Posted: Sun Mar 10, 2019 2:33 am Post subject: Dll Injection (Pipe Server & Client) Tutorial |
First of all, what's a pipe? And why am I using a pipe server?
A pipe is a section of shared memory that processes use for communication. The process that creates a pipe is the pipe server.
A process that connects to a pipe is a pipe client. One process writes information to the pipe, then the other process reads the information from the pipe.
This overview describes how to create, manage, and use pipes. (docs. microsoft. com / en-us/windows/desktop/ipc/pipes)
I'm about to inject a DLL with a few functions (including the one that starts a pipe server in the target process); then I'm going to use a pipe client to call the DLL's functions from the outside:
DLL (Server):
#include "stdafx.h"
#include <stdlib.h>
#include <string.h>
#define STRSIZE 256 // size of the command buffer; the client uses the same value
bool Compare(const BYTE*, const BYTE*, const char*); // byte-wise match of one candidate position against a masked pattern
DWORD Pattern(DWORD, DWORD, BYTE *, const char *); // scans [address, address + len) for the masked pattern; 0 if not found
BOOL money_flag = FALSE; // toggled by money(): FALSE = original byte in place, TRUE = patched
DWORD moneyHook = NULL; // address located by init(); stays 0 until a scan succeeds
_declspec(dllexport) void PipeServerStart(); //This is the only function I need to export
void init();  // locates the patch site and makes its page writable
void money(); // flips the byte at moneyHook between its two values
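// Creates the named pipe "\\.\pipe\Test", waits for a single client and dispatches
// each received command ("money" / "init") to the matching function until the
// client disconnects. Blocks the calling thread for the lifetime of the connection.
_declspec(dllexport) void PipeServerStart()
{
    char cheatName[STRSIZE];
    DWORD bytesRead = 0;

    // NOTE(review): the NULL security attributes give the pipe the default DACL, so any
    // local process that can open "\\.\pipe\Test" can drive init()/money() in this process.
    // Pass a SECURITY_ATTRIBUTES with an explicit DACL if callers must be restricted.
    HANDLE hPipe = CreateNamedPipe(TEXT("\\\\.\\pipe\\Test"), PIPE_ACCESS_DUPLEX,
                                   PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
                                   1, 1024 * 16, 1024 * 16, INFINITE, NULL);
    if (hPipe == INVALID_HANDLE_VALUE) {
        return;
    }

    // ConnectNamedPipe reports FALSE with ERROR_PIPE_CONNECTED when the client
    // connected before this call; that is still a usable connection.
    if (ConnectNamedPipe(hPipe, NULL) || GetLastError() == ERROR_PIPE_CONNECTED) {
        // Byte-mode pipe: a read returns whatever is currently buffered (up to STRSIZE - 1),
        // so a command is assumed to arrive in one write. ReadFile fails once the client closes.
        while (ReadFile(hPipe, cheatName, STRSIZE - 1, &bytesRead, NULL)) {
            cheatName[bytesRead] = '\0'; // bytesRead <= STRSIZE - 1, so the terminator is in bounds
            // Dispatch on the command text; anything else is ignored.
            if (strcmp(cheatName, "money") == 0) {
                money();
            } else if (strcmp(cheatName, "init") == 0) {
                init();
            }
        }
    }

    DisconnectNamedPipe(hPipe);
    CloseHandle(hPipe); // release the server end of the pipe
}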
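// Locates the patch site inside the DKII.EXE image and makes its page writable.
// Leaves moneyHook at 0 when the module is not loaded, the pattern is not found,
// or the protection change fails, so money() has nothing to write to.
void init()
{
    DWORD vpTemp = 0;

    HMODULE hMod = GetModuleHandleA("DKII.EXE");
    if (hMod == NULL) {
        return; // module not present in this process; nothing to scan
    }

    // NOTE(review): 0x7fffffffffff does not fit in a DWORD and is truncated by the compiler,
    // so the scan runs to the end of the 32-bit address space and will fault on the first
    // unmapped page if the pattern is not found earlier. A bound taken from the module's
    // image size would be safer; kept as-is here.
    moneyHook = Pattern((DWORD)hMod, 0x7fffffffffff, (BYTE *)"\x74\x03\x89\x6F\x7E", "xxxxx"); //Fetches the Hook location in the target
    if (moneyHook == 0) {
        return; // pattern not found
    }

    //Makes the page that contains the code I want to modify writeable
    if (!VirtualProtect((LPVOID)moneyHook, 0x64, PAGE_EXECUTE_READWRITE, &vpTemp)) {
        moneyHook = 0; // page could not be made writable; keep the hook disarmed
    }
}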
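// Toggles the single byte at moneyHook between 0x74 ("je") and 0xEB ("jmp"),
// tracking which value is currently in place with money_flag.
// Does nothing while moneyHook is 0 (init() not run, or its scan failed).
void money()
{
    if (moneyHook == 0) {
        return; // no patch site; writing through address 0 would crash the host
    }

    BYTE *patchSite = (BYTE *)moneyHook;
    if (!money_flag) {
        *patchSite = 0xEB; //Changes "je" (0x74) to "jmp" (0xEB)
        money_flag = TRUE;
    } else {
        *patchSite = 0x74; //Changes "jmp" (0xEB) back to "je" (0x74)
        money_flag = FALSE;
    }
}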
//AOB Scanning Functions
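// Compares the bytes at pData against bMask, position by position, for as long as
// szMask has characters. Only positions marked 'x' in szMask must match; any other
// mask character is a wildcard. Returns true when no marked position differs.
// Reads strlen(szMask) bytes from both pData and bMask; the caller guarantees they are readable.
bool Compare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask; ++szMask, ++pData, ++bMask) {
        if (*szMask == 'x' && *pData != *bMask) {
            return false;
        }
    }
    return true; // reached the mask terminator without a mismatch
}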
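// Scans the dwLen bytes starting at dwAddress for the masked pattern (bMask/szMask)
// and returns the address of the first match, or 0 if there is none or dwLen is 0.
// The loop stops early enough that Compare never reads past dwAddress + dwLen;
// every page inside that range must still be mapped, or the read faults.
DWORD Pattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, const char * szMask)
{
    size_t maskLen = strlen(szMask);
    if (dwLen == 0 || dwLen < maskLen) {
        return 0;
    }

    for (DWORD i = 0; i <= dwLen - maskLen; i++) {
        if (Compare((BYTE*)(dwAddress + i), bMask, szMask)) {
            return (DWORD)(dwAddress + i);
        }
    }
    return 0;
}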
Client:
Code: | #define STRSIZE 256
#include <Windows.h>
#include <stdio.h>
#include <string.h>
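// Connects to "\\.\pipe\Test" and forwards each whitespace-delimited token read
// from stdin as one command until "exit" is typed, stdin ends, or a write fails.
// Returns 0 in every case, as before.
int main(void)
{
    char buffer[STRSIZE];
    DWORD bytesWritten = 0;

    HANDLE hPipe = CreateFile(TEXT("\\\\.\\pipe\\Test"), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); //Connects to the pipe server
    if (hPipe != INVALID_HANDLE_VALUE) {
        // The width must stay STRSIZE - 1 so a long token cannot overrun buffer.
        // Stopping on EOF/error avoids spinning forever on a closed stdin.
        while (scanf("%255s", buffer) == 1) {
            if (strcmp(buffer, "exit") == 0) {
                break;
            }
            // Send only the command and its terminator, not the rest of the
            // buffer, which is uninitialized stack memory.
            DWORD len = (DWORD)(strlen(buffer) + 1);
            if (!WriteFile(hPipe, buffer, len, &bytesWritten, NULL) || bytesWritten != len) { //Sends your "command" to the server
                break; // server disconnected or short write
            }
        }
        CloseHandle(hPipe);
    }
    return (0);
}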
Result:
youtu.be / 5lujwFZp-KU