
  #1  
09-24-2004, 03:14 PM
armand
Junior Member

Join Date: Sep 2004
Posts: 1
call a function not loaded

I would like to call a function (InsertMenu) which is not in the list of used functions.
I suppose I have to use GetModuleHandle or LoadLibrary and then GetProcAddress.
But these functions are not used.
Is there a way to call InsertMenu?
  #2  
09-24-2004, 06:33 PM
rous
Member

Join Date: Jan 2004
Posts: 38

What system are you using?

rous
  #3  
09-25-2004, 06:48 AM
sna
Administrator

Join Date: Jun 2003
Posts: 76
Using functions not imported

RE: Call a function not imported

Vanilla phpBB doesn't support merging of threads so we'll do it this way instead:

Quote:
It's on win98 mainly but I'd like to do it on xp too
(new thread deleted)

Now, you have a couple of choices depending on the context. The main module (exe file) of a process will always load at its preferred base address. This means that being inside the address space of said process you'll have full access to the main module's various elements and structures by directly addressing them.

Here's how MSDN describes 'imagebase':

Quote:
Preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes.
A vicious plan to overthrow authorities begins to take form. Reach into the import table of the main module and grab an address to a function inside user32.dll, any function will do. Then round the address downwards to the nearest boundary of 64K and see if you find an IMAGE_DOS_HEADER there. No? Subtract 64K and try again. When you do find the header, check e_lfanew and verify that there is also an IMAGE_NT_HEADERS structure following it. You can be fairly certain that you have found the base address of user32.dll when there is.

The next step is to write a GetProcAddress() replacement. There are source codes and ideas spread across the entire net and finding them shouldn't be too difficult. Also, for the first part where you obtain the base address of user32.dll, as a safety guard against forwarded exports you might want to implement the code as a procedure and try a couple different function addresses.

Regards, sna
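
The base-address scan and export lookup described in sna's post, as an added Python example that is not part of the original thread; it parses a byte buffer standing in for process memory rather than live pointers. The image produced by `build_sample()`, the region address used with it, and all function names here are constructed for illustration. The lookup assumes a PE32 image and also returns the DLL name stored in the export directory, so a base reached through a forwarded import can be recognised as the wrong module.

```python
import struct

GRAN = 0x10000  # module bases are 64K-aligned (the rounding step in the post)

def u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]

def cstr(mem, off):
    return mem[off:mem.index(b"\0", off)].decode("ascii")

def find_image_base(mem, region_va, addr):
    """Round addr down to 64K, step back until MZ and 'PE\\0\\0' are both found."""
    va = addr & ~(GRAN - 1)
    while va >= region_va:
        off = va - region_va
        if mem[off:off + 2] == b"MZ":
            nt = off + u32(mem, off + 0x3C)  # e_lfanew -> IMAGE_NT_HEADERS
            if mem[nt:nt + 4] == b"PE\0\0":
                return va
        va -= GRAN
    return None

def resolve_export(mem, region_va, base, name):
    """PE32 only. Returns (export-directory DLL name, VA | forwarder str | None)."""
    img = base - region_va
    nt = img + u32(mem, img + 0x3C)
    exp_rva, exp_size = struct.unpack_from("<II", mem, nt + 0x78)  # data dir 0
    dll = cstr(mem, img + u32(mem, img + exp_rva + 0x0C))          # Name field
    n_names, funcs, names, ords = struct.unpack_from("<IIII", mem, img + exp_rva + 0x18)
    for i in range(n_names):
        if cstr(mem, img + u32(mem, img + names + 4 * i)) == name:
            idx = struct.unpack_from("<H", mem, img + ords + 2 * i)[0]
            rva = u32(mem, img + funcs + 4 * idx)
            if exp_rva <= rva < exp_rva + exp_size:  # RVA inside export dir
                return dll, cstr(mem, img + rva)     # forwarded: "DLL.Func"
            return dll, base + rva
    return dll, None

def build_sample():  # constructed 128K PE32-like image, not a real user32.dll
    m = bytearray(0x20000)
    m[0:2], m[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", m, 0x3C, 0x80)            # e_lfanew
    struct.pack_into("<II", m, 0xF8, 0x1000, 0x100)  # export dir RVA, size
    # Name RVA, Base, NumberOfFunctions, NumberOfNames, then the three array RVAs
    struct.pack_into("<IIIIIII", m, 0x100C, 0x1080, 1, 2, 2, 0x1028, 0x1030, 0x1038)
    struct.pack_into("<IIIIHH", m, 0x1028, 0x10A0, 0x12340, 0x1040, 0x1050, 0, 1)
    for off, s in ((0x1040, b"DefWindowProcA"), (0x1050, b"InsertMenuA"),
                   (0x1080, b"USER32.dll"), (0x10A0, b"NTDLL.NtdllDefWindowProc_A")):
        m[off:off + len(s)] = s
    return bytes(m)
```

Call `find_image_base(mem, region_va, region_va + 0x12340)` on the sample and pass the result to `resolve_export`; a string in the second slot of the returned tuple means the export is a forwarder and has to be resolved in the named DLL instead.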
  #4  
09-25-2004, 10:30 AM
armend
Junior Member

Join Date: Sep 2004
Posts: 1
I see

I see. I'm going to try something like that.
Maybe you're going to see me again here :wink:
Thank you very much for your answer
S