 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Luig
Cheater
![]() Reputation: 0
Joined: 24 Sep 2010
Posts: 26
|
 Posted: Fri Sep 24, 2010 10:22 pm Post subject: Can't inject .dll from code. [Delphi] |
 |
|
I have tried several functions I found on the web and I have not been able to successfully inject a .dll into the target process.
Function 1:
| Code: | procedure InjectDll(PID: dword; DLL: pChar);
var
BytesWritten, hProcess, hThread, TID: Cardinal;
Parameters: pointer;
pThreadStartRoutine: Pointer;
begin
hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Parameters := VirtualAllocEx( hProcess, nil, Length(DLL)+1, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE);
WriteProcessMemory(hProcess,Parameters,Pointer(DLL),Length(DLL)+1,BytesWritten);
pThreadStartRoutine := GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA');
hThread := CreateRemoteThread(hProcess, nil, 0, pThreadStartRoutine, Parameters, 0, TID);
CloseHandle(hProcess);
end; |
Function 2:
| Code: | Function InjectDll2(ProcessID: DWORD; LibraryName: String): Integer;
Type
PLibRemote = ^TLibRemote;
TLibRemote = packed record
ProcessID: DWORD;
LibraryName: Array [0..MAX_LIBRARYNAME] of Char;
LibraryHandle: HMODULE;
end;
var hKernel: HMODULE;
hProcess: THandle;
hThread: THandle;
dwNull: Cardinal;
lpRemote: PLibRemote;
lpLibRemote: PChar;
const
MAX_LIBRARYNAME = MAX_PATH;
MAX_FUNCTIONNAME = 255;
MIN_INSTRSIZE = 5;
Begin
// Set default result of (-1), which means the injection failed
result:=(-1);
// Check library name and version of OS we are running on
if (Length(LibraryName) > 0) and ((GetVersion and $80000000) = 0)then
begin
Result := 2;
// Attempt to open the process
hProcess:=OpenProcess(PROCESS_ALL_ACCESS, False, ProcessID);
// Check process handle
if (hProcess <> 0) then
begin
// Resource protection
try
Result:= 3;
// Get module handle for kernel32
hKernel:=GetModuleHandle('kernel32.dll');
// Check handle
if (hKernel <> 0) then
begin
Result := 4;
// Allocate memory in other process
lpLibRemote:=VirtualAllocEx(hProcess, nil, Succ(Length(LibraryName)), MEM_COMMIT, PAGE_READWRITE);
// Check memory pointer
if Assigned(lpLibRemote) then
begin
// Resource protection
try
Result := 5;
// Write the library name to the memory in other process
WriteProcessMemory(hProcess, lpLibRemote, PChar(LibraryName), Length(LibraryName), dwNull);
// Create the remote thread
hThread:=CreateRemoteThread(hProcess, nil, 0, GetProcAddress(hKernel, 'LoadLibraryA'), lpLibRemote, 0, dwNull);
// Check the thread handle
if (hThread <> 0) then
begin
// Resource protection
try
// Allocate a new remote injection record
lpRemote:=AllocMem(SizeOf(TLibRemote));
// Set process id
lpRemote^.ProcessID:=ProcessID;
// Copy library name
StrPLCopy(lpRemote^.LibraryName, LibraryName, MAX_LIBRARYNAME);
// Wait for the thread to complete
WaitForSingleObject(hThread, INFINITE);
// Fill in the library handle
GetExitCodeThread(hThread, DWORD(lpRemote^.LibraryHandle));
// Add to list
result:=1;
finally
// Close the thread handle
CloseHandle(hThread);
end;
end;
finally
// Free allocated memory
VirtualFree(lpLibRemote, 0, MEM_RELEASE);
end;
end;
end;
finally
// Close the process handle
CloseHandle(hProcess);
end;
end;
end;
End; |
Function 3:
| Code: | function InjectDllToTarget2(dllName : string; TargetProcessID : DWORD ): boolean;
var
LibName : pointer;
hProcess , ThreadHandle : Thandle;
BytesWritten , TheadID : DWORD;
begin
result := false;
hProcess := OpenProcess( PROCESS_ALL_ACCESS, FALSE, TargetProcessID );
if (hProcess = 0) then exit;
