Caliber Posted March 10, 2008 Posted March 10, 2008 (edited) this is a console app. what it is supposed to do is list the info for notepad.exe and then inject the .dll into the notepad.exe executable space.it seems to list the program info correctly, but the injection does not work. (verified with ollydbg, the .dll isn't present)anyone can help would be appreciated.best,Calhere's the main code:// List Processes and Modules.cpp : Defines the entry point for the console application.//#include "stdafx.h"// test.cpp : Defines the entry point for the console application.//#include <windows.h>#include <tlhelp32.h>#include <tchar.h>#include <stdio.h>#include <string>#define MAXWAIT 10000// Forward declarations:BOOL GetProcessList( );BOOL ListProcessModules( DWORD dwPID );BOOL ListProcessThreads( DWORD dwOwnerPID );void printError( TCHAR* msg );bool insertDll(DWORD procID, std::string dll);void main( ){ GetProcessList( );}BOOL GetProcessList( ){ HANDLE hProcessSnap; HANDLE hProcess; PROCESSENTRY32 pe32; DWORD dwPriorityClass; CHAR filename[260] = "notepad.exe"; // Take a snapshot of all processes in the system. hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if( hProcessSnap == INVALID_HANDLE_VALUE ) { printError( TEXT("CreateToolhelp32Snapshot (of processes)") ); return( FALSE ); } // Set the size of the structure before using it. 
pe32.dwSize = sizeof( PROCESSENTRY32 ); // Retrieve information about the first process, // and exit if unsuccessful if( !Process32First( hProcessSnap, &pe32 ) ) { printError( TEXT("Process32First") ); // show cause of failure CloseHandle( hProcessSnap ); // clean the snapshot object return( FALSE ); } // Now walk the snapshot of processes, and // display information about each process in turn do { if (!strcmp(pe32.szExeFile,filename)) { printf( "\n\n=====================================================" ); _tprintf( TEXT("\nPROCESS NAME: %s"), filename);//pe32.szExeFile ); printf( "\n-----------------------------------------------------" ); // Retrieve the priority class. dwPriorityClass = 0; hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID ); if( hProcess == NULL ) printError( TEXT("OpenProcess") ); else { dwPriorityClass = GetPriorityClass( hProcess ); if( !dwPriorityClass ) printError( TEXT("GetPriorityClass") ); CloseHandle( hProcess ); } printf( "\n Process ID = 0x%08X", pe32.th32ProcessID ); printf( "\n Thread count = %d", pe32.cntThreads ); printf( "\n Parent process ID = 0x%08X", pe32.th32ParentProcessID ); printf( "\n Priority base = %d", pe32.pcPriClassBase ); if( dwPriorityClass ) printf( "\n Priority class = %d", dwPriorityClass ); // List the modules and threads associated with this process insertDll(pe32.th32ParentProcessID, "C:\Caliber.dll"); // this is where we try to inject ListProcessModules( pe32.th32ProcessID ); ListProcessThreads( pe32.th32ProcessID ); } } while( Process32Next( hProcessSnap, &pe32 ) ); CloseHandle( hProcessSnap ); return( TRUE );}BOOL ListProcessModules( DWORD dwPID ){ HANDLE hModuleSnap = INVALID_HANDLE_VALUE; MODULEENTRY32 me32; // Take a snapshot of all modules in the specified process. 
hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID ); if( hModuleSnap == INVALID_HANDLE_VALUE ) { printError( TEXT("CreateToolhelp32Snapshot (of modules)") ); return( FALSE ); } // Set the size of the structure before using it. me32.dwSize = sizeof( MODULEENTRY32 ); // Retrieve information about the first module, // and exit if unsuccessful if( !Module32First( hModuleSnap, &me32 ) ) { printError( TEXT("Module32First") ); // show cause of failure CloseHandle( hModuleSnap ); // clean the snapshot object return( FALSE ); } // Now walk the module list of the process, // and display information about each module do { _tprintf( TEXT("\n\n MODULE NAME: %s"), me32.szModule ); _tprintf( TEXT("\n Executable = %s"), me32.szExePath ); printf( "\n Process ID = 0x%08X", me32.th32ProcessID ); printf( "\n Ref count (g) = 0x%04X", me32.GlblcntUsage ); printf( "\n Ref count (p) = 0x%04X", me32.ProccntUsage ); printf( "\n Base address = 0x%08X", (DWORD) me32.modBaseAddr ); printf( "\n Base size = %d", me32.modBaseSize ); } while( Module32Next( hModuleSnap, &me32 ) ); CloseHandle( hModuleSnap ); return( TRUE );}BOOL ListProcessThreads( DWORD dwOwnerPID ) { HANDLE hThreadSnap = INVALID_HANDLE_VALUE; THREADENTRY32 te32; // Take a snapshot of all running threads hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); if( hThreadSnap == INVALID_HANDLE_VALUE ) return( FALSE ); // Fill in the size of the structure before using it. 
