Jump to content

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more here. X
X


Photo

Injecting A DLL


  • This topic is locked This topic is locked
15 replies to this topic

#1 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 14 February 2012 - 12:35 AM

I know this has be asked before and I have researched but did not find anything but this thread.

I am using the Inject code below and compiled it as instructed.

Now I used the compiled program they made and it works 100%, but when I comiple it then it will not work..I can post the program they gave if needed (didn't want to post and get in trouble for it). Any help would be appreciated!

(Based on the code below, I always get error -4)

AutoIt         
; <AUT2EXE VERSION: 3.2.1.14> ; ---------------------------------------------------------------------------- ; <AUT2EXE INCLUDE-START: C:Documents and SettingsHDesktophans'sAuto-it projectsLoaderLoader.au3> ; ---------------------------------------------------------------------------- #cs ---------------------------------------------------------------------------- AutoIt Version: 3.2.1.14 (beta) Author:      myName Script Function: Template AutoIt script. #ce ---------------------------------------------------------------------------- ; ---------------------------------------------------------------------------- ; <AUT2EXE INCLUDE-START: C:Documents and SettingsHDesktophans'sAuto-it projectsLoaderInjectDLL.au3> ; ---------------------------------------------------------------------------- Func _InjectDll($hWnd, $dllpath) ;make sure the user passed valid parameters If $hWnd <= 0 Then   SetError(-1)   Return False ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then   SetError(-2)   Return False EndIf Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread ;open dll that we'll be using Local $kernel32 = DllOpen("kernel32.dll") ;get the pid from the window provided $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hWnd, "int_ptr", 0) If IsArray($pid) Then   $pid = $pid[2] Else   SetError(-3)   Return False EndIf ;open the process for writing $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid) If IsArray($pHandle) And $pHandle[0] > 0 Then   $pHandle = $pHandle[0] Else   SetError(-4)   Return False EndIf $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4) If IsArray($pLibRemote) Then   If $pLibRemote[0] > 0 Then    ;debug    ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)    $pLibRemote = $pLibRemote[0]   Else    SetError(-5)    Return False   EndIf Else   SetError(-6)   Return False EndIf For $i = 0 To StringLen($dllpath)   $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)   If IsArray($ret) Then    If $ret[0] = 0 Then     SetError(-7)     Return False    EndIf   Else    SetError(-8)    Return False   EndIf Next $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll") If IsArray($modHandle) Then   If $modHandle[0] > 0 Then    $modHandle = $modHandle[0]   Else    SetError(-9)    Return False   EndIf Else   SetError(-10)   Return False EndIf $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA") If IsArray($LoadLibraryA) Then   If $LoadLibraryA[0] > 0 Then    $LoadLibraryA = $LoadLibraryA[0]   Else    SetError(-11)    Return False   EndIf Else   SetError (-12)   Return False EndIf $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0) If IsArray($hThread) Then   ConsoleWrite($hThread[0] & @CR)   If $hThread[0] > 0 Then    $hThread = $hThread[0]   Else    SetError(-13)    Return False   EndIf Else   SetError(-14)   Return False EndIf DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000) DllCall($kernel32, "int", "CloseHandle", "int", $hThread) DllCall($kernel32, "int", "CloseHandle", "int", $pHandle) DllClose($kernel32) Return True EndFunc ; ---------------------------------------------------------------------------- ; <AUT2EXE INCLUDE-END: C:Documents and SettingsHDesktophans'sAuto-it projectsLoaderInjectDLL.au3> ; ---------------------------------------------------------------------------- $switches = IniRead ( "global.ini", "global", "windowname", ""); $rundown = IniRead ( "global.ini", "global", "dllpath", ""); $ret = _InjectDll(WinGetHandle($switches), $rundown) $err = @error If $err < 0 Then     MsgBox(16, $ret, $err) Else     MsgBox(64, $ret, "DLL Injected sucssfully") EndIf ; ---------------------------------------------------------------------------- ; <AUT2EXE INCLUDE-END: C:Documents and SettingsHDesktophans'sAuto-it projectsLoaderLoader.au3> ; ----------------------------------------------------------------------------

Edited by kalans, 14 February 2012 - 12:37 AM.








#2 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 15 February 2012 - 07:13 PM

Bump

#3 Shaggi

Shaggi

    Universalist

  • Active Members
  • PipPipPipPipPipPip
  • 309 posts

Posted 16 February 2012 - 12:28 AM

Try calling _WinApi_GetLastError() and see what return is, after the call to "openprocess". Are you sure you're running it as admin, doing it on the same process? etc.
Ever wanted to call functions in another process? ProcessCall UDFConsole stuff: Console UDFC Preprocessor for AutoIt OMG

#4 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 16 February 2012 - 07:07 PM

I am honored Shaggi, I have seen all your work on bh and have appreciated all of your work!

I compiled the script and ran as admin and still have the same issue (-4), which when I use lolp's loader it will work just fine without admin. I tried to run _WinApi_GetLastError() after opening the kernel32.dll and it does not give anything new (do I need to prompt for it to display?).

Thanks again for checking in here :)

#5 Shaggi

Shaggi

    Universalist

  • Active Members
  • PipPipPipPipPipPip
  • 309 posts

Posted 17 February 2012 - 07:04 PM

some processes wont be opened, and you sometimes need to hack away the protection (if you really need to inject the dll :)). you can study this program i usually use (should be able to inject into everything). also note that it might not work in x64 mode.

