How to compile Loader

Author: detten

1. What is a loader? Why use one?
A so-called loader is a program that loads another program. Of course, a loader is only needed when the loaded program has to be modified in memory (a memory patch).
Loaders are often used to let gamers modify a game.
There are many reasons to choose a loader instead of an ordinary file patch. We may need to modify the program only after it has passed its CRC check, or modify data in memory at startup and later restore the original data in the program .....
I'm sure you can find other purposes.

2. How does a loader work?
OK. Find your win32.hlp and sit down :)
First, the loader must create a process to start the target program. We use the CreateProcess function to do this (obviously). Once the target program is loaded into memory, we need to suspend the process so we can make our modifications.
Let's take a look at win32.hlp's explanation of this API function:
BOOL CreateProcess(
    LPCTSTR lpApplicationName,                  // pointer to name of executable module
    LPTSTR lpCommandLine,                       // pointer to command line string
    LPSECURITY_ATTRIBUTES lpProcessAttributes,  // pointer to process security attributes
    LPSECURITY_ATTRIBUTES lpThreadAttributes,   // pointer to thread security attributes
    BOOL bInheritHandles,                       // handle inheritance flag
    DWORD dwCreationFlags,                      // creation flags
    LPVOID lpEnvironment,                       // pointer to new environment block
    LPCTSTR lpCurrentDirectory,                 // pointer to current directory name
    LPSTARTUPINFO lpStartupInfo,                // pointer to STARTUPINFO
    LPPROCESS_INFORMATION lpProcessInformation  // pointer to PROCESS_INFORMATION
);
For more information about these API functions, see win32.hlp.
lpApplicationName is the path and name of the target program (for example, C:\somedir\crackme.exe).
lpCommandLine can be used to pass command line parameters, if needed.
dwCreationFlags is also very important: we need the loaded process to be stopped before it runs any code, so here we set CREATE_SUSPENDED. lpStartupInfo points to a STARTUPINFO structure holding the startup information (see win32.hlp for details).
lpProcessInformation points to an empty PROCESS_INFORMATION structure, which is filled in when the process is created. The structure contains the process handle, the thread handle, and the process and thread IDs.
Note: We recommend that you use the process handle rather than the thread handle. With the process handle you have PROCESS_ALL_ACCESS rights on the whole process, that is, read and write access to the whole process; if you use the thread handle instead, you would have to obtain write access separately.

Now the target program is loaded. We can use the following API functions to run or stop the process (strictly speaking, its main thread):

DWORD ResumeThread(
    HANDLE hThread  // identifies thread to restart
);  Resumes the process

DWORD SuspendThread(
    HANDLE hThread  // handle to the thread
);  Suspends the process
hThread can be obtained from the PROCESS_INFORMATION structure.

Finally, you can use the following function to write to the process:
BOOL WriteProcessMemory(
    HANDLE hProcess,               // handle of the process whose memory is written to
    LPVOID lpBaseAddress,          // address to start writing to
    LPVOID lpBuffer,               // pointer to the data to write
    DWORD nSize,                   // number of bytes to write
    LPDWORD lpNumberOfBytesWritten // address of the number of bytes written
);
This one is self-explanatory. hProcess can be obtained from the PROCESS_INFORMATION structure.
And to read data from a process:
BOOL ReadProcessMemory(
    HANDLE hProcess,               // handle of the process whose memory is read
    LPCVOID lpBaseAddress,         // address to start reading
    LPVOID lpBuffer,               // address of buffer to place read data
    DWORD nSize,                   // number of bytes to read
    LPDWORD lpNumberOfBytesRead    // address of number of bytes read
);

With the above understood, you can follow the example below.

3. Loader example
In the following example, I will start a crackme and change its window title to "detten's caption". I will let the process run for five seconds and then terminate it.
Here we patch a string; of course, the same method can also patch a byte or a word :). As preparation, we need to know the address of the string inside the process. Open your favourite disassembler and find the address: 004050FCh.

<------------- Code snippet ----------------->
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
filename    db "C:\somedir\crackme.exe", 0
notloaded   db "it did not work :-(", 0
letsgo      db "the process is started", 13, 10,
               "let's change smthg and run it now :-)", 0
newtext     db "detten's caption", 0     ; replacement string, null-terminated

startup     STARTUPINFO <>
processinfo PROCESS_INFORMATION <>

.data?
hInstance    dd ?
byteswritten dd ?
uexitcode    dd ?

.code
start:

    invoke GetModuleHandle, NULL
    mov hInstance, eax
    ; CreateProcess needs the size of the STARTUPINFO structure in its cb member
    mov startup.cb, SIZEOF STARTUPINFO
    ; Create a new process, load the crackme and keep its main thread suspended
    invoke CreateProcess, ADDR filename, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                          NULL, NULL, ADDR startup, ADDR processinfo
    .if eax == NULL                                   ; process creation failed?
        invoke MessageBox, NULL, ADDR notloaded, NULL, MB_ICONEXCLAMATION
    .else
        invoke MessageBox, NULL, ADDR letsgo, NULL, MB_OK   ; display message
        ; Overwrite the string at 004050FCh with the new text, including its
        ; terminating null (the new text must not be longer than the original)
        invoke WriteProcessMemory, processinfo.hProcess, 004050FCh, ADDR newtext,
                                   SIZEOF newtext, ADDR byteswritten
        ; Resume the suspended main thread
        invoke ResumeThread, processinfo.hThread
        ; Let the process run for 5 seconds and then kill it
        invoke Sleep, 5000
        invoke TerminateProcess, processinfo.hProcess, uexitcode
        invoke CloseHandle, processinfo.hThread
        invoke CloseHandle, processinfo.hProcess
    .endif
    invoke ExitProcess, 0
end start
<------------- End code snippet ------------->

That is the entire process of writing a loader.
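The same suspend, patch, resume sequence from sections 2 and 3, written in C as an added example (not the author's code), with the check a careful patcher adds: the original bytes at 004050FCh are read and compared with what the disassembly showed before anything is written, and the replacement is only written if it fits the original string's storage. The address comes from the article; the expected original text, the path and the function names are assumptions.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Caption address taken from the article; the expected original text is a
   constructed placeholder, take the real bytes from your own disassembly. */
#define CAPTION_ADDR 0x004050FCUL
const char expected_orig[] = "ORIGINAL CAPTION"; /* placeholder */
const char new_caption[]   = "detten's caption";

/* 1 if the replacement (plus its NUL) fits in the storage of the original
   string; writing past it would corrupt whatever follows in the target. */
int patch_fits(const char *original, const char *replacement)
{
    return strlen(replacement) <= strlen(original);
}

/* 1 if the bytes read from the target are exactly those we expect, so a
   different build is left untouched instead of being patched blindly. */
int bytes_match(const unsigned char *actual, const char *expected, size_t n)
{
    return memcmp(actual, expected, n) == 0;
}

#ifdef _WIN32
/* Start the target suspended, verify and patch the caption, run it for
   5 seconds and kill it, as the MASM example does. Returns 1 on success. */
int run_loader(const char *path)
{
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    unsigned char buf[sizeof expected_orig];
    SIZE_T n = 0;
    int ok = 0;

    if (!CreateProcessA(path, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &si, &pi))
        return 0;
    if (ReadProcessMemory(pi.hProcess, (LPCVOID)CAPTION_ADDR, buf, sizeof buf, &n)
        && n == sizeof buf && bytes_match(buf, expected_orig, sizeof buf)
        && patch_fits(expected_orig, new_caption))
        ok = WriteProcessMemory(pi.hProcess, (LPVOID)CAPTION_ADDR, new_caption,
                                sizeof new_caption, &n) != 0;
    if (ok) { ResumeThread(pi.hThread); WaitForSingleObject(pi.hProcess, 5000); }
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return ok;
}
#endif
```

The two checks compile and run on any platform; run_loader is only built on Windows, where the Win32 API exists.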
