inject into PID


I have been attempting to use this script I came across to inject a DLL into a process ID. The problem I am having is that it doesn't give me any errors, yet the injection fails. Is there something I am doing wrong, or do I need to edit something to fit my needs?

Global $i_Access
Global $i_Inherit

Func _InjectDllByHwnd($hWnd, $dllpath)
    ;make sure the user passed valid parameters
    If $hWnd <= 0 Then
        SetError(-1)
        Return False
    ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
        SetError(-2)
        Return False
    EndIf

    Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread

    ;get the pid from the window provided
    $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hWnd, "int_ptr", 0)
    If IsArray($pid) Then
        $pid = $pid[2]
        _InjectDllByPid($pid, $dllpath)
    Else
        SetError(-3)
        Return False
    EndIf

EndFunc

Func _InjectDllByPid($pid, $dllpath)
    ;make sure the user passed valid parameters
    If $pid = 0 Then
        SetError(-1)
        Return False
    ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
        SetError(-2)
        Return False
    EndIf

    Local $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread

    ;open dll that we'll be using
    Local $kernel32 = DllOpen("kernel32.dll")

    ;open the process for writing
    $pHandle = _MemOpen($pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
    Local $av_Return[2] = [DllOpen('kernel32.dll') ]
    Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $pid)
    If @error Then
        DllClose($av_Return[0])
        SetError(-4)
        Return False
    Else
        $av_Return[1] = $ai_Handle[0]
        Return $av_Return[1]
    EndIf


    $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4)
    If IsArray($pLibRemote) Then
        If $pLibRemote[0] > 0 Then
            ;debug
            ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
            $pLibRemote = $pLibRemote[0]
        Else
            SetError(-5)
            Return False
        EndIf
    Else
        SetError(-6)
        Return False
    EndIf

    For $i = 0 To StringLen($dllpath)
        $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
        If IsArray($ret) Then
            If $ret[0] = 0 Then
                SetError(-7)
                Return False
            EndIf
        Else
            SetError(-8)
            Return False
        EndIf
    Next

    $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
    If IsArray($modHandle) Then
        If $modHandle[0] > 0 Then
            $modHandle = $modHandle[0]
        Else
            SetError(-9)
            Return False
        EndIf
    Else
        SetError(-10)
        Return False
    EndIf

    $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
    If IsArray($LoadLibraryA) Then
        If $LoadLibraryA[0] > 0 Then
            $LoadLibraryA = $LoadLibraryA[0]
        Else
            SetError(-11)
            Return False
        EndIf
    Else
        SetError (-12)
        Return False
    EndIf

    $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
    If IsArray($hThread) Then
        ConsoleWrite($hThread[0] & @CR)
        If $hThread[0] > 0 Then
            $hThread = $hThread[0]
        Else
            SetError(-13)
            Return False
        EndIf
    Else
        SetError(-14)
        Return False
    EndIf

    DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
    DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
    DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)

    DllClose($kernel32)

    Return True
EndFunc

The _MemOpen is a UDF I also came across while searching the threads. Its script is:

Func LibLoad($lpLibFileName)
    $hKrnl = DllOpen("kernel32.dll")
    $LibHandle = DllCall($hKrnl, "int", "LoadLibraryA", "str", $lpLibFileName)
    DllClose($hKrnl)
    Return $LibHandle[0]
EndFunc

Func LibFree($DllHandle)
    $hKrnl = DllOpen("kernel32.dll")
    $LibFreed = DllCall($hKrnl, "int", "FreeLibrary", "int", $DllHandle)
    Return $LibFreed[0]
EndFunc

Func GetProcAddress($hModule, $lpProcName)
    $hKrnl = DllOpen("Kernel32.dll")
    $ProcessAddy = DllCall($hKrnl, "int", "GetProcAddress", "int", $hModule, "str", $lpProcName)
    DllClose($hKrnl)
    Return $ProcessAddy[0]
EndFunc

Func InvokeVirtAllocEx($FuncPtr, $hProcess, $lpAddress, $dwSize, $flAllocationType, $flProtect)
    $DllInvoke = DllOpen("Invoke.dll")
    $Result = DllCall($DllInvoke, "int", "InvokeFunc", "int", $FuncPtr, "int", $hProcess, "int", $lpAddress, "int", $dwSize, "int", $flAllocationType, "int", $flProtect)
    DllClose($DllInvoke)
    Return $Result[0]
EndFunc

Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
    Local $av_Return[2] = [DllOpen('kernel32.dll') ]
    Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid)
    If @error Then
        DllClose($av_Return[0])
        SetError(1)
        Return 0
    EndIf
    $av_Return[1] = $ai_Handle[0]
    Return $av_Return[1]
EndFunc ;==>_MemOpen

The script I am using them in is simple. I gave the GUI 5 buttons for defining the files to inject but only one button to actually inject, as I plan on adding one inject button for each file button, but I want to make sure that they will work first.

