
Extend your apps functionality

Posted: Wed Jun 19, 2013 5:25 pm
by BiggBoss
Hello guys.
Today I bring you a simple script (what the script does is not the important part; what you can learn from it is) which will teach you how to extend your app's functionality.
This method is commonly used to extend the functionality of compiled PE executables and DLL libraries. In fact, it is Microsoft who provides you the tools to perform such operations. (Some people also use it to hack applications, which is not legal :evil: ... :mrgreen: )

This script shows how to redirect a network-oriented application to a new address and/or port. If you have an application that would fit with this kind of thing, you may use this as an example to build bigger extenders.

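[cpp]
/*
 * author: BiggBoss
 *
 * In-process inline hook of ws2_32!connect for 32-bit x86 builds.
 *
 * On DLL_PROCESS_ATTACH the first five bytes of connect() are replaced by a
 * relative jump to NewConnect(); the displaced bytes are kept in a small
 * trampoline so the original routine can still be called.
 *
 * What this leaves behind for anyone inspecting the process: the start of
 * connect() in the mapped ws2_32 image no longer matches the file on disk,
 * and a private executable page holds the relocated prologue. Code-integrity
 * checks and endpoint tooling compare exactly these things, so expect the
 * patch to be flagged.
 */
#include <winsock2.h>   /* must come before windows.h, which would otherwise pull in the old winsock.h */
#include <windows.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

enum {
    JMP_REL32       = 0xE9,   /* opcode of "jmp rel32" */
    JMP_REL32_LEN   = 5,      /* opcode byte + 32-bit displacement */
    TRAMPOLINE_SIZE = 0x1000  /* one page */
};

typedef int (__stdcall *OldConnect)(SOCKET socket, struct sockaddr *name, int namelen);

/* Entry point of the trampoline; set by InjectFunction() before the patch goes live. */
OldConnect system_connect = NULL;

/*
 * Replacement for connect(): forwards the call with the IPv4 destination
 * rewritten to the fixed address and port below.
 *
 * Anything that is not a complete AF_INET address is passed through untouched;
 * reinterpreting e.g. a sockaddr_in6 as sockaddr_in would corrupt it. The
 * rewrite is done on a local copy because callers hand connect() a buffer they
 * expect to stay unmodified.
 */
int __stdcall NewConnect(SOCKET socket, struct sockaddr *name, int namelen)
{
    const char *new_host = "127.0.0.1"; // New redirect address
    const UINT16 new_port = 1111;       // New redirect port
    struct sockaddr_in redirected;

    if (name == NULL || namelen < (int)sizeof redirected || name->sa_family != AF_INET) {
        return system_connect(socket, name, namelen);
    }

    memcpy(&redirected, name, sizeof redirected);
    redirected.sin_addr.S_un.S_addr = inet_addr(new_host);
    redirected.sin_port = htons(new_port);

    return system_connect(socket, (struct sockaddr *)&redirected, (int)sizeof redirected);
}

/*
 * Installs the hook. Returns TRUE on success, FALSE if nothing was patched.
 *
 * Limits worth knowing before reusing this:
 *  - 32-bit x86 only: a rel32 jump cannot reach arbitrary 64-bit targets.
 *  - Only two prologue shapes are accepted (a leading jmp rel32, or the
 *    5-byte hot-patch prologue). Any other prologue is refused rather than
 *    copied blindly, since five bytes may end in the middle of an instruction.
 *  - The five-byte write is not atomic. A thread executing connect() at that
 *    moment can see a half-written jump; install before worker threads exist.
 */
BOOL InjectFunction(void)
{
    /* mov edi,edi / push ebp / mov ebp,esp */
    static const BYTE hotpatch_prologue[JMP_REL32_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

    if (sizeof(void *) != sizeof(INT32)) {
        return FALSE;
    }

    /*
     * This module imports inet_addr/htons from ws2_32, so the loader has
     * already mapped that DLL. GetModuleHandleW avoids calling LoadLibrary
     * from DllMain, which runs under the loader lock.
     */
    HMODULE dll = GetModuleHandleW(L"ws2_32.dll");
    if (dll == NULL) {
        return FALSE;
    }

    BYTE *addr = (BYTE *)GetProcAddress(dll, "connect");
    if (addr == NULL) {
        return FALSE;
    }

    /* Writable while it is being filled in; switched to read+execute below. */
    BYTE *trampoline = (BYTE *)VirtualAlloc(NULL, TRAMPOLINE_SIZE,
                                            MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (trampoline == NULL) {
        return FALSE;
    }

    if (*addr == JMP_REL32) {
        /* The export is already a jump stub: re-aim that jump from the trampoline. */
        INT32 rel;
        memcpy(&rel, addr + 1, sizeof rel);
        BYTE *target = addr + JMP_REL32_LEN + rel;
        INT32 new_rel = (INT32)(target - (trampoline + JMP_REL32_LEN));

        trampoline[0] = JMP_REL32;
        memcpy(trampoline + 1, &new_rel, sizeof new_rel);
    } else if (memcmp(addr, hotpatch_prologue, sizeof hotpatch_prologue) == 0) {
        /* Relocate the prologue, then jump back to the first untouched byte. */
        INT32 back = (INT32)((addr + JMP_REL32_LEN) - (trampoline + 2 * JMP_REL32_LEN));

        memcpy(trampoline, addr, JMP_REL32_LEN);
        trampoline[JMP_REL32_LEN] = JMP_REL32;
        memcpy(trampoline + JMP_REL32_LEN + 1, &back, sizeof back);
    } else {
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return FALSE;
    }

    DWORD previous;
    if (!VirtualProtect(trampoline, TRAMPOLINE_SIZE, PAGE_EXECUTE_READ, &previous)) {
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return FALSE;
    }
    FlushInstructionCache(GetCurrentProcess(), trampoline, TRAMPOLINE_SIZE);

    DWORD old_mem_protection;
    if (!VirtualProtect(addr, JMP_REL32_LEN, PAGE_EXECUTE_READWRITE, &old_mem_protection)) {
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return FALSE;
    }

    /* Publish the trampoline first so NewConnect never sees a NULL pointer. */
    system_connect = (OldConnect)trampoline;

    INT32 hook_rel = (INT32)((BYTE *)&NewConnect - (addr + JMP_REL32_LEN));
    addr[0] = JMP_REL32;
    memcpy(addr + 1, &hook_rel, sizeof hook_rel);

    /*
     * Put the original protection back. If this fails the hook still works,
     * but the page stays writable, so the result is deliberately not fatal.
     */
    VirtualProtect(addr, JMP_REL32_LEN, old_mem_protection, &previous);
    FlushInstructionCache(GetCurrentProcess(), addr, JMP_REL32_LEN);

    return TRUE;
}

/*
 * Installs the hook when the DLL is mapped into a process. Returning FALSE
 * from DLL_PROCESS_ATTACH makes the load fail, so a refused patch does not
 * leave a half-initialised module behind.
 */
__declspec(dllexport) BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        return InjectFunction();
    }

    return TRUE;
}
[/cpp]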

Re: Extend your apps functionality

Posted: Wed Jun 19, 2013 5:35 pm
by Zoey76
Interesting, very interesting. :D

By the way, finish your studies already, I want you back :twisted:

Re: Extend your apps functionality

Posted: Wed Jun 19, 2013 5:36 pm
by BiggBoss
Zoey76 wrote: By the way, finish your studies already
my mom wishes so as well lol