Dll inject
Discussion on Dll inject within the AutoIt forum part of the Coders Den category.
12/21/2014, 15:15
#1
Dll inject
Hallo,
ich habe ein Problem mit meinem Autoit Script. Ich möchte eine .dll in ein Spiel injecten, wenn dieses gestartet wird.
Die .dll wird aber mit meinem Script nicht injected. Wenn ich die .dll allerdings mit anderen Injectoren wie Faith oder hInjector injecte, funktioniert die .dll.
Das Script ist in x86 compiled und das Spiel ist auch x86.
Wo ist das Problem?
Code:
#include-once
; Declares that the script needs full administrator rights to run.
#RequireAdmin
; Despite the name, $hWnd holds an executable name as a string, not a window handle.
$hWnd= "Spiel.exe"
; Path of the DLL to be loaded; @ScriptDir and the file name are concatenated directly.
$sPath =@ScriptDir & 'test.dll'
; Calls user32!GetWindowThreadProcessId with the string above in the "hwnd" slot.
; DllCall returns an array: [0] is the API return value, [1] and [2] are copies of
; the two arguments as they stand after the call.
$PID = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hWnd, "int_ptr", 0)
; AutoIt variable names are case-insensitive, so $pid and $PID are the same variable.
If IsArray($pid) Then
; Keeps element [2], i.e. the second argument slot of the call.
$pid = $pid[2]
Else
; DllCall did not return an array: flag the failure.
; NOTE(review): this Return sits outside any Func in the posted script.
SetError(-3)
Return False
EndIf
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <Memory.au3>
#include <NomadMemory.au3>
#include <WinAPIError.au3>
; Polling loop around the process check: one branch shows a "waiting" tooltip, the
; other shows 'Bypassed'. The While and If opened here are closed only by the
; EndIf/WEnd that follow the Func definitions, so the paste places those
; definitions inside the loop body.
While 1
; NOTE(review): ProcessExists is written without call parentheses on this line.
If Not ProcessExists $hWnd Then
ToolTip('Waiting for Process...',0,0)
Else
ToolTip('Bypassed',0,0)
; _InjectAttachDll($PID, $sPath)
; Writes the string $sPath into the address space of process $PID and starts a
; thread in that process at LoadLibraryA with the written string as its argument.
; This is the LoadLibrary/CreateRemoteThread form of DLL injection (MITRE ATT&CK
; T1055.001).
; Returns: the remote thread's exit code as read by GetExitCodeThread.
; SetError values used below: 1 = _MemoryOpen failed, 2 = _MemoryWrite failed,
;                             3 = DllOpen failed, 4 = exit code compared equal to False.
; Defender's view: the steps below (handle opened on another process, remote
; allocation, remote write, remote thread at LoadLibraryA) are the events that
; Sysmon records as Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread),
; followed by Event ID 7 (ImageLoad) in the target when the library loads.
; SetPrivilege, _MemoryOpen, _MemoryWrite and _MemoryClose are not defined on this
; page - presumably they come from the included NomadMemory.au3; confirm.
Func _InjectAttachDll($PID, $sPath)
Local $hRemote, $iLen = StringLen($sPath), $hProcess, $pAllocAdresse, $vError, $hOpen, $pLoadLibraryA, $vStruct
; Asks for SeDebugPrivilege to be enabled for this process before opening the target.
SetPrivilege("SeDebugPrivilege", 1)
; NOTE(review): `o` is a bare letter here, not the digit 0 and not a $variable.
SetError(o)
; $hProcess is used as an array further down ($hProcess[1] is passed as the process handle).
$hProcess = _MemoryOpen($PID)
$vError = @error
If $vError Then
SetError(1)
Return $vError
EndIf
; Commits $iLen + 1 bytes in the target. The region is requested as
; PAGE_EXECUTE_READWRITE although only the path string is written into it.
$pAllocAdresse = _MemVirtualAllocEx($hProcess[1], 0, $iLen + 1, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
; Copies the path into the allocated region. @error is inspected only after this
; call; the allocation result itself is not checked.
_MemoryWrite($pAllocAdresse, $hProcess, $sPath, 'char[' & $iLen & ']')
$vError = @error
If $vError Then
SetError(2)
Return $vError
EndIf
$hOpen = DllOpen("Kernel32.dll")
$vError = @error
If $vError Then
SetError(3)
Return $vError
EndIf
; Resolves LoadLibraryA in the calling process; that address is then handed to the
; remote thread as its start routine, with the remote path buffer as its parameter.