#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <PIDhwnd.au3>
#include <InjectPID.au3>
#Region ### START Koda GUI section ### Form=c:\documents and settings\owner\desktop\aimbot\version+\inject.kxf
$Form1 = GUICreate("W.P.S. Injector", 482, 179, 239, 194)
GUISetBkColor(0x000000)
$Label1 = GUICtrlCreateLabel("WarPathSin", 24, 0, 436, 124)
GUICtrlSetFont(-1, 96, 800, 0, "Script")
GUICtrlSetColor(-1, 0xFF0000)
$Button1 = GUICtrlCreateButton(".DLL File 1", 8, 152, 75, 25, $WS_GROUP)
$Button2 = GUICtrlCreateButton(".DLL File 2", 104, 152, 75, 25, $WS_GROUP)
$Button3 = GUICtrlCreateButton(".DLL File 3", 208, 152, 75, 25, $WS_GROUP)
$Button4 = GUICtrlCreateButton(".DLL File 4", 304, 152, 75, 25, $WS_GROUP)
$Button5 = GUICtrlCreateButton(".DLL File 5", 400, 152, 75, 25, $WS_GROUP)
$Button6 = GUICtrlCreateButton("Wait For Process", 168, 120, 115, 25, $WS_GROUP)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

Global $ON = False


While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $Button1
            $DllPath1 = FileOpenDialog("", @DesktopDir, "Dynamic Link Lybrary (*.DLL)")
        Case $Button2
            $DllPath2 = FileOpenDialog("", @DesktopDir, "Dynamic Link Lybrary (*.DLL)")
        Case $Button3
            $DllPath3 = FileOpenDialog("", @DesktopDir, "Dynamic Link Lybrary (*.DLL)")
        Case $Button4
            $DllPath4 = FileOpenDialog("", @DesktopDir, "Dynamic Link Lybrary (*.DLL)")
        Case $Button5
            $DllPath5 = FileOpenDialog("", @DesktopDir, "Dynamic Link Lybrary (*.DLL)")
        Case $Button6
            ProcessWait("Notepad.exe", 100)
            While 1
                $hWnd = WinGetProcess("Notepad.exe")
                $sHWnd = String($hWnd)
                    _InjectDllByPid($sHWnd, $DllPath1)
                    If @error Then
                        MsgBox(-1, "", @error)
                        Exit
                    Else
                        Exit
                    EndIf
            WEnd
    EndSwitch
WEnd
Edited by demandnothing

Check out the code on this: http://www.autoitscript.com/forum/index.php?showtopic=26831

Look what it does internally:

    ;get the pid from the window provided
    $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hWnd, "int_ptr", 0)
    If IsArray($pid) Then
        $pid = $pid[2]
    Else
        SetError(-3)
        Return False
    EndIf

Good luck. : )


That's exactly what I have. Questions would be: can I take out the $hWnd entirely to put the $pid instead, or would I need to put a DllCall to find the hWnd?

EDIT: I am really stuck on this. That's the code I've had and have been trying to rearrange to fit my needs, but I just can't get it to return properly.

Edited by demandnothing

Passed 24 hour bump time. Can anybody help me figure out how to rearrange this to make it work?

Have you actually tried using $hWnd? What if you obtain the $hWnd from the $pid, would that work?

http://www.autoitscript.com/forum/index.php?showtopic=102785&view=findpost&p=728942

Edited by spudw2k

Have you actually tried using $hWnd? What if you obtain the $hWnd from the $pid, would that work?

http://www.autoitscript.com/forum/index.php?showtopic=102785&view=findpost&p=728942

Thanks a lot man. I just don't know if it returned properly. 0x003900F8 << is that a correct response?

I think it gave me the PID instead of the hWnd, but your suggestion sounds like it would work.

Edited by demandnothing