[C++]WriteProcessMemory: Problems opening the process - WTF -

~~Hybrid~~~ · 01/05/2014, 16:57

Hello.
so, i'm tring to do a simple troll hack for a game, S4League.
whenever im trying to open the process,it wont let me o_o
Screen:

Source Code:

Code:

#include <iostream>
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "user32.lib")




using namespace std;
bool SetPrivilege(LPCTSTR privilege, bool enablePriv) {
	LUID luid = {0};
	if (LookupPrivilegeValue(NULL, privilege, &luid) == FALSE)
		return false;

	HANDLE hToken = NULL;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) == FALSE)
		return false;

	TOKEN_PRIVILEGES tokenPriv = {0};
	tokenPriv.PrivilegeCount = 1;
	tokenPriv.Privileges[0].Luid = luid;
	tokenPriv.Privileges[0].Attributes = enablePriv ? SE_PRIVILEGE_ENABLED : 0;
	if (AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, NULL, NULL, NULL) != FALSE) {
		CloseHandle(hToken);
		return GetLastError() == ERROR_SUCCESS;
	}
	

	CloseHandle(hToken);
	return false;
}

int main()
{
	////////////////////////////////////////////////////////////////////////////////////////////
	int test = SetPrivilege(SE_DEBUG_NAME, true);
	if (!test)
	{
	cout << "Failed to set SE_DEBUG_NAME Privilege" <<endl << endl;
	}
	else 
	{
		cout << "Setted SE_DEBUG_NAME Privilege succesfuly!"<<endl; 
		
	} 
	////////////////////////////////////////////////////////////////////////////////////////////
    int newValue = 2348565979;
    HWND hWnd = FindWindowA(0, "S4 Client");
	Sleep(150);
    if (hWnd == 0) {
        cout << "Cannot find the S4Client Window * o *" << endl;
		cout << "" << endl;
		cout << "Press [ENTER] to close the application ";
		std::cin.get();
		return 0;

    } else {
        DWORD pId = GetWindowThreadProcessId(hWnd, &pId);
		Sleep(100);
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);
		cout << "S4Client pId: " << pId << endl<<endl;
        if (!hProc) {
            cout << "Can't open process." << endl;
            cout << "Press [ENTER] to close the application ";
		std::cin.get();
		return 0;
        } else {
            int isSuccessful = WriteProcessMemory(hProc, (LPVOID)0x19951880, (LPVOID)2348565979, sizeof(2348565979), 

NULL);

            if (isSuccessful > 0) {
                cout << "WriteProcessMemory Succesful!" << endl;
				MessageBoxA(NULL, "54", "200 HP by Hybrid      @      www.elitepvpers.com", MB_OK);
            } else {
                cout << "Cannot write process memory." << endl;
                cout << "Press [ENTER] to close the application ";
		std::cin.get();
		return 0;
            }

			
            CloseHandle(hProc);
        }
    }

    return 0;
}

Any help is appreciated :3

snow · 01/05/2014, 17:11

You have to adjust your privileges, you need SeDebugPrivilege to access S4 League.

~~Hybrid~~~ · 01/05/2014, 17:40

Quote:

Originally Posted by snow911

You have to adjust your privileges, you need SeDebugPrivilege to access S4 League.

Hello, thanks for reply!
All i found was this msdn link

But it's still kinda unclear how to do it.

Master674b · 01/05/2014, 18:53

My guess is that this program sets a higher security descriptor on startup. So you might need to embed a manifest to your application which requests more privileges. I would recommend "highestAvailable". After you did that you should adjust your process token privileges by requesting SE_DEBUG.

Code:

bool SetPrivilege(LPCTSTR privilege, bool enablePriv) {
	LUID luid = {0};
	if (LookupPrivilegeValue(NULL, privilege, &luid) == FALSE)
		return false;

	HANDLE hToken = NULL;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) == FALSE)
		return false;

	TOKEN_PRIVILEGES tokenPriv = {0};
	tokenPriv.PrivilegeCount = 1;
	tokenPriv.Privileges[0].Luid = luid;
	tokenPriv.Privileges[0].Attributes = enablePriv ? SE_PRIVILEGE_ENABLED : 0;
	if (AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, NULL, NULL, NULL) != FALSE) {
		CloseHandle(hToken);
		return GetLastError() == ERROR_SUCCESS;
	}

	CloseHandle(hToken);
	return false;
}

Usage:

Code:

SetPrivilege(SE_DEBUG_NAME, true);

~~Hybrid~~~ · 01/05/2014, 19:19

Quote:
Originally Posted by Master674b
My guess is that this program sets a higher security descriptor on startup. So you might need to embed a manifest to your application which requests more privileges. I would recommend "highestAvailable". After you did that you should adjust your process token privileges by requesting SE_DEBUG.
Code:
bool SetPrivilege(LPCTSTR privilege, bool enablePriv) {
	LUID luid = {0};
	if (LookupPrivilegeValue(NULL, privilege, &luid) == FALSE)
		return false;

	HANDLE hToken = NULL;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) == FALSE)
		return false;

	TOKEN_PRIVILEGES tokenPriv = {0};
	tokenPriv.PrivilegeCount = 1;
	tokenPriv.Privileges[0].Luid = luid;
	tokenPriv.Privileges[0].Attributes = enablePriv ? SE_PRIVILEGE_ENABLED : 0;
	if (AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, NULL, NULL, NULL) != FALSE) {
		CloseHandle(hToken);
		return GetLastError() == ERROR_SUCCESS;
	}

	CloseHandle(hToken);
	return false;
}
Usage:
Code:
SetPrivilege(SE_DEBUG_NAME, true);

Thank you so much for reply, but it still don't work.
This is pissing me off ._.