$pLoadLibraryA = DllCall($hOpen, "HANDLE", "GetProcAddress", "HANDLE", _WinAPI_GetModuleHandle("kernel32.dll"), "str", "LoadLibraryA")
$hRemote = DllCall($hOpen, "HANDLE", "CreateRemoteThread", "HANDLE", $hProcess[1], "ptr", 0, "ptr", 0, "ptr", $pLoadLibraryA[0], "ptr", $pAllocAdresse, "DWORD", 0, "ptr", 0)
; Blocks until the remote thread has finished, then reads its exit code into a struct.
_WinAPI_WaitForSingleObject($hRemote[0])
$vStruct = DllStructCreate("HANDLE;")
DllCall($hOpen, "BOOL", "GetExitCodeThread", "HANDLE", $hRemote[0], "ptr", DllStructGetPtr($vStruct, 1))
$vError = DllStructGetData($vStruct, 1)
DllClose($hOpen)
; Cleanup. NOTE(review): $iLen is passed here although $iLen + 1 bytes were
; requested, and $hProcess is passed whole where the allocation used $hProcess[1].
; The thread handle in $hRemote[0] is not closed in this function.
_MemVirtualFreeEx($hProcess, $pAllocAdresse, $iLen, $MEM_DECOMMIT)
_MemoryClose($hProcess)
; An exit code that compares equal to False is reported as @error 4.
If $vError = False Then
SetError(4)
Return $vError
EndIf
Return $vError
EndFunc
; _InjectDetachDllEx($PID, $hModule)
; Starts a thread in process $PID at FreeLibrary with $hModule as its argument,
; i.e. asks the target process to unload that module.
; Returns: the remote thread's exit code as read by GetExitCodeThread.
; SetError values used below: 1 = _MemoryOpen failed, 2 = DllOpen failed,
;                             3 = exit code compared equal to False.
; SetPrivilege, _MemoryOpen and _MemoryClose are not defined on this page -
; presumably they come from the included NomadMemory.au3; confirm.
Func _InjectDetachDllEx($PID, $hModule)
Local $hRemote, $hProcess, $vError, $hOpen, $pFreeLibrary, $vStruct
; Asks for SeDebugPrivilege to be enabled for this process before opening the target.
SetPrivilege("SeDebugPrivilege", 1)
; NOTE(review): `o` is a bare letter here, not the digit 0 and not a $variable.
SetError(o)
$hProcess = _MemoryOpen($PID)
$vError = @error
If $vError Then
SetError(1)
Return $vError
EndIf
$hOpen = DllOpen("Kernel32.dll")
$vError = @error
If $vError Then
SetError(2)
Return $vError
EndIf
; Resolves FreeLibrary in the calling process and passes that address as the
; remote thread's start routine. The start address is typed "DWORD" on this call.
$pFreeLibrary = DllCall($hOpen, "HANDLE", "GetProcAddress", "HANDLE", _WinAPI_GetModuleHandle("kernel32.dll"), "str", "FreeLibrary")
$hRemote = DllCall($hOpen, "HANDLE", "CreateRemoteThread", "HANDLE", $hProcess[1], "int", 0, "int", 0, "DWORD", $pFreeLibrary[0], "ptr", $hModule, "DWORD", 0, "DWORD*", 0)
; Blocks until the remote thread has finished, then reads its exit code.
_WinAPI_WaitForSingleObject($hRemote[0])
$vStruct = DllStructCreate("BOOL;")
; The DllCall result array stored in $vError is overwritten on the next line.
$vError = DllCall($hOpen, "BOOL", "GetExitCodeThread", "HANDLE", $hRemote[0], "ptr", DllStructGetPtr($vStruct, 1))
$vError = DllStructGetData($vStruct, 1)
DllClose($hOpen)
; The thread handle in $hRemote[0] is not closed in this function.
_MemoryClose($hProcess)
If $vError = False Then
SetError(3)
Return $vError
EndIf
Return $vError
EndFunc
; _InjectDetachDll($sPath, $PID)
; Looks up the module of process $PID whose szExePath equals $sPath and forwards
; it to _InjectDetachDllEx.
; Returns: the result of _InjectDetachDllEx on a match; the saved @error value
; (with @error = -1) when the module list could not be built; -1 (with
; @error = -2) when no module path matched.
Func _InjectDetachDll($sPath, $PID)
Local $aArray, $i, $vError
; One row per loaded module; the columns follow the MODULEENTRY32 field order
; used in _InjectModulInfo.
$aArray = _InjectModulInfo($PID)
$vError = @error
If $vError Then
SetError(-1)
Return $vError
EndIf
For $i = 0 To UBound($aArray) - 1
; Column 9 is szExePath and column 7 is hModule. The comparison uses `=`, which
; is case-insensitive for strings in AutoIt.
If $aArray[$i][9] = $sPath Then
; NOTE(review): _InjectDetachDllEx is declared as ($PID, $hModule), but the module
; handle is passed first and the PID second on this call.