AutoIt         
;###################################################### ;~>          <~; ;~>  AutoIt Version: 3.3.6.1      <~; ;~>  Author:        Shaggi    <~; ;~>          <~; ;~>  Script Function:      <~; ;~>  Inject custom DLLs into a selected Process <~; ;~>          <~; ;~>  Credits:        <~; ;~>  Rain and asp for openSecureProcess   <~; ;~>          <~; ;~>  Darawk for Inject() function in C++   <~; ;~>          <~; ;###################################################### ;################################## ;~> Directories ;################################## #AutoIt3Wrapper_UseX64=n ;################################## ;~> Includes ;################################## #include <WinApi.au3> #include <Memory.au3> #include <GuiConstants.au3> #include <Windowsconstants.au3> #include <Array.au3> #include <Constants.au3> ;################################## ;~> General Variables ;################################## Global  $Version     = "1.0" Global  $DLL_Array_List[20][2]         $DLL_Array_List[0][0]  = 0 Global  $searchparameters ;################################## ;~> General Windows variables ;################################## Global $Create_Thread_Access      = BitOR($PROCESS_CREATE_THREAD, $PROCESS_QUERY_INFORMATION, $PROCESS_VM_OPERATION, $PROCESS_VM_WRITE, $PROCESS_VM_READ) Global $MAX_PATH         = 0x00000104 Global $SE_KERNEL_OBJECT       = 6 Global $DACL_SECURITY_INFORMATION    = 0x00000004 Global $ERROR_SUCCESS       = 0 Global $WRITE_DAC        = 0x00040000 Global $UNPROTECTED_DACL_SECURITY_INFORMATION  = 0x20000000 Global $READ_CONTROL        = 0x00020000 ;################################## ;~> Gui section ;################################## $hGui     = GUICreate("AutoInject " & $Version, 490, 200) $pID_List    = GUICtrlCreateList("", 88, 32, 202, 128) $DLL_List    = GUICtrlCreateList("", 300, 32, 180, 128) $Label_Process   = GUICtrlCreateLabel("Specify an open process..:", 8, 8, 177, 17) $Label_DLL   = GUICtrlCreateLabel("Specify a dll..:", 300, 8, 177, 17) $Button_Inject    = GUICtrlCreateButton("Inject", 8, 32, 73, 25, $WS_GROUP) $Button_About    = GUICtrlCreateButton("About", 8, 96, 73, 25, $WS_GROUP) $Button_Exit    = GUICtrlCreateButton("Exit", 8, 128, 73, 25, $WS_GROUP) $Input_Search   = GUICtrlCreateInput("Search process...", 88, 32 + 128 + 8, 202, 20, $WS_GROUP) $Button_AddDLL    = GUICtrlCreateButton("  Add DLL to list...  ", 300, 32 + 128 + 8 - 2.5, -1, 25, $WS_GROUP) $Button_UpdateLists  = GUICtrlCreateButton("Update lists...", 8, 64, 73, 25, $WS_GROUP)                           GUISetState(@SW_SHOW,$hGui) ;################################## ;~> Tips for the GUI ;##################################                           GUICtrlSetTip($Button_UpdateLists, "Reset and search for new processes")                           GUICtrlSetTip($pID_List, "Select a target process")                           GUICtrlSetTip($DLL_List, "Select a dll to inject")                           GUICtrlSetTip($Button_Inject, "Inject selected DLL to selected process")                           GUICtrlSetTip($Input_Search, "Search for specefic processes...")                           GUICtrlSetTip($Button_AddDLL , "Opens a file dialog") ;################################## ;~> Startupcheck too see if there's ;~> any DLLs in scriptfolder ;################################## $Stdout = Run(@ComSpec & " /c " & 'dir', @ScriptDir, @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD) Sleep(1000) Local $line, $oldline While 1     $line = StdoutRead($Stdout)     If Not @error Then         $oldline = $line     Else         ExitLoop     EndIf WEnd $Split_string = StringSplit($oldline, @LF) For $element In $Split_string     $pos = StringInStr($element, ".dll")     If $pos > 0 Then         $startpos = StringInStr($element, " ", 0, -1, $pos)         $trimmed_string = StringStripCR(StringTrimLeft($element, $startpos))         If $DLL_Array_List[0][0] < 20 Then             $DLL_Array_List[0][0] += 1             $DLL_Array_List[$DLL_Array_List[0][0]][0] = @ScriptDir & "" & $trimmed_string             $DLL_Array_List[$DLL_Array_List[0][0]][1] = $trimmed_string         EndIf     EndIf Next ;################################## ;~> Maintenace ;################################## _UpdateList() $searchparameters = GUICtrlRead($Input_Search) AdlibRegister("_CheckInput") OnAutoItExitRegister("_onExit") ;################################## ;~> Main loop ;################################## While 1     $nMsg = GUIGetMsg()     Switch $nMsg         Case $GUI_EVENT_CLOSE             Exit 0         Case $Button_Exit             Exit 0         Case $Button_Inject             If Not GUICtrlRead($pID_List) Then                 print("Please choose a process, and try again...", True, 48)                 ContinueLoop             EndIf             If Not GUICtrlRead($DLL_List) Then                 print("Please choose a DLL to inject, and try again...", True, 48)                 ContinueLoop             EndIf             $_ = StringSplit(GUICtrlRead($pID_List), "[", 1)             $Pid = StringTrimRight(StringStripWS($_[2], 8), 1)             $Dll_NO = StringSplit(GUICtrlRead($DLL_List), ".")             $Current_dll = $DLL_Array_List[$Dll_NO[1]][0]             If Not Inject($Pid, $Current_dll) Then                 print("DLL Not Loaded!", True, 16)             Else                 print("DLL Loaded successfully!", True, 64)             EndIf         Case $Button_AddDLL             $File = FileOpenDialog("Select an .dll file", @WorkingDir, "Dynamic Link Libraries (*.dll)")             If FileExists($File) Then                 If $DLL_Array_List[0][0] < 20 Then                     $DLL_Array_List[0][0] += 1                     $DLL_Array_List[$DLL_Array_List[0][0]][0] = $File                     $Dll_path_split = StringSplit($File, "")                     $File_short = $Dll_path_split[$Dll_path_split[0]]                     $DLL_Array_List[$DLL_Array_List[0][0]][1] = $File_short                     _UpdateList()                 EndIf             EndIf         Case $Button_UpdateLists             _UpdateList()         Case $Button_About             MsgBox(64, "AutoInject " & $Version, "AutoInject is created by Shaggi." & @CRLF & "Written in AutoIt " & @AutoItVersion, 0, $hGui)     EndSwitch WEnd ;################################## ;~> _OnExit() ;~> Called on exit, cleans up resources ;################################## Func _OnExit()     AdlibUnRegister("_UpdateList")     AdlibUnRegister("_CheckInput")     Exit $ERROR_SUCCESS EndFunc   ;==>_OnExit ;################################## ;~> _UpdateList() ;~> Updates the lists in the GUI ;################################## Func _UpdateList()     GUICtrlSetData($pID_List, "")     GUICtrlSetData($DLL_List, "")     $_List = ProcessList()     For $i = 1 To $_List[0][0]         GUICtrlSetData($pID_List, $i & ". " & $_List[$i][0] & " - [" & $_List[$i][1] & "]|")     Next     For $i = 1 To $DLL_Array_List[0][0]         GUICtrlSetData($DLL_List, $i & ". " & $DLL_Array_List[$i][1] & "|")     Next EndFunc   ;==>_UpdateList ;################################## ;~> _CheckInput() ;~> Filters the process lists for the search query ;################################## Func _CheckInput()     If GUICtrlRead($Input_Search) <> $searchparameters Then         $searchparameters = GUICtrlRead($Input_Search)         If $searchparameters = "" Then             _UpdateList()             Return         EndIf         GUICtrlSetData($pID_List, "")         $_List = ProcessList()         For $i = 1 To $_List[0][0]             If StringInStr($_List[$i][0], $searchparameters) > 0 Then                 GUICtrlSetData($pID_List, $i & ". " & $_List[$i][0] & " - [" & $_List[$i][1] & "]|")             EndIf         Next     EndIf EndFunc   ;==>_CheckInput ;################################## ;~> Inject() ;~> Injects a DLL into a process ;################################## Func Inject($Pid, Const $DLL_NAME)     Local $Proc     Local $hLib     Local $RemoteString     Local $LoadLibAddy     Local $iWritten     Local $DLL_BUFFER     Local $thread     ;##################################     If Not ProcessExists($Pid) Then         print("Invalid process ID: " & $Pid, True, 48)         Return     EndIf     ;##################################     $Proc = _WinAPI_OpenProcess($CREATE_THREAD_ACCESS, False, $Pid, True)     If Not $Proc Then         print("OpenProcess() failed: " & _WinAPI_GetLastError() & @CRLF & _WinAPI_GetLastErrorMessage() & @CRLF & "Continuing with openSecureProcess()", True, 16)         $Proc = openSecureProcess($Pid, $PROCESS_ALL_ACCESS)         If Not $Proc Then             print("openSecureProcess() failed: " & _WinAPI_GetLastError() & @CRLF & _WinAPI_GetLastErrorMessage(), True, 16)             Return False         EndIf     EndIf     ;##################################     $LoadLibAddy = GetProcAddress(_WinAPI_GetModuleHandle("kernel32.dll"), "LoadLibraryA")     If Not $LoadLibAddy Then         print("GetProcAddress() failed: " & _WinAPI_GetLastError() & @CRLF & _WinAPI_GetLastErrorMessage(), True, 16)         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ;Allocate space in the process for our DLL     ;##################################     $RemoteString = _MemVirtualAllocEx($Proc, 0, StringLen($DLL_NAME), BitOR($MEM_RESERVE, $MEM_COMMIT), $PAGE_READWRITE)     print($RemoteString)     If Not $RemoteString Then         print("_MemVirtualAllocEx() failed: " & _WinAPI_GetLastError() & @CRLF & _WinAPI_GetLastErrorMessage(), True, 16)         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ;Create a buffer which holds the string name     ;##################################     $DLL_BUFFER = DllStructCreate("char[" & BinaryLen($DLL_NAME) & "]")     DllStructSetData($DLL_BUFFER, 1, $DLL_NAME)     $iWritten = BinaryLen($DLL_NAME)     ;Write the string name of our DLL in the memory allocated     If Not _WinAPI_WriteProcessMemory($Proc, $RemoteString, DllStructGetPtr($DLL_BUFFER), BinaryLen($DLL_NAME), $iWritten) Then         print("WriteProcessMemory() failed: " & _WinAPI_GetLastError() & @CRLF & _WinAPI_GetLastErrorMessage(), True, 16)         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ; Create a thread which should inject our dll,     ; and pass the pointer which holds the DLL path     ; as an argument to the LoadLibraryA function     ;##################################     $thread = CreateRemoteThread($Proc, 0, 0, $LoadLibAddy, $RemoteString, 0, 0)     If Not $thread Then         print("CreateRemoteThread() failed: " & _WinAPI_GetLastError() & @CRLF & _WinAPI_GetLastErrorMessage(), True, 16)         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ;Clean up     ;##################################     _WinAPI_WaitForSingleObject($thread, 0xFFFFFFFF)     _MemVirtualFreeEx($Proc,$RemoteString, 0, $MEM_RELEASE)     _WinAPI_CloseHandle($thread)     _WinAPI_CloseHandle($Proc)     _WinAPI_FreeLibrary("kernel32.dll")     Return True EndFunc   ;==>Inject ;################################## ;~> CreateRemoteThread() ;~> Creates a thread in another process' ;~> virtual memory space ;################################## Func CreateRemoteThread($hProcess, $lpThreadAttributes, $dwStackSize, $lpStartAddress, $lpParameter, $dwCreationFlags, $lpThreadId)     Local $call = DllCall("Kernel32.dll", "ptr", "CreateRemoteThread", _             "ptr", $hProcess, _             "ptr", $lpThreadAttributes, _             "uint", $dwStackSize, _             "ptr", $lpStartAddress, _             "ptr", $lpParameter, _             "dword", $dwCreationFlags, _             "ptr", $lpThreadId)     Return $call[0] EndFunc   ;==>CreateRemoteThread ;################################## ;~> GetProcAddress() ;~> Gets a function address in a loaded DLL ;################################## Func GetProcAddress($hModule, $lpProcName)     Local $call = DllCall("Kernel32.dll", "ptr", "GetProcAddress", _             "handle", $hModule, _             "str", $lpProcName)     Return $call[0] EndFunc   ;==>GetProcAddress ;################################## ;~> print() ;~> Writes a message to the STDOUT-stream, ;~> and optionally opens a MessageBox ;################################## Func print($msg = @CRLF, $msgbox = False, $id = 0)     If $msg = "" Then Return     ConsoleWrite($msg & @CRLF)     If $msgbox Then         MsgBox($id, "AutoInject " & $Version, $msg, 0, $hGui)     EndIf EndFunc   ;==>print ;################################## ;/** openSecureProcess() ;* Opens a process. Overwrite the DACL of target process ;* as a fallback if the process has dropped rights. Doesn't ;* require the user to be logged in with system or admin ;* rights. ;* ;* Edited by Shaggi: ;* Tries with debug privilege first, then overwrites dacl, ;* and resets it back to original state. ;* ;* @author asp ;* @param wndclass Name of windowclass. ;* @param rights The process access rights you want. ;* @return 0 on failure. Otherwise handle to process. ;*/ ;~ Credits to Rain for converting it to AutoIt. ;################################## Func openSecureProcess($Pid, $Rights)     If NOT ProcessExists($pid) Then Return False     ; Try to open the process with the requested rights.     $process = _WinAPI_OpenProcess($Rights, False, $Pid, True);     If $process Then         Return $process     EndIf     ;Okay, didnt work, even with debug privilege.     ;Going to mirror our SID to target process,     ;open a handle, and reset SID     Local $process     Local $dacl = DllStructCreate("ptr")     Local $secdesc = DllStructCreate("ptr")     Local $dacl_target = DllStructCreate("ptr")     Local $secdesc_target = DllStructCreate("ptr")     ; Get the DACL of this process since we know we have     ; all rights in it. This really can't fail.     If(getSecurityInfo(_WinAPI_GetCurrentProcess(), _             $SE_KERNEL_OBJECT, _             $DACL_SECURITY_INFORMATION, _             0, _             0, _             DllStructGetPtr($dacl, 1), _             0, _             DllStructGetPtr($secdesc, 1)) <> $ERROR_SUCCESS) Then         Return False     EndIf     ; Open it with WRITE_DAC || READ_CONTROL access,     ; so that we can read and write to the DACL.     $process = _WinAPI_OpenProcess(BitOR($WRITE_DAC, $READ_CONTROL), 0, $Pid)     If NOT $process Then         _WinAPI_LocalFree($secdesc)         Return False     EndIf     ; Get the DACL of target process and store it,     ; so we can reset it later     If(getSecurityInfo($process, _             $SE_KERNEL_OBJECT, _             $DACL_SECURITY_INFORMATION, _             0, _             0, _             DllStructGetPtr($dacl_target, 1), _             0, _             DllStructGetPtr($secdesc_target, 1)) <> $ERROR_SUCCESS) Then         Return False     EndIf     ;Overwrite the Dacl with our own     If(setSecurityInfo($process, _             $SE_KERNEL_OBJECT, _             BitOR($DACL_SECURITY_INFORMATION, $UNPROTECTED_DACL_SECURITY_INFORMATION), _             0, _             0, _             DllStructGetData($dacl, 1), _             0) <> $ERROR_SUCCESS) Then         _WinAPI_LocalFree($secdesc)         Return False     EndIf     ; The DACL is overwritten with our own DACL. We     ; should be able to open it with the requested     ; privileges now.     _WinAPI_LocalFree($secdesc)     _WinAPI_CloseHandle($process)     $hProc = _WinAPI_OpenProcess($Rights, False, $Pid, True)     If NOT $hProc Then         Return False     EndIf     ;Assuming we got the process. Proceeding to revert the patch, and return the enabled process handle     If(setSecurityInfo($hProc, _             $SE_KERNEL_OBJECT, _             BitOR($DACL_SECURITY_INFORMATION, $UNPROTECTED_DACL_SECURITY_INFORMATION), _             0, _             0, _             DllStructGetData($dacl_target, 1), _             0) <> $ERROR_SUCCESS) Then         _WinAPI_LocalFree($secdesc_target)         Return False     EndIf     _WinAPI_LocalFree($secdesc_target)     Return $hProc EndFunc   ;==>openSecureProcess ;################################## ;~> getSecurityInfo() ;~> Gets security information about a process ;################################## Func getSecurityInfo($handle, $ObjectType, $SecurityInfo, $ppsidOwner, $ppsidGroup, $ppDacl, $ppSacl, $ppSecurityDescriptor)     Local $call = DllCall("Advapi32.dll", "long", "GetSecurityInfo", _             "ptr", $handle, _             "int", $ObjectType, _             "dword", $SecurityInfo, _             "ptr", $ppsidOwner, _             "ptr", $ppsidGroup, _             "ptr", $ppDacl, _             "ptr", $ppSacl, _             "ptr", $ppSecurityDescriptor)     Return $call[0] EndFunc   ;==>getSecurityInfo ;################################## ;~> setSecurityInfo() ;~> Sets security information about a process ;;################################## Func setSecurityInfo($handle, $ObjectType, $SecurityInfo, $psidOwner, $psidGroup, $pDacl, $pSacl)     Local $call = DllCall("Advapi32.dll", "long", "SetSecurityInfo", _             "ptr", $handle, _             "int", $ObjectType, _             "dword", $SecurityInfo, _             "ptr", $psidOwner, _             "ptr", $psidGroup, _             "ptr", $pDacl, _             "ptr", $pSacl)     Return $call[0] EndFunc   ;==>setSecurityInfo ;################################## ;~> GetFullPathName() ;~> Retrieves the full path of a filename ;################################## Func GetFullPathName($lpFileName, $nBufferLength, $lpBuffer, $lpFilePart)     Local $call = DllCall("Kernel32.dll", "ptr", "GetFullPathNameA", _             "str", $lpFileName, _             "dword", $nBufferLength, _             "str", $lpBuffer, _             "str", $lpFilePart)     Return $call[0] EndFunc   ;==>GetFullPathName

