Outshynd

_InjectDll UDF

46 posts in this topic

See attached. Takes a window handle (returned by WinGetHandle) of the process into which the dll will be injected and a string path to the dll that will be injected.

Example:

$ret = _InjectDll(WinGetHandle("Calculator"), "c:\testdll.dll")
$err = @error
If $err < 0 Then
    MsgBox(16, $ret, $err)
Else
    MsgBox(64, $ret, "YUP!")
EndIf

_InjectDll.au3




What's it for?

I mean, how would it be used? Any examples?

-mu


Awesome, Outshynd, this would definitely be useful for lots of people.

@underperson

This is to Inject a dll file into another process.

This is most useful for "hackers".




I'm glad you used quotes!

But that still doesn't answer the question.

-mu


Hi,

OK, here's an example.

Counter-Strike (I think you know it) hacks use a loader from mygot.com to inject their dlls into the hl.exe process. But Antivir and some other programs detect this as a trojan and delete it. With this you can do it easily and it won't be deleted :)




#6 ·  Posted (edited)

ex :

; wait until the active window is Counter-Strike, then inject into it
; (the posted loop used "Not ... = ..." which AutoIt parses as "(Not x) = y"; <> is what was meant)
While StringLower(WinGetTitle("")) <> "counter-strike"
    Sleep(1)
WEnd
; match the handle by the real title: WinGetHandle's title match is case-sensitive,
; so passing the lower-cased title would fail to find the window
$hWnd = WinGetHandle(WinGetTitle(""))
$ret = _InjectDll($hWnd, @ScriptDir & "\DaRkNesse.dll") ; the posted version never assigned $ret before using it below
$err = @error
If $err < 0 Then
    MsgBox(16, $ret, $err)
Else
    MsgBox(64, $ret, "WorkEd")
EndIf
Edited by Busti



Thanks guys, but I understand the concept, I was more looking for examples of how one might legitimately use this kind of functionality in the real world (and that doesn't include games!). In other words; an actual example that *does something*.

I presume, once injected, you can hook in and take over the process, make it do stuff it wasn't intended to do, stuff that's in your dll, somehow. It sounds interesting, albeit a bit nefarious.

-mu


Hey Outshynd,

can you make a function to create a new thread, for faster working with AutoIt?




Injected dlls written in C/++ can add functionality to programs/games, depending on what you want to do. For instance, if you don't like Notepad's "Find" function (CTRL+F) because it doesn't continue on to the top of the text if you start finding in the middle of a file, you could inject a dll that overwrites its Find function with your own. Obviously, that's not very efficient, but you get the idea.

I mainly wrote this for game 'hacking,' though hacking is a big misnomer these days. It can be used for almost anything, though.


Yeah, I thought about that a little later than I should've. When I get up tomorrow I'll add a function that returns a PID from a hWnd and then clip off the top part of the Inject function so that it takes a PID; that way, people can do it any way they want.


Thanks, it looks like useful stuff, but I'm still clueless as to how one might go about implementing the actual replacement code, hooking in and what-not. I've just started playing with C and dll's, and I can think of quite a few applications I'd like to hook into.

Does anyone have any actual working examples? I'd love to play with this, but I'd prefer not to mess around googling for hours first, if possible.

cheers!

-mu


An example would be a German group of hackers injecting their client-side Everquest II.exe with a custom media player - That way, they can change songs without alt-tabbing out of the game.




Had some major problems with the VirtualAllocEx function, and then the OpenProcess func didn't want to work, so I resorted to using w0oter's funcs and a mix of my dll invoke feature. A point of advice: if you use this dll, don't use a DllOpen handle with it, because it causes strange errors; use a LibLoad / LibFree pair, it works much better ;]

So here are the changes I made to get it working on 2003 Server SP1; it should work for you too.

Func LibLoad($lpLibFileName)
    ; LoadLibraryA into our own process; returns the module handle (0 on failure)
    Local $hKrnl = DllOpen("kernel32.dll")
    Local $LibHandle = DllCall($hKrnl, "int", "LoadLibraryA", "str", $lpLibFileName)
    DllClose($hKrnl)
    Return $LibHandle[0]
EndFunc ;==>LibLoad

Func LibFree($DllHandle)
    ; FreeLibrary counterpart of LibLoad
    Local $hKrnl = DllOpen("kernel32.dll")
    Local $LibFreed = DllCall($hKrnl, "int", "FreeLibrary", "int", $DllHandle)
    DllClose($hKrnl) ; the posted version leaked this handle on every call
    Return $LibFreed[0]
EndFunc ;==>LibFree

Func GetProcAddress($hModule, $lpProcName)
    ; resolve an export of a module loaded in our own process
    Local $hKrnl = DllOpen("kernel32.dll")
    Local $ProcessAddy = DllCall($hKrnl, "int", "GetProcAddress", "int", $hModule, "str", $lpProcName)
    DllClose($hKrnl)
    Return $ProcessAddy[0]
EndFunc ;==>GetProcAddress

Func InvokeVirtAllocEx($FuncPtr, $hProcess, $lpAddress, $dwSize, $flAllocationType, $flProtect)
    ; calls VirtualAllocEx through the poster's own Invoke.dll (InvokeFunc) instead of a direct DllCall
    Local $DllInvoke = DllOpen("Invoke.dll")
    Local $Result = DllCall($DllInvoke, "int", "InvokeFunc", "int", $FuncPtr, "int", $hProcess, "int", $lpAddress, "int", $dwSize, "int", $flAllocationType, "int", $flProtect)
    DllClose($DllInvoke)
    Return $Result[0]
EndFunc ;==>InvokeVirtAllocEx

Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
    ; OpenProcess wrapper: returns the process handle, or 0 with @error = 1 on failure
    Local $hKrnl = DllOpen("kernel32.dll")
    Local $ai_Handle = DllCall($hKrnl, "int", "OpenProcess", "int", $i_Access, "int", $i_Inherit, "int", $i_Pid)
    Local $iErr = @error
    DllClose($hKrnl) ; the posted version kept this handle open forever
    If $iErr Then
        SetError(1)
        Return 0
    EndIf
    Return $ai_Handle[0]
EndFunc ;==>_MemOpen

#include-once
#include <invOllyOut.au3>

; Inject $dllpath into the process that owns $hWnd: write the path into the target's
; memory, then start a remote thread at kernel32!LoadLibraryA with that path as its argument.
; Returns True on success, otherwise False with a negative @error code.
Func _InjectDll($hWnd, $dllpath)
    ;make sure the user passed valid parameters
    If $hWnd <= 0 Then
        SetError(-1)
        Return False
    ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
        SetError(-2)
        Return False
    EndIf

    Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread
    Local $hKrnl, $ProcAddressPtr, $ret, $i

    ;open dll that we'll be using
    Local $kernel32 = DllOpen("kernel32.dll")

    ;get the pid from the window provided (WinGetProcess returns -1 when the window is not found)
    $pid = WinGetProcess($hWnd)
    If $pid <= 0 Then
        SetError(-3)
        Return False
    EndIf

    ;open the process for writing
    $pHandle = _MemOpen($pid)
    If $pHandle <= 0 Then
        SetError(-4)
        Return False
    EndIf

    ;reserve a 1024-byte buffer in the target for the path; VirtualAllocEx is reached
    ;through Invoke.dll because a direct DllCall failed for the poster (see above)
    $hKrnl = LibLoad("Kernel32.dll")
    $ProcAddressPtr = GetProcAddress($hKrnl, "VirtualAllocEx")
    $pLibRemote = InvokeVirtAllocEx($ProcAddressPtr, $pHandle, 0, 1024, 0x1000, 0x40)
    LibFree($hKrnl) ;balance the LibLoad above (the posted version never freed it)
    If $pLibRemote <= 0 Then
        SetError(-5)
        Return False
    EndIf

    ;copy the path one byte at a time; the loop runs to StringLen inclusive, so the
    ;last iteration writes Asc("") = 0 as the terminating NUL
    For $i = 0 To StringLen($dllpath)
        $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
        If IsArray($ret) Then
            If $ret[0] = 0 Then
                SetError(-7)
                Return False
            EndIf
        Else
            SetError(-8)
            Return False
        EndIf
    Next

    ;resolve LoadLibraryA in our own copy of kernel32
    $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
    If IsArray($modHandle) Then
        If $modHandle[0] > 0 Then
            $modHandle = $modHandle[0]
        Else
            SetError(-9)
            Return False
        EndIf
    Else
        SetError(-10)
        Return False
    EndIf

    $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
    If IsArray($LoadLibraryA) Then
        If $LoadLibraryA[0] > 0 Then
            $LoadLibraryA = $LoadLibraryA[0]
        Else
            SetError(-11)
            Return False
        EndIf
    Else
        SetError(-12)
        Return False
    EndIf

    ;start a thread in the target whose entry point is LoadLibraryA and whose argument is the remote path buffer
    $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
    If IsArray($hThread) Then
        ConsoleWrite($hThread[0] & @CR) ;debug
        If $hThread[0] > 0 Then
            $hThread = $hThread[0]
        Else
            SetError(-13)
            Return False
        EndIf
    Else
        SetError(-14)
        Return False
    EndIf

    ;attempt to release the remote buffer and close the handles (return values are not checked)
    DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
    DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
    DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)

    DllClose($kernel32)

    Return True
EndFunc ;==>_InjectDll

You need MY DLL in order for this version to work :[if his version does not work for you]:

TY SO MUCH Outshynd for hooking up CreateRemoteThread :)


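From the defender's side, the UDF above leaves a very recognisable footprint: a thread created in another process whose start routine is kernel32!LoadLibraryA. The following is an added example, not code from this thread or its authors: a small Python detector that runs over Sysmon Event ID 8 (CreateRemoteThread) records and flags exactly that pattern. The log lines, image paths and thread ids are constructed, and the flat "Key=Value" layout is this example's own simplified rendering of the Sysmon fields, not Sysmon's XML.

```python
import re
from dataclasses import dataclass

# LoadLibrary entry points that the UDF above resolves with GetProcAddress and hands
# to CreateRemoteThread as the start routine (A/W/Ex variants included for completeness).
LOADLIB_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
LOADLIB_MODULES = {"kernel32.dll", "kernelbase.dll"}  # kernel32 forwards to KernelBase on newer Windows

# Constructed sample records (not real telemetry), one per line: an AutoIt script injecting
# into hl.exe, a benign cross-process thread from csrss, a same-process LoadLibrary thread,
# and an unrelated Event ID 1 record that must be ignored.
SAMPLE_LOG = r"""
EventID=8 SourceImage=C:\Tools\AutoIt3\AutoIt3.exe TargetImage=C:\Games\Half-Life\hl.exe NewThreadId=3120 StartModule=C:\Windows\System32\kernel32.dll StartFunction=LoadLibraryA
EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\notepad.exe NewThreadId=2204 StartModule=C:\Windows\System32\ntdll.dll StartFunction=RtlExitUserThread
EventID=8 SourceImage=C:\Games\Half-Life\hl.exe TargetImage=C:\Games\Half-Life\hl.exe NewThreadId=2277 StartModule=C:\Windows\System32\kernel32.dll StartFunction=LoadLibraryA
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe
"""

def parse_record(line: str) -> dict:
    """Split 'Key=Value Key2=Value2 ...' into a dict. Values are Windows paths that
    may contain spaces, so split only on a space that is directly followed by 'Key='."""
    fields = {}
    for token in re.split(r" (?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        if key:
            fields[key] = value
    return fields

@dataclass
class Finding:
    source: str
    target: str
    thread_id: str
    reason: str

def classify(rec: dict) -> "Finding | None":
    """Flag a CreateRemoteThread record whose start routine is LoadLibrary* and whose
    creator is a different process: the footprint of the _InjectDll technique."""
    if rec.get("EventID") != "8":
        return None
    src, tgt = rec.get("SourceImage", ""), rec.get("TargetImage", "")
    if src.lower() == tgt.lower():
        return None  # thread created inside its own process: not injection
    func = rec.get("StartFunction", "")
    module = rec.get("StartModule", "").rsplit("\\", 1)[-1].lower()
    if func in LOADLIB_FUNCS and module in LOADLIB_MODULES:
        return Finding(src, tgt, rec.get("NewThreadId", "?"),
                       f"remote thread starts at {module}!{func} (LoadLibrary injection)")
    return None

def scan(log_text: str) -> list:
    """Run classify() over every non-empty line and collect the findings."""
    records = (parse_record(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(classify, records) if f is not None]
```

Same-process LoadLibrary threads are deliberately ignored, since plugin hosts create those all the time; in a real deployment you would also allow-list known legitimate cross-process sources (debuggers, some AV agents) by SourceImage.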


Now THAT is an example!

-mu


#16 ·  Posted (edited)

This won't work for me :D

; derive "<scriptname>.dll" from the running script's own file name
FileDelete("debug.txt")
$rstring = @ScriptFullPath
While StringInStr($rstring, "\")
    $rstring = StringTrimLeft($rstring, 1) ; strip the directory part one character at a time
WEnd
$test = ""
$i = 0
While 1
    $i += 1
    $test = StringRight(StringTrimRight($rstring, $i), 1)
    If StringInStr($test, ".") Then ExitLoop ; $i is now the length of the extension
WEnd
$newname = StringLeft($rstring, StringLen($rstring) - ($i + 1)) & ".dll"

; wait until Counter-Strike is the active window, then inject into it
While 1
    Sleep(1)
    If WinGetTitle("") == "Counter-Strike" Then ExitLoop
WEnd
$hndl = WinGetTitle("")
$hWnd = WinGetHandle($hndl)
$ret = _InjectDll($hWnd, @ScriptDir & "\" & $newname)
$err = @error
If $err < 0 Then
    MsgBox(16, $ret, $err & @CRLF & "-Hat nicht funktioniert!")
    FileWrite("debug.txt", _
              "//Used .DLL  :" & $newname & @CRLF & _
              "//WindowHandle   :" & $hndl & @CRLF & _
              "//HWnd       :" & $hWnd & @CRLF & _
              "//ErrorCode :" & $err & @CRLF & _
              "//Dll NOT Injectet !")
Else
    ; the posted version wrote "NOT Injectet" on both branches; this matches the debug.txt shown below
    FileWrite("debug.txt", _
              "//Used .DLL  :" & $newname & @CRLF & _
              "//WindowHandle   :" & $hndl & @CRLF & _
              "//HWnd       :" & $hWnd & @CRLF & _
              "//ErrorCode :" & $err & @CRLF & _
              "//Dll Injectet !")
EndIf

; Inject $dllpath into the process that owns $hWnd: write the path into the target's
; memory, then start a remote thread at kernel32!LoadLibraryA with that path as its argument.
; Returns True on success, otherwise False with a negative @error code.
Func _InjectDll($hWnd, $dllpath)
    ;make sure the user passed valid parameters
    If $hWnd <= 0 Then
        SetError(-1)
        Return False
    ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
        SetError(-2)
        Return False
    EndIf

    Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread, $ret, $i

    ;open dll that we'll be using
    Local $kernel32 = DllOpen("kernel32.dll")

    ;get the pid from the window provided ("int_ptr" is an out parameter; DllCall returns it in element [2])
    $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hWnd, "int_ptr", 0)
    If IsArray($pid) Then
        $pid = $pid[2]
    Else
        SetError(-3)
        Return False
    EndIf

    ;open the process for writing
    $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid)
    If IsArray($pHandle) And $pHandle[0] > 0 Then
        $pHandle = $pHandle[0]
    Else
        SetError(-4)
        Return False
    EndIf

    ;reserve a 0x1000-byte read/write buffer in the target for the path (lpAddress was typed "short" in the posted version)
    $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "int", 0, "int", 0x1000, "int", 0x1000, "int", 4)
    If IsArray($pLibRemote) Then
        If $pLibRemote[0] > 0 Then
            ;debug
            ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
            $pLibRemote = $pLibRemote[0]
        Else
            SetError(-5)
            Return False
        EndIf
    Else
        SetError(-6)
        Return False
    EndIf

    ;copy the path one byte at a time; the loop runs to StringLen inclusive, so the
    ;last iteration writes Asc("") = 0 as the terminating NUL
    For $i = 0 To StringLen($dllpath)
        $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
        If IsArray($ret) Then
            If $ret[0] = 0 Then
                SetError(-7)
                Return False
            EndIf
        Else
            SetError(-8)
            Return False
        EndIf
    Next

    ;resolve LoadLibraryA in our own copy of kernel32
    $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
    If IsArray($modHandle) Then
        If $modHandle[0] > 0 Then
            $modHandle = $modHandle[0]
        Else
            SetError(-9)
            Return False
        EndIf
    Else
        SetError(-10)
        Return False
    EndIf

    $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
    If IsArray($LoadLibraryA) Then
        If $LoadLibraryA[0] > 0 Then
            $LoadLibraryA = $LoadLibraryA[0]
        Else
            SetError(-11)
            Return False
        EndIf
    Else
        SetError(-12)
        Return False
    EndIf

    ;start a thread in the target whose entry point is LoadLibraryA and whose argument is the remote path buffer
    $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
    If IsArray($hThread) Then
        ConsoleWrite($hThread[0] & @CR) ;debug
        If $hThread[0] > 0 Then
            $hThread = $hThread[0]
        Else
            SetError(-13)
            Return False
        EndIf
    Else
        SetError(-14)
        Return False
    EndIf

    ;attempt to release the remote buffer and close the handles (return values are not checked)
    DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
    DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
    DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)

    DllClose($kernel32)

    Return True
EndFunc ;==>_InjectDll
//Used .DLL     :inject.dll
//WindowHandle  :Counter-Strike
//HWnd      :0x001604FC
//ErrorCode :0
//Dll Injectet !

It injected, but won't work :D

Edited by Busti



This just turned my h4xx0r senses on x . x, I want to write a dll for Diablo II, and some type of anti-detection, but I have no idea where to start learning, can I get a link to learning dll crap?


If you want to write a dll to protect you against Warden you need to learn a lot, because Warden is ... let's say ... godlike ^^




I know, but Warden runs on the client's comp, and it isn't running the whole time, so when it isn't running, inject the dll, enable the map, then uninject it with the map fully viewable, this is a theory though


I know, but it's very difficult to write a maphack and to catch the moment it isn't running


