Blizzhackers

Home of the Dupe since 2001

 Post subject: Need help too
PostPosted: Sat Jun 27, 2009 3:50 pm
User
Joined: Sat Jun 27, 2009 3:44 pm
I have tried the CreateRemoteThread method too...
At first I had some linker errors, but including Shlwapi.lib in the additional options of my Visual Studio project fixed it....
Then it linked right, but when I start the injector nothing happened...
WHEN I close the target application the DLL was loaded... so I decided to try the code cave method... but I get a compiler error
error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
at __declspec(naked) loadDll(void)
So what am I doing wrong?
I'm pretty new to Visual Studio so maybe I just missed setting up some options

thx in advance

PostPosted: Sat Jun 27, 2009 3:55 pm
User
Joined: Sat Jun 27, 2009 3:44 pm
Okay, I just added void so there is
__declspec(naked) void loadDll(void) ...
but now I get a runtime error
Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.

Ohh.. maybe the loaded DLLs are interesting?! don't know ^^
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\ntdll.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\kernel32.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\shlwapi.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\advapi32.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\rpcrt4.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\secur32.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\gdi32.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\user32.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\msvcrt.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_597c3456\msvcr90d.dll', Symbols loaded.
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\imm32.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\lpk.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\usp10.dll'
'L4DHook.exe': Loaded 'C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd.dll'
'L4DHook.exe': Loaded 'C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll'
'L4DHook.exe': Loaded 'C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll'
Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.


The thread 'Win32 Thread' (0xe60) has exited with code 0 (0x0).
The thread 'Win32 Thread' (0xaec) has exited with code 0 (0x0).
The thread 'Main Thread' (0x934) has exited with code 0 (0x0).
The program '[3616] L4DHook.exe: Native' has exited with code 0 (0x0).
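The module-load listing above is the kind of artifact a defender reads when a process behaves unexpectedly: which DLLs ended up inside it, and from where. The following script is an added example (not code from the post or its author) that parses Visual Studio output-window lines of this shape, separates modules loaded from under the Windows directory from everything else, and pulls out the Run-Time Check Failure and exit-code lines. The sample text is constructed from a subset of the lines quoted in the post; the trusted-directory list is an assumption you would adjust for your own environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the output-window lines quoted in the post
# above, with the long RTC message shortened to one sentence.
SAMPLE_OUTPUT = r"""
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\ntdll.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\system32\kernel32.dll'
'L4DHook.exe': Loaded 'C:\WINDOWS\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_597c3456\msvcr90d.dll', Symbols loaded.
'L4DHook.exe': Loaded 'C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd.dll'
'L4DHook.exe': Loaded 'C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll'
Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call.
The thread 'Win32 Thread' (0xe60) has exited with code 0 (0x0).
The program '[3616] L4DHook.exe: Native' has exited with code 0 (0x0).
"""

# "'<process>': Loaded '<path>'" optionally followed by ", Symbols loaded."
LOADED_RE = re.compile(r"^'(?P<proc>[^']+)': Loaded '(?P<path>[^']+)'")
RTC_RE = re.compile(r"^Run-Time Check Failure #(?P<num>\d+) - (?P<msg>.+)$")
EXIT_RE = re.compile(
    r"^The program '\[(?P<pid>\d+)\] (?P<image>[^:]+): Native' has exited with code (?P<code>\d+)")


def parse_module_loads(text):
    """Return [(process, path), ...] for every module-load line, in order."""
    loads = []
    for line in text.splitlines():
        m = LOADED_RE.match(line)
        if m:
            loads.append((m.group("proc"), m.group("path")))
    return loads


def modules_outside(text, trusted_dirs=(r"C:\WINDOWS",)):
    """Paths of loaded modules that do not live under any trusted directory.

    PureWindowsPath compares case-insensitively, so 'C:\\Windows' matches
    'C:\\WINDOWS', and subdirectories such as WinSxS count as trusted.
    The trusted list is an assumption for this example.
    """
    roots = [PureWindowsPath(d) for d in trusted_dirs]
    flagged = []
    for _proc, path in parse_module_loads(text):
        p = PureWindowsPath(path)
        if not any(root in p.parents for root in roots):
            flagged.append(path)
    return flagged


def runtime_check_failures(text):
    """Return [(number, message), ...] for every Run-Time Check Failure line."""
    return [(int(m.group("num")), m.group("msg"))
            for m in map(RTC_RE.match, text.splitlines()) if m]


def exit_code(text):
    """Exit code from the 'has exited with code' line, or None if absent."""
    for line in text.splitlines():
        m = EXIT_RE.match(line)
        if m:
            return int(m.group("code"))
    return None


def summarize(text):
    """One dict a reviewer can eyeball: module count, oddities, RTC errors."""
    loads = parse_module_loads(text)
    return {
        "modules_loaded": len(loads),
        "outside_trusted_dirs": modules_outside(text),
        "rtc_failures": runtime_check_failures(text),
        "exit_code": exit_code(text),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Running it on the sample reports two modules from a vendor directory next to the system DLLs and one RTC #0 failure, which is exactly the split you want when triaging a module list: system-directory noise on one side, everything that needs a second look on the other.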

PostPosted: Wed Jul 01, 2009 11:28 am
User
Joined: Sat Jun 27, 2009 3:44 pm
Nobody there?

PostPosted: Thu Jul 09, 2009 1:00 am
User
Joined: Sat Jun 27, 2009 3:44 pm
Okay, http://www.codeproject.com/KB/threads/c ... nject.aspx helped

PostPosted: Fri Sep 18, 2009 4:36 pm
User
Joined: Fri Jun 08, 2007 10:27 am
First of all, thanks a lot Darawk for this awesome piece of e-Paper.
Makes everything so much clearer.

I'm sorry for bumping this thread, but I would really like to get some help and I didn't want to open a new topic.

Well, I've been trying to use the CreateRemoteThread method to inject a silly DLL into basically any process.
The DLL is supposed to show a message box when it gets attached.

It does find the process, and apparently does attach the DLL,
but my message box won't pop up.
Any idea why?

Anyway, here's the code:

Main.cpp

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <tlhelp32.h>
#include <shlwapi.h>

#define PROCESS_NAME "notepad.exe"
#define DLL_NAME "BlahDLL.dll"
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

// Defined below main(), so it needs a prototype first
BOOL InjectDLL(DWORD ProcessID);

unsigned long GetTargetProcessIdFromProcname_Fixed(const char *process)
{
   PROCESSENTRY32 pe = {0};
   HANDLE thSnapshot = INVALID_HANDLE_VALUE;
   BOOL retval = FALSE;
   unsigned long pid = 0;

   // Try to create a toolhelp snapshot and verify that it was actually created
   thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   if(thSnapshot == INVALID_HANDLE_VALUE)
   {
      MessageBox(NULL, "Error: Unable to create toolhelp snapshot!", "Loader", MB_ICONERROR);
      return 0;
   }

   // Need to have this set for the WinAPI structures
   pe.dwSize = sizeof(PROCESSENTRY32);

   // Try to get the first process
   retval = Process32First(thSnapshot, &pe);

   // While we have processes to go through
   while(retval)
   {
      // As soon as we find the process id, stop searching
      if(StrStrI(pe.szExeFile, process))
      {
         pid = pe.th32ProcessID;
         break;
      }

      // Otherwise, try to get the next process
      retval = Process32Next(thSnapshot, &pe);
   }

   // Release the snapshot handle on every path (it was leaked on a hit before)
   CloseHandle(thSnapshot);

   // If nothing matched, pid is still 0, so we return "no process"
   // instead of the last process found.
   return pid;
}

int main()
{
   if (InjectDLL(GetTargetProcessIdFromProcname_Fixed("notepad.exe")))
   {
      printf("Hello world!");
   }
   else
   {
      printf("Process not found");
   }
   return 0;
}

BOOL InjectDLL(DWORD ProcessID)
{
   HANDLE Proc;
   char buf[50] = {0};
   LPVOID RemoteString, LoadLibAddy;

   if(!ProcessID)
      return FALSE;

   Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);

   if(!Proc)
   {
      sprintf(buf, "OpenProcess() failed: %d", GetLastError());
      MessageBox(NULL, buf, "Loader", NULL);
      return FALSE;
   }

   LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

   // +1 so the terminating NUL of the string is allocated and copied as well
   RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
   WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME) + 1, NULL);
   CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
   CloseHandle(Proc);

   return TRUE;
}


BlahDLL.cpp

#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            MessageBox(0, "Injection successful!", "Yay!", MB_OK);
            // return FALSE to fail DLL load
            break;

        case DLL_PROCESS_DETACH:
            // detach from process
            break;

        case DLL_THREAD_ATTACH:
            // attach to thread
            break;

        case DLL_THREAD_DETACH:
            // detach from thread
            break;
    }
    return TRUE; // successful
}


PostPosted: Sat Sep 19, 2009 2:38 pm
User Gold
Joined: Tue Mar 14, 2006 1:40 am
You sure it injects right ?
Try getting debug privileges.

#include <windows.h>

BOOL EnablePriv(LPCWSTR lpszPriv)
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tkprivs;
    ZeroMemory(&tkprivs, sizeof(tkprivs));
    if(!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken)) return FALSE;
    if(!LookupPrivilegeValue(NULL, lpszPriv, &luid)){ CloseHandle(hToken); return FALSE; }
    tkprivs.PrivilegeCount = 1;
    tkprivs.Privileges[0].Luid = luid;
    tkprivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL bRet = AdjustTokenPrivileges(hToken, FALSE, &tkprivs, sizeof(tkprivs), NULL, NULL);
    // AdjustTokenPrivileges returns TRUE even when the token does not hold the
    // privilege; in that case GetLastError() reports ERROR_NOT_ALL_ASSIGNED.
    if(bRet && GetLastError() == ERROR_NOT_ALL_ASSIGNED) bRet = FALSE;
    CloseHandle(hToken);
    return bRet;
}

//Call
EnablePriv(SE_DEBUG_NAME);


This is the unicode version, you might need to change a bit.

PostPosted: Sat Sep 19, 2009 5:32 pm
User
Joined: Fri Jun 08, 2007 10:27 am
Well. First of all, thanks a lot for the reply..
I was kinda losing hope anyone would see this.

I added the privileges function, yet no change..
I'm sure it injects right because I've added a ReadProcessMemory() to check if the injection worked..

Tried injecting into many processes, none have worked.

I'm sure it's the "Injector" code, since I've tried injecting my DLL using SpamFilter's Injector and it worked perfectly fine..

Any more ideas?

PostPosted: Sat Sep 19, 2009 6:19 pm
User Gold
Joined: Tue Mar 14, 2006 1:40 am
sorry if this question is insulting but did you call it with SE_DEBUG_PRIVILEGE before injecting ;) ?

Anyway, here are the functions I use for injection.

#include <windows.h>
#include <string.h>
#include <tlhelp32.h>
#include <shlwapi.h>

BOOL InjectDLL(DWORD ProcessID, char* DLL_NAME)
{
   HANDLE Proc;
   LPVOID RemoteString, LoadLibAddy;
   if(!ProcessID)
      return false;
   Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
   if(!Proc)
      return false;   // OpenProcess failed; nothing to write to
   LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
   // +1 so the terminating NUL is allocated and copied too
   RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
   WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME) + 1, NULL);
   CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
   CloseHandle(Proc);

   return true;
}

unsigned long GetPid(char *procName)
{
   PROCESSENTRY32 pe;
   HANDLE thSnapshot;
   BOOL retval, ProcFound = false;

   thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

   if(thSnapshot == INVALID_HANDLE_VALUE)
   {
      MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
      return 0;
   }

   pe.dwSize = sizeof(PROCESSENTRY32);

   retval = Process32First(thSnapshot, &pe);

   while(retval)
   {
      if(StrStrI(pe.szExeFile, procName))
      {
         ProcFound = true;
         break;
      }

      retval    = Process32Next(thSnapshot, &pe);
      pe.dwSize = sizeof(PROCESSENTRY32);
   }

   // Release the snapshot handle whether or not the process was found
   CloseHandle(thSnapshot);

   if (!ProcFound) return 0;
   return pe.th32ProcessID;
}


ANSI this time. Since I stole them from this paper too, they should be the same, but you can check for differences.

PostPosted: Sat Sep 19, 2009 7:06 pm
User
Joined: Fri Jun 08, 2007 10:27 am
Kane49 wrote:
sorry if this question is insulting but did you call it with SE_DEBUG_PRIVILEGE before injecting ;) ?


Heh. kinda insulting.. yea. :P
I did call it before injecting..
and it's SE_DEBUG_NAME, isn't it?

Anyway, my main file now looks like this..

#include <windows.h>
#include <stdio.h>
#include <conio.h>

// EnablePriv() is the function from Kane49's reply above (unicode version)
BOOL EnablePriv(LPCWSTR lpszPriv);
unsigned long GetPid(char *procName);
BOOL InjectDLL_new(DWORD ProcessID, char* DLL_NAME);

int main(int argc, const char* argv[])
{
   printf("Press any key to inject.\n");
   _getch();

   EnablePriv(SE_DEBUG_NAME);
   InjectDLL_new(GetPid("notepad.exe"), "SimpleDLL.dll");
   return 0;
}


EDIT:
Solved.
Thanks for all the help.
Problem was InjectDLL requires full path of the DLL.
i.e. "C:\\TestProject\\SimpleDLL.dll"

PostPosted: Fri Sep 25, 2009 4:28 pm
User
Joined: Fri Sep 25, 2009 4:25 pm
JOIN http://gamers-elite.forumotion.com for the latest + cheapest vip hacks and tips.

PostPosted: Sat Sep 26, 2009 2:24 am
User
Joined: Fri Jun 08, 2007 10:27 am
Could someone please elaborate on how the SetWindowsHookEx method injects a DLL to a process...

I mean, doesn't it just intercept the Windows message coming from the kernel, and call the hook function before it reaches the client (i.e. Game.exe)?

Does the function that we hook execute within the process's context?
Also, how would you use a CBT Hook in a DLL for hacking a game..?
Which game receives such a message?

This really got me confused. :oops:


Thanks a lot for all the help,
Nihil.

PostPosted: Sat Sep 26, 2009 11:16 am
Section Leader
Joined: Fri Jul 05, 2002 8:51 pm
Location: /sbin/
Darawk wrote:
What you should do is create a new thread in DllMain and then just return, and let the new thread do all your initialization.


Actually, what Microsoft recommends is to make an initialization function and make a thread for it outside of DllMain, i.e. in your loader. That's the method I now use for my .NET injector.

_________________
D2BS
Programming motherfuckers... DO YOU SPEAK IT?!
I, for one, welcome our new black overlo... I mean, president!
  1. Create signature generator.
  2. ???
  3. Profit!

Post subject: Process located but injection failed
PostPosted: Mon Sep 28, 2009 6:50 pm
User
Joined: Mon Sep 28, 2009 6:42 pm
Hi, I've been trying to inject my DllMain.dll into the game Runes of Magic with no success so far. It pops a window that says "Process located but injection failed" and error 87. I've been using the CreateRemoteThread method.
Here's my loader's code:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <tlhelp32.h>
#include <shlwapi.h>

#define PROCESS_NAME "Runes of Magic.exe"
#define DLL_NAME "DllMain.dll"


//I could just use PROCESS_ALL_ACCESS but it's always best to use the absolute bare minimum of privileges, so that your code works in as
//many circumstances as possible.
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

BOOL LoadDll(char *procName, char *dllName);
BOOL InjectDLL(DWORD ProcessID, char *dllName);
unsigned long GetTargetThreadIdFromWindow(char *className, char *windowName);

bool IsWindowsNT()
{
   // GetVersion() sets the high bit on Win9x/ME, so NT-based systems are below 0x80000000
   DWORD version = GetVersion();
   return (version < 0x80000000);
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
   if(IsWindowsNT())
      LoadDll(PROCESS_NAME, DLL_NAME);
   else
      MessageBox(0, "Your system does not support this method", "Error!", 0);

   return 0;
}


BOOL LoadDll(char *procName, char *dllName)
{
   DWORD ProcID = 0;

   // Note: GetTargetThreadIdFromWindow() returns the *thread* id it reads out of
   // the TEB (see below), not the process id, while InjectDLL() expects a process id.
   ProcID = GetTargetThreadIdFromWindow("Radiant Arcana", "Runes of Magic");

   if(!(InjectDLL(ProcID, dllName)))
   {
      MessageBox(NULL, "Process located, but injection failed", "Loader", NULL);
      return false;
   }

   return true;
}

BOOL InjectDLL(DWORD ProcessID, char *dllName)
{
   HANDLE Proc;
   char buf[50] = {0};
   LPVOID RemoteString, LoadLibAddy;

   if(!ProcessID)
      return false;

   Proc = OpenProcess(CREATE_THREAD_ACCESS, false, ProcessID);

   if(!Proc)
   {
      sprintf_s(buf, "OpenProcess() failed: %d", GetLastError());
      MessageBox(NULL, buf, "Loader", NULL);
      return false;
   }

   LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

   // Size taken from the dllName parameter (not the DLL_NAME macro), +1 for the terminating NUL
   RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dllName) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
   WriteProcessMemory(Proc, (LPVOID)RemoteString, dllName, strlen(dllName) + 1, NULL);
   CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);

   CloseHandle(Proc);

   return true;
}

unsigned long GetTargetThreadIdFromWindow(char *className, char *windowName)
{
   HWND targetWnd;
   HANDLE hProcess;
   unsigned long processId = 0, pTID = 0, threadID = 0;

   targetWnd = FindWindow(className, windowName);
   if(!targetWnd)
      return 0;
   GetWindowThreadProcessId(targetWnd, &processId);

   // Address of this (the injector's) own TEB + 0x24 = ClientId.UniqueThread (32-bit layout);
   // the same address is then read inside the target process.
   _asm {
      mov eax, fs:[0x18]
      add eax, 36
      mov [pTID], eax
   }

   hProcess = OpenProcess(PROCESS_VM_READ, false, processId);
   if(!hProcess)
      return 0;
   ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
   CloseHandle(hProcess);
   return threadID;
}


and here's my Dll code:
#include <windows.h>
#include <d3d9.h>
#include <stdio.h>

extern "C"
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            MessageBox(0, "Injection successful!", "Yea", MB_OK);
            // return FALSE to fail DLL load
            break;

        case DLL_PROCESS_DETACH:
            // detach from process
            break;

        case DLL_THREAD_ATTACH:
            // attach to thread
            break;

        case DLL_THREAD_DETACH:
            // detach from thread
            break;
    }
    return TRUE; // successful
}



I'm not sure if my folders are put together correctly, or my code. I was wondering if anyone could help me with it. Thx

PostPosted: Mon Sep 28, 2009 7:18 pm
User
Joined: Fri Jun 08, 2007 10:27 am
Try using the absolute path to your DLL.
For example, if your DLL is located in C:\MyDllProject\DllMain.dll

you should do this in your code:
#define DLL_NAME "C:\\MyDllProject\\DllMain.dll"

PostPosted: Tue Sep 29, 2009 3:00 am
User
Joined: Mon Sep 28, 2009 6:42 pm
Still get error 87, and process located but injection failed message boxes. Thx for the fast reply.