Ever wanted to call functions in another process? ProcessCall UDFConsole stuff: Console UDFC Preprocessor for AutoIt OMG

#6 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 18 February 2012 - 04:46 AM

Much appreciated! I was able to get it working now with your script just by assigning after the movement to the tabber XD. Thanks again so much for the help!

#7 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 22 February 2012 - 09:40 PM

So I am trying to figure out how to unInject the same dll if called upon, it seems like it would be simple but I am not able to figure out if there is a command for it..Any help? Thanks!

#8 Shaggi

Shaggi

    Universalist

  • Active Members
  • PipPipPipPipPipPip
  • 309 posts

Posted 23 February 2012 - 04:43 AM

So I am trying to figure out how to unInject the same dll if called upon, it seems like it would be simple but I am not able to figure out if there is a command for it..Any help? Thanks!

you need to preserve the handle recieved from the injection, or iterate through the modules in the process. then pass that handle onto freelibrary.
Ever wanted to call functions in another process? ProcessCall UDFConsole stuff: Console UDFC Preprocessor for AutoIt OMG

#9 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 23 February 2012 - 05:14 AM

I understand, but what is freelibrary O.o..Could you give me an example if you have time, I appreciate it so much shaggi :)

#10 Shaggi

Shaggi

    Universalist

  • Active Members
  • PipPipPipPipPipPip
  • 309 posts

Posted 23 February 2012 - 09:56 PM

I understand, but what is freelibrary O.o..Could you give me an example if you have time, I appreciate it so much shaggi Posted Image

FreeLibrary is the function that unloads a loaded DLL. It takes one parameter: A handle to the module. You can retrieve the handle from the injector function if you edit the last lines to this instead:
    ;##################################     ;Clean up     ;##################################     _WinAPI_WaitForSingleObject($thread, 0xFFFFFFFF)     Local $iECode = _GetExitCodeThread($Thread) ; handle returned by loadlibrary     _MemVirtualFreeEx($Proc,$RemoteString, 0, $MEM_RELEASE)     _WinAPI_CloseHandle($thread)     _WinAPI_CloseHandle($Proc)     _WinAPI_FreeLibrary("kernel32.dll")     Return $iECode EndFunc   ;==>Inject

You might also need this:
Spoiler

Basically, what you want to do is basically the same as for injection: You create a thread in the process, starting a FreeLibrary's address. You pass the module handle as the parameter in CreateThread. Done :)
Ever wanted to call functions in another process? ProcessCall UDFConsole stuff: Console UDFC Preprocessor for AutoIt OMG

#11 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 23 February 2012 - 11:17 PM

Ok, having some issues on what I need to do. I can pass the PID over and the dll over just as when injected, but what exactly do I do in your code? Do I just add the code as a new function or do I change your code? I am so sorry but I just am not there yet :)

Below is the code I put to try to get it working and I can pass it fine, but it does not uninject..Also below that is your code I have edited for my purpose. Thanks!

