Register for your free account! | Forgot your password?

Go Back   elitepvpers Coders Den C/C++
DLL Injection + D3D9 Hook DLL Injection + D3D9 Hook
You last visited: Today at 20:33

  • Please register to post and access all features, it's quick, easy and FREE!

Advertisement


Advertise with us!

DLL Injection + D3D9 Hook

Discussion on DLL Injection + D3D9 Hook within the C/C++ forum part of the Coders Den category.

Reply
 
Old   #1
 
elite*gold: 0
The Black Market: 0/0/0
Join Date: Apr 2007
Posts: 30
Received Thanks: 2
DLL Injection + D3D9 Hook

Hallo elitepvpers,
ich hab mich an versucht.
Die DLL hab ich einigermaßen hinbekommen. Hier der Code:
Code:
#pragma once
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")

#include <windows.h>
#include <cstdio>
#include <d3d9.h>
#include <d3dx9.h>

//Variablen Deklaration
//HRESULT __stdcall EndScene(LPDIRECT3DDEVICE9 pDevice);
typedef HRESULT(__stdcall* EndScene_t)(LPDIRECT3DDEVICE9);
LPDIRECT3DDEVICE9 pDevice;
EndScene_t pEndScene;
DWORD dwDrawIndexedPrimitive;
DWORD dwEndScene;
//--------------------------------------------------------


const D3DCOLOR txtPink = D3DCOLOR_ARGB(255, 255, 0, 255); // Alpha, Rot, Grün, Blau
ID3DXFont *pFont;
LPDIRECT3DTEXTURE9 texPink;
char* charWallhack;

HRESULT GenerateTexture(IDirect3DDevice9 *pD3Ddev, IDirect3DTexture9 **ppD3Dtex, DWORD colour32)
{
	if( FAILED(pD3Ddev->CreateTexture(8, 8, 1, 0, D3DFMT_A4R4G4B4, D3DPOOL_MANAGED,ppD3Dtex, NULL)) )
		return E_FAIL;
	WORD colour16 = ((WORD)((colour32>>28)&0xF)<<12)
					|(WORD)(((colour32>>20)&0xF)<<8)
					|(WORD)(((colour32>>12)&0xF)<<4)
					|(WORD)(((colour32>>4)&0xF)<<0);
	D3DLOCKED_RECT d3dlr;    
	(*ppD3Dtex)->LockRect(0, &d3dlr, 0, 0);
	WORD *pDst16 = (WORD*)d3dlr.pBits;

	for(int xy=0; xy < 8*8; xy++)
		*pDst16++ = colour16;

	(*ppD3Dtex)->UnlockRect(0);
	return S_OK;
}
 

void DrawRect (LPDIRECT3DDEVICE9 Device_t, int X, int Y, int L, int H, D3DCOLOR color)
{
	D3DRECT rect = {X, Y, X+L, Y+H};
	Device_t->Clear(1, &rect, D3DCLEAR_TARGET, color, 0,  0);
}

void DrawFont (int X, int Y, D3DCOLOR Color, char *format, ...)
{
        char buffer[256];
        va_list args; // deswegen: #include <cstdio>
        va_start (args, format);
        vsprintf (buffer,format, args);
                RECT FontRect = { X, Y, X + 120, Y + 16 };
				pFont->DrawText( NULL, (LPCWSTR)buffer, -1, &FontRect, DT_NOCLIP , Color ); // Zeichnen
        va_end (args);
}

HRESULT __stdcall hkEndScene(LPDIRECT3DDEVICE9 pDevice_t)  
{
	if(pDevice == NULL){
		pDevice = pDevice_t;
		GenerateTexture(pDevice, &texPink,txtPink);
	}
	else{
		//DrawFont ( 300, 50, txtPink, "Wallhack %s", charWallhack );
		DrawRect ( pDevice, 10, 10, 200, 200, txtPink);
	}
	return pEndScene(pDevice);
}


