HadesMem: Creating a Process and Injecting a DLL

  1. #1
    GliderPro

    HadesMem: Creating a Process and Injecting a DLL

    I finally got some time to play with Cypher's HadesMem library. I noticed that the new Injector class doesn't have a method to create a process and inject like his old Loader code did. I ripped the code from his old loader and reworked it to work with HadesMem. I thought I would share it.

    Code:
    // C++ Standard Library
    #include <limits>
    #include <memory>
    #include <string>
    #include <vector>
    #include <fstream>
    #include <iterator>
    #include <iostream>
    #include <stdexcept>
    
    // HadesMem
    #include "HadesMem/Memory.h"
    #include "HadesMem/EnsureCleanup.h"
    #include "HadesMem/Injector.h"
    
    // Windows API
    #include <Windows.h>
    
    // Create suspended process and use HadesMem to inject DLL
    DWORD CreateAndInject(std::shared_ptr<Hades::Memory::MemoryMgr>& 
      MyMemory, std::wstring const& Path, std::wstring const& Args, 
      std::wstring const& Module, std::string const& Export)
    {
      // Set up structures for CreateProcess
      STARTUPINFOW WoWSi;
      ZeroMemory(&WoWSi, sizeof(WoWSi));
      WoWSi.cb = sizeof(WoWSi);
      PROCESS_INFORMATION WoWPi;
      ZeroMemory(&WoWPi, sizeof(WoWPi));
    
      // Ensure cleanup
      Hades::Util::EnsureCloseHandle(WoWPi.hProcess);
      Hades::Util::EnsureCloseHandle(WoWPi.hThread);
    
      // Construct command line.
      std::wstring CommandLine(L"\"" + Path + L"\" " + Args);
      // Copy command line to buffer
      std::vector<wchar_t> ProcArgs(CommandLine.begin(), CommandLine.end());
      // Null-terminate buffer
      ProcArgs.push_back(L'\0');
      // Attempt process creation
      if (!CreateProcessW(Path.c_str(), &ProcArgs[0], NULL, NULL, FALSE, 
        CREATE_SUSPENDED, NULL, NULL, &WoWSi, &WoWPi))
      {
        throw std::runtime_error("Injector::InjectLib: Could not create process.");
      }
    
      // Exception handling
      try
      {
        // Create memory manager
        MyMemory.reset(new Hades::Memory::MemoryMgr(WoWPi.dwProcessId));
    
        // Create DLL injector
        Hades::Memory::Injector MyInjector(*MyMemory);
    
        // Inject DLL
        HMODULE ModBase = MyInjector.InjectDll(Module);
        std::wcout << "Module Base: " << ModBase << "." << std::endl;
    
        // If export has been specified
        if (!Export.empty())
        {
          // Call remote export
          DWORD ExportRet = MyInjector.CallExport(Module, ModBase, Export);
          std::wcout << "Export Returned: " << ExportRet << "." << std::endl;
        }
      }
      // Catch exceptions
      catch (std::exception const& /*e*/)
      {
        // Terminate process if injection failed
        TerminateProcess(WoWPi.hProcess, 0);
        // Rethrow exception
        throw;
      }
    
      // Success! Let the process continue execution.
      ResumeThread(WoWPi.hThread);
    
      // Return ProcID for use in further calls
      return WoWPi.dwProcessId;
    }
    
    // Program entry-point.
    int wmain(int /*argc*/, wchar_t* /*argv*/[], wchar_t* /*envp*/[])
    {
      try
      {
        std::wcout << "Welcome to WoWHack." << std::endl;
    
        // create memory manager
        std::shared_ptr<Hades::Memory::MemoryMgr> MyMemory;
    
        // create process, attach HadesMem, and inject DLL
        CreateAndInject(MyMemory,L"c:\\wow\\wow.exe",L"",L"HadesMemHackDll_IA32.dll","_Initialize@4");
      }
      catch (boost::exception const& e)
      {
        // Dump error information
        std::cout << boost::diagnostic_information(e);
      }
      catch (std::exception const& e)
      {
        // Dump error information
        std::wcout << "Error! " << e.what() << std::endl;
      }
    
      // Pause for input before continuing
      std::wcin.clear();
      std::wcin.sync();
      std::wcin.get();
    }

  2. #2
    Cypher
    Yeah, been meaning to add that but haven't gotten around to it yet. Glad to see it wasn't too hard to get working.

    One small thing though (that's actually my fault), the following code needs to go BELOW the CreateProcess call:
    Code:
      // Ensure cleanup
      Hades::Util::EnsureCloseHandle(WoWPi.hProcess);
      Hades::Util::EnsureCloseHandle(WoWPi.hThread);
    I just noticed that I fixed that internally but never pushed the change.

    It's not a big deal because the handles will be freed when the process terminates, but if you're calling that function repeatedly there will be a small handle leak until that time.
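
The ordering issue described in the reply above, as an added example that is not part of the original thread and is not HadesMem code. It assumes a guard that copies the handle value when it is constructed; `ScopedHandle`, `ProcInfo`, `create_process` and `leaked_after_calls` are hypothetical names, and the handle table is simulated so the block runs without the Windows API.

```cpp
#include <cstddef>
#include <iostream>
#include <set>

// Constructed stand-in for the kernel handle table.
using Handle = int;
static std::set<Handle> g_open;
static Handle g_next = 100;

struct ProcInfo { Handle hProcess = 0; Handle hThread = 0; };

// Stand-in for CreateProcessW: fills in two freshly opened handles.
bool create_process(ProcInfo& pi) {
  pi.hProcess = g_next++; g_open.insert(pi.hProcess);
  pi.hThread = g_next++;  g_open.insert(pi.hThread);
  return true;
}

// Hypothetical guard: copies the handle value at construction and
// closes that value (if non-zero) when it goes out of scope.
class ScopedHandle {
 public:
  explicit ScopedHandle(Handle h) : h_(h) {}
  ~ScopedHandle() { if (h_ != 0) g_open.erase(h_); }
  ScopedHandle(ScopedHandle const&) = delete;
  ScopedHandle& operator=(ScopedHandle const&) = delete;
 private:
  Handle h_;
};

// Runs the create step `calls` times and returns how many handles stay open.
std::size_t leaked_after_calls(bool guard_before_create, int calls) {
  g_open.clear();
  for (int i = 0; i < calls; ++i) {
    ProcInfo pi;
    if (guard_before_create) {
      ScopedHandle proc(pi.hProcess), thread(pi.hThread);  // both capture 0
      create_process(pi);                                  // real handles never reach the guards
    } else {
      if (!create_process(pi)) continue;                   // nothing to close on failure
      ScopedHandle proc(pi.hProcess), thread(pi.hThread);  // capture the real handles
    }
  }
  return g_open.size();
}

int main() {
  std::cout << "guard before create: " << leaked_after_calls(true, 3) << " open\n";
  std::cout << "guard after create:  " << leaked_after_calls(false, 3) << " open\n";
}
```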

  3. #3
    Steveiwonder
    Nice work. +REP

  4. #4
    GliderPro
    Here is an updated version that uses the CreateAndInject function that is now part of HadesMem. Took me a while to figure out that I needed to define BOOST_FILESYSTEM_VERSION=3. Without that you will get linker errors.

    Code:
    // C++ Standard Library
    #include <iostream>
    
    // Windows API
    #include <tchar.h>
    #include <Windows.h>
    
    // Hades
    #define BOOST_FILESYSTEM_VERSION 3 
    #include "Hades-Memory/Injector.h"
    
    // Program entry-point.
    int wmain(int /*argc*/, wchar_t* /*argv*/[], wchar_t* /*envp*/[])
    {
      try
      {
        std::wcout << "Welcome to WoWHack." << std::endl;
    
        // create process, attach HadesMem, and inject DLL
        Hades::Memory::CreateAndInject(
          "c:\\wow\\wow.exe",
          L"",
          L"HadesMemHackDll_IA32.dll",
          "_Initialize@4");
      }
      catch (boost::exception const& e)
      {
        // Dump error information
        std::cout << boost::diagnostic_information(e);
      }
      catch (std::exception const& e)
      {
        // Dump error information
        std::wcout << "Error! " << e.what() << std::endl;
      }
    
      // Pause for input before continuing
      std::wcin.clear();
      std::wcin.sync();
      std::wcin.get();
    }
    Last edited by GliderPro; 12-20-2010 at 02:34 AM.
