FOPEN Redirection

Dear Tyfane, Now I have a ideal which may solve your problem; perhaps it`s too late. My ideal is that you hook CreateFile and WriteFile at the same time. In this way, you can get the HANDLE of log.txt firstly; then monitor the WriteFille. My means is following: BOOL MyWriteFile(HANDLE hFile, ......) { BOOL res = OriginalWriteFile(HANDLE hFile, ......); if(hFile belong to Log.txt) { **FlushFileBuffers**(hFile);//you can get information from log.txt! } return res; } If writing file is not the cause which result in to crash, I think it is a way to solve your problem. Good Luck! JuneDeng

Thank your help. Best wish for you. June

Dear Iain, Now I encounter another problem that is how to get file`s name by HANDLE of a file. Do you know it??? If you know it, please help me. Thank you. Enjoy! June.

Dear Iain, Thank you. Your ideal is right. But there is a mistake in your demo code. Perhaps, you lose a function call. I believe your original thought is following: HANDLE FileToHandle (FILE *f) { return (HANDLE)(**_get_osfhandle**(f->_file)); } I have tried the method and verified it is right. Enjoy! June

Is there a Windows API or a method which can convert FILE* to HANDLE of a file or convert HANDLE to FILE* ??? The background of application :I want to monitor the I/O of a special file by hooking WriteFile and the file be opened by 'fopen'.In addition, I can`t modify the function form 'fopen' to 'CreateFile'. Therefore I can`t know which handle of file should be monitored according to the first parameter of WriteFile.So I hope there is a way that can convert HANDLE or FILE* to another. If you know it ,please tell me . Thank you.

DavidCrow wrote:

Why would you expect it not to crash?

Because calling 'LoadLibraryA(NULL);' is ok in local process.

Dear maciu2020, I know your method of injection. I just want to learn my code why to crash.In addition, I have step up the privilege of process`s handle before the to call the function 'Inject'. In you code, LoadLibraryA is a parameter of CreateRemoteThread. Given the address of LoadLibraryA is 0x7c801d77, the following code is ok. HANDLE hRemoteThread = CreateRemoteThread( hTargetProcess, NULL, 0, **0x7c801d77**, pRemotelyAllocatedStringContainigPathToTheDll, 0, &dwWriteBytes); Why it`s ok ??? There is only one reason which the address of LoadLibraryA is same in all process! In other words, LoadLibraryA==0x7c801d77 in process A and LoadLibraryA==0x7c801d77 in process B at the same time. Do you agree with my opinion ??? This is the key of my question, which, in my code, local calling LoadLibraryA is jmp/call 0x7c801d77 and the calling LoadLibraryA in remote thread proceduer is also jmp/call 0x7c801d77. Why the latter must crash?

Hi everybody, Could you give me the answer which concern to inject code to other process.My questions are: [1]Must Windows API function have the same address in all process? [2]Why would crash when a remote thread proceduer directly call Windows API function? Now I show my code: DWORD __stdcall RemoteThreadProc(LPVOID lParam) { LoadLibraryA(NULL); //_**crash!!! Why crash???**_ return 0; } DWORD Inject(HANDLE hTargetProcess) { //Compare local calling with calling in remote thread proceduer. LoadLibraryA(NULL); //Ok!!! //======================================================= DWORD dwWriteBytes; //The size of thread procedure code. Estimated it. DWORD dwThreadSize = 5000; //Allocate memory in another process space void* pRemoteThread = VirtualAllocEx(hTargetProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); //Write thread procedure code to target process. if (!WriteProcessMemory(hTargetProcess, pRemoteThread, RemoteThreadProc, dwThreadSize, 0)) { //Failed!!! return 0; } //Create remote thread HANDLE hRemoteThread = CreateRemoteThread( hTargetProcess, NULL, 0, (DWORD (__stdcall *)(void *))pRemoteThread, NULL, 0, &dwWriteBytes); if (!hRemoteThread) { //Failed!!! return -1; } return 1; //Successfully } //============================================ //Base on WinsowsXP sp2 、VC6.0 //============================================ As far as known, Windows API function have same address in all process, but I can`t make sure it. For example, the address of "LoadLibraryA" is 0x7c801d77 in some process which I tested.[I get the address by printf(TEXT("%x"), LoadLibraryA ); ]. If Winsows API function have same address in all process, there are no reason to crash when the remote thread proceduer call API function . Please give me an answer or an illumination. Thank you.

TCHAR tchFilePath_Name[200]; //Call windows API to get absolute path + file name GetModuleFileName(GetModuleHandle(NULL), tchFilePath_Name200); //Then pick-up the file name //...

The result of '1 << 256' is out range of WORD. 1 << 256 equal to 2^256! 65536 = 2^16

The function 'freopen' is about redirecting. But I don`t know whether it can help you; because I don`t know that [1]the detail of your method of to open second console window and [2]how to get handle of file stream of log.txt in your .dll. Could you detailedly describe you method which how to open second Console window and how to get handle of file stream???