//------------------------------------------------------------------------------------------------
//Detour function von Game Deception
void *DetourFunc(BYTE *src, const BYTE *dst, const int len) // credits to gamedeception
{
	BYTE *jmp = (BYTE*)malloc(len+5);
	DWORD dwback;
	VirtualProtect(src, len, PAGE_READWRITE, &dwback);
	memcpy(jmp, src, len); jmp += len;
	jmp[0] = 0xE9;
	*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
	src[0] = 0xE9;
	*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
	VirtualProtect(src, len, dwback, &dwback);
	return (jmp-len);
}

bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask ) 
            return false;
    return (*szMask) == NULL;
} 
DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
    for(DWORD i=0; i < dwLen; i++)
        if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
            return (DWORD)(dwAddress+i);
    
    return 0;
}

//Um sicher zu gehen, dass die dll geladen wurde
void InitHook()
{        HMODULE hModule = NULL;
        while( !hModule )
        {
                hModule = GetModuleHandleA( "d3d9.dll" ); // Handle zur DLL holen
                Sleep( 100 ); // 100ms warten
        }

		DWORD* VTableStart = 0;                  
		DWORD FoundByGordon = dwFindPattern((DWORD)hModule, 0x128000,
		(PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
		if(FoundByGordon != 0){
			memcpy(&VTableStart, (void*)(FoundByGordon+2), 4);
			dwDrawIndexedPrimitive = (DWORD)VTableStart[82]; // für mehr: blick in die d3d9.h werfen!
			dwEndScene = (DWORD)VTableStart[42];

			pEndScene = ( EndScene_t )DetourFunc((PBYTE) 0x73E4412C,(PBYTE)hkEndScene, 5);
			if(pDevice != NULL && pFont != NULL){
				//D3DXCreateFont(pDevice, 14, 0, FW_NORMAL, 1, 0, DEFAULT_CHARSET,  OUT_DEFAULT_PRECIS, ANTIALIASED_QUALITY, DEFAULT_PITCH | FF_DONTCARE, (LPCWSTR)"Arial", &pFont ); 
				GenerateTexture(pDevice, &texPink,txtPink);
			}
		}
		else{
			MessageBox(NULL, TEXT("No Pattern found"), NULL, MB_OK);
		}
}


//Die Main
int WINAPI DllMain(HINSTANCE hInst,DWORD reason,LPVOID reserved)
{
        switch(reason)
        {
        case DLL_PROCESS_ATTACH:
                CreateThread(0, 0, (LPTHREAD_START_ROUTINE) InitHook, 0, 0, 0);
                break;
        }
        return true;
}
Der DLL Injector in C#:
Code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

namespace DLLInjector
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        [DllImport("kernel32")]
        public static extern IntPtr CreateRemoteThread(
          IntPtr hProcess,
          IntPtr lpThreadAttributes,
          uint dwStackSize,
          UIntPtr lpStartAddress, // raw Pointer into remote process
          IntPtr lpParameter,
          uint dwCreationFlags,
          out IntPtr lpThreadId
        );

        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(
            UInt32 dwDesiredAccess,
            Int32 bInheritHandle,
            Int32 dwProcessId
            );

        [DllImport("kernel32.dll")]
        public static extern Int32 CloseHandle(
        IntPtr hObject
        );

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern bool VirtualFreeEx(
            IntPtr hProcess,
            IntPtr lpAddress,
            UIntPtr dwSize,
            uint dwFreeType
            );

        [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
        public static extern UIntPtr GetProcAddress(
            IntPtr hModule,
            string procName
            );

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocEx(
            IntPtr hProcess,
            IntPtr lpAddress,
            uint dwSize,
            uint flAllocationType,
            uint flProtect
            );

        [DllImport("kernel32.dll")]
        static extern bool WriteProcessMemory(
            IntPtr hProcess,
            IntPtr lpBaseAddress,
            string lpBuffer,
            UIntPtr nSize,
            out IntPtr lpNumberOfBytesWritten
        );

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(
            string lpModuleName
            );

        [DllImport("kernel32", SetLastError = true, ExactSpelling = true)]
        internal static extern Int32 WaitForSingleObject(
            IntPtr handle,
            Int32 milliseconds
            );

        public Int32 GetProcessId(String proc)
        {
            Process[] ProcList;
            ProcList = Process.GetProcessesByName(proc);
            return ProcList[0].Id;
        }

        public void InjectDLL(IntPtr hProcess, String strDLLName)
        {
            IntPtr bytesout;

