
How to inject a Windows API call using OllyDbg in Windows 7 x64

I am using Windows 7 x64 and OllyDbg 2.01 (alpha 2).

I have an exe, and I want to pop up a MessageBox to show some information during execution. There is a great tutorial that shows you how to do this: How to inject code into an exe file. Basically, it is about adding a MessageBoxA API call with the wanted information:

PUSH 0                 ; BUTTONS = <OK ONLY>
PUSH 1008751           ; CAPTION  = Our adress of the "INJECTED NOTEPAD"
PUSH 1008751           ; MESSAGE  = Same like above.
PUSH 0                 ; ICON        = <NO ICON>
CALL MessageBoxA       ; Run MessageBoxA with the Params above.

It does work in a live debug session: I injected the code and then debugged it, and the message box does pop up. But after I save the executable (RMB->Edit->Select all; RMB->Edit->Copy to executable; in the new window, RMB->Save file) and then execute it, it just crashes.

Here is what I've observed:

Before saving, the CALL MessageBoxA is actually CALL 74DAFD1E, which means 74DAFD1E is the address of the API MessageBoxA, but after saving, the address is changed to some other value.

Also, do you think ASLR would virtually stop us from injecting Windows API calls?

Any ideas? How could I manage to show the information I wanted from that exe?
Thanks in advance!

This is caused by ASLR. To make it work in Windows 7, one approach is to disable ASLR (at your own risk).

You can download the Enhanced Mitigation Experience Toolkit (EMET) tool, install it and run EMET_GUI.exe; in the pop-up dialog, disable ASLR and reboot.

You may want to re-enable ASLR after finishing your work, as it has an impact on your OS's security.
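An added example that is not part of the question or answer above: the absolute target 74DAFD1E lives inside user32.dll, which Windows randomizes on each boot, so a saved absolute CALL goes stale no matter what the target exe's own flags say. Before toggling ASLR system-wide, it helps to know which images actually opt in, and this small PE header reader (written for this page, operating on a constructed header rather than a real file) reports the relevant flags: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header and IMAGE_FILE_RELOCS_STRIPPED in the COFF header, since an image whose relocations were stripped cannot be rebased even when it asks for ASLR.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # optional header: opts in to ASLR

def aslr_status(image: bytes) -> dict:
    """Parse the PE headers of `image` and report whether the loader can relocate it."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                      # PE32: ImageBase is a DWORD at +28
        bits, (image_base,) = 32, struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                    # PE32+: ImageBase is a QWORD at +24
        bits, (image_base,) = 64, struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)  # same offset in both formats
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "bits": bits,
        "preferred_image_base": image_base,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # No .reloc data means the loader cannot rebase, so DYNAMIC_BASE alone is not enough.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def build_sample_image(magic, characteristics, dll_chars, image_base) -> bytes:
    """Constructed minimal PE header (not a real executable) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C if magic == 0x10B else 0x8664,
                       1, 0, 0, 0, 96, characteristics)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    if magic == 0x10B:
        struct.pack_into("<I", opt, 28, image_base)
    else:
        struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To inspect a real file, pass `open(path, "rb").read()` to `aslr_status` instead of the constructed header.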
