  1. #1
    Departure

    [SRC] InjectDllViaAPC - Delphi

    Here is what I was using instead of "CreateRemoteThread" in my DHM Loader. A lot more stealthy and a lot less chance of getting detected compared to your normal "Injectors".


    Function:
    Code:
    function InjectDllViaAPC(hProcess:DWORD; hThread:DWORD; szDllPath:string):Boolean;
    var
      dwPathSize: DWORD;
      pMemory:    Pointer;
      dwWritten:  DWORD;
    begin
      Result := FALSE;
      dwPathSize := Length(szDllPath) + 1;
      pMemory := VirtualAllocEx(hProcess, nil, dwPathSize, MEM_COMMIT, PAGE_READWRITE);
      if (Assigned(pMemory)) then
      begin
        WriteProcessMemory(hProcess, pMemory, @szDllPath[1], dwPathSize, dwWritten);
        if (dwPathSize = dwWritten) then
        begin
          if (QueueUserAPC(GetProcAddress(LoadLibraryA('kernel32.dll'), 'LoadLibraryA'), hThread, DWORD(pMemory))) then
            Result := TRUE;
        end;
      end;
    end;
    Usage:
    Code:
    procedure TForm1.btn1Click(Sender: TObject);
    var
      strExecute: string;
      ProcInfo:   TProcessInformation;
      StartInfo:  TStartupInfo;
    begin
      strExecute := 'Engine.exe -windowtitle \CombatArms\ -rez Engine.REZ -rez Game -authip 208.85.111.14 -authport 10001 -pcroom 0 -UserId';
      ZeroMemory(@StartInfo, SizeOf(TStartupInfo));
      StartInfo.cb := SizeOf(TStartupInfo);
      if (CreateProcessA(nil, PChar(strExecute), nil, nil, FALSE, 0, nil, nil, StartInfo, ProcInfo)) then
        InjectDllViaAPC(ProcInfo.hProcess, ProcInfo.hThread, 'DMH.dll');
    end;
    Enjoy the stealth method of injecting your dll
    Last edited by Departure; 12-21-2011 at 06:25 AM.

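From the defender's side, the sequence the post above relies on (VirtualAllocEx with plain PAGE_READWRITE, WriteProcessMemory of a path string, then QueueUserAPC into a different process with LoadLibraryA as the APC routine) is itself the signal: detections that only key on RWX allocations miss it, but a cross-process APC whose routine is a DLL loader almost never occurs in normal software. The following Python detector is an added example, not code from this thread or its author; the JSON-lines telemetry format, the field names and the sample events are all constructed assumptions, so map them onto whatever API-monitoring sensor you actually have.

```python
"""Flag the remote-APC DLL-load pattern (VirtualAllocEx -> WriteProcessMemory ->
QueueUserAPC into another process with a LoadLibrary* routine) in API-call
telemetry.  Log format and field names are constructed for this example."""
from collections import defaultdict
import json

# Constructed sample telemetry, one JSON object per line.  PID 4100 plays the
# injector, PID 5200 the freshly created target process; PID 7000 queues a
# normal in-process APC and must not be flagged.
SAMPLE_LOG = """\
{"ts": 1, "pid": 4100, "api": "CreateProcessA", "target_pid": 5200, "args": {}}
{"ts": 2, "pid": 4100, "api": "VirtualAllocEx", "target_pid": 5200, "args": {"protect": "PAGE_READWRITE", "size": 8}}
{"ts": 3, "pid": 4100, "api": "WriteProcessMemory", "target_pid": 5200, "args": {"size": 8}}
{"ts": 4, "pid": 4100, "api": "QueueUserAPC", "target_pid": 5200, "args": {"routine": "kernel32!LoadLibraryA"}}
{"ts": 5, "pid": 7000, "api": "VirtualAllocEx", "target_pid": 7000, "args": {"protect": "PAGE_READWRITE", "size": 4096}}
{"ts": 6, "pid": 7000, "api": "QueueUserAPC", "target_pid": 7000, "args": {"routine": "app!OnTimer"}}
"""

# APC routines that turn a queued APC into a DLL load in the target process.
LOADER_ROUTINES = {"kernel32!LoadLibraryA", "kernel32!LoadLibraryW",
                   "kernel32!LoadLibraryExA", "kernel32!LoadLibraryExW"}

def detect_apc_injection(log_text):
    """Return one finding per (caller pid, target pid) pair that allocated and
    wrote remote memory and then queued an APC into a DLL-loader routine."""
    stage = defaultdict(set)  # (caller, target) -> APIs already seen
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["pid"], ev["target_pid"])
        if ev["api"] in ("VirtualAllocEx", "WriteProcessMemory"):
            stage[key].add(ev["api"])
        elif ev["api"] == "QueueUserAPC":
            routine = ev["args"].get("routine", "")
            # Cross-process APC into a loader, after a remote allocate+write:
            # flag it regardless of page protection (RW is enough here).
            if (ev["pid"] != ev["target_pid"]
                    and routine in LOADER_ROUTINES
                    and {"VirtualAllocEx", "WriteProcessMemory"} <= stage[key]):
                findings.append({"injector": ev["pid"], "target": ev["target_pid"],
                                 "routine": routine, "ts": ev["ts"]})
    return findings

if __name__ == "__main__":
    for finding in detect_apc_injection(SAMPLE_LOG):
        print(finding)
```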

  3. #2
    flameswor10
    Nice manual mapping

  4. #3
    UnderAmour
    When I learn to do this, I'll use this code.

  5. #4
    Jason
    Only problem with the APC is that it only works on alertable threads, and it's not very straightforward to wait for - and capture - the function's return value. I mean, this is fine for an injector as most processes' base threads are alertable, and cleaning up the DLL path in the remote memory isn't so much of a memory leak issue.

    Reference: QueueUserAPC function

    Quote Originally Posted by msdn
    Note: Queuing APCs to threads outside the caller's process is not recommended for a number of reasons. DLL rebasing can cause the addresses of functions used by the APC to be incorrect when the functions are executed outside the caller's process. Similarly, if a 64-bit process queues an APC to a 32-bit process or vice versa, addresses will be incorrect and the application will crash. Other factors can prevent successful function execution, even if the address is known.
    Just some food for thought, but this is a nice alternative for CRT for very simple injectors that don't need or want to be able to unload the loaded module with ease, nice find.