            // Length of string containing the DLL file name +1 byte padding
            Int32 LenWrite = strDLLName.Length + 1;
            // Allocate memory within the virtual address space of the target process
            IntPtr AllocMem = (IntPtr)VirtualAllocEx(hProcess, (IntPtr)null, (uint)LenWrite, 0x1000, 0x40); //allocation pour WriteProcessMemory

            // Write DLL file name to allocated memory in target process
            WriteProcessMemory(hProcess, AllocMem, strDLLName, (UIntPtr)LenWrite, out bytesout);
            // Function pointer "Injector"
            UIntPtr Injector = (UIntPtr)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

            if (Injector == null)
            {
                MessageBox.Show(" Injector Error! \n ");
                // return failed
                return;
            }

            // Create thread in target process, and store handle in hThread
            IntPtr hThread = (IntPtr)CreateRemoteThread(hProcess, (IntPtr)null, 0, Injector, AllocMem, 0, out bytesout);
            // Make sure thread handle is valid
            if (hThread == null)
            {
                //incorrect thread handle ... return failed
                MessageBox.Show(" hThread [ 1 ] Error! \n ");
                return;
            }
            // Time-out is 10 seconds...
            int Result = WaitForSingleObject(hThread, 10 * 1000);
            // Check whether thread timed out...
            if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)
            {
                /* Thread timed out... */
                MessageBox.Show(" hThread [ 2 ] Error! \n ");
                // Make sure thread handle is valid before closing... prevents crashes.
                if (hThread != null)
                {
                    //Close thread in target process
                    CloseHandle(hThread);
                }
                return;
            }
            // Sleep thread for 1 second
            Thread.Sleep(1000);
            // Clear up allocated space ( Allocmem )
            VirtualFreeEx(hProcess, AllocMem, (UIntPtr)0, 0x8000);
            // Make sure thread handle is valid before closing... prevents crashes.
            if (hThread != null)
            {
                //Close thread in target process
                CloseHandle(hThread);
            }
            // return succeeded
            return;
        }

        private void button1_Click_1(object sender, EventArgs e)
        {
            String strDLLName = textBox2.Text;
            String strProcessName = textBox1.Text;

            Int32 ProcID = GetProcessId(strProcessName);
            if (ProcID >= 0)
            {
                IntPtr hProcess = (IntPtr)OpenProcess(0x1F0FFF, 1, ProcID);
                if (hProcess == null)
                {
                    MessageBox.Show("OpenProcess() Failed!");
                    return;
                }
                else
                    InjectDLL(hProcess, strDLLName);
            }
        }
    }
}
Da das alles eher mit c&p als mit Verstand gemacht wurde, läuft das ganze natürlich nicht und ich hab einige Fragen dazu:

Zur InjectDLL:
Auf welches Signal wartet WaitForSingleObject? Sobald ich die DLL Injection starte stürzt das DirectX9 Programm (Ein Sample aus dem SDK) ab. Kurz darauf gibt es die Fehlermeldung "hTreahd[2] Error".

Zum D3DHook:
Da versteh ich recht wenig. Vor allem die Detours Funktion nicht.
So wie ich es verstanden hab, soll sie die Startadresse der EndScene()
Funktion zurückgeben. Aber was soll ich damit anstellen?

Ich hab beides auf einem 64Bit Rechner für 32Bit Systeme kompiliert.
Es läuft auf keinem von beiden, egal ob ich das Pattern von Gordon oder
eine statische Adresse benutze um die EndScene zu finden..
niko_d is offline  
Old   #2
 
xNopex's Avatar
 
elite*gold: 0
The Black Market: 1/0/0
Join Date: May 2009
Posts: 827
Received Thanks: 471
Lalalala:


Remarks lesen. Und logisch denken.


