Execute remote function with memory address as parameter


I'm trying to execute a function in a running (old) Win32 Borland application (the window has class OLW_WINDOW). By using OllyDbg I've found out that the function has one parameter, which is a memory address. One variable/value used by the function is stored at an offset from that address. My idea is to find that memory address (which is at a constant offset in a memory block), change the variable/value to what I want and then execute the function.

Using WriteProcessMemory and CreateRemoteThread to execute it is okay, but the problem is how to find the memory address/block. When opening "Memory map" in OllyDbg, the memory block has no owner, section or contains. Is it possible to get a list of memory blocks created by a specified thread? Or could I get it from the application somehow?

Btw: the function is normally executed when a button is clicked, and the variable/value I want to set is a database ID listed (by name) in a listview (or equivalent).


There are 1 answers

GuidedHacking On

The best thing to do is just call the function.

As an example here is a function which prints output to a console:

void ConsoleOutput(char* text);

To call it, we would find the address of this function in the target binary. Let's say it's found at 0xDEADC0DE.

We would form a typedef for a function pointer:

typedef void(__cdecl* tConsoleOutput)(char* text);

We would create an instance of that function pointer type:

tConsoleOutput ConsoleOutput = (tConsoleOutput)0xDEADC0DE; // points at the address found in the target binary

To call the function we would simply do:

ConsoleOutput("Hello");

Likewise for your project, you would input whatever argument you required.
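
An added example, not part of the original answer: the same call-by-address pattern applied to the question's case, a function that takes a memory address and reads a value at a constant offset from it. `open_record`, the 0x10 offset and the 64-byte block are made-up stand-ins; the cast is only meaningful when the calling code runs inside the process that owns the address, and the pointer type must match the callee's calling convention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the question only says the value sits at a constant
   offset inside the block. 0x10 and the 64-byte size are made up. */
#define CTX_SIZE  64
#define ID_OFFSET 0x10

/* Stand-in for the target's function: reads a 32-bit ID at ID_OFFSET. */
static int32_t last_opened = -1;
static void open_record(void *ctx)
{
    int32_t id;
    memcpy(&id, (uint8_t *)ctx + ID_OFFSET, sizeof id);
    last_opened = id;
}

/* Pointer type that matches the callee's signature. On Win32 the calling
   convention (__cdecl, __stdcall, ...) must also match the disassembly. */
typedef void (*tOpenRecord)(void *ctx);

/* Address as a debugger would report it: a plain integer. */
uintptr_t demo_function_address(void) { return (uintptr_t)&open_record; }

/* Write the ID at the offset, then call through the raw address.
   Returns the ID the callee saw, or -1 if the arguments are unusable. */
int32_t call_with_id(uintptr_t func_addr, void *ctx, size_t ctx_size, int32_t id)
{
    if (func_addr == 0 || ctx == NULL || ctx_size < ID_OFFSET + sizeof id)
        return -1;                       /* block too small for the field */
    memcpy((uint8_t *)ctx + ID_OFFSET, &id, sizeof id);
    tOpenRecord fn = (tOpenRecord)func_addr;
    fn(ctx);
    return last_opened;
}

int main(void)
{
    uint8_t ctx[CTX_SIZE] = {0};         /* constructed parameter block */
    uintptr_t addr = demo_function_address();
    printf("opened id %d\n", (int)call_with_id(addr, ctx, sizeof ctx, 1234));
    return 0;
}
```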