AutoIt         
;################################## ;RemoveDll ;################################## ; /***************************************** ; *  Gets exit code of an thread ; *****************************************/ Func _GetExitCodeThread($thread) Local $Dummy = DllStructCreate("uint") Local $Call = DllCall("Kernel32.dll", "BOOL", "GetExitCodeThread", "handle", $thread, "ptr", DllStructGetPtr($Dummy)) Return Dec(Hex(DllStructGetData($Dummy, 1))) ; hack hack hack EndFunc   ;==>_GetExitCodeThread Func RemoveDll() Local $Proc Local $MHDirN $thread = $MHDirN $RemoteString = _MemVirtualAllocEx($Proc, 0, StringLen($thread), BitOR($MEM_RESERVE, $MEM_COMMIT), $PAGE_READWRITE) _WinAPI_WaitForSingleObject($thread, 0xFFFFFFFF) Local $iECode = _GetExitCodeThread($Thread) ; handle returned by loadlibrary _MemVirtualFreeEx($Proc,$RemoteString, 0, $MEM_RELEASE) _WinAPI_CloseHandle($thread) _WinAPI_CloseHandle($Proc) _WinAPI_FreeLibrary("kernel32.dll") Return $iECode EndFunc   ;==>Inject


AutoIt         
;###################################################### ;~>       <~; ;~>  AutoIt Version: 3.3.6.1      <~; ;~>  Author:        Shaggi    <~; ;~>       <~; ;~>  Script Function:     <~; ;~>  Inject custom DLLs into a selected Process <~; ;~>       <~; ;~>  Credits:       <~; ;~>  Rain and asp for openSecureProcess   <~; ;~>       <~; ;~>  Darawk for Inject() function in C++   <~; ;~>       <~; ;###################################################### ;################################## ;~> Directories ;################################## #AutoIt3Wrapper_UseX64=n ;################################## ;~> Includes ;################################## #include <Memory.au3> ;################################## ;~> General Variables ;################################## Global  $DLL_Array_List[20][2]         $DLL_Array_List[0][0]  = 0 Global  $searchparameters ;################################## ;~> General Windows variables ;################################## Global $Create_Thread_Access      = BitOR($PROCESS_CREATE_THREAD, $PROCESS_QUERY_INFORMATION, $PROCESS_VM_OPERATION, $PROCESS_VM_WRITE, $PROCESS_VM_READ) Global $MAX_PATH         = 0x00000104 Global $SE_KERNEL_OBJECT       = 6 Global $DACL_SECURITY_INFORMATION    = 0x00000004 Global $ERROR_SUCCESS      = 0 Global $WRITE_DAC       = 0x00040000 Global $UNPROTECTED_DACL_SECURITY_INFORMATION  = 0x20000000 Global $READ_CONTROL        = 0x00020000 ;~ ;################################## ;~ $Split_string = StringSplit($oldline, @LF) ;~ For $element In $Split_string ;~   $pos = StringInStr($element, ".dll") ;~   If $pos > 0 Then ;~       $startpos = StringInStr($element, " ", 0, -1, $pos) ;~       $trimmed_string = StringStripCR(StringTrimLeft($element, $startpos)) ;~       If $DLL_Array_List[0][0] < 20 Then ;~           $DLL_Array_List[0][0] += 1 ;~           $DLL_Array_List[$DLL_Array_List[0][0]][0] = @ScriptDir & "" & $trimmed_string ;~           $DLL_Array_List[$DLL_Array_List[0][0]][1] = $trimmed_string ;~       EndIf ;~   EndIf ;~ Next ;################################## ;~> Maintenace ;################################## AdlibRegister("_CheckInput") OnAutoItExitRegister("_onExit") ;################################## ;~> _OnExit() ;~> Called on exit, cleans up resources ;################################## Func _OnExit()     AdlibUnRegister("_UpdateList")     AdlibUnRegister("_CheckInput")     Exit $ERROR_SUCCESS EndFunc   ;==>_OnExit ;################################## ;~> Inject() ;~> Injects a DLL into a process ;################################## Func Inject($Pid, Const $DLL_NAME)     Local $Proc     Local $hLib     Local $RemoteString     Local $LoadLibAddy     Local $iWritten     Local $DLL_BUFFER     Local $thread     ;##################################     If Not ProcessExists($Pid) Then Return     ;##################################     $Proc = _WinAPI_OpenProcess($CREATE_THREAD_ACCESS, False, $Pid, True)     If Not $Proc Then         $Proc = openSecureProcess($Pid, $PROCESS_ALL_ACCESS)         If Not $Proc Then Return False     EndIf     ;##################################     $LoadLibAddy = GetProcAddress(_WinAPI_GetModuleHandle("kernel32.dll"), "LoadLibraryA")     If Not $LoadLibAddy Then         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ;Allocate space in the process for our DLL     ;##################################     $RemoteString = _MemVirtualAllocEx($Proc, 0, StringLen($DLL_NAME), BitOR($MEM_RESERVE, $MEM_COMMIT), $PAGE_READWRITE)     If Not $RemoteString Then         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ;Create a buffer which holds the string name     ;##################################     $DLL_BUFFER = DllStructCreate("char[" & BinaryLen($DLL_NAME) & "]")     DllStructSetData($DLL_BUFFER, 1, $DLL_NAME)     $iWritten = BinaryLen($DLL_NAME)     ;Write the string name of our DLL in the memory allocated     If Not _WinAPI_WriteProcessMemory($Proc, $RemoteString, DllStructGetPtr($DLL_BUFFER), BinaryLen($DLL_NAME), $iWritten) Then         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ; Create a thread which should inject our dll,     ; and pass the pointer which holds the DLL path     ; as an argument to the LoadLibraryA function     ;##################################     $thread = CreateRemoteThread($Proc, 0, 0, $LoadLibAddy, $RemoteString, 0, 0)     If Not $thread Then         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ;Clean up     ;##################################     _WinAPI_WaitForSingleObject($thread, 0xFFFFFFFF)     _MemVirtualFreeEx($Proc,$RemoteString, 0, $MEM_RELEASE)     _WinAPI_CloseHandle($thread)     _WinAPI_CloseHandle($Proc)     _WinAPI_FreeLibrary("kernel32.dll")     Return True EndFunc   ;==>Inject ;################################## ;~> CreateRemoteThread() ;~> Creates a thread in another process' ;~> virtual memory space ;################################## Func CreateRemoteThread($hProcess, $lpThreadAttributes, $dwStackSize, $lpStartAddress, $lpParameter, $dwCreationFlags, $lpThreadId)     Local $call = DllCall("Kernel32.dll", "ptr", "CreateRemoteThread", _             "ptr", $hProcess, _             "ptr", $lpThreadAttributes, _             "uint", $dwStackSize, _             "ptr", $lpStartAddress, _             "ptr", $lpParameter, _             "dword", $dwCreationFlags, _             "ptr", $lpThreadId)     Return $call[0] EndFunc   ;==>CreateRemoteThread ;################################## ;~> GetProcAddress() ;~> Gets a function address in a loaded DLL ;################################## Func GetProcAddress($hModule, $lpProcName)     Local $call = DllCall("Kernel32.dll", "ptr", "GetProcAddress", _             "handle", $hModule, _             "str", $lpProcName)     Return $call[0] EndFunc   ;==>GetProcAddress ;################################## ;/** openSecureProcess() ;* Opens a process. Overwrite the DACL of target process ;* as a fallback if the process has dropped rights. Doesn't ;* require the user to be logged in with system or admin ;* rights. ;* ;* Edited by Shaggi: ;* Tries with debug privilege first, then overwrites dacl, ;* and resets it back to original state. ;* ;* @author asp ;* @param wndclass Name of windowclass. ;* @param rights The process access rights you want. ;* @return 0 on failure. Otherwise handle to process. ;*/ ;~ Credits to Rain for converting it to AutoIt. ;################################## Func openSecureProcess($Pid, $Rights)     If NOT ProcessExists($pid) Then Return False     ; Try to open the process with the requested rights.     $process = _WinAPI_OpenProcess($Rights, False, $Pid, True);     If $process Then         Return $process     EndIf     ;Okay, didnt work, even with debug privilege.     ;Going to mirror our SID to target process,     ;open a handle, and reset SID     Local $process     Local $dacl = DllStructCreate("ptr")     Local $secdesc = DllStructCreate("ptr")     Local $dacl_target = DllStructCreate("ptr")     Local $secdesc_target = DllStructCreate("ptr")     ; Get the DACL of this process since we know we have     ; all rights in it. This really can't fail.     If(getSecurityInfo(_WinAPI_GetCurrentProcess(), _             $SE_KERNEL_OBJECT, _             $DACL_SECURITY_INFORMATION, _             0, _             0, _             DllStructGetPtr($dacl, 1), _             0, _             DllStructGetPtr($secdesc, 1)) <> $ERROR_SUCCESS) Then         Return False     EndIf     ; Open it with WRITE_DAC || READ_CONTROL access,     ; so that we can read and write to the DACL.     $process = _WinAPI_OpenProcess(BitOR($WRITE_DAC, $READ_CONTROL), 0, $Pid)     If NOT $process Then         _WinAPI_LocalFree($secdesc)         Return False     EndIf     ; Get the DACL of target process and store it,     ; so we can reset it later     If(getSecurityInfo($process, _             $SE_KERNEL_OBJECT, _             $DACL_SECURITY_INFORMATION, _             0, _             0, _             DllStructGetPtr($dacl_target, 1), _             0, _             DllStructGetPtr($secdesc_target, 1)) <> $ERROR_SUCCESS) Then         Return False     EndIf     ;Overwrite the Dacl with our own     If(setSecurityInfo($process, _             $SE_KERNEL_OBJECT, _             BitOR($DACL_SECURITY_INFORMATION, $UNPROTECTED_DACL_SECURITY_INFORMATION), _             0, _             0, _             DllStructGetData($dacl, 1), _             0) <> $ERROR_SUCCESS) Then         _WinAPI_LocalFree($secdesc)         Return False     EndIf     ; The DACL is overwritten with our own DACL. We     ; should be able to open it with the requested     ; privileges now.     _WinAPI_LocalFree($secdesc)     _WinAPI_CloseHandle($process)     $hProc = _WinAPI_OpenProcess($Rights, False, $Pid, True)     If NOT $hProc Then         Return False     EndIf     ;Assuming we got the process. Proceeding to revert the patch, and return the enabled process handle     If(setSecurityInfo($hProc, _             $SE_KERNEL_OBJECT, _             BitOR($DACL_SECURITY_INFORMATION, $UNPROTECTED_DACL_SECURITY_INFORMATION), _             0, _             0, _             DllStructGetData($dacl_target, 1), _             0) <> $ERROR_SUCCESS) Then         _WinAPI_LocalFree($secdesc_target)         Return False     EndIf     _WinAPI_LocalFree($secdesc_target)     Return $hProc EndFunc   ;==>openSecureProcess ;################################## ;~> getSecurityInfo() ;~> Gets security information about a process ;################################## Func getSecurityInfo($handle, $ObjectType, $SecurityInfo, $ppsidOwner, $ppsidGroup, $ppDacl, $ppSacl, $ppSecurityDescriptor)     Local $call = DllCall("Advapi32.dll", "long", "GetSecurityInfo", _             "ptr", $handle, _             "int", $ObjectType, _             "dword", $SecurityInfo, _             "ptr", $ppsidOwner, _             "ptr", $ppsidGroup, _             "ptr", $ppDacl, _             "ptr", $ppSacl, _             "ptr", $ppSecurityDescriptor)     Return $call[0] EndFunc   ;==>getSecurityInfo ;################################## ;~> setSecurityInfo() ;~> Sets security information about a process ;;################################## Func setSecurityInfo($handle, $ObjectType, $SecurityInfo, $psidOwner, $psidGroup, $pDacl, $pSacl)     Local $call = DllCall("Advapi32.dll", "long", "SetSecurityInfo", _             "ptr", $handle, _             "int", $ObjectType, _             "dword", $SecurityInfo, _             "ptr", $psidOwner, _             "ptr", $psidGroup, _             "ptr", $pDacl, _             "ptr", $pSacl)     Return $call[0] EndFunc   ;==>setSecurityInfo ;################################## ;~> GetFullPathName() ;~> Retrieves the full path of a filename ;################################## Func GetFullPathName($lpFileName, $nBufferLength, $lpBuffer, $lpFilePart)     Local $call = DllCall("Kernel32.dll", "ptr", "GetFullPathNameA", _             "str", $lpFileName, _             "dword", $nBufferLength, _             "str", $lpBuffer, _             "str", $lpFilePart)     Return $call[0] EndFunc   ;==>GetFullPathName


#12 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 26 February 2012 - 02:18 AM

Bump

#13 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 23 March 2012 - 01:36 AM

Still needing help on this, I am about to start working on a update for the program :oops:

#14 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 14 April 2012 - 10:07 PM

Hey, I have the new function setup and preserve the $iECode. Then I pass it to the injector the same way I do it initially, but with the $iECode that I had preserved. I still do not see it un-injecting it. If you could help out I would appreciate it, I am almost finished with this project ;). Thanks!

