  1. #1
    Tekkn0logik

    N00b hax: OpenProcess access denied

    So basically I've written a Combat Arms hack DLL. I'm having trouble injecting it. If I use the injector I wrote, I get "error 5" which is Access Denied after calling OpenProcess. Yes, I have enabled the SeDebug privilege for my process. If I use FInject, CA closes right after I start it (hackshield detected it maybe)?

    Anyway here is my code although it probably doesn't matter since the problem is in injection:
    Code:
    #include <windows.h>
    
    void PushToConsole(const char* szCommand)
    {
    	MessageBox(NULL, "PTC", "", MB_ICONINFORMATION);
    	HMODULE hMod = GetModuleHandleA("CShell.dll");
    	if(hMod != NULL) {
    		DWORD *LTClient = (DWORD *)(0x377E7810);
    		void* CONoff = (void *) *(DWORD *)(*LTClient + 0x208);
    		asm("pushl %0" :: "r"(szCommand));
    		asm("call *%0" :: "r"(CONoff));
    		asm("addl $4, %esp");
    	}
    }
    
    DWORD WINAPI HaxThreadProc(LPVOID lpParam)
    {
    	while(1) {
    		if(GetAsyncKeyState(VK_F12) & 1)
    			PushToConsole("ShowFps 1");
    		Sleep(100);
    	}
    	return 0;
    }
    
    BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
    {
    	if(dwReason == DLL_PROCESS_ATTACH) {
    		MessageBox(NULL, "DLL injected and running", "Success", MB_ICONINFORMATION);
    		CreateThread(NULL, 0, HaxThreadProc, NULL, 0, NULL);
    	}
    	return TRUE;
    }
    Any ideas?

    Tekk

    Offtopic: This community really needs to reinstate its IRC channel.
    Last edited by Tekkn0logik; 09-04-2010 at 02:56 PM.

  2. #2
    freedompeace
    Your hack isn't even being started. This is a problem with your injector. Is the program being run with administrator permissions? (WinXP = Right click context menu > Run As; WinVista/Win7 = Right click context menu > Run As Administrator)

  3. #3
    Tekkn0logik
    Quote Originally Posted by freedompeace View Post
    Your hack isn't even being started. This is a problem with your injector. Is the program being run with administrator permissions? (WinXP = Right click context menu > Run As; WinVista/Win7 = Right click context menu > Run As Administrator)
    Yes. It'll let me open any other process just fine (calc.exe for example) but not Engine.exe.

    Edit: Code from my injector to enable SeDebug
    Code:
    void SetSeDebug()
    {
    	HANDLE hToken;
    	LUID seDebugValue;
    	TOKEN_PRIVILEGES tPriv;
    	
    	ZeroMemory(&tPriv, sizeof(tPriv));
    	if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
    		MessageBox(NULL, "OpenProcessToken failed.\nDLL injection may not work.\n", "Error", MB_ICONEXCLAMATION);
    		return;
    	}
    	
    	if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &seDebugValue)) {
    		MessageBox(NULL, "LookupPrivilegeValue failed.\nDLL injection may not work.\n", "Error", MB_ICONEXCLAMATION);
    		CloseHandle(hToken);
    		return;
    	}
    	
    	tPriv.PrivilegeCount = 1;
    	tPriv.Privileges[0].Luid = seDebugValue;
    	tPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    	
    	if(!AdjustTokenPrivileges(hToken, FALSE, &tPriv, sizeof(tPriv), NULL, NULL) || GetLastError() != 0)
    		MessageBox(NULL, "AdjustTokenPrivileges failed.\nDLL injection may not work.\n\nTry running this program as an administrator.", "Error", MB_ICONEXCLAMATION);
    	CloseHandle(hToken);
    }
    And the code to inject the DLL:
    Code:
    int DllInject(HWND hDialog, DWORD procID, LPCSTR dllName)
    {
    	int response;
    	char msg[1024];
    	HANDLE proc;
    	LPVOID remoteStr, loadLibrary;
    	
    	sprintf(msg, "You have chosen to inject %s into process %d. Do you want to continue?", dllName, procID);
    	response = MessageBox(hDialog, msg, "Message", MB_YESNO | MB_ICONQUESTION);
    	if(response != IDYES)
    		return 1;
    	if(procID == 0)
    		return 2;
    	
    	proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, procID);
    	if(proc == 0) {
    		sprintf(msg, "Failed to open the process: %d", GetLastError());
    		MessageBox(hDialog, msg, "Error", MB_ICONEXCLAMATION);
    		return 3;
    	}
    	
    	loadLibrary = (LPVOID) GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    	remoteStr = (LPVOID) VirtualAllocEx(proc, NULL, strlen(dllName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    	WriteProcessMemory(proc, (LPVOID) remoteStr, dllName, strlen(dllName), NULL);
    	CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE) loadLibrary, (LPVOID) remoteStr, 0, NULL);
    	
    	CloseHandle(proc);
    	MessageBox(hDialog, "DLL successfully injected into process.", "Message", MB_ICONINFORMATION);
    	return 0;
    }
    Last edited by Tekkn0logik; 09-04-2010 at 03:04 PM.

  4. #4
    Kallisti
    [php]enjekt.dat.dll() = troof;[/php]

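    Because I cannot see the future and it frightens me
    Because I have come to see the future and it saddens me
    I close my eyes and lose myself in gentle memories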

  5. #5
    Tekkn0logik
    Quote Originally Posted by Kallisti View Post
    [php]enjekt.dat.dll() = troof;[/php]
    wat is this i don't even...

  6. #6
    mmbob
    Hackshield hooks NtOpenProcess so that you can't inject into it after a certain point in its initialization. The message box is probably creating enough of a delay to prevent you from opening CA's process. Try opening the process before the message box, then close the handle if you choose no.

  8. #7
    Tekkn0logik
    Quote Originally Posted by mmbob View Post
    Hackshield hooks NtOpenProcess so that you can't inject into it after a certain point in its initialization. The message box is probably creating enough of a delay to prevent you from opening CA's process. Try opening the process before the message box, then close the handle if you choose no.
    Yeah, I realized I went about this in a completely wrong way. I had a list of running processes of which you could select one, then choose the DLL and inject. By the time I can choose a process from my list it's already past the loading and NtOpenProcess has been hooked. So, I'll implement 'wait for process' functionality.

    Thanks, and I'll keep this thread updated.

  9. #8
    Void
    You set the access rights so that you can create a thread remotely; WPM requires writing access.
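
Added example, not part of the thread: seen from the defender's side, the handle rights discussed above show up in process-access telemetry. The sketch decodes an access mask and flags handles to a protected image that carry the rights needed to allocate, write and start a thread remotely. The event records are constructed, their field names follow Sysmon's ProcessAccess event (an assumed log source), and the paths other than the `Engine.exe` file name are hypothetical.

```python
# Added example: flag handles whose access mask permits remote allocation,
# memory writes and thread creation. Values are documented Windows rights.
PROCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}

# Rights needed to allocate, write and start a thread in another process.
INJECTION_MASK = 0x0002 | 0x0008 | 0x0020


def decode_access(mask):
    """Return the names of the known rights set in an access mask."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def is_injection_capable(mask):
    """True when every right in INJECTION_MASK is present."""
    return (mask & INJECTION_MASK) == INJECTION_MASK


def flag_events(events, protected):
    """Yield (source, target, rights) for risky handles to protected images."""
    for ev in events:
        mask = int(ev["GrantedAccess"], 16)
        target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
        if target in protected and is_injection_capable(mask):
            yield ev["SourceImage"], ev["TargetImage"], decode_access(mask)


# Constructed sample records (field names as in Sysmon event ID 10).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Tools\injector.exe",
     "TargetImage": r"C:\Game\Engine.exe", "GrantedAccess": "0x43A"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Game\Engine.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Tools\injector.exe",
     "TargetImage": r"C:\Windows\System32\calc.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for src, dst, rights in flag_events(SAMPLE_EVENTS, {"engine.exe"}):
        print(f"{src} -> {dst}: {', '.join(rights)}")
```

Read-only handles such as the 0x1410 record are not flagged, so routine process listing by system tools does not raise noise.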

  10. #9
    Tekkn0logik
    Problem solved. I just had to wait for the process to start and then inject before hackshield did its stuff.

  11. #10
    swatfx
    Quote Originally Posted by Tekkn0logik View Post
    Problem solved. I just had to wait for the process to start and then inject before hackshield did its stuff.
    look kids, a coder that can code

  12. #11
    whit
    Quote Originally Posted by Tekkn0logik View Post
    Problem solved. I just had to wait for the process to start and then inject before hackshield did its stuff.
    That's Common Sense Dude...

  13. #12
    Krypton1x
    Quote Originally Posted by whit View Post
    That's Common Sense Dude...
    Not for everyone...

  14. #13
    Tekkn0logik
    Quote Originally Posted by whit View Post
    That's Common Sense Dude...
    For someone who hasn't done any hacking before, not so much.

    Anyway here's the finished thing, heh


    Thanks again everyone. Everything's now working fine. My intent with this is to make a bunch of well-written code snippets to eventually share.
    Last edited by Tekkn0logik; 09-04-2010 at 05:49 PM.