Die Detour Funktion gibt dir die Adresse des Trampolins zurück.
xNopex is offline  
Old   #3
 
elite*gold: 0
The Black Market: 0/0/0
Join Date: Apr 2007
Posts: 30
Received Thanks: 2
Quote:
Originally Posted by xNopex View Post
Lalalala:


Remarks lesen. Und logisch denken.


Die Detour Funktion gibt dir die Adresse des Trampolins zurück.
Danke für die schnelle Antwort.
Hab dummerweise nicht weit genug runtergescrollt XD
Die Antwort hab ich in den Remarks von gefunden (ohne logisch nachzudenken :P).
Code:
When a thread terminates, the thread object attains a signaled state, which satisfies the threads that are waiting for the object.
The thread object remains in the system until the thread has terminated and all handles to it are closed through a call to CloseHandle.
Zu der Detours-Funktion: Trampolin sagt mir nicht viel
Ich geh mal stark davon aus es ist die Rücksprungadresse zu der original EndScene() Funktion. Ich weiß jetzt noch immer nicht was ich damit machen soll. Die Detours-Funktion erledigt doch den Rücksprung oder nicht?

Bitte nehmt mir das nicht übel, aber das ist das 1. mal dass ich mit der
WinAPI und DirectX arbeite. Programmiere normalerweise in Java.
niko_d is offline  
Old   #4


 
MrSm!th's Avatar
 
elite*gold: 7110
The Black Market: 28/0/0
Join Date: Jun 2009
Posts: 28,913
Received Thanks: 25,415
Ich rate zu Microsoft Detours anstatt dieser GD Funktion.
MrSm!th is offline  
Old   #5
 
Dr. Coxxy's Avatar
 
elite*gold: 0
The Black Market: 0/0/0
Join Date: Feb 2011
Posts: 1,206
Received Thanks: 736
kannst dir auch mal das tut hier ansehen:
Dr. Coxxy is offline  
Thanks
1 User
Old   #6
 
elite*gold: 0
The Black Market: 0/0/0
Join Date: Apr 2007
Posts: 30
Received Thanks: 2
Thx das Tutorial hat geholfen.
Btw. der DLL-Injector den ich oben gepostet habe funktioniert nicht, aber
damit beschäftige ich mich später.
niko_d is offline  
Old   #7
 
SonyRazzer's Avatar
 
elite*gold: 0
The Black Market: 0/0/0
Join Date: Sep 2012
Posts: 182
Received Thanks: 223
Quote:
Originally Posted by niko_d View Post
Hallo elitepvpers,
ich hab mich an versucht.
Die DLL hab ich einigermaßen hinbekommen. Hier der Code:
Code:
#pragma once
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")

#include <windows.h>
#include <cstdio>
#include <d3d9.h>
#include <d3dx9.h>

//Variablen Deklaration
//HRESULT __stdcall EndScene(LPDIRECT3DDEVICE9 pDevice);
typedef HRESULT(__stdcall* EndScene_t)(LPDIRECT3DDEVICE9);
LPDIRECT3DDEVICE9 pDevice;
EndScene_t pEndScene;
DWORD dwDrawIndexedPrimitive;
DWORD dwEndScene;
//--------------------------------------------------------


const D3DCOLOR txtPink = D3DCOLOR_ARGB(255, 255, 0, 255); // Alpha, Rot, Grün, Blau
ID3DXFont *pFont;
LPDIRECT3DTEXTURE9 texPink;
char* charWallhack;

HRESULT GenerateTexture(IDirect3DDevice9 *pD3Ddev, IDirect3DTexture9 **ppD3Dtex, DWORD colour32)
{
	if( FAILED(pD3Ddev->CreateTexture(8, 8, 1, 0, D3DFMT_A4R4G4B4, D3DPOOL_MANAGED,ppD3Dtex, NULL)) )
		return E_FAIL;
	WORD colour16 = ((WORD)((colour32>>28)&0xF)<<12)
					|(WORD)(((colour32>>20)&0xF)<<8)
					|(WORD)(((colour32>>12)&0xF)<<4)
					|(WORD)(((colour32>>4)&0xF)<<0);
	D3DLOCKED_RECT d3dlr;    
	(*ppD3Dtex)->LockRect(0, &d3dlr, 0, 0);
	WORD *pDst16 = (WORD*)d3dlr.pBits;

	for(int xy=0; xy < 8*8; xy++)
		*pDst16++ = colour16;

