[WoW] [C++] Hack Loader (DLL Injection Example)

Results 16 to 29 of 29
  1. #16
    namreeb's Avatar Legendary

    If you insist. I was avoiding that on purpose because I don't fully understand. My best guess is that when I tried yours and had it fail I had not yet rebooted after disabling DEP. Every time I've tried yours since, it has worked. As for mine, I forgot to call the function to prepend the absolute path to my library, so was passing my inject function an un-initialized variable.

  2. #17
    amadmonk's Avatar Active Member
    Originally Posted by bierstud View Post
    If you insist. I was avoiding that on purpose because I don't fully understand. My best guess is that when I tried yours and had it fail I had not yet rebooted after disabling DEP. Every time I've tried yours since, it has worked. As for mine, I forgot to call the function to prepend the absolute path to my library, so was passing my inject function an un-initialized variable.
    I haven't looked at Cypher's code, but I seriously doubt it has anything to do with DEP unless he's doing something really, really, really weird. Data Execution Prevention - Wikipedia, the free encyclopedia

    More likely, unaccounted-for solar neutrinos.

  3. #18
    namreeb's Avatar Legendary

    I turned it off after finding forum posts searching google (sorry, don't remember specifically which one) that said their injection attempts were unsuccessful on Vista until they disabled DEP. *shrug*

  4. #19
    Cypher's Avatar Kynox's Sister's Pimp
    Quick question. Why the **** are you disabling DEP? That's like rejecting free health insurance.

    EDIT: Shit, left this window open too long before replying, missed the extra replies.


    Originally Posted by amadmonk View Post
    I haven't looked at Cypher's code, but I seriously doubt it has anything to do with DEP unless he's doing something really, really, really weird. Data Execution Prevention - Wikipedia, the free encyclopedia

    More likely, unaccounted-for solar neutrinos.
    Originally Posted by bierstud View Post
    I turned it off after finding forum posts searching google (sorry, don't remember specifically which one) that said their injection attempts were unsuccessful on Vista until they disabled DEP. *shrug*
    All of my CODE is DEP-safe, ASLR-safe, etc etc. I like to do things properly, not just do it as quickly as possible and pray it works.

  5. #20
    miyu's Avatar Member
    The sample code can't be downloaded?

  6. #21
    ziinus's Avatar Member
    Link is dead, and doesn't work with 7 7600 x32, UAC disabled, run as administrator, but works on XP 32, any idea?

  7. #22
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by ziinus View Post
    Link is dead, and doesn't work with 7 7600 x32, UAC disabled, run as administrator, but works on XP 32, any idea?
    Use the other one I posted, this one is much much older.

  8. #23
    Tanaris4's Avatar Contributor Authenticator enabled
    Link is dead, any chance of a re-post? I'll host it as well
    https://tanaris4.com

  9. #24
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by Tanaris4 View Post
    Link is dead, any chance of a re-post? I'll host it as well
    Whoops. Cleaned out my dropbox a while ago. Figured something like this might happen.

    I don't know if I have a mirror tbh. HadesMem is open source though and contains a much better injector.

    I can hunt around for the code to this if you really want, but honestly, you're prob better off just using that to whip together a quick standalone injector.

  10. #25
    NerieX's Avatar Master Sergeant
    I don't seem to understand what you mean with this :P

  11. #26
    SKU's Avatar Contributor
    Originally Posted by NerieX View Post
    I don't seem to understand what you mean with this :P
    Please be less specific.

  12. #27
    mnbvc's Avatar Banned
    copy/pasta from anywhere out of teh interwebz, but works :P

    Code:
    #include "stdafx.h"
    #include <string>
    #include <windows.h>
    #include <iostream>
    
    using namespace std;
    
    HMODULE TryInjectDll(DWORD adw_ProcessId, const std::wstring& as_DllFile)
    {
        //Find the address of the LoadLibrary api, luckily for us, it is loaded in the same address for every process
        HMODULE hLocKernel32 = GetModuleHandleW(L"KERNEL32");
        FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryW");
        
        //Adjust token privileges to open system processes
        HANDLE hToken;
        TOKEN_PRIVILEGES tkp;
        if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        {
            LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges(hToken, 0, &tkp, sizeof(tkp), NULL, NULL);
            CloseHandle(hToken);
        }
    
        //Open the process with all access
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, adw_ProcessId);
        if (hProc == NULL)
            return NULL;
    
        //Allocate memory to hold the path to the Dll File in the process's memory
        LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, as_DllFile.size()*sizeof(wchar_t), MEM_COMMIT, PAGE_READWRITE);
    
        //Write the path to the Dll File in the location just created
        DWORD numBytesWritten;
        WriteProcessMemory(hProc, hRemoteMem, as_DllFile.c_str(), as_DllFile.size()*sizeof(wchar_t), &numBytesWritten);
    
        //Create a remote thread that begins at the LoadLibrary function and is passed our memory pointer
        HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, 0, NULL);
    
        //Wait for the thread to finish
        ::WaitForSingleObject( hRemoteThread, INFINITE );
        DWORD  hLibModule = 0;
        ::GetExitCodeThread( hRemoteThread, &hLibModule );
    
        //Free the memory created on the other process
        ::VirtualFreeEx(hProc, hRemoteMem, as_DllFile.size()*sizeof(wchar_t), MEM_RELEASE);
    
        //Release the handle to the other process
        ::CloseHandle(hProc);
    
        return (HMODULE)hLibModule;
    }
    
    
    bool TryUnInjectDll(DWORD adw_ProcessId, HMODULE ah_ModuleHandle)
    {
        //Open the process with all access
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, adw_ProcessId);
        if (hProc == NULL)
            return false;
    
        bool lb_ReturnValue = false;
    
        HMODULE hLocKernel32 = GetModuleHandleW(L"KERNEL32");
        FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "FreeLibrary");
    
        if(ah_ModuleHandle != NULL)
        {
            HANDLE hRemoteThread = ::CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, (void*)ah_ModuleHandle, 0, NULL );
    
            if( hRemoteThread != NULL )
            {
                DWORD ldw_ReturnCode;
                ::WaitForSingleObject( hRemoteThread, INFINITE );
                ::GetExitCodeThread( hRemoteThread, &ldw_ReturnCode );
                ::CloseHandle( hRemoteThread );
    
                lb_ReturnValue = ldw_ReturnCode != 0;
            }
        }
    
        ::CloseHandle(hProc);
    
        return lb_ReturnValue;
    }
    
    DWORD curwindowid;
    
    void getProcessIdCur(LPCWSTR window)
    {
    	HWND curwindow;
    	while(!(curwindow = FindWindow(NULL, window)));     //loop until we find the window
    
    	GetWindowThreadProcessId(curwindow, &curwindowid);  
    }
    
    
    int _tmain(int argc, _TCHAR* argv[])
    {
    	char bla;
    	HMODULE inj;
    	getProcessIdCur(L"World of Warcraft");
    	inj = TryInjectDll(curwindowid, L"C:\\haxx.dll");
    	scanf_s(&bla);
    	TryUnInjectDll(curwindowid, inj);
    	return 0;
    }
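
Added example, not part of any post in this thread: how the remote thread created in post #27 looks to a defender. The sketch flags cross-process threads whose start routine is `LoadLibraryW`/`LoadLibraryA`/`FreeLibrary` and lists unsigned modules the target loaded just afterwards. It assumes Sysmon field names for event IDs 8 and 7; the sample events, the `find_loadlibrary_injection` helper and the 5-second window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events using Sysmon field names (8 = CreateRemoteThread, 7 = ImageLoad).
# PIDs, times and most paths are invented; C:\haxx.dll is the path used in the post above.
EVENTS = [
    {"EventID": 8, "UtcTime": "2024-01-01 12:00:00.100", "TargetProcessId": 4242,
     "SourceImage": r"C:\Users\u\loader.exe", "TargetImage": r"C:\Games\Wow.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryW"},
    {"EventID": 7, "UtcTime": "2024-01-01 12:00:00.150", "ProcessId": 4242,
     "ImageLoaded": r"C:\haxx.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2024-01-01 12:00:00.200", "ProcessId": 4242,
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "Signed": "true"},
    {"EventID": 8, "UtcTime": "2024-01-01 12:05:00.000", "TargetProcessId": 900,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\kernelbase.dll", "StartFunction": "CtrlRoutine"},
]

# Thread start routines that make the target load or unload a module by itself.
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "freelibrary"}
WINDOW = timedelta(seconds=5)  # assumed correlation window, tune per environment


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def find_loadlibrary_injection(events):
    """Return one finding per cross-process thread that starts at a loader export."""
    findings = []
    for ev in events:
        if ev["EventID"] != 8:
            continue
        if ev.get("StartFunction", "").lower() not in LOADER_EXPORTS:
            continue
        if ev["SourceImage"].lower() == ev["TargetImage"].lower():
            continue  # assumption: same-image thread creation is triaged separately
        start = _ts(ev)
        # Unsigned modules the target loaded shortly after the remote thread started.
        modules = [e["ImageLoaded"] for e in events
                   if e["EventID"] == 7 and e["ProcessId"] == ev["TargetProcessId"]
                   and timedelta(0) <= _ts(e) - start <= WINDOW
                   and e.get("Signed", "").lower() != "true"]
        findings.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                         "function": ev["StartFunction"], "modules": modules})
    return findings


if __name__ == "__main__":
    for finding in find_loadlibrary_injection(EVENTS):
        print(finding)
```
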

  13. #28
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by mnbvc View Post
    copy/pasta from anywhere out of teh interwebz, but works :P
    For certain interpretations of the word 'works'.

  14. #29
    tymezz's Avatar Member
    "Hades-Memory/Injector.h" for a better example.
