[SRC-Release] Injector with an embeddable DLL

Nyamochka · 05/19/2010, 10:15

Here's the injector I made for my Item Manager.

Loads a DLL from resource;
Writes a .dll with a random filename into System32 folder;
Injects using simple LoadLibrary/CreateRemoteThread method;
Schedules the .dll for deletion on reboot.

How to use it in your VC++ project:

Make sure your project is set to Unicode (Solution properties -> Configuration Properties -> General -> Character Set = Use Unicode Character Set);
Make your project require administrator privileges (Solution properties -> Configuration Properties -> Linker -> Manifest File -> UAC Execution Level = requireAdministrator);
Create a resource in your project with type of "BINARY" and ID of "IDR_DLL" and set its path to your DLL file.
Include 'Injection.h' in your main CPP.

Then use it like this- on a timer message or in a separate thread loop:

Code:

DWORD procId = GetTargetThreadIDFromProcName(L"S4 Client.exe");

if (procId) {
    Inject(procId);
}

Of course, this snippet lacks error handling, and you should have it, but it's up to you.

Feel free to add corrections and ask questions. Happy coding!

~~captaingenzo~~ · 05/19/2010, 10:19

what about 64 win7 ? is it same for 32 bit os ?

Nyamochka · 05/19/2010, 10:21

Quote:

Originally Posted by captaingenzo

what about 64 win7 ?

Reported working under Win7 64-bit.

The problem with some of the users was due to Unicode Windows usernames.

Update: Oh, you mean System32 can be a problem on 64-bit systems? As far as I remember, it's still there for compatibility purposes so it should be OK. It's just a trick to fool X-Trap.

~~mipez~~ · 05/19/2010, 11:48

Hm, that's nice. I don't use C++, but I got an idea for using with other languages ;D

Nyamochka · 05/19/2010, 11:51

Quote:

Originally Posted by mipez

Hm, that's nice. I don't use C++, but I got an idea for using with other languages ;D

It's easy to translate it into VB, Delphi or C# - API calls are the same.

Nyamochka · 05/19/2010, 13:23

LOL! Just noticed I haven't attached it. Here you go.

I wonder why no one noticed there should be something

cmpqz321 · 05/19/2010, 14:09

nice

casaAlex · 05/19/2010, 14:12

Gj you get a big Thx.
Alex.

Nyamochka · 05/19/2010, 15:25

This ****:

Code:

GetEnvironmentVariable(L"WINDIR", tempPath, MAX_PATH);
wcscat_s(tempPath, MAX_PATH, L"\\System32");

Should be replaced with:

Code:

GetSystemDirectory(tempPath, MAX_PATH);

It doesn't make a difference, yet it's a fail anyway

MrSm!th · 05/19/2010, 15:30

hm nice work, even if i dont think that's really necessary in the s4 section

maybe you could make a class and if its good, i will add it to the Gamehacking Foundation Classes (if you agree)

Nyamochka · 05/19/2010, 15:35

Quote:

Originally Posted by MrSm!th

hm nice work, even if i dont think that's really necessary in the s4 section
maybe you could make a class and if its good, i will add it to the Gamehacking Foundation Classes (if you agree)

I never heard of GFC, yet i think there should be an injector, or even a handful of them already. And my stealth mechanisms (which are currently failing) don't qualify for a separate class, I guess.

MrSm!th · 05/19/2010, 15:45

Quote:

Originally Posted by Nyamochka

I never heard of GFC, yet i think there should be an injector, or even a handful of them already. And my stealth mechanisms (which are currently failing) don't qualify for a separate class, I guess.

Yes, because i am working on it

It's a big collection of classes for (advanced) gamehacking, like detouring etc...
maybe you want to help me?

Nyamochka · 05/19/2010, 15:53

Quote:

Originally Posted by MrSm!th

Yes, because i am working on it

It's a big collection of classes for (advanced) gamehacking, like detouring etc...
maybe you want to help me?

Well, maybe I want to, but I don't know yet. I'm working on my manager while procrastinating from my job, but I'm not much of a game hacker

Let's see how it will go.

Nyamochka · 05/20/2010, 17:32

As you may have noticed, my injector had trouble with some of Vista/Win7 instances. Here's the fix.

Header:

Code:

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
  ULONG Length;
  HANDLE RootDirectory;
  PUNICODE_STRING ObjectName;
  ULONG Attributes;
  PVOID SecurityDescriptor;
  PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

typedef DWORD (WINAPI *NTCREATETHREADEX)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID Unknown
);

Replace this in the code:

Code:

hThread = CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);

With this:

Code:

HANDLE hThread;
	NTCREATETHREADEX NtCreateThreadEx = (NTCREATETHREADEX)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
	if(NtCreateThreadEx) {
		NtCreateThreadEx(&hThread, GENERIC_ALL, NULL, hProc, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, FALSE, NULL, NULL, NULL, NULL);
	} else {
		hThread = CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
	}