So basically I've written a Combat Arms hack DLL. I'm having trouble injecting it. If I use the injector I wrote, I get "error 5" which is Access Denied after calling OpenProcess. Yes, I have enabled the SeDebug privilege for my process. If I use FInject, CA closes right after I start it (hackshield detected it maybe)?
Anyway here is my code although it probably doesn't matter since the problem is in injection:
Code:
    #include <windows.h>

    void PushToConsole(const char* szCommand)
    {
        MessageBox(NULL, "PTC", "", MB_ICONINFORMATION);
        HMODULE hMod = GetModuleHandleA("CShell.dll");
        if(hMod != NULL)
        {
            DWORD *LTClient = (DWORD *)(0x377E7810);
            void* CONoff = (void *) *(DWORD *)(*LTClient + 0x208);
            asm("pushl %0" :: "r"(szCommand));
            asm("call *%0" :: "r"(CONoff));
            asm("addl $4, %esp");
        }
    }

    DWORD WINAPI HaxThreadProc(LPVOID lpParam)
    {
        while(1)
        {
            if(GetAsyncKeyState(VK_F12) & 1)
                PushToConsole("ShowFps 1");
            Sleep(100);
        }
        return 0;
    }

    BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
    {
        if(dwReason == DLL_PROCESS_ATTACH)
        {
            MessageBox(NULL, "DLL injected and running", "Success", MB_ICONINFORMATION);
            CreateThread(NULL, 0, HaxThreadProc, NULL, 0, NULL);
        }
        return TRUE;
    }

Any ideas?
Tekk
Offtopic: This community really needs to reinstate its IRC channel.
Last edited by Tekkn0logik; 09-04-2010 at 01:56 PM.
Your hack isn't even being started. This is a problem with your injector. Is the program being run with administrator permissions? (WinXP = Right click context menu > Run As; WinVista/Win7 = Right click context menu > Run As Administrator)
Yes. It'll let me open any other process just fine (calc.exe for example) but not Engine.exe.
Edit: Code from my injector to enable SeDebug
Code:
    void SetSeDebug()
    {
        HANDLE hToken;
        LUID seDebugValue;
        TOKEN_PRIVILEGES tPriv;

        ZeroMemory(&tPriv, sizeof(tPriv));

        if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        {
            MessageBox(NULL, "OpenProcessToken failed.\nDLL injection may not work.\n", "Error", MB_ICONEXCLAMATION);
            return;
        }

        if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &seDebugValue))
        {
            MessageBox(NULL, "LookupPrivilegeValue failed.\nDLL injection may not work.\n", "Error", MB_ICONEXCLAMATION);
            CloseHandle(hToken);
            return;
        }

        tPriv.PrivilegeCount = 1;
        tPriv.Privileges[0].Luid = seDebugValue;
        tPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if(!AdjustTokenPrivileges(hToken, FALSE, &tPriv, sizeof(tPriv), NULL, NULL) || GetLastError() != 0)
            MessageBox(NULL, "AdjustTokenPrivileges failed.\nDLL injection may not work.\n\nTry running this program as an administrator.", "Error", MB_ICONEXCLAMATION);

        CloseHandle(hToken);
    }

And the code to inject the DLL:

Code:
    int DllInject(HWND hDialog, DWORD procID, LPCSTR dllName)
    {
        int response;
        char msg[1024];
        HANDLE proc;
        LPVOID remoteStr, loadLibrary;

        sprintf(msg, "You have chosen to inject %s into process %d. Do you want to continue?", dllName, procID);
        response = MessageBox(hDialog, msg, "Message", MB_YESNO | MB_ICONQUESTION);
        if(response != IDYES)
            return 1;

        if(procID == 0)
            return 2;

        proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, procID);
        if(proc == 0)
        {
            sprintf(msg, "Failed to open the process: %d", GetLastError());
            MessageBox(hDialog, msg, "Error", MB_ICONEXCLAMATION);
            return 3;
        }

        loadLibrary = (LPVOID) GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
        remoteStr = (LPVOID) VirtualAllocEx(proc, NULL, strlen(dllName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        WriteProcessMemory(proc, (LPVOID) remoteStr, dllName, strlen(dllName), NULL);
        CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE) loadLibrary, (LPVOID) remoteStr, 0, NULL);
        CloseHandle(proc);

        MessageBox(hDialog, "DLL successfully injected into process.", "Message", MB_ICONINFORMATION);
        return 0;
    }
Last edited by Tekkn0logik; 09-04-2010 at 02:04 PM.
[php]enjekt.dat.dll() = troof;[/php]
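Because I can't see the future and it scares me
Because I ended up seeing the future and it makes me sad
I close my eyes and lose myself in gentle memories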
Hackshield hooks NtOpenProcess so that you can't inject into it after a certain point in its initialization. The message box is probably creating enough of a delay to prevent you from opening CA's process. Try opening the process before the message box, then close the handle if you choose no.
Yeah, I realized I went about this in a completely wrong way. I had a list of running processes of which you could select one, then choose the DLL and inject. By the time I can choose a process from my list it's already past the loading and NtOpenProcess has been hooked. So, I'll implement 'wait for process' functionality.
Thanks, and I'll keep this thread updated.
You set the access rights so that you can create a thread remotely; WPM requires write access.
Problem solved. I just had to wait for the process to start and then inject before hackshield did its stuff.
Last edited by Tekkn0logik; 09-04-2010 at 04:49 PM.
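The access-rights point raised in the thread, seen from the monitoring side, as an added example that is not part of any post: a portable C program that decodes the access mask granted on a process handle (as recorded, for instance, in the GrantedAccess field of Sysmon Event ID 10) and flags handles that permit the whole VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence. The sample records, the loader.exe path and the shortened image names are constructed; the bit values are those of the Windows SDK headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Process access-right bits (values from the Windows SDK headers). */
#define PROCESS_CREATE_THREAD 0x0002u
#define PROCESS_VM_OPERATION  0x0008u
#define PROCESS_VM_WRITE      0x0020u

enum { CAN_ALLOC = 1, CAN_WRITE = 2, CAN_THREAD = 4, INJECT_CAPABLE = 8 };

/* One process-access record; fields mirror Sysmon Event ID 10. */
struct access_event { const char *source_image, *target_image; uint32_t granted_access; };

/* Map a granted-access mask to the remote operations it permits. */
unsigned classify_access(uint32_t mask)
{
    unsigned caps = 0;
    if (mask & PROCESS_VM_OPERATION) caps |= CAN_ALLOC;    /* VirtualAllocEx */
    if ((mask & PROCESS_VM_WRITE) && (mask & PROCESS_VM_OPERATION))
        caps |= CAN_WRITE;                                 /* WriteProcessMemory */
    if (mask & PROCESS_CREATE_THREAD) caps |= CAN_THREAD;  /* CreateRemoteThread */
    if ((caps & 7u) == 7u) caps |= INJECT_CAPABLE;         /* all three steps possible */
    return caps;
}

/* Count events against `target` whose handle permits the whole sequence. */
int count_inject_capable(const struct access_event *ev, size_t n, const char *target)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(ev[i].target_image, target) == 0 &&
            (classify_access(ev[i].granted_access) & INJECT_CAPABLE))
            hits++;
    return hits;
}

/* Constructed sample records, not taken from a real log. */
static const struct access_event SAMPLE[] = {
    { "C:\\Windows\\System32\\taskmgr.exe", "Engine.exe", 0x1410 },   /* query + read only */
    { "C:\\Tools\\loader.exe",              "Engine.exe", 0x043A },   /* thread + write + alloc */
    { "C:\\Tools\\loader.exe",              "Engine.exe", 0x0402 },   /* thread, no write */
    { "C:\\Tools\\loader.exe",              "calc.exe",   0x1FFFFF }, /* all access */
};

int main(void)
{
    size_t n = sizeof SAMPLE / sizeof SAMPLE[0];
    printf("inject-capable handles to Engine.exe: %d\n", count_inject_capable(SAMPLE, n, "Engine.exe"));
    return 0;
}
```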