// alocate and write the dll name to the remote process
LibName := VirtualAllocEx(hProcess , 0, length(dllName) + 5 , MEM_COMMIT , PAGE_READWRITE) ;
if ( LibName <> nil) then
begin
WriteProcessMemory(hProcess , LibName, pchar(dllName) , length(dllName) , BytesWritten );
end ;
ThreadHandle := CreateRemoteThread( hProcess , nil , 0, GetProcAddress(LoadLibrary('kernel32.dll'), 'LoadLibraryA') , LibName ,0 , TheadID );
result := ThreadHandle <> 0;
WaitForSingleObject( ThreadHandle , INFINITE); //wait for the thread to execute
// free the memory we allocated for the dll name
VirtualFreeEx( hProcess , LibName , 0 , MEM_RELEASE);
CloseHandle(hProcess);
end; |
Function 4: (Really a whole unit)
| Code: | unit DllInjection;
interface
uses
SysUtils,
windows,
shellapi;
Type
TInjectDllData = record
pLoadLibrary : pointer; //pointer to the loadLibrary function
pGetProcAddress : pointer; //pointer to the GetProcAddress function
pGetModuleHandle : pointer; //pointer to the GetModulhandle function
lib_name : pointer; //pointer to the name of the dll we will load
end;
TProcessEntry32 = record
dwSize : DWORD;
cntUsage : DWORD;
th32ProcessID : DWORD;
th32DefaultHeapID : DWORD;
th32ModuleID : DWORD;
cntThreads : DWORD;
th32ParentProcessID : DWORD;
pcPriClassBase : integer;
dwFlags : DWORD;
szExeFile : array [0..MAX_PATH-1] of char;
end;
function InjectDllToTarget(dllName : string; TargetProcessID : DWORD ; code : pointer; CodeSize : integer ): boolean;
procedure InjectedProc( parameter : Pointer ) ; stdcall;
function CreateToolhelp32Snapshot (dwFlags,th32ProcessID: cardinal) : cardinal;
function Process32First(hSnapshot: cardinal; var lppe: TProcessEntry32) : bool;
function Process32Next(hSnapshot: cardinal; var lppe: TProcessEntry32) : bool;
function FindProcess( Name : string) : dword;
procedure GetDebugPrivs;
procedure killbyPID( PID : DWORD);
Var
pCreateToolhelp32Snapshot : function (dwFlags,th32ProcessID: cardinal) : cardinal; stdcall = nil;
pProcess32First : function (hSnapshot: cardinal; var lppe: TProcessEntry32) : bool; stdcall = nil;
pProcess32Next : function (hSnapshot: cardinal; var lppe: TProcessEntry32) : bool; stdcall = nil;
const
TH32CS_SnapProcess = 2;
SE_DEBUG_NAME = 'SeDebugPrivilege' ;
implementation
procedure InjectedProc( parameter : Pointer ) ; stdcall;
var InjectDllData : TInjectDllData;
begin
InjectDllData := TInjectDllData(parameter^);
asm
push InjectDllData.lib_name
call InjectDllData.pLoadLibrary
{
you could easily call a function inside the library we just loaded
}
end;
end;
function InjectDllToTarget(dllName : string; TargetProcessID : DWORD ; code : pointer; CodeSize : integer ): boolean;
var
InitDataAddr , WriteAddr : pointer;
hProcess , ThreadHandle : Thandle;
BytesWritten , TheadID : DWORD;
InitData : TInjectDllData;
begin
result := false;
// it would probably be a good idea to set these
// from the IAT rather than assuming kernel32.dll
// is loaded in the same place in the remote process
InitData.pLoadLibrary := GetProcAddress(LoadLibrary('kernel32.dll'), 'LoadLibraryA');
InitData.pGetProcAddress := GetProcAddress(LoadLibrary('kernel32.dll'), 'GetProcAddress');
InitData.pGetModuleHandle := GetProcAddress(LoadLibrary('kernel32.dll'), 'GetModuleHandleA');
hProcess := OpenProcess( PROCESS_ALL_ACCESS, FALSE, TargetProcessID );
if (hProcess = 0) then exit;
// write the initdata strucutre to the remote prcess
InitDataAddr := VirtualAllocEx(hProcess , 0, sizeof(InitData) , MEM_COMMIT , PAGE_READWRITE) ;
if ( InitDataAddr <> nil) then
begin
