This is my video tutorial on function hooking.
The hooking function:
```cpp
void WriteJMP(byte* location, byte* newFunction)
{
    DWORD dwOldProtection;
    // Make the 5 patched bytes writable, remembering the old protection
    VirtualProtect(location, 5, PAGE_EXECUTE_READWRITE, &dwOldProtection);
    location[0] = 0xE9;                                          // JMP rel32 opcode
    *((dword*)(location + 1)) = (dword)(newFunction - location) - 5; // rel32 = target - (location + 5)
    // Restore the original page protection
    VirtualProtect(location, 5, dwOldProtection, &dwOldProtection);
}
```
Complete Source:
```cpp
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <windows.h>

typedef unsigned char byte;
typedef unsigned short word;
typedef unsigned int dword;

byte countSwitch = 0;

DWORD UpdateTimeCall = 0x01001D6C; // This call calls the UpdateTime function
DWORD UpdateTimeRetn = 0x01001D71; // This is the place where we will return: 0x01001D6C + 0x05
DWORD UpdateTimeFunc = 0x01002FE0; // This is the UpdateTime function

void WriteJMP(byte* location, byte* newFunction)
{
    DWORD dwOldProtection;
    VirtualProtect(location, 5, PAGE_EXECUTE_READWRITE, &dwOldProtection);
    location[0] = 0xE9;                                              // JMP rel32 opcode
    *((dword*)(location + 1)) = (dword)(newFunction - location) - 5; // rel32 = target - (location + 5)
    VirtualProtect(location, 5, dwOldProtection, &dwOldProtection);
}

// Replaces the original CALL: every other call to UpdateTime is skipped
void _declspec(naked) hTimeFunc()
{
    if(countSwitch == 0)
    {
        countSwitch = 1;
        _asm { JMP UpdateTimeRetn }
    }
    else
    {
        countSwitch = 0;
        _asm
        {
            CALL UpdateTimeFunc
            JMP UpdateTimeRetn
        }
    }
}

void initHooks()
{
    WriteJMP((byte*)UpdateTimeCall, (byte*)hTimeFunc); // Writes a jump from the original call to our custom function
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        initHooks();
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
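As an added example (not part of the tutorial's code), here is the same JMP rel32 arithmetic seen from the defender's side: the displacement is encoded with the tutorial's formula into a local buffer, decoded back the way an inline-hook scanner would, and a jump that leaves the module is flagged. Only the call-site address 0x01001D6C comes from the tutorial; the hook target 0x10001000 and the module range are constructed values.

```c
/* Added example (not the tutorial's code): the JMP rel32 arithmetic seen from the
 * defender's side, as pure byte arithmetic on a local buffer (no Windows APIs). */
#include <stdint.h>
#include <string.h>
#define JMP_OPC 0xE9   /* opcode of JMP rel32 */
#define JMP_LEN 5      /* opcode + 4-byte displacement */

/* Encode exactly as WriteJMP does: rel32 = target - location - 5 (mod 2^32).
 * base is the virtual address of code[0]; the store is native byte order, like dword*. */
static void encode_jmp_rel32(uint8_t *code, uint32_t base, uint32_t target) {
    uint32_t rel = target - base - JMP_LEN;
    code[0] = JMP_OPC;
    memcpy(code + 1, &rel, sizeof rel);
}

/* Decode as an inline-hook scanner would: returns 1 and sets *target if code[] is a
 * JMP rel32, 0 otherwise (e.g. the untouched E8 CALL). Displacement is sign-extended. */
static int decode_jmp_rel32(const uint8_t *code, uint32_t base, uint32_t *target) {
    int32_t rel;
    if (code[0] != JMP_OPC)
        return 0;
    memcpy(&rel, code + 1, sizeof rel);
    *target = base + JMP_LEN + (uint32_t)rel;
    return 1;
}

/* Encode toward target, decode again, return the decoded target (should equal target). */
uint32_t round_trip(uint32_t base, uint32_t target) {
    uint8_t code[JMP_LEN];
    uint32_t decoded = 0;
    encode_jmp_rel32(code, base, target);
    decode_jmp_rel32(code, base, &decoded);
    return decoded;
}

/* Scanner rule: a JMP whose target lies outside [mod_lo, mod_hi) is a likely inline hook. */
int jmp_leaves_module(const uint8_t *code, uint32_t base, uint32_t mod_lo, uint32_t mod_hi) {
    uint32_t target;
    return decode_jmp_rel32(code, base, &target) && (target < mod_lo || target >= mod_hi);
}

/* Constructed scenario: the tutorial's call site 0x01001D6C with its original E8 CALL bytes
 * (not flagged), then patched to jump to made-up 0x10001000 outside made-up [0x01000000, 0x01020000). */
int hook_detected(void) {
    uint8_t original[JMP_LEN] = {0xE8, 0, 0, 0, 0}, patched[JMP_LEN];
    encode_jmp_rel32(patched, 0x01001D6Cu, 0x10001000u);
    return !jmp_leaves_module(original, 0x01001D6Cu, 0x01000000u, 0x01020000u)
        &&  jmp_leaves_module(patched,  0x01001D6Cu, 0x01000000u, 0x01020000u);
}
```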
Enjoy.
What tool did you use in this video 😀?
Olly Debugger?
Is there a 64-bit version? Because I could only find 32 …
You need the 32-bit version and I believe Olly Phantom Plugin so it runs on 64-bit machines. It cannot debug 64-bit apps though.
Thanks
Could you also post your source code for the win mine tut dll?
Done.
That would be great too.
Well, I can make a tut on how to make a DLL Trainer in C++ with injection and how to freeze an address the way Cheat Engine does, and a more elegant way.
Oh, and a few other ideas.
How to freeze an address the way cheat engine does
How to use CreateRemoteThread to inject a dll
How to, instead of writing a separate DLL, copy your code to the remote process directly with WriteProcessMemory and execute it with CreateRemoteThread
I’ve been interested in learning how to make a trainer in C++, similar to how you make one in C#.
These tutorials are awesome!!!! They have helped me a lot. I look forward to your next one.
Thanks a lot for your comment! If you have any suggestions for future tutorials, post here.