Return _InjectDetachDllEx($aArray[$i][7], $PID)
EndIf
Next
SetError(-2)
Return -1
EndFunc
; _InjectModulInfo($PID)
; Lists the modules loaded in process $PID with the Toolhelp snapshot API.
; Returns: a 2-D array with one row per module and 10 columns in MODULEENTRY32
; field order (0 dwSize ... 5 modBaseAddr, 6 modBaseSize, 7 hModule, 8 szModule,
; 9 szExePath); -1 with @error = 1 when the process does not exist, -1 with
; @error = 2 when Kernel32.dll could not be opened.
; The same enumeration is what a defender uses to check which modules a process
; has loaded, e.g. to spot a DLL loaded from an unexpected path.
Func _InjectModulInfo($PID)
Local $hModule, $hSnapshot, $hOpen, $iCount = 0, $aArray[1][10], $i, $vMODULEENTRY32, $vNext
If Not ProcessExists($PID) Then
SetError(1)
Return -1
EndIf
; SetPrivilege is not defined on this page - presumably from NomadMemory.au3; confirm.
SetPrivilege("SeDebugPrivilege", 1)
$hOpen = DllOpen("Kernel32.dll")
If @error Then
SetError(2)
Return -1
EndIf
; ANSI MODULEENTRY32 layout; dwSize (field 1) must hold the structure size before
; the first Module32First call, which the next line sets.
$vMODULEENTRY32 = DllStructCreate("DWORD dwSize; DWORD th32ModuleID; DWORD th32ProcessID; DWORD GlblcntUsage; DWORD ProccntUsage; ptr modBaseAddr; DWORD modBaseSize; HANDLE hModule; CHAR szModule[256]; CHAR szExePath[260];")
DllStructSetData($vMODULEENTRY32, 1, DllStructGetSize($vMODULEENTRY32))
; Flag 8 is TH32CS_SNAPMODULE: snapshot of the modules of process $PID.
$hSnapshot = DllCall($hOpen, "HANDLE", "CreateToolhelp32Snapshot", "DWORD", 8, "DWORD", $PID)
; Neither the snapshot handle nor the Module32First result is checked, so the
; loop below records one row even when no module entry was returned.
DllCall($hOpen, "BOOL", "Module32First", "HANDLE", $hSnapshot[0], "ptr", DllStructGetPtr($vMODULEENTRY32))
Do
; Grows the array by one row and copies the 10 struct fields into it.
ReDim $aArray[$iCount + 1][10]
For $i = 1 To 10
$aArray[$iCount][$i - 1] = DllStructGetData($vMODULEENTRY32, $i)
Next
$iCount += 1
$vNext = DllCall($hOpen, "BOOL", "Module32Next", "HANDLE", $hSnapshot[0], "ptr", DllStructGetPtr($vMODULEENTRY32))
Until Not $vNext[0]
; The snapshot handle in $hSnapshot[0] is not closed in this function.
DllClose($hOpen)
Return $aArray
EndFunc
; Ends the script on the first pass through the Else branch, then closes the If
; and the While that were opened before the Func definitions.
Exit
EndIf
WEnd
12/21/2014, 16:02
#2
$sPath =@ScriptDir & '\ test.dll'
12/21/2014, 16:59
#3
Ah ja, hab ich aus Versehen beim Posten geändert.
Geht trotzdem nicht..
12/21/2014, 17:40
#4
Hast du ja schön kopiert. Woher hast du das? Ich bin mir sicher, es gab mal einen AutoIt-DLL-Injector von einem Mod aus der Section, versuch das mal (epvp-Suche).
ProcessExists gibt übrigens die PID von Spiel.exe zurück,
GetWindowThreadProcessId nicht.
12/22/2014, 12:55
#5
Code:
;=================================================================================================
; Function: _InjectDll($processId, $dllPath)
; Description: Injects a .dll into a running program.
; Return Value(s): On Success - Returns true
; On Failure - Returns false
; @Error - 0 = No error.
; 1 = Invalid ProcessId
; 2 = File does not exist
; 3 = File is not a .dll (invalid file)
; 4 = Failed to open 'Kernel32.dll'
; 5 = Failed to get the full path
; 6 = Failed to open the process
; 7 = Failed to call 'GetModuleHandle'
; 8 = Failed to call 'GetProcAddress'
; 9 = Failed to call 'VirtualAllocEx'
; 10 = Failed to write the memory
; 11 = Failed to create the 'RemoteThread'
; Author(s): KDeluxe
; Technique: LoadLibraryA started through CreateRemoteThread in the target process
; (MITRE ATT&CK T1055.001).
