CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 4 of 4

Threaded View

  1. July 13th, 2010, 12:30 AM #1
    sonnyk88
    sonnyk88 is offline Junior Member
    Join Date
    Jan 2010
    Posts
    10

    Unhappy Hooking ReadFile() HELP PLEASE!

    Well, I have hooked the ReadFile() and I could play a lot with it, like injecting MessageBox()es and all that but I could never replace the arguments it writes, I've read a lot about ReadFile and I still can't handle this...

    Let's see... the application whose IAT I patched is "FileEditor.exe" (it's like Windows Notepad)...now FileEditor.exe uses myKernel32.dll.


    This is a snipped of MyKernel.CPP
    Code:
    extern "C"  __stdcall __E__675__(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)
{
MessageBox(0,"We are in the ReadFile function!","Info",0);
char* newbuffer = "ReadFile was hooked!"
ReadFile(hFile,lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead,lpOverlapped);

}
    Obviously, the code above invokes ReadFile with the very same parameters with which the hooked function has been called. The only thing I want to change is the second parameter, i.e lpBuffer and replace it with newbuffer so that the FileEditor.exe displays "ReadFile hooked!" instead of the original file's content.

    Any idea how could I do it? I even tried to figure out what ReadFile() pushes onto the stack, I've figured out it pushes 3 values (it takes 5 to work but only 3 are output values i.e: lpNumberOfBytesRead, lpOverlapped and, most importantly, lpBuffer)

    then I added this to the code above:

    Code:
        LPVOID xlpBuffer;
    LPDWORD xnNumberOfBytesRead;
    LPOVERLAPPED xlpOverlapped;
	
		
	__asm{

pop xlpOverlapped        
pop xnNumberOfBytesRead 
pop xlpBuffer            //  <---


push newbuffer
push xnNumberOfBytesRead
push xlpOverlapped  //<-- this is where things are supossed to change!

	}
    unfortunately it didn't work either... it was as if I added nothing to the code. Then I simply added, instead of that __asm crap this:

    Code:
    lpBuffer = newbuffer;
    and still, the FileEditor.exe successfully loads any TXT file as if I could never "touch" the information it pushes onto the stack... now... WHERE is this lpBuffer stored? and HOW can I find it and replace it?
    Last edited by sonnyk88; July 13th, 2010 at 12:33 AM.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules




Click Here to Expand Forum to Full Width

Featured