	(*ppD3Dtex)->UnlockRect(0);
	return S_OK;
}
 

void DrawRect (LPDIRECT3DDEVICE9 Device_t, int X, int Y, int L, int H, D3DCOLOR color)
{
	D3DRECT rect = {X, Y, X+L, Y+H};
	Device_t->Clear(1, &rect, D3DCLEAR_TARGET, color, 0,  0);
}

void DrawFont (int X, int Y, D3DCOLOR Color, char *format, ...)
{
        char buffer[256];
        va_list args; // deswegen: #include <cstdio>
        va_start (args, format);
        vsprintf (buffer,format, args);
                RECT FontRect = { X, Y, X + 120, Y + 16 };
				pFont->DrawText( NULL, (LPCWSTR)buffer, -1, &FontRect, DT_NOCLIP , Color ); // Zeichnen
        va_end (args);
}

HRESULT __stdcall hkEndScene(LPDIRECT3DDEVICE9 pDevice_t)  
{
	if(pDevice == NULL){
		pDevice = pDevice_t;
		GenerateTexture(pDevice, &texPink,txtPink);
	}
	else{
		//DrawFont ( 300, 50, txtPink, "Wallhack %s", charWallhack );
		DrawRect ( pDevice, 10, 10, 200, 200, txtPink);
	}
	return pEndScene(pDevice);
}


//------------------------------------------------------------------------------------------------
//Detour function von Game Deception
void *DetourFunc(BYTE *src, const BYTE *dst, const int len) // credits to gamedeception
{
	BYTE *jmp = (BYTE*)malloc(len+5);
	DWORD dwback;
	VirtualProtect(src, len, PAGE_READWRITE, &dwback);
	memcpy(jmp, src, len); jmp += len;
	jmp[0] = 0xE9;
	*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
	src[0] = 0xE9;
	*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
	VirtualProtect(src, len, dwback, &dwback);
	return (jmp-len);
}

bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask ) 
            return false;
    return (*szMask) == NULL;
} 
DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
    for(DWORD i=0; i < dwLen; i++)
        if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
            return (DWORD)(dwAddress+i);
    
    return 0;
}

//Um sicher zu gehen, dass die dll geladen wurde
void InitHook()
{        HMODULE hModule = NULL;
        while( !hModule )
        {
                hModule = GetModuleHandleA( "d3d9.dll" ); // Handle zur DLL holen
                Sleep( 100 ); // 100ms warten
        }

		DWORD* VTableStart = 0;                  
		DWORD FoundByGordon = dwFindPattern((DWORD)hModule, 0x128000,
		(PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
		if(FoundByGordon != 0){
			memcpy(&VTableStart, (void*)(FoundByGordon+2), 4);
			dwDrawIndexedPrimitive = (DWORD)VTableStart[82]; // für mehr: blick in die d3d9.h werfen!
			dwEndScene = (DWORD)VTableStart[42];

			pEndScene = ( EndScene_t )DetourFunc((PBYTE) 0x73E4412C,(PBYTE)hkEndScene, 5);
			if(pDevice != NULL && pFont != NULL){
				//D3DXCreateFont(pDevice, 14, 0, FW_NORMAL, 1, 0, DEFAULT_CHARSET,  OUT_DEFAULT_PRECIS, ANTIALIASED_QUALITY, DEFAULT_PITCH | FF_DONTCARE, (LPCWSTR)"Arial", &pFont ); 
				GenerateTexture(pDevice, &texPink,txtPink);
			}
		}
		else{
			MessageBox(NULL, TEXT("No Pattern found"), NULL, MB_OK);
		}
}


