed class?

I wonder how to declare the reference to a constructor of a reversed class, i.e. I have a class, say Game, and it has a constructor at a certain address. It is declared like this: game.h namespace ...

asked by Irbis77
1 vote · 1 answer · 159 views

Inconsistency in function addresses of the hooked functions (address shift)

I came across "a strange" inconsistency in terms of the function addresses in a particular application. First, the main function is hooked successfully; the address is derived in this fashion: ...

asked by Irbis77
1 vote · 1 answer · 1k views

DetourAttach breaks with Illegal Instruction 0xC000001D

I am trying to detour a function using DetourAttach() in the following fashion: hooks::logDebug("swresample-3Proxy.log", fmt::format("Try to attach hook. Function {:p}, hook {:p}.",...

asked by Irbis77
3 votes · 1 answer · 3k views

Why is the address space different for Ghidra, IDA and xDebug runtime, and which one to use?

I have opened an executable with Ghidra, IDA and x64dbg (runtime). It seems that the address space in IDA and x64dbg is the same, but it is different from the one I see in Ghidra. When hooking through ...

asked by Irbis77
0 votes · 1 answer · 157 views

How to call your version of an existing function using a proxy DLL?

I have bits of code which decompile a small part of the existing program. I have added it to the proxy DLL. The code to the existing functions is hooked through Detour and looks like below (gui.h and ...

asked by Irbis77
0 votes · 1 answer · 415 views

Proxy DLL doesn't load the original DLL

I have relatively simple code here for the proxy DllMain() function: BOOL APIENTRY DllMain(HMODULE hDll, DWORD reason, LPVOID reserved) { if (reason != DLL_PROCESS_ATTACH) { return TRUE; } ...

asked by Irbis77