te32.dwSize = sizeof(THREADENTRY32 ); // Retrieve information about the first thread, // and exit if unsuccessful if( !Thread32First( hThreadSnap, &te32 ) ) { printError( TEXT("Thread32First") ); // show cause of failure CloseHandle( hThreadSnap ); // clean the snapshot object return( FALSE ); } // Now walk the thread list of the system, // and display information about each thread // associated with the specified process do { if( te32.th32OwnerProcessID == dwOwnerPID ) { printf( "\n\n THREAD ID = 0x%08X", te32.th32ThreadID ); printf( "\n Base priority = %d", te32.tpBasePri ); printf( "\n Delta priority = %d", te32.tpDeltaPri ); } } while( Thread32Next(hThreadSnap, &te32 ) ); CloseHandle( hThreadSnap ); return( TRUE );}void printError( TCHAR* msg ){ DWORD eNum; TCHAR sysMsg[256]; TCHAR* p; eNum = GetLastError( ); FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, eNum, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language sysMsg, 256, NULL ); // Trim the end of the line and terminate it with a null p = sysMsg; while( ( *p > 31 ) || ( *p == 9 ) ) ++p; do { *p-- = 0; } while( ( p >= sysMsg ) && ( ( *p == '.' 
) || ( *p < 33 ) ) ); // Display the message _tprintf( TEXT("\n WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );}bool insertDll(DWORD procID, std::string dll){ //Find the address of the LoadLibrary api, luckily for us, it is loaded in the same address for every process HMODULE hLocKernel32 = GetModuleHandle("Kernel32"); FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA"); //Open the process with all access HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID); //Allocate memory to hold the path to the Dll File in the process's memory dll += '\0'; LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT, PAGE_READWRITE); //Write the path to the Dll File in the location just created DWORD numBytesWritten; WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten); //Create a remote thread that starts begins at the LoadLibrary function and is passed are memory pointer HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, 0, NULL); ResumeThread(hRemoteThread); //cout << hRemoteThread << endl; //Wait for the thread to finish bool res = false; if (hRemoteThread) res = (bool)WaitForSingleObject(hRemoteThread, MAXWAIT) != WAIT_TIMEOUT; //Free the memory created on the other process VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE); //Release the handle to the other process CloseHandle(hProc); return res;} i included the project file for visual studio 2008 c++ in the attached .rar and also the Caliber.dll that gets injected.thanks for any help!best,CaliberProjects.rar Edited March 10, 2008 by Caliber
D1N Posted March 11, 2008 Posted March 11, 2008 (edited) Caliber where is the source for the dll? I'm willing to offer a suggestion but im not injecting your code into notepad. lol not unless I can see the source of the dll file. look at human's post count and time he joined here... I think what he means is include the source code for your library too! not just the "loader" this is a loader i use for injecting a library into hl2.exe // loader.cpp#include <windows.h>#include <TLHELP32.H> // PROCESSENTRY32#include <stdio.h> // sprintf#include "Loader.h"HWND hWnd;PROCESSENTRY32 PE32;char szTarget[] = "hl2.exe";char szPath[256], szDllToInject[256];// Forward declarations of functions used in this programLRESULT CALLBACK MainDlgProc( HWND hDlg, UINT Msg, WPARAM wParam, LPARAM lParam );DWORD WINAPI InjectionThread( LPVOID lpParam );int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd ){ char *intro = "Minimize Loader & Start