//Die Main
int WINAPI DllMain(HINSTANCE hInst,DWORD reason,LPVOID reserved)
{
        switch(reason)
        {
        case DLL_PROCESS_ATTACH:
                CreateThread(0, 0, (LPTHREAD_START_ROUTINE) InitHook, 0, 0, 0);
                break;
        }
        return true;
}
Der DLL Injector in C#:
Code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

namespace DLLInjector
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        [DllImport("kernel32")]
        public static extern IntPtr CreateRemoteThread(
          IntPtr hProcess,
          IntPtr lpThreadAttributes,
          uint dwStackSize,
          UIntPtr lpStartAddress, // raw Pointer into remote process
          IntPtr lpParameter,
          uint dwCreationFlags,
          out IntPtr lpThreadId
        );

        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(
            UInt32 dwDesiredAccess,
            Int32 bInheritHandle,
            Int32 dwProcessId
            );

        [DllImport("kernel32.dll")]
        public static extern Int32 CloseHandle(
        IntPtr hObject
        );

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern bool VirtualFreeEx(
            IntPtr hProcess,
            IntPtr lpAddress,
            UIntPtr dwSize,
            uint dwFreeType
            );

        [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
        public static extern UIntPtr GetProcAddress(
            IntPtr hModule,
            string procName
            );

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocEx(
            IntPtr hProcess,
            IntPtr lpAddress,
            uint dwSize,
            uint flAllocationType,
            uint flProtect
            );

        [DllImport("kernel32.dll")]
        static extern bool WriteProcessMemory(
            IntPtr hProcess,
            IntPtr lpBaseAddress,
            string lpBuffer,
            UIntPtr nSize,
            out IntPtr lpNumberOfBytesWritten
        );

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(
            string lpModuleName
            );

        [DllImport("kernel32", SetLastError = true, ExactSpelling = true)]
        internal static extern Int32 WaitForSingleObject(
            IntPtr handle,
            Int32 milliseconds
            );

        public Int32 GetProcessId(String proc)
        {
            Process[] ProcList;
            ProcList = Process.GetProcessesByName(proc);
            return ProcList[0].Id;
        }

        public void InjectDLL(IntPtr hProcess, String strDLLName)
        {
            IntPtr bytesout;

            // Length of string containing the DLL file name +1 byte padding
            Int32 LenWrite = strDLLName.Length + 1;
            // Allocate memory within the virtual address space of the target process
            IntPtr AllocMem = (IntPtr)VirtualAllocEx(hProcess, (IntPtr)null, (uint)LenWrite, 0x1000, 0x40); //allocation pour WriteProcessMemory

            // Write DLL file name to allocated memory in target process
            WriteProcessMemory(hProcess, AllocMem, strDLLName, (UIntPtr)LenWrite, out bytesout);
            // Function pointer "Injector"
            UIntPtr Injector = (UIntPtr)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

            if (Injector == null)
            {
                MessageBox.Show(" Injector Error! \n ");
                // return failed
                return;
            }

            // Create thread in target process, and store handle in hThread
            IntPtr hThread = (IntPtr)CreateRemoteThread(hProcess, (IntPtr)null, 0, Injector, AllocMem, 0, out bytesout);
            // Make sure thread handle is valid
            if (hThread == null)
            {
                //incorrect thread handle ... return failed
                MessageBox.Show(" hThread [ 1 ] Error! \n ");
                return;
            }
            // Time-out is 10 seconds...
            int Result = WaitForSingleObject(hThread, 10 * 1000);
            // Check whether thread timed out...
            if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)
            {
                /* Thread timed out... */
                MessageBox.Show(" hThread [ 2 ] Error! \n ");
                // Make sure thread handle is valid before closing... prevents crashes.
                if (hThread != null)
                {
                    //Close thread in target process
                    CloseHandle(hThread);
                }
                return;
            }
            // Sleep thread for 1 second
            Thread.Sleep(1000);
            // Clear up allocated space ( Allocmem )
            VirtualFreeEx(hProcess, AllocMem, (UIntPtr)0, 0x8000);
            // Make sure thread handle is valid before closing... prevents crashes.
            if (hThread != null)
            {
                //Close thread in target process
                CloseHandle(hThread);
            }
            // return succeeded
            return;
        }

        private void button1_Click_1(object sender, EventArgs e)
        {
            String strDLLName = textBox2.Text;
            String strProcessName = textBox1.Text;