AutoIt         
;###################################################### ;~>       <~; ;~>  AutoIt Version: 3.3.6.1      <~; ;~>  Author:        Shaggi    <~; ;~>       <~; ;~>  Script Function:     <~; ;~>  Inject custom DLLs into a selected Process <~; ;~>       <~; ;~>  Credits:       <~; ;~>  Rain and asp for openSecureProcess   <~; ;~>       <~; ;~>  Darawk for Inject() function in C++   <~; ;~>       <~; ;###################################################### ;################################## ;~> Directories ;################################## #AutoIt3Wrapper_UseX64=n ;################################## ;~> Includes ;################################## #include <Memory.au3> ;################################## ;~> General Variables ;################################## Global  $DLL_Array_List[20][2]         $DLL_Array_List[0][0]  = 0 Global  $searchparameters ;################################## ;~> General Windows variables ;################################## Global $Create_Thread_Access      = BitOR($PROCESS_CREATE_THREAD, $PROCESS_QUERY_INFORMATION, $PROCESS_VM_OPERATION, $PROCESS_VM_WRITE, $PROCESS_VM_READ) Global $MAX_PATH         = 0x00000104 Global $SE_KERNEL_OBJECT       = 6 Global $DACL_SECURITY_INFORMATION    = 0x00000004 Global $ERROR_SUCCESS      = 0 Global $WRITE_DAC       = 0x00040000 Global $UNPROTECTED_DACL_SECURITY_INFORMATION  = 0x20000000 Global $READ_CONTROL        = 0x00020000 ;~ ;################################## ;~ $Split_string = StringSplit($oldline, @LF) ;~ For $element In $Split_string ;~   $pos = StringInStr($element, ".dll") ;~   If $pos > 0 Then ;~       $startpos = StringInStr($element, " ", 0, -1, $pos) ;~       $trimmed_string = StringStripCR(StringTrimLeft($element, $startpos)) ;~       If $DLL_Array_List[0][0] < 20 Then ;~           $DLL_Array_List[0][0] += 1 ;~           $DLL_Array_List[$DLL_Array_List[0][0]][0] = @ScriptDir & "" & $trimmed_string ;~           $DLL_Array_List[$DLL_Array_List[0][0]][1] = $trimmed_string ;~       EndIf ;~   EndIf ;~ Next ;################################## ;~> Maintenace ;################################## AdlibRegister("_CheckInput") OnAutoItExitRegister("_onExit") ;################################## ;~> _OnExit() ;~> Called on exit, cleans up resources ;################################## Func _OnExit()     AdlibUnRegister("_UpdateList")     AdlibUnRegister("_CheckInput")     Exit $ERROR_SUCCESS EndFunc   ;==>_OnExit ;################################## ;~> Inject() ;~> Injects a DLL into a process ;################################## Func Inject($Pid, Const $DLL_NAME)     Local $Proc     Local $hLib     Local $RemoteString     Local $LoadLibAddy     Local $iWritten     Local $DLL_BUFFER     Local $thread     ;##################################     If Not ProcessExists($Pid) Then Return     ;##################################     $Proc = _WinAPI_OpenProcess($CREATE_THREAD_ACCESS, False, $Pid, True)     If Not $Proc Then         $Proc = openSecureProcess($Pid, $PROCESS_ALL_ACCESS)         If Not $Proc Then Return False     EndIf     ;##################################     $LoadLibAddy = GetProcAddress(_WinAPI_GetModuleHandle("kernel32.dll"), "LoadLibraryA")     If Not $LoadLibAddy Then         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ;Allocate space in the process for our DLL     ;##################################     $RemoteString = _MemVirtualAllocEx($Proc, 0, StringLen($DLL_NAME), BitOR($MEM_RESERVE, $MEM_COMMIT), $PAGE_READWRITE)     If Not $RemoteString Then         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ;Create a buffer which holds the string name     ;##################################     $DLL_BUFFER = DllStructCreate("char[" & BinaryLen($DLL_NAME) & "]")     DllStructSetData($DLL_BUFFER, 1, $DLL_NAME)     $iWritten = BinaryLen($DLL_NAME)     ;Write the string name of our DLL in the memory allocated     If Not _WinAPI_WriteProcessMemory($Proc, $RemoteString, DllStructGetPtr($DLL_BUFFER), BinaryLen($DLL_NAME), $iWritten) Then         _WinAPI_CloseHandle($Proc)         Return False     EndIf     ;##################################     ; Create a thread which should inject our dll,     ; and pass the pointer which holds the DLL path     ; as an argument to the LoadLibraryA function     ;##################################     $thread = CreateRemoteThread($Proc, 0, 0, $LoadLibAddy, $RemoteString, 0, 0)     If Not $thread Then         _WinAPI_CloseHandle($Proc)         Return False     EndIf ;##################################     ;Clean up     ;##################################     _WinAPI_WaitForSingleObject($thread, 0xFFFFFFFF)     Global $iECode = _GetExitCodeThread($Thread) ; handle returned by loadlibrary     _MemVirtualFreeEx($Proc,$RemoteString, 0, $MEM_RELEASE)     _WinAPI_CloseHandle($thread)     _WinAPI_CloseHandle($Proc)     _WinAPI_FreeLibrary("kernel32.dll")     Return $iECode EndFunc   ;==>Inject ;################################## ;~> CreateRemoteThread() ;~> Creates a thread in another process' ;~> virtual memory space ;################################## Func CreateRemoteThread($hProcess, $lpThreadAttributes, $dwStackSize, $lpStartAddress, $lpParameter, $dwCreationFlags, $lpThreadId)     Local $call = DllCall("Kernel32.dll", "ptr", "CreateRemoteThread", _             "ptr", $hProcess, _             "ptr", $lpThreadAttributes, _             "uint", $dwStackSize, _             "ptr", $lpStartAddress, _             "ptr", $lpParameter, _             "dword", $dwCreationFlags, _             "ptr", $lpThreadId)     Return $call[0] EndFunc   ;==>CreateRemoteThread ;################################## ;~> GetProcAddress() ;~> Gets a function address in a loaded DLL ;################################## Func GetProcAddress($hModule, $lpProcName)     Local $call = DllCall("Kernel32.dll", "ptr", "GetProcAddress", _             "handle", $hModule, _             "str", $lpProcName)     Return $call[0] EndFunc   ;==>GetProcAddress ;################################## ;/** openSecureProcess() ;* Opens a process. Overwrite the DACL of target process ;* as a fallback if the process has dropped rights. Doesn't ;* require the user to be logged in with system or admin ;* rights. ;* ;* Edited by Shaggi: ;* Tries with debug privilege first, then overwrites dacl, ;* and resets it back to original state. ;* ;* @author asp ;* @param wndclass Name of windowclass. ;* @param rights The process access rights you want. ;* @return 0 on failure. Otherwise handle to process. ;*/ ;~ Credits to Rain for converting it to AutoIt. ;################################## Func openSecureProcess($Pid, $Rights)     If NOT ProcessExists($pid) Then Return False     ; Try to open the process with the requested rights.     $process = _WinAPI_OpenProcess($Rights, False, $Pid, True);     If $process Then         Return $process     EndIf     ;Okay, didnt work, even with debug privilege.     ;Going to mirror our SID to target process,     ;open a handle, and reset SID     Local $process     Local $dacl = DllStructCreate("ptr")     Local $secdesc = DllStructCreate("ptr")     Local $dacl_target = DllStructCreate("ptr")     Local $secdesc_target = DllStructCreate("ptr")     ; Get the DACL of this process since we know we have     ; all rights in it. This really can't fail.     If(getSecurityInfo(_WinAPI_GetCurrentProcess(), _             $SE_KERNEL_OBJECT, _             $DACL_SECURITY_INFORMATION, _             0, _             0, _             DllStructGetPtr($dacl, 1), _             0, _             DllStructGetPtr($secdesc, 1)) <> $ERROR_SUCCESS) Then         Return False     EndIf     ; Open it with WRITE_DAC || READ_CONTROL access,     ; so that we can read and write to the DACL.     $process = _WinAPI_OpenProcess(BitOR($WRITE_DAC, $READ_CONTROL), 0, $Pid)     If NOT $process Then         _WinAPI_LocalFree($secdesc)         Return False     EndIf     ; Get the DACL of target process and store it,     ; so we can reset it later     If(getSecurityInfo($process, _             $SE_KERNEL_OBJECT, _             $DACL_SECURITY_INFORMATION, _             0, _             0, _             DllStructGetPtr($dacl_target, 1), _             0, _             DllStructGetPtr($secdesc_target, 1)) <> $ERROR_SUCCESS) Then         Return False     EndIf     ;Overwrite the Dacl with our own     If(setSecurityInfo($process, _             $SE_KERNEL_OBJECT, _             BitOR($DACL_SECURITY_INFORMATION, $UNPROTECTED_DACL_SECURITY_INFORMATION), _             0, _             0, _             DllStructGetData($dacl, 1), _             0) <> $ERROR_SUCCESS) Then         _WinAPI_LocalFree($secdesc)         Return False     EndIf     ; The DACL is overwritten with our own DACL. We     ; should be able to open it with the requested     ; privileges now.     _WinAPI_LocalFree($secdesc)     _WinAPI_CloseHandle($process)     $hProc = _WinAPI_OpenProcess($Rights, False, $Pid, True)     If NOT $hProc Then         Return False     EndIf     ;Assuming we got the process. Proceeding to revert the patch, and return the enabled process handle     If(setSecurityInfo($hProc, _             $SE_KERNEL_OBJECT, _             BitOR($DACL_SECURITY_INFORMATION, $UNPROTECTED_DACL_SECURITY_INFORMATION), _             0, _             0, _             DllStructGetData($dacl_target, 1), _             0) <> $ERROR_SUCCESS) Then         _WinAPI_LocalFree($secdesc_target)         Return False     EndIf     _WinAPI_LocalFree($secdesc_target)     Return $hProc EndFunc   ;==>openSecureProcess ;################################## ;~> getSecurityInfo() ;~> Gets security information about a process ;################################## Func getSecurityInfo($handle, $ObjectType, $SecurityInfo, $ppsidOwner, $ppsidGroup, $ppDacl, $ppSacl, $ppSecurityDescriptor)     Local $call = DllCall("Advapi32.dll", "long", "GetSecurityInfo", _             "ptr", $handle, _             "int", $ObjectType, _             "dword", $SecurityInfo, _             "ptr", $ppsidOwner, _             "ptr", $ppsidGroup, _             "ptr", $ppDacl, _             "ptr", $ppSacl, _             "ptr", $ppSecurityDescriptor)     Return $call[0] EndFunc   ;==>getSecurityInfo ;################################## ;~> setSecurityInfo() ;~> Sets security information about a process ;;################################## Func setSecurityInfo($handle, $ObjectType, $SecurityInfo, $psidOwner, $psidGroup, $pDacl, $pSacl)     Local $call = DllCall("Advapi32.dll", "long", "SetSecurityInfo", _             "ptr", $handle, _             "int", $ObjectType, _             "dword", $SecurityInfo, _             "ptr", $psidOwner, _             "ptr", $psidGroup, _             "ptr", $pDacl, _             "ptr", $pSacl)     Return $call[0] EndFunc   ;==>setSecurityInfo ;################################## ;~> GetFullPathName() ;~> Retrieves the full path of a filename ;################################## Func GetFullPathName($lpFileName, $nBufferLength, $lpBuffer, $lpFilePart)     Local $call = DllCall("Kernel32.dll", "ptr", "GetFullPathNameA", _             "str", $lpFileName, _             "dword", $nBufferLength, _             "str", $lpBuffer, _             "str", $lpFilePart)     Return $call[0] EndFunc   ;==>GetFullPathName ;################################## ;RemoveDll ;################################## ; /***************************************** ; *  Gets exit code of an thread ; *****************************************/ Func _GetExitCodeThread($thread) Local $Dummy = DllStructCreate("uint") Local $Call = DllCall("Kernel32.dll", "BOOL", "GetExitCodeThread", "handle", $thread, "ptr", DllStructGetPtr($Dummy)) Return Dec(Hex(DllStructGetData($Dummy, 1))) ; hack hack hack EndFunc   ;==>_GetExitCodeThread


