How do you find a function's virtual call address in assembly?

Developer https://www.devze.com 2022-12-31 03:56 Source: Internet
I've googled around but I'm not sure whether I am asking the right question or not, and I couldn't find much regardless; perhaps a link would be helpful.

I made a C++ program that shows a message box, then I opened it up with OllyDbg and went to the part where it calls MessageBoxW.

The call address of MessageBoxW changes each time I run the app, as Windows is updating my imports table to have the correct address of MessageBoxW. So my question is: how do I find the virtual address of MessageBoxW in my imports table, and also how can I use this in OllyDbg?


Basically I'm trying to make a code cave in assembly to call MessageBoxW again. I got fairly close once by searching the executable with a hex editor: I found the position of the call, and I think I found the virtual address. But when I called that virtual address in Olly and saved it to the executable, the next time I opened it the call was replaced with a bunch of DB xyz (which looked like the virtual address). Why did the call get removed?

Sorry if my terminology is off; as I'm new to this, I'm not quite sure what to call things.


(reply to comment on original post)

Ah, no, the address specified in the "call" opcode is relative to the call instruction. However, for imported functions, it's most likely an indirect call (which reads the function's address from a memory location).

There is really no "official"/reliable way to get the address of any function without having access to the import segment. If you are patching a certain executable, just look at the values Windows places in its import segment. If you are injecting code from another process, you can rely on the fact that the address of a function in a system DLL will remain the same relative to the DLL's load address. It is also possible to manually locate and parse the program's import segment in memory.


1- Find the address of MessageBoxW in your executable module. Suppose your exe file is a1.exe.

Executable modules > select a1.exe > press Ctrl+N and find the address of MessageBoxW. Suppose the address is 00402008.

2- Use the machine code ff25 08204000 to call MessageBoxW, but before that push the parameters and push your EIP as the return address.

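The two answers above hinge on the difference between a direct `E8 rel32` call (the operand is relative to the instruction, so the same bytes copied elsewhere call a different address) and the `FF 25 disp32` indirect call through an import-table slot (the bytes never change; only the slot contents do when the loader resolves MessageBoxW). The following C program, added here as an illustration and not taken from either answer or from OllyDbg, encodes and decodes both forms and simulates the loader filling the IAT slot at 00402008 from the second answer. The image base 0x00400000, the instruction addresses, and the two "MessageBoxW" addresses written into the slot are constructed values; a real IAT would hold whatever user32.dll's load address produced on that run. It assumes 32-bit code, where `FF 25` takes an absolute address; in 64-bit code the same opcode is RIP-relative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum call_kind { CALL_NONE = 0, CALL_REL32 = 1, CALL_INDIRECT_ABS32 = 2 };

/* x86 immediates and displacements are stored little-endian. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* E8 rel32: the operand is the distance from the END of this 5-byte
 * instruction to the target, so it only works at the address it was
 * assembled for. */
size_t encode_call_rel32(uint32_t insn_va, uint32_t target_va, uint8_t out[5]) {
    out[0] = 0xE8;
    put_le32(out + 1, target_va - (insn_va + 5));  /* wraps mod 2^32 like the CPU */
    return 5;
}

/* FF 25 disp32 (32-bit code): call [disp32]. The CPU reads the 4-byte slot
 * at the absolute address disp32 and calls whatever it finds there. This is
 * the form compilers use for imports; the slot is the IAT entry. */
size_t encode_call_indirect_abs32(uint32_t slot_va, uint8_t out[6]) {
    out[0] = 0xFF; out[1] = 0x25;
    put_le32(out + 2, slot_va);
    return 6;
}

/* Decode a call located at insn_va. For E8 the operand is the callee; for
 * FF 25 it is the IAT slot address, NOT the callee. */
enum call_kind decode_call(const uint8_t *code, size_t len, uint32_t insn_va,
                           uint32_t *operand) {
    if (len >= 5 && code[0] == 0xE8) {
        *operand = insn_va + 5 + get_le32(code + 1);
        return CALL_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        *operand = get_le32(code + 2);
        return CALL_INDIRECT_ABS32;
    }
    return CALL_NONE;
}

/* Constructed process image: 0x3000 bytes mapped at IMAGE_BASE. */
#define IMAGE_BASE  0x00400000u
#define IAT_SLOT_VA 0x00402008u   /* slot address from the second answer */
static uint8_t image[0x3000];

/* Stand-in for the Windows loader writing the resolved import address. */
void loader_fill_iat(uint32_t messagebox_va) {
    put_le32(image + (IAT_SLOT_VA - IMAGE_BASE), messagebox_va);
}

/* Follow an FF 25 call to its real target by reading the slot it names.
 * Returns 0 if the bytes are not an indirect call or the slot is unmapped. */
uint32_t resolve_indirect_call(const uint8_t *code, size_t len, uint32_t insn_va) {
    uint32_t slot;
    if (decode_call(code, len, insn_va, &slot) != CALL_INDIRECT_ABS32) return 0;
    if (slot < IMAGE_BASE || slot + 4 > IMAGE_BASE + sizeof image) return 0;
    return get_le32(image + (slot - IMAGE_BASE));
}

int main(void) {
    uint8_t ind[6], rel[5];
    uint32_t op;

    encode_call_indirect_abs32(IAT_SLOT_VA, ind);
    printf("call [%08X] -> %02X %02X %02X %02X %02X %02X\n", IAT_SLOT_VA,
           ind[0], ind[1], ind[2], ind[3], ind[4], ind[5]);

    /* Constructed: user32.dll landed at one address on the first run ... */
    loader_fill_iat(0x75A3F8D0u);
    printf("run 1: target = %08X\n", resolve_indirect_call(ind, 6, 0x00401010u));
    /* ... and somewhere else on the next run. Same code bytes, new slot value. */
    loader_fill_iat(0x76B10000u);
    printf("run 2: target = %08X\n", resolve_indirect_call(ind, 6, 0x00401010u));

    /* A relative call moved to another address no longer points at its target. */
    encode_call_rel32(0x00401000u, 0x00401234u, rel);
    decode_call(rel, 5, 0x00401000u, &op);
    printf("E8 at 00401000 -> %08X\n", op);
    decode_call(rel, 5, 0x00401100u, &op);
    printf("same bytes at 00401100 -> %08X\n", op);
    return 0;
}
```

The second `loader_fill_iat` call is the situation the question describes: the call site's bytes stay `FF 25 08 20 40 00` across runs, so a code cave should reuse that indirect form (or copy the original call instruction verbatim) rather than hard-code the value seen in the slot on one run. The `E8` example shows why an absolute address pasted into a relative call lands somewhere unrelated.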
