Remote Call

Remote Call Dialog
This dialog allows you to make call inside any hooked process.

   - General
   - Parameter syntax
   - Buffer Overrun protection in action

   - Examples
       1) Simple Call
       2) Value passed by reference
       3) Buffer
       4) Output Buffer
       5) Struct
       6) Pointer on Struct
       7) double/float
       8) double*/float*
       9) Exe_Internal
       10) ASM


Dll Name
Enter the name (or full path for not system dll) of the dll inside which you want to make your call.
By the way in the screenshot this is "user32.dll".

Using the same syntax as monitoring file, by specifying a virtual address, you can make a call of a not exported function inside an exe or inside a dll.
For an EXE :
where RelativeAddress is the relative address from Base Address of the exe

For a DLL :
DLL_INTERNAL@0xRelativeAddress DLL_INTERNAL_POINTER@0xRelativeAddress for a dll.
where RelativeAddress is the relative address from Base Address of the dll (see monitoring files).

Function call
Enter the name of the function followed by parameters : Beep(500,0x3e8)

Show after call registers and floating result
Use this option to force the result window to show after call details including after call registers and floating result.

Do call inside specified threadt
Use this function to do a call inside a specified thread (specify a thread ID only if necessary as a thread context switching is required). It as been introduce for functions using local thread storage (and so some COM method).

Call Timeout
Max time for function to execute.

Enter the state of registers as you want they are filled just before function call

Make Call inside the selected process
Select the process into wish you want to make the call.

Parameters syntax :
Notice : more examples are given below

   - Direct value : 500, 0x12, -45

   - Pointer to value : &500, &0x12, &-45
You can use &OutValue for reference value that don't require initialisation GetWindowThreadProcessId(0x1234,&OutValue)

   - String : "string" for ansi string and L"string" for unicode string. Notice: this syntax allow you standard escape sequence \b, \f, \r, \n, \\, \t, \', \"

   - Buffer : &Buffer= followed by a byte array. Warning buffer has length of provided byte array. Make sure it is enough for function call
MessageBoxA(0,&Buffer=46 6F 6F 00,&Buffer=46 00,0)

   - Out Buffer &OutBuffer[N] where N is the size. Like GetTempPathA(255,&OutBuffer[255])

   - Structures : Buffer= followed by a byte array used for direct structure parameters.
To pass a POINT pt {200,300} (or {0xC8,0x12C}in hexa) structure like for ChildWindowFromPoint(HWND hWndParent,POINT Point) function,
Use Buffer=C8 00 00 00 2C 01 00 00

   - double : double= followed by value ex: double=0.5

   - pointer to double : &double= followed by value ex: &double=0.5

   - float : float= followed by value ex: float=0.5

   - pointer to float : &float= followed by value ex: &float=0.5

   - variants : The following keywords are supported : VT_EMPTY, VT_NULL, VT_I1, VT_I2, VT_I4, VT_I8, VT_INT, VT_UI1, VT_UI2, VT_UI4, VT_UI8, VT_UINT, VT_BOOL, VT_ERROR, VT_R4, VT_R8, VT_CY, VT_DATE, VT_DISPATCH, VT_UNKNOWN, VT_BSTR
You can pass some value as reference by adding the _BYREF suffix (like VT_I1_BYREF=0x500000). In this case (like for VT_BSTR), the provided value must be the address of pointer in remote process.
To allocate such memory in remote process, get pointer on it, and read/write value, just use the WinAPIOverride memory window
ex: VT_I1=7, VT_BSTR=0x12345, VT_UI2_BYREF=0x23456

   - pointer to variants : add an & prefix to the previously defined keywords. &VT_EMPTY, &VT_NULL, &VT_I1, &VT_I2....
ex : VariantCopy(&VT_EMPTY,&VT_I2=78)

As soon as one of you parameter is passed as reference, a detail window is shown to display parameter values,
after call registers and floating results. Else only a MessageBox containing the function return will appear.

The result window don't parse parameters, as no monitoring is requiered to do a remote call. So there's no way to know the types of parameters.

You can log your own calls (take care of modules filters as calls are made by apioverride.dll, you need to temporary uncheck "Only Base Module" and "Use list" inside the "Modules Filters" group in the WinApiOverride main dialog)

Remote call provides 3 protections to avoid hooked process to crash :
   - Call is done inside a try{} catch() block
   - Buffer overrun protection
   - A stack protection is done: if you forgot someparameters they are set to 0.
By the way if you call the Add(int,int) function of TargetSample with "Add()" the result is
But even with these protections, providing a bad pointer can still make process crash.