#15 kalans

kalans

    Seeker

  • Active Members
  • 19 posts

Posted 02 January 2014 - 05:03 AM

Sorry for the necropost bump, I am looking to fix this. Any direction would be helpful. Thanks!



#16 Melba23

Melba23

    I'm old - what's your excuse?

  • Moderators
  • 19,821 posts

Posted 02 January 2014 - 05:39 PM

kalans,

Please read the Forum rules (there is also a link at bottom right of each page) - they have changed since this thread was last used and now state:
 

"Do not ask for help with AutoIt scripts, post links to, or start discussion topics on the following subjects:
[...]
Running or injecting any code (in any form) intended to alter the original functionality of another process.
"


So this subject is no longer legal and the thread will now be locked. :naughty:

M23
  • kalans likes this
StringSize - Automatically size controls to fit text                                                               ExtMsgBox - A user customisable replacement for MsgBox
Toast - Small GUIs which pop out of the Systray                                                                Marquee - Scrolling tickertape GUIs
Scrollbars - Automatically sized scrollbars with a single command                                   GUIFrame - Subdivide GUIs into many adjustable frames
GUIExtender - Extend and retract multiple sections within a GUI                                      NoFocusLines - Remove the dotted focus lines from buttons, sliders, radios and checkboxes
ChooseFileFolder - Single and multiple selections from specified path tree structure      Notify - Small notifications on the edge of the display
Date_Time_Convert - Easily convert date/time formats, including the language               GUIListViewEx - Insert, delete, move, drag, sort and edit ListView items




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users