Game"; MessageBox( NULL, intro, "Attention!", MB_ICONWARNING | MB_OK ); GetModuleFileName( 0, szPath, sizeof(szPath) ); strcpy( szDllToInject, szPath ); szDllToInject[ strlen(szPath) - 3] = 'd'; szDllToInject[ strlen(szPath) - 2] = 'l'; szDllToInject[ strlen(szPath) - 1] = 'l'; WIN32_FIND_DATA fnd; HANDLE DllHnd = FindFirstFile( szDllToInject, &fnd ); if( DllHnd == INVALID_HANDLE_VALUE ) { char szFailMsg[512] = { 0 }; sprintf( szFailMsg, "The library to be injected could not be found:\n\n\"%s\"", szDllToInject ); MessageBox( NULL, szFailMsg, "Error!", MB_ICONERROR | MB_OK ); return FALSE; } DWORD dwParam1, dwThreadID1, dwParam2, dwThreadID2; CreateThread( NULL, 0, InjectionThread, &dwParam1, 0, &dwThreadID1 ); DialogBox( hInstance, MAKEINTRESOURCE(IDD_MAIN), hWnd, (DLGPROC)MainDlgProc ); return 0;}LRESULT CALLBACK MainDlgProc( HWND hDlg, UINT Msg, WPARAM wParam, LPARAM lParam ){ switch( Msg ) { case WM_INITDIALOG: return TRUE; case WM_COMMAND: if( LOWORD( wParam ) == IDCANCEL ) { EndDialog( hDlg, LOWORD( 
wParam ) ); return TRUE; } break; } return FALSE;}DWORD WINAPI InjectionThread( LPVOID lpParam ){ while( 1 ) { HANDLE hSnapshot, hModule, hProcess; hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); PE32.dwSize = sizeof(PROCESSENTRY32); Process32First( hSnapshot, &PE32 ); while( Process32Next( hSnapshot, &PE32 ) ) { if( strcmp( PE32.szExeFile, szTarget ) == 0 ) { Sleep( 3 ); hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, PE32.th32ProcessID ); hModule = VirtualAllocEx( hProcess, 0, sizeof(szDllToInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE ); WriteProcessMemory( hProcess, hModule, (LPVOID)szDllToInject, sizeof(szDllToInject), NULL ); CreateRemoteThread( hProcess, NULL, 0, (unsigned long(__stdcall *)(void *))GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"), hModule, 0, NULL ); CloseHandle( hProcess ); ExitProcess( 0 ); break; } } CloseHandle(hSnapshot); Sleep( 5 ); } return 0;} Edited March 11, 2008 by D1N
revert Posted March 11, 2008 Posted March 11, 2008 Maybe a dumb remark but isn't it:insertDll(pe32.th32ParentProcessID, "C:\Caliber.dll"); insertDll(pe32.th32ParentProcessID, "C:\\Caliber.dll");
human Posted March 11, 2008 Posted March 11, 2008 no, i didn't mean that. i mean he sells his trainers and asks for our help, more and more; that's pathetic. so he earns money on warez and on our knowledge
rendari Posted March 11, 2008 Posted March 11, 2008 Teddy asks for money too, to run the site. Besides, the amount of money in question is so little that it's hardly worth mentioning =/
human Posted March 11, 2008 Posted March 11, 2008 (edited) maybe he asks, since all do that, but this is free will. not everybody pays, and he doesn't ask new members to pay again, like cheathappens, where caliber is. so it's 180 degrees different. if you wanna help it's your choice; i just express my opinion about it. what you do is up to you. Edited March 11, 2008 by human
Teddy Rogers Posted March 11, 2008 Posted March 11, 2008 Teddy asks money too to run the site. Besides, the amount of money in question is so little that it's hardly worth mentioning =/ But you don't get charged for being here. It is a donation not a fee, if you choose to donate. I'll argue against your point there Anyway, I certainly don't make any money from running this site, I only ask for donations to cover a certain amount of the running costs - if you like and enjoy the site. Nothing more and nothing less. There are no guarantees or a request by me that an amount has to be reached every year for the site to remain online. Donations or not it'll still be here... Ted.