            Int32 ProcID = GetProcessId(strProcessName);
            if (ProcID >= 0)
            {
                IntPtr hProcess = (IntPtr)OpenProcess(0x1F0FFF, 1, ProcID);
                if (hProcess == null)
                {
                    MessageBox.Show("OpenProcess() Failed!");
                    return;
                }
                else
                    InjectDLL(hProcess, strDLLName);
            }
        }
    }
}
Da das alles eher mit c&p als mit Verstand gemacht wurde, läuft das ganze natürlich nicht und ich hab einige Fragen dazu:

Zur InjectDLL:
Auf welches Signal wartet WaitForSingleObject? Sobald ich die DLL Injection starte stürzt das DirectX9 Programm (Ein Sample aus dem SDK) ab. Kurz darauf gibt es die Fehlermeldung "hTreahd[2] Error".

Zum D3DHook:
Da versteh ich recht wenig. Vor allem die Detours Funktion nicht.
So wie ich es verstanden hab, soll sie die Startadresse der EndScene()
Funktion zurückgeben. Aber was soll ich damit anstellen?

Ich hab beides auf einem 64Bit Rechner für 32Bit Systeme kompiliert.
Es läuft auf keinem von beiden, egal ob ich das Pattern von Gordon oder
eine statische Adresse benutze um die EndScene zu finden..
Du kannst mich Skype [Cribfex3] gerne mal hinzufügen, kann dir viel zum Hooking beibringen ( Detours, .. )
SonyRazzer is offline  
Reply

« IF & Else | [Brauchehilfe]Bots erstellen! »

Similar Threads Similar Threads
[Release] Krischkros D3D9 Hook 1.1 [20.01.2011]
12/18/2012 - Shaiya Hacks, Bots, Cheats & Exploits - 19 Replies
Hallo... Das ist mein aller erster D3D9 Hack ------------------------------------------------- -------------------------------------------------- -------------------------------------------------- -------------------------------------------------- -------------------- ------------------------------------------------- -------------------------------------------------- -------------------------------------------------- -------------------------------------------------- --------------------...
[Problem] D3D9-Hook funzt nur manchmal
01/31/2012 - C/C++ - 7 Replies
Hallo Leute, ich wende mich voller Verzweifelung an euch, da mal wieder etwas nicht funktioniert. :o Ich habe gerade einen D3D9 Endscene Hook aus dem Tutorial von SilverDeath fertiggestellt. Ich habe den vom Autor empfohlenen Injector benutzt, um meine DLL in ein D3D9-Testprogramm (Credits an wen von MPGH) zu injizieren (im Anhang + Virustotal). Am Anfang ist das Testprogramm immer wieder abgeschmiert. Erst als ich den "add_log"-Aufruf in der gehookten Funktion reingestellt habe, ist es...
[Frage] DllCall, EndScence, Hook, LUA Injection
04/24/2011 - General Coding - 10 Replies
Hallihallo, ich bin mir nicht ganz sicher, ob da hier richtig ist, da es sich auf WoW bezieht. Ich möchte via AutoIt ein kleines Tool schreiben, mit dem ich z.B. den 'Charakter erstellen' Button drücken kann, ohne das WoW Fenster maximiert zu haben (ControlClick, Mouseclick plus funktionieren bei WoW nicht). Dazu hab ich mich natürlich schon schlau gemacht und bin auf einige Begriffe wie Endscene, Hook, LUA Injection und die Funktion WowLuaDoString gestoßen. Jetzt meine Frage: Besteht...
D3D8/D3D9 Device Hook
01/30/2008 - Soldier Front - 4 Replies
http://rapidshare.com/files/86461541/d3dx8.zip.htm l http://rapidshare.com/files/86461553..._v2.3.zip. html http://rapidshare.com/files/86461559..._v2.3.zip. html



All times are GMT +2. The time now is 20:35.

elitepvpers - play less, get more - Top

Powered by vBulletin®
Copyright ©2000 - 2026, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.

Support | Contact Us | FAQ | Advertising | Privacy Policy | Terms of Service | Abuse
Copyright ©2026 elitepvpers All Rights Reserved.