; Review notes:
; - Codes 5 to 11 are set from @error after DllCall, which reports that the call
; could not be made; the value each API returned (in element [0]) is not
; inspected. "Success" therefore means every DllCall was issued, not that the
; library was loaded.
; - The early returns after DllOpen and OpenProcess leave $dllKernel32 and the
; process handle open.
; Defender's view: the OpenProcess / VirtualAllocEx / WriteProcessMemory /
; CreateRemoteThread sequence below is recorded by Sysmon as Event ID 10
; (ProcessAccess, with the requested access mask) and Event ID 8
; (CreateRemoteThread), followed by Event ID 7 (ImageLoad) in the target.
;=================================================================================================
Func _InjectDll($processId, $dllPath)
If ProcessExists($processId) == 0 Then Return SetError(1, "", False)
If Not FileExists($dllPath) Then Return SetError(2, "", False)
; NOTE(review): Not has higher precedence than == in AutoIt, so this evaluates
; (Not StringRight(...)) == ".dll" and the extension check likely never fires.
If Not StringRight($dllPath, 4) == ".dll" Then Return SetError(3, "", False)
$dllKernel32 = DllOpen("Kernel32.dll")
If @error Then Return SetError(4, "", False)
; Fixed 255-byte buffer that receives the absolute path from GetFullPathNameA.
$dllPathStruct = DllStructCreate("char[255]")
DllCall($dllKernel32, "DWORD", "GetFullPathNameA", "str", $dllPath, "DWORD", 255, "ptr", DllStructGetPtr($dllPathStruct), "int", 0)
If @error Then Return SetError(5, "", False)
; Full-access mask; on build 6000 and later it is widened to 0x001FFFFF.
$PROCESS_ALL_ACCESS = 0x001F0FFF
If @OSBuild >= 6000 Then $PROCESS_ALL_ACCESS = BitOR($PROCESS_ALL_ACCESS, 0xF000)
; Opens the target with every access right rather than only the ones used below.
$process = DllCall($dllKernel32, "DWORD", "OpenProcess", "DWORD", $PROCESS_ALL_ACCESS, "int", 0, "DWORD", $processId)
If @error Then Return SetError(6, "", False)
; Resolves LoadLibraryA in the calling process; that address is later used as the
; remote thread's start routine.
$module = DllCall($dllKernel32, "DWORD", "GetModuleHandleA", "str", "kernel32.dll")
If @error Then Return SetError(7, "", False)
$startAddress = DllCall($dllKernel32, "DWORD", "GetProcAddress", "DWORD", $module[0], "str", "LoadLibraryA")
If @error Then Return SetError(8, "", False)
; Allocates a buffer of the struct's size in the target:
; 0x3000 = MEM_COMMIT | MEM_RESERVE, protection 4 = PAGE_READWRITE.
$parameter = DllCall($dllKernel32, "DWORD", "VirtualAllocEx", "int", $process[0], "int", 0, "ULONG_PTR", DllStructGetSize($dllPathStruct), "DWORD", 0x3000, "int", 4)
If @error Then Return SetError(9, "", False)
; Copies the resolved path into the remote buffer.
DllCall($dllKernel32, "BOOL", "WriteProcessMemory", "int", $process[0], "DWORD", $parameter[0], "str", DllStructGetData($dllPathStruct, 1), "ULONG_PTR", DllStructGetSize($dllPathStruct), "int", 0)
If @error Then Return SetError(10, "", False)
; Starts the remote thread at LoadLibraryA with the remote buffer as its argument.
; The returned thread handle is discarded, the thread is not waited for, and the
; remote buffer is not freed.
DllCall($dllKernel32, "int", "CreateRemoteThread", "DWORD", $process[0], "int", 0, "int", 0, "DWORD", $startAddress[0], "DWORD", $parameter[0], "int", 0, "int", 0)
If @error Then Return SetError(11, "", False)
DllCall($dllKernel32, "BOOL", "CloseHandle", "DWORD", $process[0])
DllClose($dllKernel32)
Return SetError(0, "", True)
EndFunc
Code:
; Usage example for _InjectDll: resolve the target by executable name, then pass
; its PID and the DLL path located next to the script.
Const $processName = "Spiel.exe"
Const $dllPath = @ScriptDir & "\test.dll"
; ProcessExists returns the PID of the named process, or 0 when it is not running.
$processId = ProcessExists($processName)
If $processId == 0 Then
; Placeholder: nothing is reported when the process is not found.
; MsgBox()
Else
_InjectDll($processId, $dllPath)
; Placeholder: the @error code set by _InjectDll is tested but not shown or logged.
If @error Then
; MsgBox()
EndIf
EndIf
Das Script von dir ist wirklich nur schlecht zusammenkopiert. Achte doch wenigstens darauf, dass du es "richtig" kopierst.