
Process Injection



Hi all,

I'm new to AutoIt. I found some code that injects a DLL into a process.

But it's not working :P — I get an error like "The instruction at ... referenced memory at ... The memory could not be read".

Does anyone know why? It comes in two parts.

_InjectDll_v2.au3

#include-once

Func _InjectDll($a, $dllpath, $hWnd_or_pid=0)
    ; Load $dllpath into another process: commit a page in the target, copy the
    ; path into it one character at a time, then start a remote thread at
    ; kernel32!LoadLibraryA with that page as its argument.
    ;   $a           - window handle (when $hWnd_or_pid = 0) or a process id
    ;   $dllpath     - path of the DLL to load; must end in ".dll"
    ;   $hWnd_or_pid - 0: treat $a as an HWND; anything else: treat $a as a PID
    ; Returns True on success, or False with @error set to a negative code
    ; (-1 .. -14) that identifies the step that failed.
    ; NOTE(review): OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
    ; CreateRemoteThread(LoadLibraryA) is the textbook remote-thread DLL
    ; injection sequence. It is among the first behaviours endpoint security
    ; products alert on, and it needs VM-write and create-thread rights on the
    ; target, which protected processes do not grant.
    ; Reject a zero/negative handle or PID, and a path that does not end in ".dll".
    If $a <= 0 Then
        SetError(-1)
        Return False
    ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
        SetError(-2)
        Return False
    EndIf
    
    Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread
    
    ; One DllOpen handle for the kernel32 calls below (the write loop opens
    ; "kernel32.dll" by name instead); closed again before returning True.
    Local $kernel32 = DllOpen("kernel32.dll")
    
    If $hWnd_or_pid = 0 Then
        ; Resolve the HWND to a PID. DllCall returns an array; element 2 is the
        ; by-reference lpdwProcessId argument that GetWindowThreadProcessId filled.
        $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $a, "int_ptr", 0)
        If IsArray($pid) Then
            $pid = $pid[2]
        Else
            SetError(-3)
            Return False
        EndIf
    Else
        $pid = $a
    EndIf
    
    ; Open the target with 0x1F0FFF (the classic PROCESS_ALL_ACCESS mask),
    ; bInheritHandle = 0. A zero handle means the open was refused.
    $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid)
    If IsArray($pHandle) And $pHandle[0] > 0 Then
        $pHandle = $pHandle[0]
    Else
        SetError(-4)
        Return False
    EndIf
    
    ; Commit 0x1000 bytes in the target (MEM_COMMIT = 0x1000, PAGE_READWRITE = 4)
    ; to hold the DLL path; lpAddress is passed as 0 so the system picks the spot.
    $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4)
    If IsArray($pLibRemote) Then
        If $pLibRemote[0] > 0 Then
            ; debug: print the remote buffer address
            ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
            $pLibRemote = $pLibRemote[0]
        Else
            SetError(-5)
            Return False
        EndIf
    Else
        SetError(-6)
        Return False
    EndIf
    
    ; Copy the path one byte per WriteProcessMemory call. The loop runs to
    ; StringLen inclusive, so the last iteration reads past the end of the
    ; string (StringMid yields "") and presumably writes a 0 terminator.
    ; Note: this writes one byte per character, i.e. an ANSI path.
    For $i = 0 To StringLen($dllpath)
        $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
        If IsArray($ret) Then
            If $ret[0] = 0 Then
                SetError(-7)
                Return False
            EndIf
        Else
            SetError(-8)
            Return False
        EndIf
    Next
    
    ; Look up LoadLibraryA in *this* process's kernel32. Using that address in the
    ; remote thread assumes kernel32 is mapped at the same base in the target.
    $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
    If IsArray($modHandle) Then
        If $modHandle[0] > 0 Then
            $modHandle = $modHandle[0]
            ConsoleWrite($modHandle & @CRLF)
        Else
            SetError(-9)
            Return False
        EndIf
    Else
        SetError(-10)
        Return False
    EndIf
    
    $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
    If IsArray($LoadLibraryA) Then
        If $LoadLibraryA[0] > 0 Then
            $LoadLibraryA = $LoadLibraryA[0]
            ConsoleWrite($LoadLibraryA & @CRLF)
        Else
            SetError(-11)
            Return False
        EndIf
    Else
        SetError (-12)
        Return False
    EndIf
    
    ; CreateRemoteThread(hProcess, NULL, 0, LoadLibraryA, pLibRemote, 0, NULL):
    ; the new thread in the target calls LoadLibraryA(<remote path buffer>).
    $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
    If IsArray($hThread) Then
        ConsoleWrite($hThread[0] & @CR)
        If $hThread[0] > 0 Then
            $hThread = $hThread[0]
        Else
            SetError(-13)
            Return False
        EndIf
    Else
        SetError(-14)
        Return False
    EndIf
    
    ; Release the remote buffer (MEM_RELEASE = 0x8000) and close both handles.
    ; Note: none of the early Return False paths above release $pHandle,
    ; $pLibRemote or the $kernel32 DllOpen handle.
    DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
    DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
    DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)
    
    DllClose($kernel32)
    
    Return True
EndFunc

Dll Handler

#include "_InjectDll_v2.au3"
#include <GUIConstants.au3>
; Esc must not close the window; all GUI interaction is delivered through
; OnEvent callbacks (GUISetOnEvent / GUICtrlSetOnEvent) rather than GUIGetMsg.
Opt("GUICloseOnEsc", 0)
Opt("GUIOnEventMode", 1)

; Global hotkey: END toggles the speeder on and off (see ToggleSpeeder).
HotKeySet("{END}", "ToggleSpeeder")

;MsgBox(64, "RET", _InjectDll(ProcessExists("DarkagesMI.exe"), @ScriptDir & "\speedhack.dll", 1))

; NOTE(review): $speedvalue starts at 200 while the slider is created at 20
; (label "Value: 2.00"); the two only agree once g_sliderSpeedHandler has run.
Global $speedvalue = 200, $speedenabled = False
; Opened by bare name, so it is resolved through the normal DLL search order,
; whereas the inject handler passes @ScriptDir & "\speedhack.dll" to _InjectDll.
Global $speedhack = DllOpen("speedhack.dll")
; $timer / $disconnectcheck drive the on/off cycling in SpeedTimer.
Global $timer, $disconnectcheck

;disable the speeder
DllCall($speedhack, "none", "SetSpeedEnabled", "int", 0)


#region GUI
; Control creation order matters: every GUICtrlSetOnEvent / GUICtrlSetLimit /
; GUICtrlSetData with -1 applies to the control created on the previous line.
Global $gui = GUICreate("SpeedHandler", 300, 120, -1, -1)
GUISetOnEvent($GUI_EVENT_CLOSE, "_Closing")

;THE SPEEDHANDLER SLIDER GROUP
Global $g_groupSpeedHandler = GUICtrlCreateGroup("SpeedHandler", 5, 0, 290, 50)

;THE SLIDER (range 0..100, initial position 20)
Global $g_sliderSpeedHandler = GUICtrlCreateSlider(10, 15, 280, 15)
GUICtrlSetOnEvent(-1, "g_sliderSpeedHandler")
GUICtrlSetLimit(-1, 100, 0)
GUICtrlSetData(-1, 20)

;THE LABEL (updated by g_sliderSpeedHandler)
Global $g_labelSpeedHandler = GUICtrlCreateLabel("Value: 2.00", 10, 30, 280, 15)

;THE INJECTION GROUP
Global $g_groupInjection = GUICtrlCreateGroup("Injection", 5, 50, 290, 66)

;THE INJECTION LABEL
Global $g_labelProcessList = GUICtrlCreateLabel("Process to inject:", 10, 65, 120, 15)

;THE PROCESS LIST COMBO BOX, filled with "|"-separated process names
Global $g_comboProcessList = GUICtrlCreateCombo("Choose a process...", 95, 60, 195, 15)
GUICtrlSetData(-1, _FormatProcessList())

;THE INJECT BUTTON
Global $g_btnInject = GUICtrlCreateButton("Inject", 10, 85, 135, 25)
GUICtrlSetOnEvent(-1, "g_btnInjectHandler")

;THE PROCESS LIST REFRESH BUTTON
Global $g_btnRefresh = GUICtrlCreateButton("Refresh Process List", 150, 85, 135, 25)
GUICtrlSetOnEvent(-1, "g_btnRefreshHandler")
#endregion

GUISetState(@SW_SHOW)

; Idle loop: the script only reacts through the hotkey, the GUI event callbacks
; and the Adlib timer, so the main thread just sleeps.
While 1
    Sleep(500)
WEnd

Func ToggleSpeeder()
    ; END hotkey handler: flip the enabled flag, push it to the DLL (the Boolean
    ; is passed as "int"), and start or stop the periodic SpeedTimer callback.
    $speedenabled = Not $speedenabled
    DllCall($speedhack, "none", "SetSpeedEnabled", "int", $speedenabled)
    If $speedenabled Then
        ; Arm the on/off cycling with a fresh timer; SpeedTimer does the rest.
        $timer = TimerInit()
        $disconnectcheck = True
        AdlibEnable("SpeedTimer")   ; Adlib API of older AutoIt releases (presumably pre-AdlibRegister)
    Else
        $disconnectcheck = False
        AdlibDisable()
    EndIf
EndFunc

Func SpeedTimer()
    ; Adlib callback armed by ToggleSpeeder. While $disconnectcheck is True the
    ; DLL stays enabled for 3000 ms, then it is switched off for 1000 ms, and
    ; so on; every transition restarts $timer. (The name suggests the off period
    ; is meant to avoid a disconnect — presumably server-side detection; that
    ; cannot be verified from this file.)
    If $disconnectcheck And TimerDiff($timer) >= 3000 Then
        DllCall($speedhack, "none", "SetSpeedEnabled", "int", False)
        $timer = TimerInit()
        $disconnectcheck = False
    ElseIf Not $disconnectcheck And TimerDiff($timer) >= 1000 Then
        DllCall($speedhack, "none", "SetSpeedEnabled", "int", True)
        $timer = TimerInit()
        $disconnectcheck = True
    EndIf
EndFunc

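Func _FormatProcessList()
    ; Build the combo-box data string: every running process name reported by
    ; ProcessList() (element [i][0]), joined with "|", the default
    ; GUICtrlSetData separator. Returns "" when ProcessList() has no entries.
    ; Fix: the accumulator used to be initialised to the number 0, so the first
    ; entry came out as "0<name>"; it now starts as an empty string.
    Local $list = ProcessList()
    Local $retstr = ""
    Local $i
    For $i = 1 To $list[0][0]
        $retstr &= $list[$i][0]
        ; no trailing separator after the last name
        If $i < $list[0][0] Then $retstr &= "|"
    Next
    Return $retstr
EndFunc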


Func OnAutoItExit()
    ; Exit hook (OnAutoItExit is the reserved exit callback name in this AutoIt
    ; version): give back the handle obtained from DllOpen("speedhack.dll").
    Local $hLib = $speedhack
    DllClose($hLib)
EndFunc

Func _Closing()
    ; GUI close event (window X button; Esc is disabled via GUICloseOnEsc):
    ; terminate the script with exit code 0.
    Exit 0
EndFunc

Func g_sliderSpeedHandler()
    ; Slider event: store the raw slider position (0..100) in the global,
    ; hand position*10 to the DLL as an unsigned int, and show position/10
    ; with two decimals on the label.
    Local $position = GUICtrlRead($g_sliderSpeedHandler)
    $speedvalue = $position
    Local $factor = $position * 10
    DllCall($speedhack, "none", "SetSpeedFactor", "uint", $factor)
    Local $caption = "Value: " & StringFormat("%.02f", $position/10)
    GUICtrlSetData($g_labelSpeedHandler, $caption)
EndFunc

Func g_btnInjectHandler()
    ; "Inject" button: only act when the selected combo entry ends in ".exe"
    ; (compared lower-cased), then hand ProcessExists()'s PID to _InjectDll with
    ; the third argument 1 so it is treated as a PID rather than an HWND.
    ; ProcessExists returns 0 when the process is not running; _InjectDll
    ; rejects that with @error -1. Neither the return value nor @error is
    ; checked here, so a failed attempt is silent.
    If StringRight(StringLower(GUICtrlRead($g_comboProcessList)), 4) = ".exe" Then
        _InjectDll(ProcessExists(GUICtrlRead($g_comboProcessList)), @ScriptDir & "\speedhack.dll", 1)
    EndIf
EndFunc

Func g_btnRefreshHandler()
    ; "Refresh" button: clear the combo, put the placeholder back, then append
    ; the freshly built "|"-separated process list.
    Local $aSteps[3] = ["", "Choose a process...", _FormatProcessList()]
    For $sData In $aSteps
        GUICtrlSetData($g_comboProcessList, $sData)
    Next
EndFunc

Is there a way to debug this piece of code?

Thanks a lot!
