Hooking GetTickCount using C++

I don't really like C++; I'm more of a C# and PHP guy. I was assigned a project that requires me to hook GetTickCount and inject the hook into an application. I need help, because for some reason it doesn't work as planned... Here is the hooking code. I know that it works, because I have used it in projects before. The only thing I'm not sure about is the GetTickCount part. I tried GetTickCount64, thinking that was the cause of my problem (it did not crash the process I injected into), but found out that it simply didn't work instead, which is why it didn't crash.

    bool APIENTRY DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved)
    {
        switch (dwReason)
        {
        case DLL_PROCESS_ATTACH:
            DisableThreadLibraryCalls(hDll);
            // the worker thread is started before the detour is installed
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)KeyHooks, 0, 0, 0);
            // install the detour and keep the trampoline to the original
            GetTickCount_orig = (DWORD (__stdcall *)(void))DetourFunction(
                (PBYTE)GetProcAddress(GetModuleHandle("kernel32.dll"), "GetTickCount"),
                (PBYTE)GetTickCount_hooked);
            // no break here: execution falls through into DLL_PROCESS_DETACH
        case DLL_PROCESS_DETACH:
            DetourRemove(
                (PBYTE)GetProcAddress(GetModuleHandle("kernel32.dll"), "GetTickCount"),
                (PBYTE)GetTickCount_hooked);
            break;
        }
        return true;
    }

Here is the rest of the code that is used for GetTickCount:

    DWORD oldtick = 0;                       // tick value seen on the previous call
    DWORD (WINAPI *GetTickCount_orig)(void); // trampoline to the real GetTickCount

    DWORD WINAPI GetTickCount_hooked(void)
    {
        if (oldtick == 0)
        {
            // first call: just record and pass through the real value
            oldtick = (*GetTickCount_orig)();
            return oldtick;
        }
        DWORD factor;
        DWORD ret;
        ret = (*GetTickCount_orig)();
        factor = 3.0;                        // stored into a DWORD, so this is 3
        DWORD newret;
        // intended to scale elapsed time by "factor"
        newret = ret + ((oldtick - ret) * (factor - 1));
        oldtick = ret;                       // overwritten on every call
        return newret;
    }

Can you see anything wrong or anything to change? Any help is appreciated. Thanks!

+4
2 answers

What is KeyHooks? If it expects the hooked APIs to be in place, you must install the hook before creating the thread.

Is GetTickCount_orig set at all?

GetTickCount is most likely a very, very short API, which causes problems for Detours (there are simply not enough bytes to hook).

Your DetourRemove removes the detour for GetTickCount64, not GetTickCount.

Separately, if Detours does not work out, there is the mhook library, which has much simpler licensing.

+3

Don't change oldtick!

You need to save it only once, and then:

    // accelerating time by a factor of "factor"
    return oldtick + (realtick - oldtick) * factor;

EDIT:

Another possible problem is that GetTickCount (at least on my machine, XP 32-bit) does not have the standard "hookable" preamble:

    8B FF    mov edi, edi
    55       push ebp
    8B EC    mov ebp, esp

Without it, it can only be hooked via the IAT, and that has to be done for every module that calls it. I suspect DetourFunction works process-wide, so it intercepts APIs using the preamble.

To solve this problem, you can either try to hook the IAT of each module, or patch the function manually, but then you cannot call the original version from your hook.

EDIT2: using a jump is the most common way, but that means we have to overwrite 5 bytes at the beginning of the function. The main problem is not the size of the function, but what is at the beginning of the code. Of course, anything can be overwritten, but if you want to be able to call the original function from the hook (as in this question), you need to know what you are overwriting. You do not want to overwrite half of an opcode, and you need to relocate the overwritten part. This means that in general you need a full disassembler for this.

To simplify this, most functions start with an extra 2-byte NOP, mov edi, edi, so their preamble is 5 bytes that are standard and easy to relocate.

+1
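The difference between the question's hook body and the formula in this answer is easier to see when both are run against a simulated clock. The following is an added example, not code from the question or either answer: it replaces the real GetTickCount with a constructed counter (fake_now) and a stand-in DWORD typedef so it runs anywhere, and implements the two hook bodies side by side. Note that the question's version does unsigned arithmetic on (oldtick - ret), which is negative in real time, so the result wraps and the reported time actually runs backwards.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the question or the answers. "DWORD" here is our own
 * stand-in for the Win32 typedef so the file compiles without windows.h. */
typedef uint32_t DWORD;

/* Constructed "real" tick counter standing in for the original GetTickCount. */
static DWORD fake_now = 0;
static DWORD fake_GetTickCount(void) { return fake_now; }

/* --- Variant from the question: oldtick is overwritten on every call --- */
static DWORD q_oldtick = 0;
DWORD hooked_question(void)
{
    if (q_oldtick == 0) {
        q_oldtick = fake_GetTickCount();
        return q_oldtick;
    }
    DWORD ret = fake_GetTickCount();
    DWORD factor = 3;                 /* the question assigns 3.0 to a DWORD */
    /* (q_oldtick - ret) is "negative", so the unsigned product wraps around */
    DWORD newret = ret + ((q_oldtick - ret) * (factor - 1));
    q_oldtick = ret;
    return newret;
}

/* --- Variant from this answer: the reference tick is captured exactly once --- */
static DWORD a_oldtick = 0;
static int   a_primed  = 0;           /* flag instead of the 0 sentinel, so tick 0 is legal */
DWORD hooked_answer(void)
{
    DWORD realtick = fake_GetTickCount();
    if (!a_primed) {
        a_oldtick = realtick;         /* saved only once */
        a_primed  = 1;
    }
    DWORD factor = 3;
    /* accelerating time by a factor of "factor", relative to the fixed reference */
    return a_oldtick + (realtick - a_oldtick) * factor;
}

/* Helpers to drive the simulated clock from a test or from main(). */
void reset_clock(DWORD start) { fake_now = start; q_oldtick = 0; a_oldtick = 0; a_primed = 0; }
void advance_clock(DWORD ms)  { fake_now += ms; }

int main(void)
{
    reset_clock(1000);
    printf("question: %u", hooked_question());
    for (int i = 0; i < 3; i++) { advance_clock(10); printf(" %u", hooked_question()); }
    reset_clock(1000);
    printf("\nanswer:   %u", hooked_answer());
    for (int i = 0; i < 3; i++) { advance_clock(10); printf(" %u", hooked_answer()); }
    printf("\n");
    return 0;
}
```

With the clock advancing 10 ms per call from 1000, the question's hook reports 1000, 990, 1000, 990, ... (it subtracts twice the last delta, so it is not an acceleration at all), while the answer's formula reports 1000, 1030, 1060, 1090: three accelerated milliseconds for every real one, measured from the single saved reference point.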
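The first answer's "not enough bytes to hook" and this answer's EDIT/EDIT2 are really the same check that an inline hooking library (or an integrity checker verifying that prologues are still intact) has to make before it overwrites the first 5 bytes of a function. The following is an added example, not code from the answers or from Detours: it recognises the standard hot-patch preamble, and walks a function's first bytes with a deliberately tiny x86-32 length decoder (an assumption: only the handful of prologue opcodes in the table are understood) to find out how many whole instructions a 5-byte jmp would clobber. Any opcode outside the table returns -1, which is exactly the case the answer describes as needing a full disassembler. The byte sequences at the bottom are constructed samples, not bytes captured from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the question, the answers, or any hooking library. */

#define HOTPATCH_LEN 5  /* size of a jmp rel32: the bytes an inline hook overwrites */

/* Does the function start with the standard "mov edi,edi; push ebp; mov ebp,esp"
 * preamble that this answer describes as easy to relocate? */
int has_hotpatch_prologue(const uint8_t *code, size_t len)
{
    static const uint8_t pattern[HOTPATCH_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    if (len < HOTPATCH_LEN) return 0;
    for (size_t i = 0; i < HOTPATCH_LEN; i++)
        if (code[i] != pattern[i]) return 0;
    return 1;
}

/* Length of the single instruction at p, or -1 if it is not in our tiny table
 * (assumption: the table covers only common prologue instructions). */
static int insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return -1;                        /* ran off the end: too short */
    uint8_t op = p[0];
    if (op >= 0x50 && op <= 0x5F) return 1;           /* push/pop r32 */
    if (op == 0x90 || op == 0xC3) return 1;           /* nop, ret */
    if (op == 0x6A) return avail >= 2 ? 2 : -1;       /* push imm8 */
    if (op == 0x68 || op == 0xE8 || op == 0xE9)       /* push imm32, call/jmp rel32 */
        return avail >= 5 ? 5 : -1;
    if (op == 0x8B || op == 0x89 || op == 0x33) {     /* mov/xor with ModRM */
        if (avail < 2 || (p[1] & 0xC0) != 0xC0) return -1;  /* only the reg,reg form */
        return 2;
    }
    if (op == 0x83) {                                 /* add/sub/... r/m32, imm8 */
        if (avail < 3 || (p[1] & 0xC0) != 0xC0) return -1;
        return 3;
    }
    return -1;                                        /* anything else: need a real disassembler */
}

/* Number of bytes that must be relocated so a 5-byte jmp does not cut an
 * instruction in half. Returns -1 when the function is too short (the first
 * answer's concern) or an instruction is outside the table (EDIT2's concern). */
int bytes_to_relocate(const uint8_t *code, size_t len)
{
    size_t covered = 0;
    while (covered < HOTPATCH_LEN) {
        int n = insn_len(code + covered, len - covered);
        if (n < 0) return -1;
        covered += (size_t)n;
    }
    return (int)covered;
}

/* Constructed sample prologues (not captured from any real binary). */
const uint8_t sample_std[]     = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10}; /* hot-patchable */
const uint8_t sample_nopad[]   = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x33, 0xC0}; /* no mov edi,edi */
const uint8_t sample_tiny[]    = {0x33, 0xC0, 0xC3};                               /* xor eax,eax; ret */
const uint8_t sample_unknown[] = {0x0F, 0x1F, 0x44, 0x00, 0x00, 0xC3};             /* multi-byte nop */
const size_t sample_std_len = sizeof sample_std, sample_nopad_len = sizeof sample_nopad,
             sample_tiny_len = sizeof sample_tiny, sample_unknown_len = sizeof sample_unknown;

int main(void)
{
    printf("std:     hotpatch=%d relocate=%d\n",
           has_hotpatch_prologue(sample_std, sample_std_len), bytes_to_relocate(sample_std, sample_std_len));
    printf("nopad:   hotpatch=%d relocate=%d\n",
           has_hotpatch_prologue(sample_nopad, sample_nopad_len), bytes_to_relocate(sample_nopad, sample_nopad_len));
    printf("tiny:    relocate=%d\n", bytes_to_relocate(sample_tiny, sample_tiny_len));
    printf("unknown: relocate=%d\n", bytes_to_relocate(sample_unknown, sample_unknown_len));
    return 0;
}
```

The standard preamble needs exactly 5 bytes relocated (2 + 1 + 2), which is why it is the easy case. Without the 2-byte mov edi,edi padding, the same function needs 6 bytes moved, because a 5-byte jmp would end in the middle of sub esp,0x10. A three-byte function such as xor eax,eax; ret has nothing to overwrite, and any opcode the decoder does not know is reported the same way: both are the situations where the answers say inline hooking either cannot be done or needs a full disassembler.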

Source: https://habr.com/ru/post/1337413/