Caliber Posted March 12, 2008 Author Posted March 12, 2008 Teddy asks money too to run the site. Besides, the amount of money in question is so little that it's hardly worth mentioning =/ But you don't get charged for being here. It is a donation not a fee, if you choose to donate. I'll argue against your point there Anyway, I certainly don't make any money from running this site, I only ask for donations to cover a certain amount of the running costs - if you like and enjoy the site. Nothing more and nothing less. There are no guarantees or a request by me that an amount has to be reached every year for the site to remain online. Donations or not it'll still be here... Ted. i sure don't want to cause any problems here. i apologize for the disruptions. a couple things- 1) regarding the website i work with: every one of our trainers is put out for free within a month of its release date. nobody has to buy anything. i've done hundreds of trainers for games at this point (including the patches). i don't want to debate the right or wrong of it here. i apologize if people are upset with what we do, but nobody has to buy anything. we post our full version trainers on gamecopyworld, filefront, etc. for free several weeks after we release them to our members. i spend ungodly amounts of time doing this and helping members with troubleshooting, etc. unfortunately we aren't making the millions people think we are. i just enjoy doing this and the funds we get help to keep the site going and to pay for our time and server, etc. i don't understand the hate. i myself have put out tutorials and helped the so called 'newbs' get a handle on some of these gamehacking topics/concepts. now i have made the move from another language to c++ mainly to try to get around the 32/64 bit hurdle. my previous language/programming suite only creates 32 bit files, so in essence i am starting over, trying to learn the api calls from vis c++. 
i have had quite a run in the 32 bit world and now i am trying to move to 64 bit. learning to do these things in 32 bit vis c++ is the first step. regarding the code above- 1) you can inject any .dll you desire. i just included the .dll to complete the code. inject any windows .dll or one of your own. i just want the code to work, that's all. 2) i note with the visual studio IDE that the line: HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID); after this line is executed, hProc is still 0x00000000, so for some reason the handle is not being given by the OpenProcess() api call. Any idea why? this might be why it is not injected, or certainly a big part of it- thanks again for all the responses above! Mike
human Posted March 12, 2008 Posted March 12, 2008 (edited) well sheep was earlier in flt and other groups doing trainers; now he also sells them. it's not the scene way. if i do something i do it for fun and learning, not money; for money i've got a job, like most crackers and dox people do. i stopped doing trainers when gry-online.pl started to sell my free trainers (also pay a yearly fee or send an sms for 1 trainer), and their response to my request to remove the stolen stuff was "it free on web so we dont steal". i wonder why then fbi, mpaa and riaa chase so many if it's also free on the web; nobody paid for the mp3, movie, game. D1N, you can't OpenProcess on some exes with all_access; better to request only the rights required, and also adjust the process token privileges. Edited March 12, 2008 by human
Caliber Posted March 12, 2008 Author Posted March 12, 2008 Maybe a dumb remark but isn't it:insertDll(pe32.th32ParentProcessID, "C:\Caliber.dll"); insertDll(pe32.th32ParentProcessID, "C:\\Caliber.dll");i tried this to be thorough but it doesn't work. i am sure that it needs to be pe32.th32ProcessID- thanks for the posting- i gave it a try- best, Mike
D1N Posted March 12, 2008 Posted March 12, 2008 (edited) D1N you cant openprocess on some exe with all_access, better is set only those required also Adjust Process Token Privileges Yeah, you're right. I was just thinking about that earlier when I was looking at the source. it works great right now, but the objective is, like you said, OpenProcess with all_access, and yes I do need to adjust the Process Token Privileges. Thanks dude! Edited March 12, 2008 by D1N
Caliber Posted March 12, 2008 Author Posted March 12, 2008 D1N regarding your code you posted,i used: std::string szDllToInject = "c:\Caliber.dll"; HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, pe32.th32ProcessID ); LPVOID hModule = VirtualAllocEx( hProcess, 0, sizeof(szDllToInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE ); WriteProcessMemory( hProcess, hModule, szDllToInject.c_str(), sizeof(szDllToInject), NULL ); CreateRemoteThread( hProcess, NULL, 0, (unsigned long(__stdcall *)(void *))GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"), hModule, 0, NULL ); CloseHandle( hProcess );however at:HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, pe32.th32ProcessID );once again after this instruction is executed, you would expect hProcess to have a number but it is 0x00000000, which is why the injection isn't taking place.pe32.th32ProcessID has a value, so i don't understand why then OpenProcess() isn't working and filling hProcess with a value-any help would be appreciated-best,Mike
