/************************************************************************************************************************\
\************ [C++ Code-Injection Template] ********* [Tenebricosus] ********* [Released on GameHacking.com] ************/
/************ [GetProcId () Function Coded By Wiccaan a.k.a. Atomos] ********* [Find me @ www.DoxCoding.com] ************\
\************************************************************************************************************************/
//!!Remember!!
//------------
//Jump and Call addresses are relative: they are encoded as the number of bytes between the two instructions. To calculate the Call/Jump
// operand, you subtract the end of the caller instruction from the callee. E.G. if 0x40000000 contains a jump to 0x50000000, the calculation
// will be 0x50000000 - 0x40000005. 0x40000000 is the Caller, 0x50000000 is the Callee, and the jump instruction is 5 bytes long.
//
//In your CodeCave itself you don't have to worry about it, because the number of bytes between the Caller and Callee stays the same,
// but when you jump to or from your CodeCave, the number of bytes between Caller and Callee is variable, because we use VirtualAllocEx
// to get a memory region we can use for our CodeCave (and the address it hands back differs from run to run).
//
//------------
//When you use this code, without modifications, the last assembly line in your CodeCave should always be jmp 0xXXXXXXXX (X can be any
// digit, though I prefer using 0x00000000 or 0xFFFFFFFF. Easier to spot when your CodeCave doesn't work :P)
#include <iostream>
#include <windows.h>
#include <tlhelp32.h>
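// --- Template parameters (edit these for your target) -----------------------
// Everything here assumes a 32-bit target: addresses are DWORDs and the hook
// is a 5-byte jmp with a rel32 operand.
BYTE dbCode[] = {0x90, 0x90, 0xe9, 0x00, 0x00, 0x00, 0x00}; // Opcodes written to the CodeCave. The last 4 bytes are the
                                                            // rel32 operand of the trailing jmp and are filled in at runtime.
BYTE dbJump[5] = {0xe9, 0x00, 0x00, 0x00, 0x00};            // The 5-byte jmp written over the game code at ddJumpAddr;
                                                            // its rel32 operand is filled in at runtime.
DWORD ddJumpAddr = 0x552086;   // The GameCode address we jump from (start of the bytes overwritten by dbJump)
DWORD ddJmpBack = 0x55208C;    // The GameCode address the CodeCave jumps back to after it has run
DWORD ddSize = sizeof(dbCode); // Size of dbCode in bytes. Derived from the array instead of a hand-maintained
                               // constant so it cannot drift when dbCode is edited (original value: 7).
char szProcName[] = "CoDMP.exe"; // Image name of the target process. A char array rather than `char *` to a
                                 // string literal, which is ill-formed in C++11 and later.
DWORD GetProcId( char *szProcName );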
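// Entry point. In order: open the target process, allocate a remote RWX
// region, write dbCode into it (patching its trailing jmp so it returns to
// ddJmpBack), then overwrite 5 bytes at ddJumpAddr with a jmp into that
// region. Each step logs success/failure to stdout; the program waits for a
// keypress before exiting.
//
// Review notes:
//  - `void main()` is non-conforming C++; it is now `int main()` returning 0.
//  - The OpenProcess handle was never closed; it is released on every path.
//  - The allocated remote region is intentionally NOT freed: once the hook is
//    written, the game jumps into it.
//  - The call chain OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
//    WriteProcessMemory -> VirtualProtectEx is the classic cross-process
//    code-injection sequence; endpoint detection typically alerts on exactly
//    this combination (remote RWX allocation, cross-process write, protection
//    change on executable game code).
//  - All pointer<->DWORD casts assume a 32-bit build; on 64-bit the (DWORD)
//    cast of the VirtualAllocEx result truncates the address.
int main()
{
    using namespace std;

    // PROCESS_VM_OPERATION is required for VirtualAllocEx/VirtualProtectEx,
    // PROCESS_VM_WRITE for WriteProcessMemory. GetProcId returns 0 when the
    // process is not running, which makes OpenProcess fail below.
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                                  FALSE, GetProcId(szProcName));
    if (hProcess == NULL)
    {
        cout << "Error: Couldn't open the Game Process\n";
    }
    else
    {
        cout << "Success: Game Process Opened\n";

        // Remote region for the CodeCave. ddSize bytes are requested; the
        // system rounds up to a page. 32-bit only: see the note above.
        DWORD ddCodeCave = (DWORD)VirtualAllocEx(hProcess, NULL, ddSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (ddCodeCave == 0)
        {
            cout << "Error: Failed to allocate CodeCave\n";
        }
        else
        {
            cout << "Success: CodeCave Allocated\n";

            // rel32 for the CodeCave's trailing jmp: target minus the address
            // of the instruction following the jmp (= cave start + cave size).
            // DWORD arithmetic wraps, which is what a negative rel32 needs.
            DWORD ddRelBack = ddJmpBack - (ddCodeCave + ddSize);
            memcpy(&dbCode[ddSize - 4], &ddRelBack, 4);

            if (WriteProcessMemory(hProcess, (LPVOID)ddCodeCave, dbCode, ddSize, NULL) == FALSE)
            {
                cout << "Error: Writing to the CodeCave Failed!\n";
                cout << GetLastError();
            }
            else
            {
                cout << "Success: Code Written to CodeCave!\n";
                cout << "CodeCave Located at: 0x" << hex << ddCodeCave << endl << endl;

                // rel32 for the hook at ddJumpAddr: cave start minus the
                // address following the 5-byte jmp.
                DWORD ddRelCave = ddCodeCave - (ddJumpAddr + 5);
                memcpy(&dbJump[1], &ddRelCave, 4);

                // Game code is normally not writable; make the 5 hook bytes
                // writable, patch them, then restore the previous protection.
                DWORD ddOldProt = 0;
                if (VirtualProtectEx(hProcess, (LPVOID)ddJumpAddr, 5, PAGE_EXECUTE_READWRITE, &ddOldProt) == FALSE)
                {
                    cout << "Error: VirtualProtectEx Falied!\n";
                }
                else
                {
                    if (WriteProcessMemory(hProcess, (LPVOID)ddJumpAddr, dbJump, 5, NULL) == FALSE)
                    {
                        cout << "Error: Couldn't write the Jump!\n";
                    }
                    else
                    {
                        cout << "Success: Jump written.\n CodeCave Active!\n";
                    }
                    // Restore; the result is deliberately ignored, as in the original.
                    VirtualProtectEx(hProcess, (LPVOID)ddJumpAddr, 5, ddOldProt, NULL);
                }
            }
        }

        // The original leaked this handle.
        CloseHandle(hProcess);
    }

    cin.get();
    return 0;
}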
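/* GetProcId: Credits go to Wiccaan, a.k.a. Atomos
 *
 * Returns the PID of the first running process whose image name equals
 * szProcName (exact, case-sensitive strcmp), or 0 when no process matches
 * or the Toolhelp snapshot cannot be taken.
 *
 * Requires a non-UNICODE build: PROCESSENTRY32::szExeFile is a char array
 * only then, which is what strcmp against a char* needs.
 *
 * Fixes vs. the original: CreateToolhelp32Snapshot reports failure with
 * INVALID_HANDLE_VALUE (not NULL); the original still called Process32First
 * on it and then strcmp'd pe32.szExeFile, which was never initialized on
 * that path. The match is now recorded inside the loop instead of being
 * re-derived from whatever entry pe32 happens to hold afterwards.
 */
DWORD GetProcId( char *szProcName )
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hSnapshot == INVALID_HANDLE_VALUE )
        return 0;

    PROCESSENTRY32 pe32 = {};
    pe32.dwSize = sizeof( PROCESSENTRY32 ); // Toolhelp rejects the call if dwSize is not set

    DWORD ddPid = 0;
    if( Process32First( hSnapshot, &pe32 ) )
    {
        do
        {
            if( strcmp( pe32.szExeFile, szProcName ) == 0 )
            {
                ddPid = pe32.th32ProcessID;
                break;
            }
        } while( Process32Next( hSnapshot, &pe32 ) );
    }

    CloseHandle( hSnapshot );
    return ddPid;
}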