  #16 megamandos (Threadstarter)
    Quote Originally Posted by Jason:
    Oh yeah here's a D3D Vtable hook if you're interested in seeing how it's done:

    http://www.mpgh.net/forum/31-c-c-pro...ml#post5682845
    Thanks!

    ---------- Post added at 02:06 AM ---------- Previous post was at 01:57 AM ----------

    I think I will add that hooking method tomorrow. How do you know the offsets of stuff in the VTable? Was this reverse engineered by someone, and/or is it dependent on the source code layout?

    So I am pretty much going to copy your example and put your name in the code/docs somewhere, if you don't mind.

  #17 Jason (Former Staff)
    Quote Originally Posted by megamandos:
    Thanks!

    ---------- Post added at 02:06 AM ---------- Previous post was at 01:57 AM ----------

    I think I will add that hooking method tomorrow. How do you know the offsets of stuff in the VTable? Was this reverse engineered by someone, and/or is it dependent on the source code layout?

    So I am pretty much going to copy your example and put your name in the code/docs somewhere, if you don't mind.
    I can't actually remember where I got the indices from :/
    As for the citation, that's fine just remember that I wasn't the one to originally write the method. I wrote the GetVirtualTable method myself, but the Pattern and offsets were found by someone else.

    Quote Originally Posted by Jeremy S. Anderson
    There are only two things to come out of Berkeley, Unix and LSD,
    and I don’t think this is a coincidence
    So tear the pieces from the bone,
    Like you've torn us apart.
    We build bridges, just for burning


    ++Latest Projects++
    [Open Source] Injection Library
    Simple PE Cipher
    FilthyHooker - Simple Hooking Class
    CLR Injector - Inject .NET dlls with ease
    Simple Injection - An in-depth look
    MPGH's .NET SDK
    eJect - Simple Injector
    Basic PE Explorer (BETA)

  #18 megamandos (Threadstarter)
    Thanks, noted.

    ---------- Post added at 03:28 AM ---------- Previous post was at 02:26 AM ----------

    So, do you want me to put a last name or some other handle? Because "Jason" is very vague.

  #19 Hell_Demon (Former Staff)
    You can get the indices from d3d9.h, just count the number of functions before the one you want to hook.
    Ah we-a blaze the fyah, make it bun dem!


  #20 .::SCHiM::. (Expert Member)
    Copy the sections of a DLL file into a piece of memory for safekeeping, then unload the DLL from memory. Then put everything back: hidden DLLs.

    I'm SCHiM

    Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.

    Polymorphic engine
    Interprocess callback class
    SIN
    Infinite-precision arithmetic
    Hooking dynamic linkage
    (sloppy)Kernel mode Disassembler!!!

    Semi debugger





  #21 megamandos (Threadstarter)
    If you unload the DLL, doesn't it remove the entry from Ldr data? I suppose in the case of an injected DLL this is fine though... I will look at this.

    ---------- Post added at 05:28 PM ---------- Previous post was at 05:28 PM ----------

    On second thought, I could just remove the entry from Ldr data manually to achieve the same effect.

  #22 megamandos (Threadstarter)
    Quote Originally Posted by .::SCHiM::.:
    Copy the sections of a DLL file into a piece of memory for safekeeping, then unload the DLL from memory. Then put everything back: hidden DLLs.
    Even better, I loaded the DLL, and then removed it from the PEB->LdrData. So other things trying to find DLLs loaded into the target process won't see the one we injected. I implemented this as part of Injex and tests were all positive.

    http://www.mpgh.net/forum/31-c-c-pro...ml#post5891321

  #23 Jason (Former Staff)
    Quote Originally Posted by megamandos:
    Even better, I loaded the DLL, and then removed it from the PEB->LdrData. So other things trying to find DLLs loaded into the target process won't see the one we injected. I implemented this as part of Injex and tests were all positive.

    http://www.mpgh.net/forum/31-c-c-pro...ml#post5891321
    It's called CloakDll, Darawk did it some time ago. I'd link the post to you but it's on another forum. Just google "Darawk CloakDll"


  #24 megamandos (Threadstarter)
    Figured someone else posted it.... anyways, this unlinks from OUTSIDE the target process. So, while the idea isn't unique, the method is somewhat less common.

  #25 Jason (Former Staff)
    Quote Originally Posted by megamandos:
    Figured someone else posted it.... anyways, this unlinks from OUTSIDE the target process. So, while the idea isn't unique, the method is somewhat less common.
    Hehe I wrote one a while ago, wonder if I can dig it up. I think I did it in C# though.


  #26 megamandos (Threadstarter)
    Damn it lol... :/

  #27 Jason (Former Staff)
    Well, mine wasn't designed to cloak a remote dll, just to get a module's load count from the PEB data. I think it was for an injector I was writing or something.

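Posts #20 through #27 above describe unlinking an injected DLL from the PEB loader lists so that module enumeration no longer reports it. The check a defender or an anti-cheat wants is the inverse of that trick: compare what the loader lists with what the memory manager actually has mapped, because removing the LDR entry does not unmap the image. The following is an added example, not code from this thread, from Injex or from CloakDll. The comparison itself is portable and runs here over constructed address lists (the sample bases are made up); on Windows the two collectors walk InMemoryOrderModuleList through the winternl.h definitions and the address space through VirtualQuery, and any MEM_IMAGE allocation with no loader entry is reported. All function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Portable core of the check: every image base present in the memory map but absent from
 * the loader's module list is reported. Returns the number of unlisted bases; up to `cap`
 * of them are written to `out`. The O(n*m) scan is fine for a few hundred modules. */
size_t find_unlisted_images(const uintptr_t *mapped, size_t nmapped,
                            const uintptr_t *listed, size_t nlisted,
                            uintptr_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < nmapped; i++) {
        int in_list = 0;
        for (size_t j = 0; j < nlisted && !in_list; j++)
            in_list = (listed[j] == mapped[i]);
        if (in_list) continue;
        if (found < cap) out[found] = mapped[i];
        found++;
    }
    return found;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* DllBase of every entry on the PEB's InMemoryOrderModuleList: the loader's view, which is
 * what the unlinking trick edits. */
static size_t collect_loader_list(uintptr_t *out, size_t cap)
{
    PEB *peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    size_t n = 0;
    for (LIST_ENTRY *cur = head->Flink; cur != head && n < cap; cur = cur->Flink) {
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        out[n++] = (uintptr_t)e->DllBase;
    }
    return n;
}

/* AllocationBase of every MEM_IMAGE mapping: the memory manager's view, which unlinking a
 * loader entry does not change. */
static size_t collect_image_mappings(uintptr_t *out, size_t cap)
{
    MEMORY_BASIC_INFORMATION mbi;
    uint8_t *p = NULL;
    uintptr_t last = 0;
    size_t n = 0;
    while (VirtualQuery(p, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.Type == MEM_IMAGE && (uintptr_t)mbi.AllocationBase != last && n < cap) {
            last = (uintptr_t)mbi.AllocationBase;   /* one hit per image, not per section */
            out[n++] = last;
        }
        p = (uint8_t *)mbi.BaseAddress + mbi.RegionSize;
    }
    return n;
}
#endif

/* Constructed sample (not captured from a real process): three image bases are mapped,
 * but the loader list only knows two of them. */
static const uintptr_t sample_mapped[] = { 0x00400000u, 0x77000000u, 0x10000000u };
static const uintptr_t sample_listed[] = { 0x00400000u, 0x77000000u };

size_t demo_hidden_count(void)
{
    uintptr_t out[8];
    return find_unlisted_images(sample_mapped, 3, sample_listed, 2, out, 8);
}

uintptr_t demo_first_hidden_base(void)
{
    uintptr_t out[8] = { 0 };
    find_unlisted_images(sample_mapped, 3, sample_listed, 2, out, 8);
    return out[0];
}

int main(void)
{
#ifdef _WIN32
    static uintptr_t mapped[1024], listed[1024], hidden[64];
    size_t nm = collect_image_mappings(mapped, 1024);
    size_t nl = collect_loader_list(listed, 1024);
    size_t nh = find_unlisted_images(mapped, nm, listed, nl, hidden, 64);
    printf("%zu image mappings, %zu loader entries, %zu unlisted\n", nm, nl, nh);
    for (size_t i = 0; i < nh && i < 64; i++)
        printf("  unlisted image at %p\n", (void *)hidden[i]);
#else
    printf("sample: %zu unlisted image(s), first at 0x%08lx\n",
           demo_hidden_count(), (unsigned long)demo_first_hidden_base());
#endif
    return 0;
}
```

A hit is a lead, not a verdict: images opened with LOAD_LIBRARY_AS_IMAGE_RESOURCE are MEM_IMAGE mappings without a loader entry, so read the PE header of a reported base and check whether it has executable sections before treating it as a cloaked module. The check covers the technique discussed in the thread, where the DLL is loaded normally and only its loader entry is removed.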

  #28 megamandos (Threadstarter)
    Lawl stop writing injectors for .NET hahaha

    ---------- Post added at 12:39 AM ---------- Previous post was at 12:37 AM ----------

    Oh, and I'm going to put his code in Injex too... why not, as long as I credit the guy?

    ---------- Post added at 12:51 AM ---------- Previous post was at 12:39 AM ----------

    On second thought, his stuff is really incompatible with Injex, I will have to change it a LOT. But he will still get a reference, because I didn't write the one where it unlinks from within the target process.

  #29 Jason (Former Staff)
    Haha I wrote a few WinAPI functions for external use at some point in C#. Fun Fun Fun.

    Code:
    using System;

    // Fixes applied to the posted version: the binary search over the export name table had its
    // direction inverted (start/end moved the wrong way, so lookups could miss or loop), the
    // comparison used the culture-sensitive CompareTo instead of the ordinal order the linker
    // sorts names in, the export-directory read was not null-checked, and the name-ordinal table
    // was treated as biased by the ordinal base although AddressOfNameOrdinals already holds
    // unbiased indices into AddressOfFunctions. All offsets assume a 32-bit (PE32) module.
    // ReadRemoteMemory(hProc, address, length) and StringFromPTR(hProc, address) are the
    // author's own helpers and are not shown in the post.
    public static uint GetProcAddressEx(int hProc, uint hModule, string lpProcName)
    {
        uint procAddress = 0;
        byte[] pDosHd = ReadRemoteMemory(hProc, hModule, 0x40);           // IMAGE_DOS_HEADER
        if (pDosHd != null && BitConverter.ToUInt16(pDosHd, 0) == 0x5A4D) // "MZ"
        {
            uint e_lfanew = BitConverter.ToUInt32(pDosHd, 0x3C);
            if (e_lfanew > 0)
            {
                byte[] pNtHd = ReadRemoteMemory(hProc, hModule + e_lfanew, 0x108); // IMAGE_NT_HEADERS32
                if (pNtHd != null && BitConverter.ToUInt32(pNtHd, 0) == 0x4550)   // "PE\0\0"
                {
                    // DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress (PE32 layout)
                    uint expDirPtr = BitConverter.ToUInt32(pNtHd, 0x78);
                    if (expDirPtr != 0)
                    {
                        byte[] pExpDir = ReadRemoteMemory(hProc, hModule + expDirPtr, 0x28); // IMAGE_EXPORT_DIRECTORY
                        if (pExpDir != null)
                        {
                            uint pEat = BitConverter.ToUInt32(pExpDir, 0x1C); // AddressOfFunctions
                            uint pOrd = BitConverter.ToUInt32(pExpDir, 0x24); // AddressOfNameOrdinals

                            int index = SearchExports(hProc, hModule, pExpDir, lpProcName);
                            if (pEat > 0 && pOrd > 0 && index > -1)
                            {
                                // The name-ordinal table is WORD-sized and already unbiased:
                                // it indexes AddressOfFunctions directly, no Base subtraction.
                                byte[] bOrd = ReadRemoteMemory(hProc, (uint)(hModule + pOrd + (index << 1)), 0x2);
                                if (bOrd != null)
                                {
                                    uint ord = BitConverter.ToUInt16(bOrd, 0);
                                    byte[] addr = ReadRemoteMemory(hProc, (uint)(hModule + pEat + (ord << 2)), 0x4);
                                    if (addr != null)
                                        procAddress = hModule + BitConverter.ToUInt32(addr, 0);
                                }
                            }
                        }
                    }
                }
            }
        }
        return procAddress;
    }

    private static int SearchExports(int hProcess, uint hModule, byte[] exports, string name)
    {
        uint cntExports = BitConverter.ToUInt32(exports, 0x18);   // NumberOfNames
        uint ptrNameTable = BitConverter.ToUInt32(exports, 0x20); // AddressOfNames
        int rva = -1;

        if (cntExports > 0 && ptrNameTable > 0)
        {
            byte[] rawPtrs = ReadRemoteMemory(hProcess, hModule + ptrNameTable, cntExports << 2);
            if (rawPtrs != null && rawPtrs.Length >= cntExports << 2)
            {
                uint[] namePtrs = new uint[cntExports];
                for (int i = 0; i < namePtrs.Length; i++)
                    namePtrs[i] = BitConverter.ToUInt32(rawPtrs, i << 2);

                // The linker emits the name table sorted by ordinal (byte) comparison,
                // so a binary search is only valid with an ordinal compare.
                int start = 0, end = namePtrs.Length - 1;
                while (start <= end && rva == -1)
                {
                    int middle = start + ((end - start) / 2);
                    string curvalue = StringFromPTR(hProcess, hModule + namePtrs[middle]);
                    int cmp = string.CompareOrdinal(curvalue, name);
                    if (cmp == 0)
                        rva = middle;
                    else if (cmp < 0)
                        start = middle + 1; // current name sorts before the target: search the upper half
                    else
                        end = middle - 1;   // current name sorts after the target: search the lower half
                }
            }
        }
        return rva;
    }
    BEJELLY!


  #30 megamandos (Threadstarter)
    Hehe, I wrote GetProcAddress in C lol. It's just in case GetProcAddress is hooked in the target process.
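The export-table walk in Jason's C# post (#29) and the C version megamandos mentions in #30 come down to the same parsing job, with the same three pitfalls: the name table has to be searched with an ordinal compare, AddressOfNameOrdinals is an unbiased index into AddressOfFunctions, and every RVA has to be bounds-checked against the image before it is dereferenced. The following is an added example, not code from this thread or from Injex: a bounds-checked PE32 export parser in C, the kind of routine an analysis tool uses to list a module's exports. It runs over a constructed in-memory image (a flat layout where RVA equals offset, built by build_test_image; not a real DLL) and also flags forwarded exports, which GetProcAddress follows but a naive resolver hands back as a pointer to a "DLL.Func" string. The field offsets come from the PE/COFF specification; the function names, the sample export names and the sample RVAs are made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE32 offsets from the PE/COFF spec. */
#define EXPORT_DIR_RVA_OFF  0x78 /* IMAGE_NT_HEADERS32: DataDirectory[EXPORT].VirtualAddress */
#define EXPORT_DIR_SIZE_OFF 0x7C /* IMAGE_NT_HEADERS32: DataDirectory[EXPORT].Size */

/* Bounds-checked little-endian reads. Offsets are 64-bit so RVA arithmetic cannot wrap. */
static int rd16(const uint8_t *img, size_t size, uint64_t off, uint32_t *out) {
    if (off + 2 > size) return 0;
    *out = img[off] | (img[off + 1] << 8);
    return 1;
}
static int rd32(const uint8_t *img, size_t size, uint64_t off, uint32_t *out) {
    if (off + 4 > size) return 0;
    *out = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
    return 1;
}

/* Resolve an exported name to its RVA. Returns 0 if the name is absent or the image is
 * malformed. *forwarded is set when the RVA points into the export directory itself, i.e.
 * the entry is a forwarder string rather than code. */
uint32_t find_export_rva(const uint8_t *img, size_t size, const char *name, int *forwarded)
{
    uint32_t mz, e_lfanew, sig, dir, dirsz, nfuncs, nnames, eat, names, ords;
    int64_t lo, hi;
    if (forwarded) *forwarded = 0;
    if (!rd16(img, size, 0, &mz) || mz != 0x5A4D) return 0;                 /* "MZ" */
    if (!rd32(img, size, 0x3C, &e_lfanew)) return 0;
    if (!rd32(img, size, e_lfanew, &sig) || sig != 0x00004550) return 0;    /* "PE\0\0" */
    if (!rd32(img, size, (uint64_t)e_lfanew + EXPORT_DIR_RVA_OFF, &dir) || dir == 0) return 0;
    if (!rd32(img, size, (uint64_t)e_lfanew + EXPORT_DIR_SIZE_OFF, &dirsz)) return 0;
    if (!rd32(img, size, (uint64_t)dir + 0x14, &nfuncs)) return 0;  /* NumberOfFunctions */
    if (!rd32(img, size, (uint64_t)dir + 0x18, &nnames)) return 0;  /* NumberOfNames */
    if (!rd32(img, size, (uint64_t)dir + 0x1C, &eat)) return 0;     /* AddressOfFunctions */
    if (!rd32(img, size, (uint64_t)dir + 0x20, &names)) return 0;   /* AddressOfNames */
    if (!rd32(img, size, (uint64_t)dir + 0x24, &ords)) return 0;    /* AddressOfNameOrdinals */

    /* The linker keeps AddressOfNames sorted by unsigned byte comparison (what strcmp does),
     * which is what makes a binary search valid here. */
    for (lo = 0, hi = (int64_t)nnames - 1; lo <= hi; ) {
        int64_t mid = lo + (hi - lo) / 2;
        uint32_t name_rva, idx, rva;
        int cmp;
        if (!rd32(img, size, (uint64_t)names + (uint64_t)mid * 4, &name_rva)) return 0;
        if (name_rva >= size || !memchr(img + name_rva, 0, size - name_rva)) return 0; /* unterminated */
        cmp = strcmp((const char *)img + name_rva, name);
        if (cmp < 0) { lo = mid + 1; continue; }
        if (cmp > 0) { hi = mid - 1; continue; }
        /* AddressOfNameOrdinals holds unbiased indices into AddressOfFunctions: no Base subtraction. */
        if (!rd16(img, size, (uint64_t)ords + (uint64_t)mid * 2, &idx) || idx >= nfuncs) return 0;
        if (!rd32(img, size, (uint64_t)eat + (uint64_t)idx * 4, &rva)) return 0;
        if (forwarded && rva >= dir && (uint64_t)rva < (uint64_t)dir + dirsz) *forwarded = 1;
        return rva;
    }
    return 0;
}

static void put16(uint8_t *b, uint32_t off, uint32_t v) { b[off] = v & 0xFF; b[off + 1] = (v >> 8) & 0xFF; }
static void put32(uint8_t *b, uint32_t off, uint32_t v) { put16(b, off, v & 0xFFFF); put16(b, off + 2, v >> 16); }

/* Constructed test image (not a real DLL): flat layout, so RVA == offset. Three exports,
 * a non-default ordinal Base, and one forwarder. */
size_t build_test_image(uint8_t *b, size_t cap)
{
    const uint32_t nt = 0x80, dir = 0x200, eat = 0x228, names = 0x234, ords = 0x240;
    if (cap < 0x300) return 0;
    memset(b, 0, 0x300);
    put16(b, 0x00, 0x5A4D);  put32(b, 0x3C, nt);  put32(b, nt, 0x00004550);
    put32(b, nt + EXPORT_DIR_RVA_OFF, dir);  put32(b, nt + EXPORT_DIR_SIZE_OFF, 0x100);
    put32(b, dir + 0x10, 5);                 /* Base: deliberately not 1 */
    put32(b, dir + 0x14, 3);  put32(b, dir + 0x18, 3);
    put32(b, dir + 0x1C, eat);  put32(b, dir + 0x20, names);  put32(b, dir + 0x24, ords);
    put32(b, eat + 0, 0x1000);  put32(b, eat + 4, 0x268);  put32(b, eat + 8, 0x3000); /* eat[1] is a forwarder */
    put32(b, names + 0, 0x250);  put32(b, names + 4, 0x258);  put32(b, names + 8, 0x260);
    put16(b, ords + 0, 2);  put16(b, ords + 2, 0);  put16(b, ords + 4, 1);   /* Alpha->2, Beta->0, Gamma->1 */
    memcpy(b + 0x250, "Alpha", 6);  memcpy(b + 0x258, "Beta", 5);  memcpy(b + 0x260, "Gamma", 6);
    memcpy(b + 0x268, "OTHER.Func", 11);
    return 0x300;
}

static uint8_t g_img[0x300];
static size_t g_len;

/* Lookup against the constructed image (used by main and by the tests). */
uint32_t demo_lookup(const char *name, int *forwarded) {
    if (!g_len) g_len = build_test_image(g_img, sizeof g_img);
    return find_export_rva(g_img, g_len, name, forwarded);
}
int demo_is_forwarder(const char *name) { int f; demo_lookup(name, &f); return f; }
/* Same lookup over a truncated view of the image: the bounds checks must refuse it. */
uint32_t demo_lookup_truncated(const char *name, size_t len) {
    demo_lookup("", NULL);
    return find_export_rva(g_img, len < g_len ? len : g_len, name, NULL);
}

int main(void)
{
    const char *names[] = { "Alpha", "Beta", "Gamma", "Zeta" };
    for (size_t i = 0; i < 4; i++) {
        int fwd;
        uint32_t rva = demo_lookup(names[i], &fwd);
        printf("%-6s -> RVA 0x%04x%s\n", names[i], (unsigned)rva,
               fwd ? " (forwarder)" : rva ? "" : " (not found)");
    }
    return 0;
}
```

For a module already mapped by the loader, RVA equals offset from the base, so the same parser applies to a memory dump of a module; for a file read straight from disk, section RVAs must first be translated to file offsets through the section table.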