Use the String Hex dialog for string to bytes buffer conversion

All values can be entered as decimal or hexadecimal (Use "0x" as prefix for hex values)

Multiple instances of this dialog can be launched

If you want to log your remote call, you have to disable the module filter defined for the apioveride.dll (See modules filters)
Temporary uncheck "Only Base Module" and "Use list" inside the "Modules Filters" group in the WinApiOverride main dialog)

Due to .Net framework exception handling way, you musn't call .NET functions throwing exceptions (even if exceptions are catched in .NET code)

Buffer overrun protection

By the way if you are doing the following call GetTempPathA(260,&OutBuffer[20])
You can quickly see that first parameter (supposed to be the size of buffer) does'nt match.
Doing such call in real life will do a buffer overrun and can crash your process.
But with buffer protection introduced in version 6.0, you will get the following result
Parameter index reported in buffer overrun message is 1 based parameter index

Buffer overrun report for parameter 2
Result after buffer overrun report
In previous case we can see that value return by GetTempPathA (0x24 = 36) is the size of the provided buffer (OutBuffer[20]) + the size of the overrun 16.

Examples :

1) Simple Call

For functions requiering simple parameters like the Beep function, write it like you do in your one code
This work for any 4 bytes or less types (int,DWORD, long, char, BYTE, short....)

2) Value passed by reference

Just preceed value by an '&'
For out only value we can use the &OutValue key word which will act like an &0
As we use reference values, the remote call result will popup automatically displaying the results of the function call

3) Buffer

In the following example we are going to display a messagebox with "Foo" as text and "F" as caption.
We need an ASCII string buffer so we use the String Hex dialog to convert text to byte array.
As "Foo" is 46 6F 6F 00 and "F" 46 00, we do the following
That's good : the result is the expected one
Notice: since WinAPIOverride 4.0 strings can be written directly like MessageBoxA(0,"Foo","F",2)

4) Out Buffer

We are going to make a call to GetTempPathA function. It require a quite big buffer, so instead of doing &Buffer=000.....0000
we use the &OutBuffer[255] which provides a quite speedest way
With Param2= 433A5C444F43554D457E315C4D59555345527E315C4C4F43414C537E315C54656D705C000000000...
and using the String Hex dialog to convert bytes to an ascii string we get the following:

5) Struct

Structures are considered as memory buffer. So to use them , you have to use the same representation that your computer use.

By the way for a structure defined by
typedef struct{
DWORD dw1;
DWORD dw2;
DWORD dw3;

It's memory representation is LittleEndian(dw1)LittleEndian(dw2)LittleEndian(dw3)
So with dw1=1, dw2=2 and dw3=3 we got the following 12 bytes buffer for the struct representation:
01 00 00 00 02 00 00 00 03 00 00 00
So a func f(Foo) will be called by f(Buffer= 01 00 00 00 02 00 00 00 03 00 00 00)

Notice : it's the easiest way because structure is already 4 bytes aligned.

As memory representation depends of alignment, you have to take care of structures using not 4 bytes multiple types :
( see the #pragma pack preprocessor help for more information)
Example with point struct {0xC8,0x12C}

6) Struct*

With the same Foo struct and same condition defined in 5), the only differency is the '&'
So function f2(Foo*) will be called by f2(&Buffer= 01 00 00 00 02 00 00 00 03 00 00 00)

7) double/float

You have to put keyword before the use of these types.
Don't forget to check the "Show after call registers ans floating result" if function return a float or a double

8) double*/float*

You have to mark the reference by '&' and use the same keywords defined in 7)

9) Exe_Internal

With the TargetSample.exe provided for tutorials (Notice : can be found at "Overriding Dll SDK\API\ExeInternal (with target sample)\ReleaseUnicode")
The function add(int,int) is at address 0x401000
So with the following parameters we can call the Add function of TargetSample.exe by doing the following

Easy isn't it ?

10) ASM

To check asm call, we will use another exe provide for tutorial : Target32.exe (Notice : can be found at "Overriding Dll SDK\ASM\AsmExeInternal (with asm target sample)\x86 example\Asm Target32").
The RotateRegisters function address is at 0x4010A0.
Don't forget to check the "Show after call registers ans floating result" option.
The function RotateRegisters just do the following :
The registers result
And if you make a logging during the same time, the details view will show the following :
We find our data in the "Registers Before Call" row and the result in the "Registers After Call" row.
All is OK.