I get an access denied error (Exception Code 'c0000005' or some shit), what am I doing wrong? I'm sort of just getting back into C/C++ stuff, and I could use a little help. :3
Code:
    #include<stdio.h>
    #include<iostream>
    #include<windows.h>
    using namespace std;

    int main()
    {
        cout << "Enter the target's MainWindow name: ";
        char* WindowName;
        *WindowName = cin.get();
        cout << endl;
        cout << "Enter dll name: ";
        char* DllName;
        *DllName = cin.get();
        HWND WindowHandle = FindWindow(NULL, WindowName);
        DWORD* ProcId = new DWORD;
        GetWindowThreadProcessId(WindowHandle, ProcId);
        HANDLE ProcHandle = OpenProcess(PROCESS_CREATE_THREAD, FALSE, *ProcId);
        LPVOID LoadLibraryAddress = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibrary");
        LPVOID RemoteStringAddress = (LPVOID)VirtualAllocEx(ProcHandle, NULL, strlen(DllName), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
        WriteProcessMemory(ProcHandle, (LPVOID)RemoteStringAddress, DllName, strlen(DllName), NULL);
        CreateRemoteThread(ProcHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddress, (LPVOID)RemoteStringAddress, NULL, NULL);
        CloseHandle(ProcHandle);
        return 0;
    }
Last edited by t7ancients; 09-20-2012 at 07:11 AM.
The exact error would be nice.
dat non-indentation.
Try removing the user input shit and try hardcoding the window name and path to the dll.
Try to open the process with PROCESS_ALL_ACCESS... and indent your code for god's sake...
CoD Minion from 09/19/2012 to 01/10/2013
Sorry guys, I wrote it in notepad while I was in class. And insane, is it better to use PROCESS_ALL_ACCESS when you're just creating a thread? I forgot my flash drive at home, I'll get the exact error details tonight. I appreciate your help guys. I'll also try hardcoding the strings and see if that works.
*facepalm* you guys. This is your problem:
Code:
    char* WindowName;
    *WindowName = cin.get();
You are dereferencing a dangling pointer. Also, that doesn't achieve what you think it does. std::cin::get will read one character from the input stream (the console window).
std::cin::getline is what you're looking for:
https://www.cplusplus.com/reference/string/getline/
You're allocating a new DWORD on the heap, and then you aren't deallocating it using the delete keyword:
Code:
    DWORD* ProcId = new DWORD;
    GetWindowThreadProcessId(WindowHandle, ProcId);
Just allocate it on the stack by using a local variable and passing a pointer to GetWindowThreadProcessId by using the reference operator:
Code:
    DWORD dwProcId = 0;
    GetWindowThreadProcessId(WindowHandle, &dwProcId);
Also...
Code:
    LPVOID LoadLibraryAddress = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibrary");
LoadLibrary is a macro that is defined as either LoadLibraryA or LoadLibraryW depending on the compiler configuration (multi-byte or wide-character...). Just use LoadLibraryA as the API name, because your dll name is encoded as multi-byte.
Finally, you can (if you want) treat the Thread Handle as a mutex object, and wait for it to go in to a signaled state then deallocate the memory you allocated just to clean up a bit.
Last edited by radnomguywfq3; 09-20-2012 at 08:36 PM.
There are two types of tragedies in life. One is not getting what you want, the other is getting it.
If you wake up at a different time in a different place, could you wake up as a different person?
Code:
    HANDLE ProcHandle = OpenProcess(PROCESS_CREATE_THREAD, FALSE, *ProcId);
That will produce a handle that will not have enough access to inject. Here is what you need (taken from each function's remarks on MSDN):
VirtualAllocEx - PROCESS_VM_OPERATION
WriteProcessMemory - PROCESS_VM_WRITE and PROCESS_VM_OPERATION
CreateRemoteThread - PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ
So, it should look like this (with Jetamay's fix):
Code:
    HANDLE ProcHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcId);
Donate:
BTC: 1GEny3y5tsYfw8E8A45upK6PKVAEcUDNv9
Handy Tools/Hacks:
Extreme Injector v3.7.3
A powerful and advanced injector in a simple GUI.
Can scramble DLLs on injection making them harder to detect and even make detected hacks work again!
Minion Since: 13th January 2011
Moderator Since: 6th May 2011
Global Moderator Since: 29th April 2012
Super User/Unknown Since: 23rd July 2013
'Game Hacking' Team Since: 30th July 2013
--My Art--
[Roxas - Pixel Art, WIP]
[Natsu - Drawn]
[Natsu - Coloured]
All drawings are coloured using Photoshop.
--Gifts--
[Kyle]
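The access-right list above is also what a defender looks for from the other side: a handle opened on another process with VM_OPERATION, VM_WRITE and CREATE_THREAD together. The following is an added example, not code from this thread: it decodes the GrantedAccess mask of constructed records shaped like Sysmon Event ID 10 (ProcessAccess) fields and keeps only the handles that could drive this injection method; the paths and masks are invented, and INJECT_CORE is a name chosen here.

```python
"""Triage process-handle events for the right combination a CreateRemoteThread
injector needs.  Sample records are CONSTRUCTED here using Sysmon Event ID 10
(ProcessAccess) field names; the paths and masks are made up, not from any host."""
from __future__ import annotations

# Process access rights from winnt.h (documented bit values).
PROCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# The three rights every step of the method in this thread needs on the target:
# VirtualAllocEx (VM_OPERATION), WriteProcessMemory (VM_WRITE), CreateRemoteThread
# (CREATE_THREAD).  PROCESS_ALL_ACCESS (0x1FFFFF) contains all of them.
INJECT_CORE = 0x0002 | 0x0008 | 0x0020

def decode_mask(granted: str) -> list[str]:
    """Names of the known PROCESS_* bits set in a hex GrantedAccess string."""
    mask = int(granted, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def is_injection_capable(granted: str) -> bool:
    """True when the handle carries CREATE_THREAD, VM_OPERATION and VM_WRITE together."""
    return (int(granted, 16) & INJECT_CORE) == INJECT_CORE

def triage(events: list[dict]) -> list[dict]:
    """Return only the events whose GrantedAccess could drive this injection method."""
    return [{**ev, "Rights": decode_mask(ev["GrantedAccess"])}
            for ev in events if is_injection_capable(ev["GrantedAccess"])]

# Constructed sample events (Sysmon-style field names, invented values).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Games\game.exe",
     "GrantedAccess": "0x1400"},    # QUERY_INFORMATION | QUERY_LIMITED: benign
    {"SourceImage": r"C:\Users\u\injector.exe", "TargetImage": r"C:\Games\game.exe",
     "GrantedAccess": "0x43A"},     # exactly the mask the OpenProcess call above asks for
    {"SourceImage": r"C:\Users\u\inject2.exe", "TargetImage": r"C:\Games\game.exe",
     "GrantedAccess": "0x1FFFFF"},  # PROCESS_ALL_ACCESS, as suggested earlier in the thread
    {"SourceImage": r"C:\Tools\reader.exe", "TargetImage": r"C:\Games\game.exe",
     "GrantedAccess": "0x410"},     # VM_READ | QUERY_INFORMATION: reads memory only
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["SourceImage"]} -> {hit["TargetImage"]} {hit["GrantedAccess"]}: '
              + ", ".join(hit["Rights"]))
```

Reading or querying a process alone does not trip the check; only the write-plus-thread combination does, which keeps the filter quiet on tools such as task managers.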
Thanks for the pointers (haha, punny) guys, it's working now. While we're on the subject, how does the WriteProcessMemory injection method work? Do you write shellcode to the target process or can you just write a function by its address? Also, how do you get the size of a function in memory?
What WriteProcessMemory method? In the CreateRemoteThread method, it just writes the path of the DLL to inject into the target process. If you're referring to, like, writing some sort of stub into the process, well, you write the assembly representation of your code into the target process and run it using CreateRemoteThread (or some other method like thread hijacking). Not sure if you can get the size of a function in memory really... Perhaps if you kept counting until you hit INT3 (0xCC), that might indicate the end of the function, but I'm not sure that's really reliable.
Last edited by master131; 09-21-2012 at 06:49 PM.
hope i helped.
Code:
    #include <windows.h>
    #include <iostream>
    #include <cstring>
    using namespace std;

    BOOL Inject(DWORD pid, LPCSTR dllpath)
    {
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
        if (!hProc) {
            cout << "OpenProcess failed" << endl;
            return FALSE;
        }
        // +1 so the terminating NUL is allocated and written as well
        SIZE_T len = strlen(dllpath) + 1;
        VOID* remoteStr = VirtualAllocEx(hProc, NULL, len, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
        if (!remoteStr) {
            CloseHandle(hProc);
            cout << "VirtualAllocEx failed" << endl;
            return FALSE;
        }
        if (!WriteProcessMemory(hProc, remoteStr, dllpath, len, NULL)) {
            // MEM_RELEASE requires dwSize to be 0
            VirtualFreeEx(hProc, remoteStr, 0, MEM_RELEASE);
            CloseHandle(hProc);
            cout << "WriteProcessMemory failed" << endl;
            return FALSE;
        }
        LPTHREAD_START_ROUTINE locLLA = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        if (!locLLA) {
            VirtualFreeEx(hProc, remoteStr, 0, MEM_RELEASE);
            CloseHandle(hProc);
            cout << "GetProcAddress failed" << endl;
            return FALSE;
        }
        HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, locLLA, remoteStr, 0, NULL);
        if (!hThread) {
            VirtualFreeEx(hProc, remoteStr, 0, MEM_RELEASE);
            CloseHandle(hProc);
            cout << "CreateRemoteThread failed" << endl;
            return FALSE;
        }
        // wait for the remote thread to finish before freeing the string it reads
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        VirtualFreeEx(hProc, remoteStr, 0, MEM_RELEASE);
        CloseHandle(hProc);
        return TRUE;
    }

    int main()
    {
        char szWinName[100], szDllName[100];
        cout << "Enter the target's MainWindow name: ";
        cin.getline(szWinName, sizeof(szWinName));   // getline, since window titles contain spaces
        cout << endl;
        cout << "Enter dll name: ";
        cin.getline(szDllName, sizeof(szDllName));
        cout << endl;
        HWND hWnd = FindWindowA(NULL, szWinName);
        if (!hWnd) {
            cout << "couldnt find window" << endl;
            return 0;
        }
        DWORD dwID = 0;
        GetWindowThreadProcessId(hWnd, &dwID);
        if (!dwID) {
            cout << "GetWindowThreadProcessId failed" << endl;
            return 0;
        }
        if (Inject(dwID, szDllName)) {
            cout << "injection succeeded" << endl;
        }
        return 0;
    }
---------- Post added at 11:03 AM ---------- Previous post was at 10:59 AM ----------
dynamically getting function size? strange
try finding the nearest INT3 block (about 5 of them), but don't count on that, i have seen nop blocks on some systems too.
and what does WriteProcessMemory injection mean?
The WPM shellcode injection is fucking stupid because it is basically an elongated version of the method you just did (unless you have a particular purpose for the shellcode?).
Basically, you write something like this:
Code:
    push seriesOfDwordsOfSuchThatYouWriteTheDllNameInMultiByte
    push esp
    call LoadLibraryA
You write that into process memory and create a thread at the origin (CreateRemoteThread).
You can also use my PE Loader module in my signature. Dat shit is recon.
Last edited by radnomguywfq3; 09-22-2012 at 11:09 AM.