N00b hax: OpenProcess access denied

[Tekkn0logik]

So basically I've written a Combat Arms hack DLL. I'm having trouble injecting it. If I use the injector I wrote, I get "error 5" which is Access Denied after calling OpenProcess. Yes, I have enabled the SeDebug privilege for my process. If I use FInject, CA closes right after I start it (hackshield detected it maybe)?

Anyway here is my code although it probably doesn't matter since the problem is in injection:

Code:

#include <windows.h>

void PushToConsole(const char* szCommand)
{
	MessageBox(NULL, "PTC", "", MB_ICONINFORMATION);
	HMODULE hMod = GetModuleHandleA("CShell.dll");
	if(hMod != NULL) {
		DWORD *LTClient = (DWORD *)(0x377E7810);
		void* CONoff = (void *) *(DWORD *)(*LTClient + 0x208);
		asm("pushl %0" :: "r"(szCommand));
		asm("call *%0" :: "r"(CONoff));
		asm("addl $4, %esp");
	}
}

DWORD WINAPI HaxThreadProc(LPVOID lpParam)
{
	while(1) {
		if(GetAsyncKeyState(VK_F12) & 1)
			PushToConsole("ShowFps 1");
		Sleep(100);
	}
	return 0;
}

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
	if(dwReason == DLL_PROCESS_ATTACH) {
		MessageBox(NULL, "DLL injected and running", "Success", MB_ICONINFORMATION);
		CreateThread(NULL, 0, HaxThreadProc, NULL, 0, NULL);
	}
	return TRUE;
}

Any ideas?

Tekk

Offtopic: This community really needs to reinstate its IRC channel.

[freedompeace]

Your hack isn't even being started. This is a problem with your injector. IS the program being run administrator permissions? (WinXP = Right click context menu > Run As; WinVista/Win7 = Right click context menu > Run As Administrator)

[Tekkn0logik]

Your hack isn't even being started. This is a problem with your injector. IS the program being run administrator permissions? (WinXP = Right click context menu > Run As; WinVista/Win7 = Right click context menu > Run As Administrator)

Yes. It'll let me open any other process just fine (calc.exe for example) but not Engine.exe.

Edit: Code from my injector to enable SeDebug

Code:

void SetSeDebug()
{
	HANDLE hToken;
	LUID seDebugValue;
	TOKEN_PRIVILEGES tPriv;
	
	ZeroMemory(&tPriv, sizeof(tPriv));
	if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
		MessageBox(NULL, "OpenProcessToken failed.\nDLL injection may not work.\n", "Error", MB_ICONEXCLAMATION);
		return;
	}
	
	if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &seDebugValue)) {
		MessageBox(NULL, "LookupPrivilegeValue failed.\nDLL injection may not work.\n", "Error", MB_ICONEXCLAMATION);
		CloseHandle(hToken);
		return;
	}
	
	tPriv.PrivilegeCount = 1;
	tPriv.Privileges[0].Luid = seDebugValue;
	tPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	
	if(!AdjustTokenPrivileges(hToken, FALSE, &tPriv, sizeof(tPriv), NULL, NULL) || GetLastError() != 0)
		MessageBox(NULL, "AdjustTokenPrivileges failed.\nDLL injection may not work.\n\nTry running this program as an administrator.", "Error", MB_ICONEXCLAMATION);
	CloseHandle(hToken);
}

And the code to inject the DLL:

Code:

int DllInject(HWND hDialog, DWORD procID, LPCSTR dllName)
{
	int response;
	char msg[1024];
	HANDLE proc;
	LPVOID remoteStr, loadLibrary;
	
	sprintf(msg, "You have chosen to inject %s into process %d. Do you want to continue?", dllName, procID);
	response = MessageBox(hDialog, msg, "Message", MB_YESNO | MB_ICONQUESTION);
	if(response != IDYES)
		return 1;
	if(procID == 0)
		return 2;
	
	proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, procID);
	if(proc == 0) {
		sprintf(msg, "Failed to open the process: %d", GetLastError());
		MessageBox(hDialog, msg, "Error", MB_ICONEXCLAMATION);
		return 3;
	}
	
	loadLibrary = (LPVOID) GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
	remoteStr = (LPVOID) VirtualAllocEx(proc, NULL, strlen(dllName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(proc, (LPVOID) remoteStr, dllName, strlen(dllName), NULL);
	CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE) loadLibrary, (LPVOID) remoteStr, 0, NULL);
	
	CloseHandle(proc);
	MessageBox(hDialog, "DLL successfully injected into process.", "Message", MB_ICONINFORMATION);
	return 0;
}

[Kallisti]

[php]enjekt.dat.dll() = troof;[/php]

[Tekkn0logik]

[php]enjekt.dat.dll() = troof;[/php]

wat is this i don't even...

[mmbob]

Hackshield hooks NtOpenProcess so that you can't inject into it after a certain point in its initialization. The message box is probably creating enough of a delay to prevent you from opening CA's process. Try opening the process before the message box, then close the handle if you choose no.

[Tekkn0logik]

Hackshield hooks NtOpenProcess so that you can't inject into it after a certain point in its initialization. The message box is probably creating enough of a delay to prevent you from opening CA's process. Try opening the process before the message box, then close the handle if you choose no.

Yeah, I realized I went about this in a completely wrong way. I had a list of running processes of which you could select one, then choose the DLL and inject. By the time I can choose a process from my list it's already past the loading and NtOpenProcess has been hooked. So, I'll implement 'wait for process' functionality.

Thanks, and I'll keep this thread updated.

[Void]

you set the access rights so that you can create a thread remotly, wpm requires writing access.

[Tekkn0logik]

Problem solved. I just had to wait for the process to start and then inject before hackshield did its stuff.

[swatfx]

Problem solved. I just had to wait for the process to start and then inject before hackshield did its stuff.

look kids, a coder that can code

[whit]

Problem solved. I just had to wait for the process to start and then inject before hackshield did its stuff.

Thats Common Sense Dude...

[Krypton1x]

Thats Common Sense Dude...

Not for everyone...

[Tekkn0logik]

Thats Common Sense Dude...

For someone who hasn't done any hacking before, not so much.

Anyway here's the finished thing, heh


Thanks again everyone. Everything's now working fine. My intent with this is to make a bunch of well-written code snippets to eventually share.