Outshynd Posted May 28, 2006

See attached. Takes a window handle (returned by WinGetHandle) of the process into which the dll will be injected and a string path to the dll that will be injected. Example:

    $ret = _InjectDll(WinGetHandle("Calculator"), "c:\testdll.dll")
    $err = @error
    If $err < 0 Then
        MsgBox(16, $ret, $err)
    Else
        MsgBox(64, $ret, "YUP!")
    EndIf

Attachment: _InjectDll.au3
mr.underperson Posted May 28, 2006

What's it for? I mean, how would it be used? Any examples?

-mu
NegativeNrG Posted May 28, 2006

Awesome, Outshynd, this would definitely be useful for lots of people.

@underperson This is to inject a dll file into another process. This is most useful for "hackers".

My File Upload - Register at my site and upload.
mr.underperson Posted May 28, 2006

I'm glad you used quotes! But that still doesn't answer the question.

-mu
Daniel W. Posted May 28, 2006

Hi, kk here an example. Counter-Strike (I think you know it) hacks use a loader from mygot.com to inject their dlls into the hl.exe process. But Antivir and some other programs detect this as a trojan and delete it. With this you can do it easily and it won't be deleted.

Scripts: _Encrypt UDF, _UniquePCCode UDF, MS like calculator, Install programm *UPDATED*
Helge (Jul 26 2006, 10:22 AM): "Have you ever tried surfing the internet with a milk-carton? This is similar to what you're trying to do."
Busti Posted May 28, 2006 (edited)

ex:

    ; wait until the active window is Counter-Strike (Not binds tighter than = in AutoIt, so compare with <>)
    While StringLower(WinGetTitle("")) <> "counter-strike"
        Sleep(1)
    WEnd
    ; look the window up by its real title; WinGetHandle matches case-sensitively
    $hWnd = WinGetHandle(WinGetTitle(""))
    $ret = _InjectDll($hWnd, @ScriptDir & "\DaRkNesse.dll")
    $err = @error
    If $err < 0 Then
        MsgBox(16, $ret, $err)
    Else
        MsgBox(64, $ret, "WorkEd")
    EndIf

Edited May 28, 2006 by Busti

My UDF's: Started on 06.06.2006. _CaseSearchOrReplaceStr() ;~> Searches OR Replaces a String, ;~> With or Without Case sensitivity
mr.underperson Posted May 28, 2006

Thanks guys, but I understand the concept, I was more looking for examples of how one might legitimately use this kind of functionality in the real world (and that doesn't include games!). In other words; an actual example that *does something*. I presume, once injected, you can hook in and take over the process, make it do stuff it wasn't intended to do, stuff that's in your dll, somehow. It sounds interesting, albeit a bit nefarious.

-mu
Busti Posted May 28, 2006

Hey Outshynd, can you make a function to create a new thread, for faster working with AutoIt?
Outshynd Posted May 28, 2006 (Author)

> Thanks guys, but I understand the concept, I was more looking for examples of how one might legitimately use this kind of functionality in the real world (and that doesn't include games!). In other words; an actual example that *does something*. I presume, once injected, you can hook in and take over the process, make it do stuff it wasn't intended to do, stuff that's in your dll, somehow. It sounds interesting, albeit a bit nefarious.
> -mu

Injected dlls written in C/C++ can add functionality to programs/games, depending on what you want to do. For instance, if you don't like Notepad's "Find" function (CTRL+F) because it doesn't continue on to the top of the text if you start finding in the middle of a file, you could inject a dll that overwrites its Find function with your own. Obviously, that's not very efficient, but you get the idea.

I mainly wrote this for game 'hacking,' though hacking is a big misnomer these days. It can be used for almost anything, though.
w0uter Posted May 29, 2006

Hi Outshynd, I thought you died. A suggestion: instead of injecting it in a window handle, why not support other things like a PID?

My UDF's: mem stuff: _Mem; ftp stuff: _FTP (OLD); inet stuff: _INetGetSource (OLD), _INetGetImage, _INetBrowse (Collection), _EncodeUrl, _NetStat, _Google; random stuff: _iPixelSearch, _DiceRoll
Outshynd Posted May 29, 2006 (Author)

Yeah, I thought about that a little later than I should've. When I get up tomorrow I'll add a function that returns a PID from a hWnd and then clip off the top part of the Inject function so that it takes a PID; that way, people can do it any way they want.
mr.underperson Posted May 29, 2006

Thanks, it looks like useful stuff, but I'm still clueless as to how one might go about implementing the actual replacement code, hooking in and what-not. I've just started playing with C and dll's, and I can think of quite a few applications I'd like to hook into. Does anyone have any actual working examples? I'd love to play with this, but I'd prefer not to mess around googling for hours first, if possible. Cheers!

-mu
JoshDB Posted May 29, 2006

An example would be a German group of hackers injecting their client-side Everquest II.exe with a custom media player. That way, they can change songs without alt-tabbing out of the game.

Ha, I haven't been on these forums since... 2006, almost. Behold, my legacy signature: My AutoIt idol is Valuater. You know you love him, too. My Stuff: D&D AGoT Tools Suite
WSCPorts Posted May 30, 2006

Had some major problems with the VirtualAllocEx function, and then the OpenProcess func didn't wanna work, so I resorted to using w0uter's funcs and a mix of my dll invoke feature. A point of advice: if you use this dll, don't use a DllOpen handle with it, it causes strange errors; use a LibLoad / LibFree pair, works much better ;] So as for these changes I made to get it working on 2003 Server SP1, should work for you too:

    Func LibLoad($lpLibFileName)
        $hKrnl = DllOpen("kernel32.dll")
        $LibHandle = DllCall($hKrnl, "int", "LoadLibraryA", "str", $lpLibFileName)
        DllClose($hKrnl)
        Return $LibHandle[0]
    EndFunc

    Func LibFree($DllHandle)
        $hKrnl = DllOpen("kernel32.dll")
        $LibFreed = DllCall($hKrnl, "int", "FreeLibrary", "int", $DllHandle)
        DllClose($hKrnl) ; release the DllOpen handle (was missing)
        Return $LibFreed[0]
    EndFunc

    Func GetProcAddress($hModule, $lpProcName)
        $hKrnl = DllOpen("Kernel32.dll")
        $ProcessAddy = DllCall($hKrnl, "int", "GetProcAddress", "int", $hModule, "str", $lpProcName)
        DllClose($hKrnl)
        Return $ProcessAddy[0]
    EndFunc

    ; Invoke.dll is the poster's own helper: InvokeFunc calls the function pointer with the given arguments
    Func InvokeVirtAllocEx($FuncPtr, $hProcess, $lpAddress, $dwSize, $flAllocationType, $flProtect)
        $DllInvoke = DllOpen("Invoke.dll")
        $Result = DllCall($DllInvoke, "int", "InvokeFunc", "int", $FuncPtr, "int", $hProcess, "int", $lpAddress, "int", $dwSize, "int", $flAllocationType, "int", $flProtect)
        DllClose($DllInvoke)
        Return $Result[0]
    EndFunc

    Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
        Local $av_Return[2] = [DllOpen('kernel32.dll')]
        Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid)
        If @error Then
            DllClose($av_Return[0])
            SetError(1)
            Return 0
        EndIf
        DllClose($av_Return[0]) ; release the DllOpen handle on the success path too
        $av_Return[1] = $ai_Handle[0]
        Return $av_Return[1]
    EndFunc   ;==>_MemOpen

    #include-once
    #include <invOllyOut.au3>

    Func _InjectDll($hWnd, $dllpath)
        ;make sure the user passed valid parameters
        If $hWnd <= 0 Then
            SetError(-1)
            Return False
        ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
            SetError(-2)
            Return False
        EndIf

        Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread

        ;open dll that we'll be using
        Local $kernel32 = DllOpen("kernel32.dll")

        ;get the pid from the window provided (WinGetProcess returns -1 on failure)
        $pid = WinGetProcess($hWnd)
        If $pid <= 0 Then
            SetError(-3)
            Return False
        EndIf

        ;open the process for writing
        $pHandle = _MemOpen($pid)
        If $pHandle <= 0 Then
            SetError(-4)
            Return False
        EndIf

        ;allocate a buffer in the target for the dll path via the poster's Invoke.dll
        $hKrnl = LibLoad("Kernel32.dll")
        $ProcAddressPtr = GetProcAddress($hKrnl, "VirtualAllocEx")
        $pLibRemote = InvokeVirtAllocEx($ProcAddressPtr, $pHandle, 0, 1024, 0x1000, 0x40)
        LibFree($hKrnl)
        If $pLibRemote <= 0 Then
            SetError(-5)
            Return False
        EndIf

        ;write the path one byte at a time; the last iteration writes the terminating null (Asc("") is 0)
        For $i = 0 To StringLen($dllpath)
            $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
            If IsArray($ret) Then
                If $ret[0] = 0 Then
                    SetError(-7)
                    Return False
                EndIf
            Else
                SetError(-8)
                Return False
            EndIf
        Next

        ;resolve LoadLibraryA in our own kernel32; it is mapped at the same address in the target
        $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
        If IsArray($modHandle) Then
            If $modHandle[0] > 0 Then
                $modHandle = $modHandle[0]
            Else
                SetError(-9)
                Return False
            EndIf
        Else
            SetError(-10)
            Return False
        EndIf

        $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
        If IsArray($LoadLibraryA) Then
            If $LoadLibraryA[0] > 0 Then
                $LoadLibraryA = $LoadLibraryA[0]
            Else
                SetError(-11)
                Return False
            EndIf
        Else
            SetError(-12)
            Return False
        EndIf

        ;start a thread in the target whose start routine is LoadLibraryA and whose argument is the path buffer
        $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
        If IsArray($hThread) Then
            ConsoleWrite($hThread[0] & @CR)
            If $hThread[0] > 0 Then
                $hThread = $hThread[0]
            Else
                SetError(-13)
                Return False
            EndIf
        Else
            SetError(-14)
            Return False
        EndIf

        ;MEM_RELEASE (0x8000) expects a size of 0, so this call fails and the buffer is left in place
        DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
        DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
        DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)
        DllClose($kernel32)
        Return True
    EndFunc

You need MY DLL in order for this version to work [if his version does not work for you]. TY SO MUCH Outshynd for hooking up CreateRemoteThread.

http://www.myclanhosting.com/defias - Visit, join and contribute to a soon-to-be leader in customized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32]
mr.underperson Posted May 30, 2006

Now THAT is an example!

-mu
Busti Posted June 14, 2006 (edited)

This won't work for me:

    FileDelete("debug.txt")

    ; strip the directory part of the script path to get the bare file name
    $rstring = @ScriptFullPath
    While StringInStr($rstring, "\")
        $rstring = StringTrimLeft($rstring, 1)
        Sleep(1)
    WEnd

    ; find the extension dot from the right
    $test = ""
    $i = 0
    While 1
        $i += 1
        $test = StringRight(StringTrimRight($rstring, $i), 1)
        If StringInStr($test, ".") Then ExitLoop
        Sleep(1)
    WEnd
    ; same base name as the script, with a .dll extension
    $newname = StringLeft($rstring, (StringLen($rstring) - ($i + 1))) & ".dll"

    ; wait until Counter-Strike is the active window
    While 1
        Sleep(1)
        If WinGetTitle("") == "Counter-Strike" Then
            ExitLoop
        EndIf
    WEnd

    $hndl = WinGetTitle("")
    $hWnd = WinGetHandle($hndl)
    $ret = _InjectDll($hWnd, @ScriptDir & "\" & $newname)
    $err = @error
    If $err < 0 Then
        MsgBox(16, $ret, $err & @CRLF & "-Hat nicht funktioniert!")
        FileWrite("debug.txt", _
            "//Used .DLL :" & $newname & @CRLF & _
            "//WindowHandle :" & $hndl & @CRLF & _
            "//HWnd :" & $hWnd & @CRLF & _
            "//ErrorCode :" & $err & @CRLF & _
            "//Dll NOT Injectet !")
    Else
        ; success branch (the pasted version repeated the failure text here; the debug output below shows the intended lines)
        FileWrite("debug.txt", _
            "//Used .DLL :" & $newname & @CRLF & _
            "//WindowHandle :" & $hndl & @CRLF & _
            "//HWnd :" & $hWnd & @CRLF & _
            "//ErrorCode :" & $err & @CRLF & _
            "//Dll Injectet !")
    EndIf

    Func _InjectDll($hWnd, $dllpath)
        ;make sure the user passed valid parameters
        If $hWnd <= 0 Then
            SetError(-1)
            Return False
        ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
            SetError(-2)
            Return False
        EndIf

        Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread

        ;open dll that we'll be using
        Local $kernel32 = DllOpen("kernel32.dll")

        ;get the pid from the window provided (element 2 of the result is the by-reference output)
        $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hWnd, "int_ptr", 0)
        If IsArray($pid) Then
            $pid = $pid[2]
        Else
            SetError(-3)
            Return False
        EndIf

        ;open the process for writing
        $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid)
        If IsArray($pHandle) And $pHandle[0] > 0 Then
            $pHandle = $pHandle[0]
        Else
            SetError(-4)
            Return False
        EndIf

        ;allocate a page in the target for the dll path (MEM_COMMIT, PAGE_READWRITE)
        $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "int", 0, "int", 0x1000, "int", 0x1000, "int", 4)
        If IsArray($pLibRemote) Then
            If $pLibRemote[0] > 0 Then
                ;debug
                ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
                $pLibRemote = $pLibRemote[0]
            Else
                SetError(-5)
                Return False
            EndIf
        Else
            SetError(-6)
            Return False
        EndIf

        ;write the path one byte at a time; the last iteration writes the terminating null (Asc("") is 0)
        For $i = 0 To StringLen($dllpath)
            $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
            If IsArray($ret) Then
                If $ret[0] = 0 Then
                    SetError(-7)
                    Return False
                EndIf
            Else
                SetError(-8)
                Return False
            EndIf
        Next

        ;resolve LoadLibraryA in our own kernel32; it is mapped at the same address in the target
        $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
        If IsArray($modHandle) Then
            If $modHandle[0] > 0 Then
                $modHandle = $modHandle[0]
            Else
                SetError(-9)
                Return False
            EndIf
        Else
            SetError(-10)
            Return False
        EndIf

        $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
        If IsArray($LoadLibraryA) Then
            If $LoadLibraryA[0] > 0 Then
                $LoadLibraryA = $LoadLibraryA[0]
            Else
                SetError(-11)
                Return False
            EndIf
        Else
            SetError(-12)
            Return False
        EndIf

        ;start a thread in the target whose start routine is LoadLibraryA and whose argument is the path buffer
        $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
        If IsArray($hThread) Then
            ConsoleWrite($hThread[0] & @CR)
            If $hThread[0] > 0 Then
                $hThread = $hThread[0]
            Else
                SetError(-13)
                Return False
            EndIf
        Else
            SetError(-14)
            Return False
        EndIf

        ;MEM_RELEASE (0x8000) expects a size of 0, so this call fails and the buffer is left in place
        DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
        DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
        DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)
        DllClose($kernel32)
        Return True
    EndFunc

Output in debug.txt:

    //Used .DLL :inject.dll
    //WindowHandle :Counter-Strike
    //HWnd :0x001604FC
    //ErrorCode :0
    //Dll Injectet !

It injected, but won't work.

Edited June 14, 2006 by Busti
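Both injector versions posted above end the same way: OpenProcess on the target, a buffer written with WriteProcessMemory, then CreateRemoteThread with kernel32's LoadLibraryA as the start routine and that buffer as its argument. That last step is what endpoint telemetry records, so here is the matching detection logic as an added example; it is not code from this thread or from any of its posters. It is a small Python rule over records laid out like Sysmon Event ID 8 (CreateRemoteThread), whose real fields include SourceImage, TargetImage, StartModule and StartFunction, and it flags a cross-process thread whose start routine is a LoadLibrary* export. The sample records, the image paths and PIDs in them, and the benign-source allowlist are constructed assumptions for this example, not real telemetry from any host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records in the shape of Sysmon Event ID 8 message text.
# None of this is real telemetry; paths and PIDs are made up for the example.
SAMPLE_EVENTS = """\
SourceImage: C:\\Tools\\injector.exe
SourceProcessId: 4120
TargetImage: C:\\Windows\\System32\\calc.exe
TargetProcessId: 2264
StartModule: C:\\Windows\\System32\\KERNEL32.DLL
StartFunction: LoadLibraryA
---
SourceImage: C:\\Windows\\System32\\csrss.exe
SourceProcessId: 612
TargetImage: C:\\Program Files\\Example\\app.exe
TargetProcessId: 3380
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: RtlUserThreadStart
---
SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe
SourceProcessId: 5016
TargetImage: C:\\Games\\hl.exe
TargetProcessId: 4488
StartModule: C:\\Windows\\System32\\KERNEL32.DLL
StartFunction: LoadLibraryW
---
SourceImage: C:\\Program Files\\Example\\app.exe
SourceProcessId: 3380
TargetImage: C:\\Program Files\\Example\\app.exe
TargetProcessId: 3380
StartModule: C:\\Windows\\System32\\KERNEL32.DLL
StartFunction: LoadLibraryA
"""

# Thread start routines that mean "load the DLL whose path is the thread argument".
LOADLIBRARY_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Assumed allowlist of source images that legitimately create remote threads;
# this is an assumption for the example and must be tuned per environment.
ASSUMED_BENIGN_SOURCES = {"csrss.exe"}

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


@dataclass
class RemoteThreadEvent:
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    start_module: str
    start_function: str


def parse_events(text: str) -> List[RemoteThreadEvent]:
    """Parse '---'-separated blocks of 'Field: value' lines into events."""
    events: List[RemoteThreadEvent] = []
    for block in text.split("---"):
        fields: Dict[str, str] = {}
        for line in block.strip().splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if not fields:
            continue
        events.append(RemoteThreadEvent(
            source_image=fields.get("SourceImage", ""),
            source_pid=int(fields.get("SourceProcessId", "0")),
            target_image=fields.get("TargetImage", ""),
            target_pid=int(fields.get("TargetProcessId", "0")),
            start_module=fields.get("StartModule", ""),
            start_function=fields.get("StartFunction", ""),
        ))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (module names are case-insensitive)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: RemoteThreadEvent) -> Optional[str]:
    """Return an alert string if the event matches the LoadLibrary remote-thread
    pattern, or None if the event does not match."""
    if ev.source_pid == ev.target_pid:
        return None  # a process starting a thread in itself
    if ev.start_function not in LOADLIBRARY_FUNCTIONS:
        return None  # some other start routine
    if basename(ev.start_module) not in {"kernel32.dll", "kernelbase.dll"}:
        return None  # LoadLibrary* lives in kernel32/kernelbase; anything else is a different export
    if basename(ev.source_image) in ASSUMED_BENIGN_SOURCES:
        return None
    return (f"{basename(ev.source_image)} (pid {ev.source_pid}) started a "
            f"{ev.start_function} thread in {basename(ev.target_image)} "
            f"(pid {ev.target_pid}): probable DLL injection")


def find_injections(text: str) -> List[str]:
    """Run the rule over a log text and return one alert line per matching event."""
    return [r for r in (classify(ev) for ev in parse_events(text)) if r]


if __name__ == "__main__":
    for alert in find_injections(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints one alert per match: in the constructed sample the two loader-style events are flagged, the csrss.exe event is ignored because its start routine is not a LoadLibrary export, and the last event is ignored because source and target PIDs are the same process. The rule covers exactly the sequence this thread's code performs; a remote thread started at an address that is not a named export does not match it, so it is a starting point to pair with other telemetry rather than a complete detection.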
Bounda Posted June 14, 2006

This just turned my h4xx0r senses on x.x. I want to write a dll for Diablo II, and some type of anti-detection, but I have no idea where to start learning. Can I get a link to learning dll crap?

CS:S Aimbot - List From INI Funcs
Daniel W. Posted June 14, 2006

If you want to write a dll to protect you against Warden you need to learn much, because Warden is ... let's say ... godlike ^^
Bounda Posted June 14, 2006

I know, but Warden runs on the client's comp, and it isn't running the whole time, so when it isn't running, inject the dll, enable the map, then uninject it with the map fully viewable. This is a theory though.
Daniel W. Posted June 14, 2006

I know, but it's very difficult to write a maphack and to get the moment it isn't running.