WriteProcessMemory(hProcess , InitDataAddr , (@InitData) , sizeof(InitData) , BytesWritten );
end ;
// alocate and write the dll name to the remote process
InitData.lib_name := VirtualAllocEx(hProcess , 0, length(dllName) + 5 , MEM_COMMIT , PAGE_READWRITE) ;
if ( InitData.lib_name <> nil) then
begin
WriteProcessMemory(hProcess , InitData.lib_name , pchar(dllName) , length(dllName) , BytesWritten );
end ;
// write our proc that loads the dll into the remote process
// then execute it
WriteAddr := VirtualAllocEx(hProcess , 0, CodeSize , MEM_COMMIT , PAGE_READWRITE) ;
if (WriteAddr <> nil) then
begin
WriteProcessMemory(hProcess , WriteAddr , code , CodeSize , BytesWritten );
if BytesWritten = CodeSize then
begin
ThreadHandle := CreateRemoteThread( hProcess , nil , 0, WriteAddr , InitDataAddr ,0 , TheadID );
WaitForSingleObject( ThreadHandle , INFINITE); //wait for the thread to execute
VirtualFreeEx( hProcess , WriteAddr , 0 , MEM_RELEASE); // free the memory we allocated
result := true;
end;
end;
// free the memory we allocated for the dll name
VirtualFreeEx( hProcess , InitDataAddr , 0 , MEM_RELEASE);
VirtualFreeEx( hProcess , InitData.lib_name , 0 , MEM_RELEASE);
CloseHandle(hProcess);
end;
procedure GetDebugPrivs;
var
hToken: THandle;
tkp: TTokenPrivileges;
retval: dword;
begin
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)) then
begin
LookupPrivilegeValue(nil, SE_DEBUG_NAME , tkp.Privileges[0].Luid);
tkp.PrivilegeCount := 1;
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, false, tkp, 0, nil, retval);
end;
end;
function FindProcess( Name : string) : dword;
var
FSnapshotHandle : THandle;
FProcessEntry32 : TProcessEntry32;
ContinueLoop:BOOL;
hp : Thandle;
begin
FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
FProcessEntry32.dwSize:=Sizeof(FProcessEntry32);
ContinueLoop := Process32First(FSnapshotHandle,FProcessEntry32);
while ContinueLoop do
begin
if Name = FProcessEntry32.szExeFile then
begin
result := FProcessEntry32.th32ProcessID ;
CloseHandle(FSnapshotHandle);
exit;
end;
ContinueLoop := Process32Next(FSnapshotHandle,FProcessEntry32);
end;
CloseHandle(FSnapshotHandle);
end;
function TestToolhelpFunctions : boolean;
var c1 : cardinal;
begin
c1:=GetModuleHandle('kernel32');
@pCreateToolhelp32Snapshot:=GetProcAddress(c1,'CreateToolhelp32Snapshot');
@pProcess32First :=GetProcAddress(c1,'Process32First' );
@pProcess32Next :=GetProcAddress(c1,'Process32Next' );
result := (@pCreateToolhelp32Snapshot<>nil) and (@pProcess32First<>nil) and (@pProcess32Next<>nil);
end;
function CreateToolhelp32Snapshot (dwFlags,th32ProcessID: cardinal) : cardinal;
begin
result := 0;
if @pCreateToolhelp32Snapshot = nil then if not TestToolhelpFunctions then exit;
result := pCreateToolhelp32Snapshot( dwFlags , th32ProcessID );
end;
function Process32First(hSnapshot: cardinal; var lppe: TProcessEntry32) : bool;
begin
result := false;
if @pProcess32First = nil then if not TestToolhelpFunctions then exit;
result := pProcess32First(hSnapshot,lppe);
end;
function Process32Next(hSnapshot: cardinal; var lppe: TProcessEntry32) : bool;
begin
result := false;
if @pProcess32Next = nil then if not TestToolhelpFunctions then exit;
result := pProcess32Next(hSnapshot,lppe);
end;
procedure killbyPID( PID : DWORD);
var hp : THANDLE;
begin
hp := OpenProcess( PROCESS_TERMINATE , false, PID) ;
TerminateProcess(hp,0);
end;
end. |
None of these have worked. If someone could give me a function or procedure that I could use or tell me whats wrong with the ones above. They all point that they succeed but I the .dll never gets injected.