Caliber Posted March 12, 2008 Author Posted March 12, 2008 D1N regarding your code you posted,i used: std::string szDllToInject = "c:\Caliber.dll"; HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, pe32.th32ProcessID ); LPVOID hModule = VirtualAllocEx( hProcess, 0, sizeof(szDllToInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE ); WriteProcessMemory( hProcess, hModule, szDllToInject.c_str(), sizeof(szDllToInject), NULL ); CreateRemoteThread( hProcess, NULL, 0, (unsigned long(__stdcall *)(void *))GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"), hModule, 0, NULL ); CloseHandle( hProcess );however at:HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, pe32.th32ProcessID );once again after this instruction is executed, you would expect hProcess to have a number but it is 0x00000000, which is why the injection isn't taking place.pe32.th32ProcessID has a value, so i don't understand why then OpenProcess() isn't working and filling hProcess with a value-any help would be appreciated-best,Mikeif i change PROCESS_ALL_ACCES to PROCESS_VM_READ it gets past the OpenProcess() but then fails at VirtualAllocEx !?!!?! as hModule then gets set as 0x00000000. it's like something is blocking it or something. the injection from my other programs works fine. however from visual c++ IDE with this code, no joy-any help appreciated.best,Mike
Caliber Posted March 12, 2008 Author Posted March 12, 2008 OK i got it to finally work.here's the updated code:// List Processes and Modules.cpp : Defines the entry point for the console application.//#include "stdafx.h"// test.cpp : Defines the entry point for the console application.//#include <windows.h>#include <tlhelp32.h>#include <tchar.h>#include <stdio.h>#include <string>#define MAXWAIT 10000// Forward declarations:BOOL GetProcessList( );BOOL ListProcessModules( DWORD dwPID );BOOL ListProcessThreads( DWORD dwOwnerPID );void printError( TCHAR* msg );bool insertDll(DWORD procID, std::string dll);void main( ){ GetProcessList( );}BOOL GetProcessList( ){ HANDLE hProcessSnap; HANDLE hProcess; PROCESSENTRY32 pe32; DWORD dwPriorityClass; CHAR filename[260] = "notepad.exe"; // Take a snapshot of all processes in the system. hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if( hProcessSnap == INVALID_HANDLE_VALUE ) { printError( TEXT("CreateToolhelp32Snapshot (of processes)") ); return( FALSE ); } // Set the size of the structure before using it. pe32.dwSize = sizeof( PROCESSENTRY32 ); // Retrieve information about the first process, // and exit if unsuccessful if( !Process32First( hProcessSnap, &pe32 ) ) { printError( TEXT("Process32First") ); // show cause of failure CloseHandle( hProcessSnap ); // clean the snapshot object return( FALSE ); } // Now walk the snapshot of processes, and // display information about each process in turn do { if (!strcmp(pe32.szExeFile,filename)) { printf( "\n\n=====================================================" ); _tprintf( TEXT("\nPROCESS NAME: %s"), filename);//pe32.szExeFile ); printf( "\n-----------------------------------------------------" ); // Retrieve the priority class. 
dwPriorityClass = 0; hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID ); if( hProcess == NULL ) printError( TEXT("OpenProcess") ); else { dwPriorityClass = GetPriorityClass( hProcess ); if( !dwPriorityClass ) printError( TEXT("GetPriorityClass") ); CloseHandle( hProcess ); } printf( "\n Process ID = 0x%08X", pe32.th32ProcessID ); printf( "\n Thread count = %d", pe32.cntThreads ); printf( "\n Parent process ID = 0x%08X", pe32.th32ParentProcessID ); printf( "\n Priority base = %d", pe32.pcPriClassBase ); if( dwPriorityClass ) printf( "\n Priority class = %d", dwPriorityClass ); // List the modules and threads associated with this process insertDll(pe32.th32ProcessID, "c:\CH.dll"); // this is where we try to inject ListProcessModules( pe32.th32ProcessID ); ListProcessThreads( pe32.th32ProcessID ); } } while( Process32Next( hProcessSnap, &pe32 ) ); CloseHandle( hProcessSnap ); return( TRUE );}BOOL ListProcessModules( DWORD dwPID ){ HANDLE hModuleSnap = INVALID_HANDLE_VALUE; MODULEENTRY32 me32; // Take a snapshot of all modules in the specified process. hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID ); if( hModuleSnap == INVALID_HANDLE_VALUE ) { printError( TEXT("CreateToolhelp32Snapshot (of modules)") ); return( FALSE ); } // Set the size of the structure before using it. 
