I Write a dll to hook RIL.dll but i have a problem in this code.
I put a hook opcode to RIL_Dial Function adress by WriteProcessMemory but not work correctly.

please help me.


// The patching code that is declared in RilPatch() as an external
// module.
extern "C" void RilPatch();

// The offset of first code that should be transfered from Ril.dll
// to RilPatch().
int MainOpcodeOffset;

// This routine will be used for installing RilPatch().
BOOL InstallPatch()
{
DWORD Opcode, OperatedBytes;
int offBytes;

// Loading Ril.dll and getting lpRIL_Dial start address
HMODULE RilDllModule = LoadLibrary(L"Ril.Dll");
FARPROC lpRIL_Dial = GetProcAddress(RilDllModule,L"RIL_Dial");
// Trace and finding The first replacement part of RilPatch()
// for transfering opcode from Ril.dll to RilPatch().
Opcode = 0;
offBytes = 0;
while (Opcode != 0xE1A00000)
{
if (!ReadProcessMemory(GetCurrentProcess(),(DWORD *)((DWORD)RilPatch + offBytes), &Opcode,4,&OperatedBytes))
return FALSE;
offBytes += 4;
}
MainOpcodeOffset = offBytes - 4;
// Reading opcode that should be transfered.
if (!ReadProcessMemory(GetCurrentProcess(),(DWORD *)((DWORD)lpRIL_Dial + 4),&Opcode,4,&OperatedBytes))
return FALSE;
// Transfering opcode.
if (!WriteProcessMemory(GetCurrentProcess(),(DWORD *)RilPatch + MainOpcodeOffset,&Opcode,4,&OperatedBytes))
return FALSE;
// Calculating opcode for Jump from Ril.dll to RilPatch().
Opcode = ((((DWORD)RilPatch) - ((DWORD)lpRIL_Dial) - 8) >> 2) | 0xEA000000;
// Inserting Jump opcode in Ril.dll
if (!WriteProcessMemory(GetCurrentProcess(),(DWORD *)((DWORD)lpRIL_Dial + 4),&Opcode,4,&OperatedBytes))
return FALSE;
DWORD NewOpcode;
if (!ReadProcessMemory(GetCurrentProcess(),(DWORD *)((DWORD)lpRIL_Dial + 4),&NewOpcode,4,&OperatedBytes))
return FALSE;

/************ BIG PROPLEM ***************/
/************ BIG PROPLEM ***************/
/************ BIG PROPLEM ***************/
/************ BIG PROPLEM ***************/
/************ BIG PROPLEM ***************/

if(NewOpcode != Opcode)
MessageBeep(MB_ICONASTERISK);

// Trace and finding The second replacement part of RilPatch()
// for adding Jump opcode from RilPatch() to Ril.dll
Opcode = 0;
offBytes = 0;
while (Opcode != 0xE1A00000)
{
if (!ReadProcessMemory(GetCurrentProcess(),(DWORD *)((DWORD)RilPatch + offBytes),&Opcode,4,&OperatedBytes))
return FALSE;
offBytes += 4;
}
offBytes -= 4;
// Calculating opcode for Jump from RilPatch() to Ril.dll
Opcode = ((((DWORD)lpRIL_Dial) - ((DWORD)RilPatch) - 8) >> 2) | 0xEA000000;
// Inserting Jump opcode in RilPatch()
if (!WriteProcessMemory(GetCurrentProcess(),(DWORD *)RilPatch + offBytes,&Opcode,4,&OperatedBytes))
return FALSE;
return TRUE;
}

// This routine will be used for uninstalling RilPatch().
BOOL UninstallPatch()
{
DWORD Opcode, OperatedBytes;

// Loading Ril.dll and getting lpRIL_Dial start address
HMODULE RilDllModule = LoadLibrary(L"Ril.Dll");
FARPROC lpRIL_Dial = GetProcAddress(RilDllModule,L"RIL_Dial");
// getting opcode that injected in RilPatch()
if (!ReadProcessMemory(GetCurrentProcess(),(DWORD *)RilPatch + MainOpcodeOffset,&Opcode,4,&OperatedBytes))
return FALSE;
// restoring opcode in Ril.dll
if (!WriteProcessMemory(GetCurrentProcess(),(DWORD *)((DWORD)lpRIL_Dial + 4),&Opcode,4,&OperatedBytes))
return FALSE;
return TRUE;
}

BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH :
// Installing Patch on loading DLL
return InstallPatch();
case DLL_PROCESS_DETACH:
// Uninstalling Patch on unloading DLL
return UninstallPatch();
}
return TRUE;
}[/code]

I have not read your code, but when DLL image is in ROM, you cannot overwrite its code section. In this case you should hook the import table of module that uses the DLL, or make a wrapper (I prefere this method) or hook module's export table. Hooking import/export should be done for every process that uses this DLL.

Thanks for replay.
I Want a create wraper dll but a need to a all functin param and orig dll.
a get a dll from iMate JAM by OSImageTools but this file is not work correctly.