- // ModuleDumper
- // Inject into SteamService.exe or Steam.exe (depends on permissions)
- // Steam version 3.17.73.86
- // this shit is straight fucked up
- // straight up shit this is mate
- #include "stdafx.h"
- #include "SteamService.h"
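// CRC32 values of modules that have already been captured. Each entry is
// compared against the value GetModuleHash() produces for a newly seen module.
DWORD dwDumpedHashes[14] = {
    0x04D37270, 0xAB5BABB4,
    0x2B74FA80, 0xBC5AD655,
    0x04FD4065, 0xD765CC47,
    0xB9C6D0C9, 0x5478D4A2,
    0x697BE547, 0xD1B9323E,
    0x309303AA, 0x22FF30F5,
    0x74C3D180, 0x08ACF517
};

// Reports whether a module hash is already present in dwDumpedHashes.
//
// dwModuleHash: hash to look up (as returned by GetModuleHash).
// Returns TRUE when the hash is in the table, FALSE otherwise.
BOOL AlreadyHaveModule(DWORD dwModuleHash) {
    // Derive the element count from the array itself so the loop bound cannot
    // drift from the table when entries are added or removed.
    const DWORD cHashes = (DWORD)(sizeof(dwDumpedHashes) / sizeof(dwDumpedHashes[0]));

    for (DWORD i = 0; i < cHashes; i++) {
        if (dwDumpedHashes[i] == dwModuleHash) {
            return TRUE;
        }
    }
    return FALSE;
}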
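// Computes a CRC32 over the raw data of the first PE section in the module's
// buffer.
//
// pModule: module whose m_pbBuffer / m_cbBuffer describe the image bytes.
// Returns the value from CalculateCRC32, or 0 when the buffer is missing or a
// header field points outside the buffer.
//
// The buffer contents are not under this code's control, so every offset and
// size read from the headers is checked against m_cbBuffer before it is used.
// These range checks replace the IsBadReadPtr probe, which only tests whether
// pages are readable and does not prove the range belongs to this buffer.
DWORD GetModuleHash(CModule *pModule) {
    if (!pModule || !pModule->m_pbBuffer) {
        LogFile("module buffer is missing!");
        return 0;
    }

    PBYTE pbImage = pModule->m_pbBuffer;
    // assumes m_cbBuffer is the byte length of m_pbBuffer (DumpModule passes
    // it as the write size) -- TODO confirm against CModule
    SIZE_T cbImage = (SIZE_T)pModule->m_cbBuffer;

    if (cbImage < sizeof(IMAGE_DOS_HEADER) || cbImage < sizeof(IMAGE_NT_HEADERS)) {
        LogFile("module buffer is too small for PE headers!");
        return 0;
    }

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pbImage;

    // e_lfanew is a signed field; reject negative values and anything that
    // would place the NT headers past the end of the buffer.
    LONG lNtOffset = pDosHeader->e_lfanew;
    if (lNtOffset < 0 || (SIZE_T)lNtOffset > cbImage - sizeof(IMAGE_NT_HEADERS)) {
        LogFile("PE header offset is out of range!");
        return 0;
    }

    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)(pbImage + lNtOffset);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        LogFile("pNtHeaders signature is wrong!");
        return 0;
    }

    // The section table starts after the optional header, whose size is taken
    // from the file header; make sure one full entry fits inside the buffer.
    SIZE_T cbSectionOffset = (SIZE_T)lNtOffset
        + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
        + pNtHeaders->FileHeader.SizeOfOptionalHeader;
    if (pNtHeaders->FileHeader.NumberOfSections == 0
        || cbSectionOffset > cbImage
        || cbImage - cbSectionOffset < sizeof(IMAGE_SECTION_HEADER)) {
        LogFile("section table is out of range!");
        return 0;
    }

    // first section is usually .text
    PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pNtHeaders);

    // Subtract instead of adding so the comparison cannot wrap around.
    if (pSection->PointerToRawData > cbImage
        || pSection->SizeOfRawData > cbImage - pSection->PointerToRawData) {
        LogFile("bad pbSection raw data!");
        return 0;
    }

    return CalculateCRC32(pbImage + pSection->PointerToRawData, pSection->SizeOfRawData);
}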
// Writes the module's buffer to disk under a file name that embeds its hash,
// then logs that the module was dumped.
//
// pModule:      module whose m_pbBuffer / m_cbBuffer are written out.
// dwModuleHash: hash formatted into the file name as eight hex digits.
//
// The destination directory is hard-coded to one user's desktop.
VOID DumpModule(CModule *pModule, DWORD dwModuleHash) {
    CHAR szDumpPath[MAX_PATH];

    // Explicit buffer size; sprintf_s reports an error instead of overflowing
    // when the formatted path does not fit.
    sprintf_s(szDumpPath, sizeof(szDumpPath),
              "C:\\Users\\imGol2den\\Desktop\\vac3 %08X.dll", dwModuleHash);

    DumpFile(szDumpPath, pModule->m_pbBuffer, pModule->m_cbBuffer);
    LogFile("vac3 module 0x%08X dumped!", dwModuleHash);
}
// Called from LoadModuleHook with the module pointer in ecx (__fastcall).
// Hashes the module, dumps it when it has a buffer and its hash is not in the
// known list, and always logs the hash.
//
// Note that the hash is computed before m_pbBuffer is tested here, so
// GetModuleHash has to cope with whatever state the buffer is in.
VOID __fastcall LoadModuleHookInternal(CModule *pModule) {
    // CRC32 of the first section (expected to be .text)
    DWORD dwTextHash = GetModuleHash(pModule);

    // Only modules that carry a buffer and have not been captured are dumped.
    if (pModule->m_pbBuffer) {
        if (!AlreadyHaveModule(dwTextHash)) {
            DumpModule(pModule, dwTextHash);
        }
    }

    // Logged for every call, whether or not a dump was written.
    LogFile("vac3 module 0x%08X is scanning!", dwTextHash);
}
// Author's note: currently this crashes after a little.
//
// Address execution continues at once the hook stub has run.
// ModuleDumperThread sets it to the patched address + 0x07; it stays NULL
// until that assignment has happened.
DWORD dwLoadModuleReturn = NULL;

// Naked stub that the patched function entry jumps to. The compiler emits no
// prologue or epilogue for a naked function, so the stack on entry is exactly
// what the original function's caller set up. The stub never returns by
// itself: it forwards the first stack argument to LoadModuleHookInternal,
// replays the instructions the author lists as the original ones, and jumps
// to dwLoadModuleReturn.
//
// pModule: first stack argument, read from [ebp + 0x08].
// bFlags:  declared but not read by the stub.
//
// NOTE(review): the replayed instructions are written for the build named in
// the file header; ModuleDumperThread only verifies that the first byte at
// the target is 0x55 before patching.
bool __declspec(naked) LoadModuleHook(CModule *pModule, BYTE bFlags) {
    __asm {
        // save ebp and move esp
        // (temporary frame so the first stack argument can be addressed)
        push ebp
        mov ebp, esp
        // save registers
        // (pushad stores all general-purpose registers)
        pushad
        // call our internal hook
        // its a __fastcall
        // (first argument travels in ecx)
        mov ecx, [ebp + 0x08]
        call LoadModuleHookInternal
        // restore registers
        // (popad, then drop the temporary frame so the stack matches entry)
        popad
        pop ebp
        // original instructions
        // (per the author, the ones displaced from the patched entry)
        push ebp
        mov ebp, esp
        push esi
        mov esi, [ebp + 0x08]
        // return to original function
        // (indirect jump through the address stored by ModuleDumperThread)
        jmp[dwLoadModuleReturn]
    }
}
// Worker started from DllMain. Looks up steamservice.dll in the current
// process and, when the byte at LOADMODULE_OFFSET is 0x55 (push ebp), redirects
// that location to LoadModuleHook and records where execution resumes.
//
// lpReserved: forwarded from DllMain; not used here.
//
// The module handle is cast to DWORD, so this is 32-bit only, in line with the
// x86 inline assembly in LoadModuleHook.
//
// NOTE(review): WriteJMP is defined elsewhere; presumably it overwrites the
// target bytes with a jump. If so, the in-memory code of steamservice.dll no
// longer matches the file on disk, which a code-integrity comparison of the
// loaded image against its backing file would show.
VOID ModuleDumperThread(LPVOID lpReserved) {
    LogFile("module dumper loaded!");

    DWORD dwServiceBase = (DWORD)GetModuleHandle("steamservice.dll");
    LogFile("SteamService.dll 0x%X", dwServiceBase);

    // Nothing to do when the module is not loaded in this process.
    if (!dwServiceBase) {
        return;
    }

    PBYTE pbTarget = (PBYTE)(dwServiceBase + LOADMODULE_OFFSET);

    // Only the first opcode byte is compared before patching.
    if (*pbTarget != 0x55 /* push ebp */) {
        return;
    }

    WriteJMP(pbTarget, (PBYTE)LoadModuleHook);
    dwLoadModuleReturn = (DWORD)pbTarget + 0x07;
    LogFile("hooked LoadModule!");
}
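// DLL entry point. On process attach it turns off per-thread attach/detach
// notifications and starts ModuleDumperThread on a new thread; every other
// reason is ignored.
//
// hModule:            handle of this DLL, passed to DisableThreadLibraryCalls.
// ul_reason_for_call: loader notification code.
// lpReserved:         forwarded to the worker thread as its argument.
// Returns TRUE for every notification, including when the thread could not
// be created.
//
// NOTE(review): ModuleDumperThread is declared as VOID with the default
// calling convention, while LPTHREAD_START_ROUTINE is DWORD WINAPI; the cast
// hides that mismatch from the compiler.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        DisableThreadLibraryCalls(hModule);

        // dwCreationFlags is a DWORD, so pass 0 rather than NULL.
        HANDLE hThread = CreateThread(NULL, 0x1000,
                                      (LPTHREAD_START_ROUTINE)ModuleDumperThread,
                                      lpReserved, 0, NULL);

        // The handle is never waited on; close it so it is not leaked. The
        // thread keeps running after its handle is closed.
        if (hThread) {
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}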