[SRC-Release] Injector with an embeddable DLL

05/19/2010 10:15 Nyamochka#1
Here's the injector I made for my Item Manager.
  • Loads a DLL from resource;
  • Writes a .dll with a random filename into System32 folder;
  • Injects using simple LoadLibrary/CreateRemoteThread method;
  • Schedules the .dll for deletion on reboot.

How to use it in your VC++ project:
  • Make sure your project is set to Unicode (Solution properties -> Configuration Properties -> General -> Character Set = Use Unicode Character Set);
  • Make your project require administrator privileges (Solution properties -> Configuration Properties -> Linker -> Manifest File -> UAC Execution Level = requireAdministrator);
  • Create a resource in your project with type of "BINARY" and ID of "IDR_DLL" and set its path to your DLL file.
  • Include 'Injection.h' in your main CPP.

Then use it like this, on a timer message or in a separate thread loop:
Code:
DWORD procId = GetTargetThreadIDFromProcName(L"S4 Client.exe");

if (procId) {
    Inject(procId);
}
Of course, this snippet lacks error handling, and you should have it, but it's up to you.

Feel free to add corrections and ask questions. Happy coding!
05/19/2010 10:19 captaingenzo#2
What about 64-bit Win7? Is it the same for a 32-bit OS?
05/19/2010 10:21 Nyamochka#3
Quote:
Originally Posted by captaingenzo
What about 64-bit Win7?
Reported working under Win7 64-bit.

The problem with some of the users was due to Unicode Windows usernames.

Update: Oh, you mean System32 can be a problem on 64-bit systems? As far as I remember, it's still there for compatibility purposes so it should be OK. It's just a trick to fool X-Trap.
05/19/2010 11:48 mipez#4
Hm, that's nice. I don't use C++, but I got an idea for using it with other languages ;D
05/19/2010 11:51 Nyamochka#5
Quote:
Originally Posted by mipez
Hm, that's nice. I don't use C++, but I got an idea for using it with other languages ;D
It's easy to translate it into VB, Delphi or C# - the API calls are the same.
05/19/2010 13:23 Nyamochka#6
LOL! Just noticed I haven't attached it. Here you go.

I wonder why no one noticed there should be something :p
05/19/2010 14:09 cmpqz321#7
nice :D
05/19/2010 14:12 casaAlex#8
Gj, you get a big Thx.
Alex.
05/19/2010 15:25 Nyamochka#9
This shit:
Code:
GetEnvironmentVariable(L"WINDIR", tempPath, MAX_PATH);
wcscat_s(tempPath, MAX_PATH, L"\\System32");
Should be replaced with:
Code:
GetSystemDirectory(tempPath, MAX_PATH);
It doesn't make a difference, yet it's a fail anyway :D
05/19/2010 15:30 MrSm!th#10
Hm, nice work, even if I don't think that's really necessary in the S4 section ;)
Maybe you could make a class and, if it's good, I will add it to the Gamehacking Foundation Classes (if you agree).
05/19/2010 15:35 Nyamochka#11
Quote:
Originally Posted by MrSm!th
Hm, nice work, even if I don't think that's really necessary in the S4 section ;)
Maybe you could make a class and, if it's good, I will add it to the Gamehacking Foundation Classes (if you agree).
I've never heard of GFC, yet I think there should be an injector, or even a handful of them, already. And my stealth mechanisms (which are currently failing) don't qualify for a separate class, I guess.
05/19/2010 15:45 MrSm!th#12
Quote:
Originally Posted by Nyamochka
I've never heard of GFC, yet I think there should be an injector, or even a handful of them, already. And my stealth mechanisms (which are currently failing) don't qualify for a separate class, I guess.
Yes, because I am working on it ;)

It's a big collection of classes for (advanced) gamehacking, like detouring etc...
maybe you want to help me?
05/19/2010 15:53 Nyamochka#13
Quote:
Originally Posted by MrSm!th
Yes, because I am working on it ;)

It's a big collection of classes for (advanced) gamehacking, like detouring etc...
maybe you want to help me?
Well, maybe I want to, but I don't know yet. I'm working on my manager while procrastinating from my job, but I'm not much of a game hacker :) Let's see how it will go.
05/20/2010 17:32 Nyamochka#14
As you may have noticed, my injector had trouble with some Vista/Win7 instances. Here's the fix.

Header:
Code:
typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
  ULONG Length;
  HANDLE RootDirectory;
  PUNICODE_STRING ObjectName;
  ULONG Attributes;
  PVOID SecurityDescriptor;
  PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

typedef DWORD (WINAPI *NTCREATETHREADEX)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID Unknown
);
Replace this in the code:
Code:
hThread = CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
With this:
Code:
HANDLE hThread;
NTCREATETHREADEX NtCreateThreadEx = (NTCREATETHREADEX)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
if (NtCreateThreadEx) {
    NtCreateThreadEx(&hThread, GENERIC_ALL, NULL, hProc, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, FALSE, NULL, NULL, NULL, NULL);
} else {
    hThread = CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
}
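From the defender's side, the technique in post #1 (a random-named DLL written into System32, then LoadLibrary started in the target through a remote thread) and the NtCreateThreadEx variant in post #14 leave the same footprint. The following Python is an added example, not code from this thread: it correlates constructed Sysmon-style records (Event ID 11 FileCreate and Event ID 8 CreateRemoteThread) for that pattern. The servicing-process allowlist, the five-minute window and all sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed allowlist: processes expected to write DLLs into System32.
SERVICING_IMAGES = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
}
SYSTEM32_DLL = re.compile(r"^c:\\windows\\system32\\[^\\]+\.dll$", re.I)
WINDOW = timedelta(minutes=5)  # assumed correlation window


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Alert when a non-servicing process writes a DLL into System32 and, within
    WINDOW, starts a thread in another process whose entry is LoadLibraryW.
    Event 8 is produced by a kernel thread-creation callback, so the direct
    NtCreateThreadEx call from post #14 is reported the same way."""
    drops = {}  # (pid, image) -> [(time, dropped dll path)]
    for e in events:
        if (e["EventID"] == 11 and SYSTEM32_DLL.match(e["TargetFilename"])
                and e["Image"].lower() not in SERVICING_IMAGES):
            drops.setdefault((e["ProcessId"], e["Image"].lower()), []).append(
                (_ts(e["UtcTime"]), e["TargetFilename"]))
    alerts = []
    for e in events:
        if e["EventID"] != 8 or e["StartFunction"] != "LoadLibraryW":
            continue
        t = _ts(e["UtcTime"])
        for drop_t, dll in drops.get((e["SourceProcessId"], e["SourceImage"].lower()), []):
            if drop_t <= t <= drop_t + WINDOW:
                alerts.append({"source": e["SourceImage"], "target": e["TargetImage"],
                               "dropped_dll": dll})
    return alerts


# Constructed sample events (not real telemetry); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2010-05-19 10:15:01", "ProcessId": 4012,
     "Image": r"C:\Users\player\ItemManager.exe",
     "TargetFilename": r"C:\Windows\System32\kqzxvbnm.dll"},
    {"EventID": 11, "UtcTime": "2010-05-19 10:15:02", "ProcessId": 1180,
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\comctl32.dll"},
    {"EventID": 8, "UtcTime": "2010-05-19 10:15:03", "SourceProcessId": 4012,
     "SourceImage": r"C:\Users\player\ItemManager.exe",
     "TargetImage": r"C:\Program Files\S4\S4 Client.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.dll", "StartFunction": "LoadLibraryW"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The TrustedInstaller write is ignored by the allowlist, while the ItemManager drop followed by a LoadLibraryW thread in the game client yields one alert.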