IDA (Pro or demo; I'm using Pro)
VC++ (any version; I'll use 2003 .NET as it's my favourite)
Injector (WinJect works fine for this)
Open up IDA and select 'Work on your own':
http://img206.imageshack.us/i/idapic1.png/
Now go to C:\windows\ and drag notepad.exe into IDA, then do as shown in these pictures:
http://img84.imageshack.us/i/idapic2.png/
http://img513.imageshack.us/i/idapic3.png/
Time to check the imports of notepad with IDA.
We know that notepad needs to get the system time in order to print it in the document. Note the word 'get': the import we need to find probably starts with Get (e.g. GetTime or something similar).
So sort the imports by name and look at the time-related ones that start with Get:
Code:
GetDateFormatW
GetLocalTime
GetTimeFormatW
http://img206.imageshack.us/i/idapic4.png/
Now right-click on it and select 'Chart of xrefs to', which should give you the following screen.
http://img529.imageshack.us/i/idapic5.png/
The chart shows two callers, sub_1006F10 and sub_1006773.
Let's find them in the Functions list:
http://img193.imageshack.us/i/idapic6.png/
Let's check out sub_1006773 first.
http://img262.imageshack.us/i/idapic7.png/
Hmm, that's a lot of variables for just inserting the time :o This might be something else, so let's check out sub_1006F10.
http://img198.imageshack.us/i/idapic8.png/
That looks a lot more like it :D Let's put a breakpoint on it by clicking the function name so it becomes yellow and then pressing F2 to place a breakpoint.
http://img188.imageshack.us/i/idapic9.png/
Press F9 to run notepad and, once notepad is open, press F5 (to insert the date/time). Hey! What's that?! Notepad got stuck on our breakpoint! :D This means we breakpointed the right function :D
Now press F9 to make notepad continue (or press the continue button in IDA), close notepad and disable the breakpoint by pressing F2 again.
Now we're going to need a prototype for this function, so right-click on the function name and select 'Set function type', which should show this:
Code:
int __stdcall sub_1006F10(int)
Code:
#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")   // link against the Detours library

// pointer to the trampoline that DetourFunction returns; we use it to call the original function
int (__stdcall * InsertDateTime_original)(int x);

int __stdcall InsertDateTime_hooked(int x)
{
    // MessageBoxW because the strings are wide (L"...")
    MessageBoxW(NULL, L"Inserting Date and Time", L"ERROR - SUCCESS", MB_OK); // create a messagebox
    return InsertDateTime_original(x); // then let the original function run
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        // 0x01006F10 = notepad's 0x01000000 image base + sub_1006F10; this only holds for this build of notepad
        InsertDateTime_original = DetourFunction((PBYTE)0x01006F10, (PBYTE)InsertDateTime_hooked);
        break;
    case DLL_PROCESS_DETACH:
        // DetourRemove takes the trampoline returned by DetourFunction, not the target address
        DetourRemove((PBYTE)InsertDateTime_original, (PBYTE)InsertDateTime_hooked);
        break;
    }
    return TRUE;
}
'error C2440: '=' : cannot convert from 'PBYTE' to 'int (__stdcall *)(int)'
This is because we need to typecast the return value of DetourFunction, so replace the DetourFunction line with the following one:
Code:
InsertDateTime_original = (int (__stdcall *)(int))DetourFunction((PBYTE)0x01006F10, (PBYTE)InsertDateTime_hooked);
Now you need to inject it into notepad with your favourite injector and it's done :)
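To show what the DetourFunction call above actually leaves behind in notepad's memory, and how you would recognise it from the other side, here is an added example in portable C (not part of this tutorial and not Detours code): Detours 1.x overwrites the first five bytes of the target with a relative JMP (E9 + rel32), so comparing a function's in-memory prologue with its on-disk bytes reveals the hook and where it jumps. The function address 0x01006F10 is the one from the tutorial; the prologue bytes and the hook DLL address 0x10001000 are constructed for this example, and reading the real bytes from a process or from the file on disk is left out so that it runs stand-alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Detours 1.x (DetourFunction) installs a hook by overwriting the first five
   bytes of the target with "JMP rel32" (E9 xx xx xx xx). The rel32 is
   relative to the address just after that 5-byte instruction. */
enum prologue_state { PROLOGUE_CLEAN, PROLOGUE_JMP_HOOK, PROLOGUE_MODIFIED };

struct hook_check {
    enum prologue_state state;
    uint32_t jump_target;   /* absolute target when state == PROLOGUE_JMP_HOOK */
};

/* Compare the in-memory prologue with the clean on-disk bytes and, when a
   5-byte relative JMP has been written over it, resolve where it goes. */
struct hook_check check_prologue(uint32_t func_addr, const uint8_t *disk,
                                 const uint8_t *mem, size_t len)
{
    struct hook_check r = { PROLOGUE_CLEAN, 0 };
    if (len < 5 || memcmp(disk, mem, len) == 0)
        return r;                                   /* untouched */
    if (mem[0] != 0xE9) {
        r.state = PROLOGUE_MODIFIED;                /* patched, but not a Detours-style JMP */
        return r;
    }
    /* rel32 is little-endian; assemble it explicitly so the host byte order does not matter */
    uint32_t rel = (uint32_t)mem[1] | ((uint32_t)mem[2] << 8) |
                   ((uint32_t)mem[3] << 16) | ((uint32_t)mem[4] << 24);
    r.state = PROLOGUE_JMP_HOOK;
    r.jump_target = func_addr + 5 + rel;            /* uint32 wraparound handles backward jumps */
    return r;
}

/* Constructed sample: the function address is the tutorial's sub_1006F10 at
   notepad's 0x01000000 image base; the prologue bytes and the hook DLL
   address 0x10001000 are made up for this example. */
#define SAMPLE_FUNC_ADDR 0x01006F10u
static const uint8_t sample_disk[8]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
/* after DetourFunction: JMP to 0x10001000 -> rel32 = 0x10001000 - 0x01006F15 = 0x0EFFA0EB */
static const uint8_t sample_hooked[8] = { 0xE9, 0xEB, 0xA0, 0xFF, 0x0E, 0x83, 0xEC, 0x10 };
/* a one-byte INT3 (software breakpoint, as IDA's F2 sets) is a modification but not a hook */
static const uint8_t sample_int3[8]   = { 0xCC, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

int main(void)
{
    const uint8_t *cases[3] = { sample_disk, sample_hooked, sample_int3 };
    const char *names[3] = { "clean", "detoured", "int3" };
    for (int i = 0; i < 3; i++) {
        struct hook_check c = check_prologue(SAMPLE_FUNC_ADDR, sample_disk, cases[i], 8);
        printf("%-9s state=%d", names[i], (int)c.state);
        if (c.state == PROLOGUE_JMP_HOOK)
            printf(" jump_target=0x%08X", c.jump_target);
        printf("\n");
    }
    return 0;
}
```

The same comparison is what tells you whether a DetourRemove call in DLL_PROCESS_DETACH really restored the prologue: after unhooking, the in-memory bytes should compare equal to the on-disk ones again.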
P.S. I'm tired, so pictures 7 to 9 (and the text written there) are bullshit :D Place a breakpoint on Sub_1006773 and run notepad, insert date/time and it won't break (that's why it's the wrong function, not because of the BS I wrote there :))