This is certainly cleaner. You should understand I'm not exactly an expert on the OS loader and module layout... Inspecting
light.
On Wed, 25 Jul 2007 11:29:55 -0700, "Alexander Nickolov" <agnickolov@mvps.org> wrote:
It is a reference to the importlib for user32.dll. You'd want to patch it to the address of CallWindowProc in the target process' copy of user32.dll (e.g. LoadLibrary/GetProcAddress).
Thanks again, Alexander. I did finally get it. But I noticed something peculiar. When my injected function ended like this:

    return CallWindowProc(OldWndProc, hwnd, uMsg, wParam, lParam);

patching (4 bytes for 4 bytes) the import lib reference (mentioned above) with CallWindowProc's address (from GetProcAddress) didn't work.

When I changed my injected function so it ended like this:

    return ((LRESULT (WINAPI *)(WNDPROC, HWND, UINT, WPARAM, LPARAM))
        0x12345678)(OldWndProc, hwnd, uMsg, wParam, lParam);

and later patched it (overwrote the hard-coded address with the address from GetProcAddress), it did work.

So I wonder if a reference to the import lib is handled in the executable code in the same way as a hard-coded location of a function.

I also noticed that the change to the injected function's return statement made the injected code 1 byte longer.
--
- Vince
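An added example (mine, not code from either post) modelling why the two return forms behaved differently: the import-library reference is the address of a pointer slot, so `call dword ptr [imm32]` (FF 15, 6 bytes) dereferences it once more than `mov eax, imm32; call eax` (B8 ... FF D0, 7 bytes) does, which also accounts for the one extra byte. BASE, the layout, the slot and the CallWindowProc stub bytes are constructed for the example; the two x86-32 encodings are the real ones.

```c
#include <stdint.h>
#include <string.h>

/* Flat model of one process's address space: 0x200 bytes mapped at BASE.
 * BASE, the layout and the CallWindowProc stub are constructed for this
 * example (hypothetical values, not from the thread); the two x86 call
 * encodings decoded below are the real ones. */
#define BASE 0x00400000u
#define SLOT (BASE + 0x10) /* IAT entry the linker emitted for CallWindowProc */
#define SITE (BASE + 0x40) /* the call instruction inside the injected function */
#define FUNC (BASE + 0x80) /* where "CallWindowProc" lives in this address space */
static uint8_t mem[0x200];

static uint32_t rd32(uint32_t a) {
    const uint8_t *p = mem + (a - BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint32_t a, uint32_t v) {
    uint8_t *p = mem + (a - BASE);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decode the call at `site` and return where control really goes.
 * FF 15 imm32    : call dword ptr [imm32] -> imm32 is the address OF A POINTER (6 bytes)
 * B8 imm32 FF D0 : mov eax, imm32; call eax -> imm32 is the function itself  (7 bytes)
 * *len receives the instruction length: the one-byte difference Vince noticed. */
uint32_t effective_target(uint32_t site, int *len) {
    const uint8_t *c = mem + (site - BASE);
    if (c[0] == 0xFF && c[1] == 0x15) { *len = 6; return rd32(rd32(site + 2)); }
    if (c[0] == 0xB8 && c[5] == 0xFF && c[6] == 0xD0) { *len = 7; return rd32(site + 1); }
    *len = 0; return 0;
}

/* Image as linker and loader leave it: import slot resolved, call through the slot. */
void setup_image(void) {
    static const uint8_t stub[] = { 0x55, 0x8B, 0xEC, 0x5D, 0xC3 }; /* push ebp; mov ebp,esp; pop ebp; ret */
    memset(mem, 0, sizeof mem);
    memcpy(mem + (FUNC - BASE), stub, sizeof stub);
    wr32(SLOT, FUNC);                                   /* loader filled the IAT entry */
    mem[SITE - BASE] = 0xFF; mem[SITE - BASE + 1] = 0x15; wr32(SITE + 2, SLOT);
}
/* The 4-for-4 patch that failed: the CPU now dereferences FUNC itself and
 * "calls" whatever its first four bytes happen to encode. */
void patch_slot_reference_with_function_address(void) { wr32(SITE + 2, FUNC); }
/* The form that worked: mov eax, FUNC ; call eax (needs one more byte than the slot form). */
void patch_to_register_call(void) {
    uint8_t *c = mem + (SITE - BASE);
    c[0] = 0xB8; wr32(SITE + 1, FUNC); c[5] = 0xFF; c[6] = 0xD0;
}
```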