SCREEN:

bloodx · 01/05/2014, 19:33

Well S4 is using Hackshield or ? I think u need to load your DLL before Hackshield is loaded.

Master674b · 01/05/2014, 19:50

Quote:

Originally Posted by Hybrid~

Thank you so much for reply, but it still don't work.
This is ******* me off ._.

SCREEN:

Code:

if (test = 0)

is not the same as:

Code:

if (!test)

Did you do what I said? Did you embed the manifest with "requestedExecutionLevel" set to "highestAvailable"? Or "requireAdministrator"?

Try to run the program as admin to test. But you should still embed the manifest!

~~Hybrid~~~ · 01/06/2014, 12:58

Quote:
Originally Posted by Master674b
Code:
if (test = 0)
is not the same as:
Code:
if (!test)
Did you do what I said? Did you embed the manifest with "requestedExecutionLevel" set to "highestAvailable"? Or "requireAdministrator"?

Try to run the program as admin to test. But you should still embed the manifest!

No, but I'll try later today. Thanks

EDIT: I embedded it. still the same **** @_@
also changed the if (test = 0 ) to if (!test) and it still says that the Privilege has been setted succesfuly~

Padmak · 01/06/2014, 15:54

Quote:

Originally Posted by bloodx

Well S4 is using Hackshield or ? I think u need to load your DLL before Hackshield is loaded.

The are using Hackshield, so you have to inject before Hackshield starts up.
I released an open-source variant of such an Injector a very long time ago, but you can give it a shot:

Padmak

~~Hybrid~~~ · 01/06/2014, 16:01

Quote:

Originally Posted by Padmak

The are using Hackshield, so you have to inject before Hackshield starts up.
I released an open-source variant of such an Injector a very long time ago, but you can give it a shot:

Padmak

I have XTrap bypassed.
It shouldn't be a problem.
and it's a **** console application, not a DLL

Master674b · 01/06/2014, 16:05

Quote:

Originally Posted by Padmak

The are using Hackshield, so you have to inject before Hackshield starts up.
I released an open-source variant of such an Injector a very long time ago, but you can give it a shot:

Padmak

Once you managed to get the SE_DEBUG privilege it shouldn't matter unless this "Hack Shield" is installing some driver (I would suggest to write your own driver in this case to work around that stupid piece of ****).

It's basically a game of cat-and-mouse.

~~Hybrid~~~ · 01/06/2014, 16:17

Quote:

Originally Posted by Master674b

Once you managed to get the SE_DEBUG privilege it shouldn't matter unless this "Hack Shield" is installing some driver (I would suggest to write your own driver in this case to work around that stupid piece of ****).

It's basically a game of cat-and-mouse.

Imma just take a break. Thank you for ya help. i appreciate it ;3

Padmak · 01/06/2014, 17:52

Sorry, maybe i didn't read it as well as i should have. My bad. But you could give it a shot, though? Usually DLL-Injection makes ones life a lot easier

@Master674b:
It's exactly like you said: HackShield is using a driver to prevent programs from accessing their process

Padmak

Omdi · 01/06/2014, 19:11

You don't need to request PROCESS_ALL_ACCESS access.
Requesting PROCESS_VM_WRITE should work.

K1ramoX · 01/06/2014, 20:09

Code:

void SetDebugPrivilege()
{
	HANDLE hThis = GetCurrentProcess();

	HANDLE hToken;
	LUID luid;
	OpenProcessToken(hThis, TOKEN_ADJUST_PRIVILEGES, &hToken);
	LookupPrivilegeValue(0, "SeDebugPrivilege", &luid);

	TOKEN_PRIVILEGES priv;
	priv.PrivilegeCount = 1;
	priv.Privileges[0].Luid = luid;
	priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	AdjustTokenPrivileges(hToken, false, &priv, 0, 0, 0);

	CloseHandle(hToken);
	CloseHandle(hThis);
}

DWORD getProcessID(const std::string &strName)
{
	PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	DWORD result = 0;

	if (Process32First(hSnapshot, &pe))
	{
		while (Process32Next(hSnapshot, &pe))
		{
			if (std::string(pe.szExeFile) == strName)
			{
				result = pe.th32ProcessID;
				break;
			}
		}
	}

	CloseHandle(hSnapshot);
	return result;
}

int main()
{
	SetDebugPrivilege();

	std::string strProcessname = "S4Client.exe";
	DWORD dwProcessID = 0;

	while (!(dwProcessID = getProcessID(strProcessname)))
		std::this_thread::sleep_for(std::chrono::milliseconds(100));

	/*++
	
	PROCESS_ALL_ACCESS may cause problems, see:
	http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
	
	--*/
	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessID);
	if (!hProc)
	{
		std::cout << "OpenProcess failed! Errorcode: " << GetLastError() << std::endl;
		std::cin.get();
		return 0;
	}

	// your writeprocessmemory stuff...
	// maybe you put a sleep here to give themida time for unpacking the client

	CloseHandle(hProc);
	std::cout << "Done!" << std::endl;
	std::cin.get();
	return 0;
}

gl & hf