demandnothing Posted September 22, 2009 (edited)

I have been attempting to use this script I came across to inject a dll into a process id.. the problem I am having is that it doesn't give me any errors, yet the injection fails.. is there something I am doing wrong or do I need to edit something to fit my needs??

    Global $i_Access
    Global $i_Inherit

    Func _InjectDllByHwnd($hWnd, $dllpath)
        ;make sure the user passed valid parameters
        If $hWnd <= 0 Then
            SetError(-1)
            Return False
        ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
            SetError(-2)
            Return False
        EndIf
        Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread
        ;get the pid from the window provided
        $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hWnd, "int_ptr", 0)
        If IsArray($pid) Then
            $pid = $pid[2]
            _InjectDllByPid($pid, $dllpath)
        Else
            SetError(-3)
            Return False
        EndIf
    EndFunc

    Func _InjectDllByPid($pid, $dllpath)
        ;make sure the user passed valid parameters
        If $pid = 0 Then
            SetError(-1)
            Return False
        ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
            SetError(-2)
            Return False
        EndIf
        Local $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread
        ;open dll that we'll be using
        Local $kernel32 = DllOpen("kernel32.dll")
        ;open the process for writing
        $pHandle = _MemOpen($pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
        Local $av_Return[2] = [DllOpen('kernel32.dll')]
        Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $pid)
        If @error Then
            DllClose($av_Return[0])
            SetError(-4)
            Return False
        Else
            $av_Return[1] = $ai_Handle[0]
            Return $av_Return[1]
        EndIf
        $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4)
        If IsArray($pLibRemote) Then
            If $pLibRemote[0] > 0 Then
                ;debug
                ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
                $pLibRemote = $pLibRemote[0]
            Else
                SetError(-5)
                Return False
            EndIf
        Else
            SetError(-6)
            Return False
        EndIf
        For $i = 0 To StringLen($dllpath)
            $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
            If IsArray($ret) Then
                If $ret[0] = 0 Then
                    SetError(-7)
                    Return False
                EndIf
            Else
                SetError(-8)
                Return False
            EndIf
        Next
        $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
        If IsArray($modHandle) Then
            If $modHandle[0] > 0 Then
                $modHandle = $modHandle[0]
            Else
                SetError(-9)
                Return False
            EndIf
        Else
            SetError(-10)
            Return False
        EndIf
        $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
        If IsArray($LoadLibraryA) Then
            If $LoadLibraryA[0] > 0 Then
                $LoadLibraryA = $LoadLibraryA[0]
            Else
                SetError(-11)
                Return False
            EndIf
        Else
            SetError(-12)
            Return False
        EndIf
        $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
        If IsArray($hThread) Then
            ConsoleWrite($hThread[0] & @CR)
            If $hThread[0] > 0 Then
                $hThread = $hThread[0]
            Else
                SetError(-13)
                Return False
            EndIf
        Else
            SetError(-14)
            Return False
        EndIf
        DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
        DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
        DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)
        DllClose($kernel32)
        Return True
    EndFunc

The _MemOpen is a UDF I also came across while searching the threads.. its script is

    Func LibLoad($lpLibFileName)
        $hKrnl = DllOpen("kernel32.dll")
        $LibHandle = DllCall($hKrnl, "int", "LoadLibraryA", "str", $lpLibFileName)
        DllClose($hKrnl)
        Return $LibHandle[0]
    EndFunc

    Func LibFree($DllHandle)
        $hKrnl = DllOpen("kernel32.dll")
        $LibFreed = DllCall($hKrnl, "int", "FreeLibrary", "int", $DllHandle)
        Return $LibFreed[0]
    EndFunc

    Func GetProcAddress($hModule, $lpProcName)
        $hKrnl = DllOpen("Kernel32.dll")
        $ProcessAddy = DllCall($hKrnl, "int", "GetProcAddress", "int", $hModule, "str", $lpProcName)
        DllClose($hKrnl)
        Return $ProcessAddy[0]
    EndFunc

    Func InvokeVirtAllocEx($FuncPtr, $hProcess, $lpAddress, $dwSize, $flAllocationType, $flProtect)
        $DllInvoke = DllOpen("Invoke.dll")
        $Result = DllCall($DllInvoke, "int", "InvokeFunc", "int", $FuncPtr, "int", $hProcess, "int", $lpAddress, "int", $dwSize, "int", $flAllocationType, "int", $flProtect)
        DllClose($DllInvoke)
        Return $Result[0]
    EndFunc

    Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
        Local $av_Return[2] = [DllOpen('kernel32.dll')]
        Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid)
        If @error Then
            DllClose($av_Return[0])
            SetError(1)
            Return 0
        EndIf
        $av_Return[1] = $ai_Handle[0]
        Return $av_Return[1]
    EndFunc   ;==>_MemOpen

The script I am using them in is simple.. I gave the GUI 5 buttons for defining the files to inject but only one button to actually inject, as I plan on adding one inject button for each file button, but I want to make sure that they will work first.

    #include <ButtonConstants.au3>
    #include <GUIConstantsEx.au3>
    #include <StaticConstants.au3>
    #include <WindowsConstants.au3>
    #include <PIDhwnd.au3>
    #include <InjectPID.au3>

    #Region ### START Koda GUI section ### Form=c:\documents and settings\owner\desktop\aimbot\version+\inject.kxf
    $Form1 = GUICreate("W.P.S. Injector", 482, 179, 239, 194)
    GUISetBkColor(0x000000)
    $Label1 = GUICtrlCreateLabel("WarPathSin", 24, 0, 436, 124)
    GUICtrlSetFont(-1, 96, 800, 0, "Script")
    GUICtrlSetColor(-1, 0xFF0000)
    $Button1 = GUICtrlCreateButton(".DLL File 1", 8, 152, 75, 25, $WS_GROUP)
    $Button2 = GUICtrlCreateButton(".DLL File 2", 104, 152, 75, 25, $WS_GROUP)
    $Button3 = GUICtrlCreateButton(".DLL File 3", 208, 152, 75, 25, $WS_GROUP)
    $Button4 = GUICtrlCreateButton(".DLL File 4", 304, 152, 75, 25, $WS_GROUP)
    $Button5 = GUICtrlCreateButton(".DLL File 5", 400, 152, 75, 25, $WS_GROUP)
    $Button6 = GUICtrlCreateButton("Wait For Process", 168, 120, 115, 25, $WS_GROUP)
    GUISetState(@SW_SHOW)
    #EndRegion ### END Koda GUI section ###

    Global $ON = False

    While 1
        $nMsg = GUIGetMsg()
        Switch $nMsg
            Case $GUI_EVENT_CLOSE
                Exit
            Case $Button1
                $DllPath1 = FileOpenDialog("", @DesktopDir, "Dynamic Link Library (*.DLL)")
            Case $Button2
                $DllPath2 = FileOpenDialog("", @DesktopDir, "Dynamic Link Library (*.DLL)")
            Case $Button3
                $DllPath3 = FileOpenDialog("", @DesktopDir, "Dynamic Link Library (*.DLL)")
            Case $Button4
                $DllPath4 = FileOpenDialog("", @DesktopDir, "Dynamic Link Library (*.DLL)")
            Case $Button5
                $DllPath5 = FileOpenDialog("", @DesktopDir, "Dynamic Link Library (*.DLL)")
            Case $Button6
                ProcessWait("Notepad.exe", 100)
                While 1
                    $hWnd = WinGetProcess("Notepad.exe")
                    $sHWnd = String($hWnd)
                    _InjectDllByPid($sHWnd, $DllPath1)
                    If @error Then
                        MsgBox(-1, "", @error)
                        Exit
                    Else
                        Exit
                    EndIf
                WEnd
        EndSwitch
    WEnd

Edited September 27, 2009 by demandnothing
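From the defender's side, the observable result of a script like the one above is a DLL that appears in the target process's module list with an on-disk path outside the normal system directories (here, a file picked from the Desktop). The following PowerShell audit is an added example and is not code from this thread; the process name 'notepad' and the set of trusted directories are assumptions you would adjust for your environment.

```powershell
# Added example (not from the thread): list the modules a process has loaded and
# flag any that live outside the usual system/program directories, then report the
# Authenticode status of each flagged file. A DLL brought in via LoadLibraryA in a
# remote thread is an ordinary module from this point of view, so it shows up here.
param(
    [string]$ProcessName = 'notepad'   # assumption: the target used in the thread
)

# Assumption: modules under these roots are considered expected; tune as needed.
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    # Reading .Modules can throw for protected processes or across 32/64-bit
    # boundaries; treat such a process as "not inspectable" rather than aborting.
    try { $modules = $proc.Modules } catch { continue }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }

        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
                break
            }
        }
        if ($inTrusted) { continue }

        # Unexpected location: record where it came from and whether it is signed.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Pid       = $proc.Id
            Process   = $proc.ProcessName
            Module    = $m.ModuleName
            Path      = $path
            Signature = $sig.Status
        }
    }
}
```

An empty result means every module in the process sits under a trusted root; a row pointing at a user-writable directory such as the Desktop is the artifact worth investigating, together with the process that opened the target with PROCESS_ALL_ACCESS (0x1F0FFF) shortly before.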
jvanegmond Posted September 22, 2009

Check out the code on this: http://www.autoitscript.com/forum/index.php?showtopic=26831

Look what it does internally:

    ;get the pid from the window provided
    $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hWnd, "int_ptr", 0)
    If IsArray($pid) Then
        $pid = $pid[2]
    Else
        SetError(-3)
        Return False
    EndIf

Good luck. : )
demandnothing Posted September 22, 2009 (Author, edited)

That's exactly what I have.. my question would be: can I take out the $hWnd entirely to put the $pid in instead, or would I need to put in a DllCall to find the hwnd?

EDIT: I am really stuck on this.. that's the code I've had and have been trying to rearrange to fit my needs, but I just can't get it to return properly.

Edited September 22, 2009 by demandnothing
demandnothing Posted September 24, 2009 (Author)

Passed the 24 hour bump time.. can anybody help me figure out how to rearrange this to make it work?
spudw2k Posted September 24, 2009 (edited)

"passed 24 hour bump time.. can anybody help me figure out how to rearrange this to make it work?"

Have you actually tried using $hwnd? What if you obtain the $hwnd from the $pid, would that work?
http://www.autoitscript.com/forum/index.php?showtopic=102785&view=findpost&p=728942

Edited September 24, 2009 by spudw2k
demandnothing Posted September 25, 2009 (Author, edited)

"have you actually tried using $hwnd? What if you obtain the $hwnd from the $pid, would that work? http://www.autoitscript.com/forum/index.php?showtopic=102785&view=findpost&p=728942"

Thanks a lot man.. I just don't know if it returned properly.. 0x003900F8 << is that a correct response? I think it gave me the PID instead of the hwnd, but your suggestion sounds like it would work.

Edited September 25, 2009 by demandnothing
demandnothing Posted September 27, 2009 (Author)

BUMP~~ Edited first post.. please read.