Posted: Sat Oct 29, 2016 7:09 pm Post subject: Inject DLL into process via lua script |
Hello everyone!
I need a Lua script that injects a DLL into a process. However, I can't use injectDLL(), because it doesn't work for the process I'm injecting the DLL into.
I need to use functions related to kernel, I guess.
I think the way to do it is something like this C++ approach:
Code: | #include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>
// Signature of MessageBoxA; myFunc calls it through a raw address of this type.
typedef int (WINAPI* MsgBoxParam)(HWND, LPCSTR, LPCSTR, UINT);
// NOTE(review): file-scope using-directive; tolerable in a single .cpp, never in a header.
using namespace std;
// Argument block copied into the target process (see main) and read by myFunc there.
// NOTE(review): MessageBoxInj is a DWORD, so it only holds a complete pointer in a 32-bit build.
struct PARAMETERS{
DWORD MessageBoxInj; // address of MessageBoxA, resolved in main
char text[50]; // message text; filled by an unchecked strcpy in main
char caption[25]; // message caption; same
int buttons; // MB_* flags passed as the uType argument of MessageBox
// HWND handle;
};
// Forward declarations.
// NOTE(review): myFunc and Useless are defined 'static' below; on conforming compilers a
// function first declared without 'static' cannot later be defined with it.
DWORD getPid(string procName); // PID of the first process named procName, 0 if none
int privileges(); // enables SE_DEBUG_NAME on this process's token; 0 on success, 1 on failure
DWORD myFunc(PARAMETERS * myparam); //(if you use Dev-C++ put static before DWORD)
DWORD Useless(); ////(if you use Dev-C++ put static before DWORD)
// Entry point: locates notepad.exe, copies myFunc and a PARAMETERS block into it, and
// runs the copy on a remote thread. This is the textbook VirtualAllocEx /
// WriteProcessMemory / CreateRemoteThread pattern: an RWX allocation followed by a
// remote thread start is exactly what endpoint monitoring tends to flag, and none of
// the allocation/write calls below check their return values.
// Returns 1 on an early failure, EXIT_SUCCESS otherwise (also when the remote thread
// could not be created, since that branch only prints a message).
int main()
{
privileges(); // result ignored: a failed privilege adjustment is not treated as an error
DWORD pid = getPid("notepad.exe");
if (pid==0) return 1; //error
HANDLE p;
p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (p==NULL) return 1; //error
// NOTE(review): binding string literals to non-const char* is ill-formed since C++11.
char * mytext = "Hello by CodeCave!";
char * mycaption = "Injection result";
PARAMETERS data; //let's fill in a PARAMETERS struct
// The address is resolved in this process and handed to the target as-is; the DWORD cast
// only keeps a complete pointer in a 32-bit build. user32 is never freed (minor leak).
HMODULE user32 = LoadLibrary("User32.dll");
data.MessageBoxInj = (DWORD)GetProcAddress(user32, "MessageBoxA");
// These literals fit (18 and 16 chars plus NUL), but nothing enforces the 50/25 buffer limits.
strcpy(data.text, mytext);
strcpy(data.caption, mycaption);
data.buttons = MB_OKCANCEL | MB_ICONQUESTION;
// Relies on Useless being laid out directly after myFunc in this binary; see the note at the end of the file.
DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc; //this gets myFunc's size
//--------now we are ready to inject
// Executable+writable page in the target receives the copied function bytes. Neither the
// allocations nor the writes are checked, so a NULL address would be passed straight on.
LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(p, MyFuncAddress, (void*)myFunc,size_myFunc, NULL);
LPVOID DataAddress = VirtualAllocEx(p,NULL,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL);
HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);
if (thread!=0){
//injection completed, now we wait for it to end and free the memory
WaitForSingleObject(thread, INFINITE); //this waits until the thread has finished
// NOTE(review): VirtualFree acts on this process's address space, but these addresses
// belong to p, so the remote allocations are not actually released by these two calls.
VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory
VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory
CloseHandle(thread);
CloseHandle(p); //the thread has already finished at this point; just close the process handle
cout<<"Injection completed!"<<endl;
}else{
// NOTE(review): p is not closed on this path.
cout<<"Error!"<<endl;
}
system("PAUSE");
return EXIT_SUCCESS;
}
// Returns the PID of the first process whose image name equals procName (exact,
// case-sensitive strcmp), or 0 if no match is found.
// NOTE(review): the snapshot handle is not checked against INVALID_HANDLE_VALUE, and the
// first loop iteration compares pt.szExeFile before any Process32First/Next call has
// filled the entry (only dwSize is set), so that comparison reads an uninitialized buffer.
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32); // the toolhelp API requires dwSize to be set before enumerating
do{
if(!strcmp(pt.szExeFile, procName.c_str())){ // assumes an ANSI build where szExeFile is char[] — TODO confirm
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap); // release the snapshot before returning the match
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
// Body that main copies byte-for-byte into the target process and starts there as a
// thread with a PARAMETERS* argument. MessageBox is reached only through the address
// carried in the struct. Returns 0, which becomes the remote thread's exit code.
// NOTE(review): 'static' here conflicts with the non-static declaration above on
// conforming compilers; the note at the end of the file explains why it was added.
static DWORD myFunc(PARAMETERS * myparam){
MsgBoxParam MsgBox = (MsgBoxParam)myparam->MessageBoxInj;
int result = MsgBox(0, myparam->text, myparam->caption, myparam->buttons);
switch(result){ // with MB_OKCANCEL the dialog yields IDOK or IDCANCEL
case IDOK:
//your code
break;
case IDCANCEL:
//your code
break;
}
return 0;
}
// Marker function that is never called: main uses only its address as the end of
// myFunc when computing size_myFunc, which assumes it is laid out right after myFunc.
static DWORD Useless(){
return 0;
}
//this function is needed to obtain extra privileges, so your code can run without conflicts with the system
// Tries to enable SE_DEBUG_NAME on the current process token.
// Returns 0 when AdjustTokenPrivileges succeeds, 1 when it fails or the token cannot be opened.
int privileges(){
HANDLE Token; // NOTE(review): never closed — the token handle leaks on every path
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); // return value not checked
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// NOTE(review): a nonzero return only means the call itself succeeded; a privilege the
// caller does not hold is reported through GetLastError (ERROR_NOT_ALL_ASSIGNED), not checked here.
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
return 1; //FAIL
}else{
return 0; //SUCCESS
}
}
return 1;
}
//Note the use of 'static': Visual C++ in debug mode puts Useless() before myFunc() because of
//name ordering from Z to A, so when we try to calculate the size of myFunc with
//DWORD size_myFunc = (PBYTE)Useless - (PBYTE) myFunc;
//the result is negative, and so when we try the injection the target app crashes.
//So to avoid any problem remember to put 'static' on those functions (adapted to your compiler)
Can someone "translate" this C++ code to lua script for me?
Not entirely, just the parts needed to successfully inject the DLL with Lua. I mean the memory allocation parts, the WriteProcessMemory call, etc.
I'm just looking for a Lua script capable of injecting a DLL into a process, because I can't use injectDLL() and it's not possible to modify the process's memory normally, only using Kernel Mode (Cheat Engine > Settings > Extra); so I need a Lua script that injects the DLL using this kernel feature somehow. Thanks.