|
|
| Back to top |
|
 |
tombana
Master Cheater
![]() Reputation: 2
Joined: 14 Jun 2007
Posts: 456
Location: The Netherlands
|
| Posted: Sat Sep 25, 2010 4:44 am Post subject: |
|
|
Are you sure there is nothing wrong with the dll? Have you tried injecting the dll with a working dll injector?
What operating system are you using? (All 4 methods use OpenProcess with PROCESS_ALL_ACCESS which will not work on all operating systems)
|
|
| Back to top |
|
|
DeletedUser14087
I post too much
![]() Reputation: 2
Joined: 21 Jun 2006
Posts: 3069
|
| Posted: Sat Sep 25, 2010 5:32 am Post subject: |
|
|
| You need to have SeDebugPrivilege, in Delphi.
|
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 471
Joined: 09 May 2003
Posts: 25821
Location: The netherlands
|
| Posted: Sat Sep 25, 2010 6:41 am Post subject: |
|
|
And not to mention that you could be running an anti virus that prevents dll injection
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Luig
Cheater
![]() Reputation: 0
Joined: 24 Sep 2010
Posts: 26
|
| Posted: Sat Sep 25, 2010 11:03 am Post subject: |
|
|
| I can inject the .dll just fine using ce and autoit but not from delphi which is ironic because ce was mainly coded in delphi. As for my OS I am running Vista 32 bit. I am sure I set debugprivs using a function found in the last unit I posted.
|
|
| Back to top |
|
|
tombana
Master Cheater
![]() Reputation: 2
Joined: 14 Jun 2007
Posts: 456
Location: The Netherlands
|
| Posted: Sat Sep 25, 2010 11:17 am Post subject: |
|
|
| Luig wrote: | | As for my OS I am running Vista 32 bit. |
There is your error. Don't use Vista 
It should work if you change PROCESS_ALL_ACCESS to something more appropriate. If you search this forum you can find examples of how it can be done.
|
|
| Back to top |
|
|
Luig
Cheater
![]() Reputation: 0
Joined: 24 Sep 2010
Posts: 26
|
| Posted: Sat Sep 25, 2010 11:31 am Post subject: |
|
|
| But wouldnt I get an error when openning the process. In a function there are return values in several steps and it openprocess does return a valid handle. If this is the issue should I just use read write access?
|
|
| Back to top |
|
|
sponge
I'm a spammer
 Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Sat Sep 25, 2010 3:31 pm Post subject: |
|
|
| Code: | PROCESS_QUERY_INFORMATION
PROCESS_CREATE_THREAD
PROCESS_VM_OPERATION
PROCESS_VM_WRITE |
_________________
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 471
Joined: 09 May 2003
Posts: 25821
Location: The netherlands
|
| Posted: Sat Sep 25, 2010 10:21 pm Post subject: |
|
|
if ce works and you actually did properly set SeDebugPrivilege then PROCESS_ALL_ACCESS should work without a problem in vista
anyhow, make sure the dllname you give is the full path to the dll. Not a relative address
also, debug the function to see where it goes wrong.
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Luig
Cheater
![]() Reputation: 0
Joined: 24 Sep 2010
Posts: 26
|
| Posted: Sun Sep 26, 2010 12:28 pm Post subject: |
|
|
| Code: | procedure GetDebugPrivs;
var
hToken: THandle;
tkp: TTokenPrivileges;
retval: dword;
Const
SE_DEBUG_NAME = 'SeDebugPrivilege' ;
begin
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)) then
begin
LookupPrivilegeValue(nil, SE_DEBUG_NAME , tkp.Privileges[0].Luid);
tkp.PrivilegeCount := 1;
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, false, tkp, 0, nil, retval);
end;
end; |
That procedure should work right and I cant verify this because I'm not home.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
