Originally posted by Mnjul:
I think it involves calling WriteProcessMemory, but Cookie, how do you know which part of the text segment is free to use?
I've done this too to call my own function. Here is how I did it (it can probably be adapted to your use):
- Obtain a DataBloc filled with the bytes you want to inject.
- Call VirtualAlloc, passing 0 for lpAddress, the size of the DataBloc for dwSize, MEM_COMMIT (0x1000) for flAllocationType, and PAGE_EXECUTE_READWRITE (0x40) for flProtect.
- Call WriteProcessMemory to write the contents of the DataBloc at the pointer to the allocated memory.
- To actually call the newly allocated function, I used CreateThread with the pointer to the function I got.
- Call WaitForSingleObject to wait for the function to end.
- Call CloseHandle for the thread handle.
- Call VirtualFree to remove the function you allocated.
This was done (with some help) to call a function not otherwise possible to call from JScript and without a DLL. You can pass another DataBloc parameter to CreateThread to give the function extra data. If you were looking to subclass, just inject a message handler written in ASM into memory. Then, instead of calling CreateThread to call it yourself, just pass the pointer to SetWindowLong. You'll also have to change when you call VirtualFree to make sure it gets freed when you're done using it.