me32.dwSize = sizeof( MODULEENTRY32 ); // Retrieve information about the first module, // and exit if unsuccessful if( !Module32First( hModuleSnap, &me32 ) ) { printError( TEXT("Module32First") ); // show cause of failure CloseHandle( hModuleSnap ); // clean the snapshot object return( FALSE ); } // Now walk the module list of the process, // and display information about each module do { _tprintf( TEXT("\n\n MODULE NAME: %s"), me32.szModule ); _tprintf( TEXT("\n Executable = %s"), me32.szExePath ); printf( "\n Process ID = 0x%08X", me32.th32ProcessID ); printf( "\n Ref count (g) = 0x%04X", me32.GlblcntUsage ); printf( "\n Ref count (p) = 0x%04X", me32.ProccntUsage ); printf( "\n Base address = 0x%08X", (DWORD) me32.modBaseAddr ); printf( "\n Base size = %d", me32.modBaseSize ); } while( Module32Next( hModuleSnap, &me32 ) ); CloseHandle( hModuleSnap ); return( TRUE );}BOOL ListProcessThreads( DWORD dwOwnerPID ) { HANDLE hThreadSnap = INVALID_HANDLE_VALUE; THREADENTRY32 te32; // Take a snapshot of all running threads hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); if( hThreadSnap == INVALID_HANDLE_VALUE ) return( FALSE ); // Fill in the size of the structure before using it. 
te32.dwSize = sizeof(THREADENTRY32 ); // Retrieve information about the first thread, // and exit if unsuccessful if( !Thread32First( hThreadSnap, &te32 ) ) { printError( TEXT("Thread32First") ); // show cause of failure CloseHandle( hThreadSnap ); // clean the snapshot object return( FALSE ); } // Now walk the thread list of the system, // and display information about each thread // associated with the specified process do { if( te32.th32OwnerProcessID == dwOwnerPID ) { printf( "\n\n THREAD ID = 0x%08X", te32.th32ThreadID ); printf( "\n Base priority = %d", te32.tpBasePri ); printf( "\n Delta priority = %d", te32.tpDeltaPri ); } } while( Thread32Next(hThreadSnap, &te32 ) ); CloseHandle( hThreadSnap ); return( TRUE );}void printError( TCHAR* msg ){ DWORD eNum; TCHAR sysMsg[256]; TCHAR* p; eNum = GetLastError( ); FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, eNum, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language sysMsg, 256, NULL ); // Trim the end of the line and terminate it with a null p = sysMsg; while( ( *p > 31 ) || ( *p == 9 ) ) ++p; do { *p-- = 0; } while( ( p >= sysMsg ) && ( ( *p == '.' 
) || ( *p < 33 ) ) ); // Display the message _tprintf( TEXT("\n WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );}bool insertDll(DWORD procID, std::string dll){ //Find the address of the LoadLibrary api, luckily for us, it is loaded in the same address for every process HMODULE hLocKernel32 = GetModuleHandle("Kernel32"); FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA"); //Open the process with all access HANDLE hProc = OpenProcess(STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 4095, TRUE, procID); //Allocate memory to hold the path to the Dll File in the process's memory dll += '\0'; LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); //Write the path to the Dll File in the location just created DWORD numBytesWritten; WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten); //Create a remote thread that starts begins at the LoadLibrary function and is passed are memory pointer HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, NULL, NULL); ResumeThread(hRemoteThread); //cout << hRemoteThread << endl; //Wait for the thread to finish bool res = false; if (hRemoteThread) { WaitForSingleObject(hRemoteThread, INFINITE); } //Free the memory created on the other process VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE); //Release the handle to the other process CloseHandle(hProc); return res;} note that if you run notepad.exe from Start-Programs it runs notepad.exe from system32 directory which the above code will not inject into a program run from system32 directoryif you copy notepad.exe to c: drive and then run it from there it injects fine.thanks for all the help and input. moving on to the next part-best,Cal