Advertisement
Guest User

ммап инжектор

a guest
Jan 16th, 2018
218
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 6.87 KB | None | 0 0
  1. #include <iostream>
  2.  
  3. #include <Windows.h>
  4. #include <TlHelp32.h>
  5.  
  6. using namespace std;
  7.  
  8. typedef HMODULE(__stdcall* pLoadLibraryA)(LPCSTR);
  9. typedef FARPROC(__stdcall* pGetProcAddress)(HMODULE, LPCSTR);
  10.  
  11. typedef INT(__stdcall* dllmain)(HMODULE, DWORD, LPVOID);
  12.  
  13.  
  14. struct loaderdata
  15. {
  16.     LPVOID ImageBase;
  17.  
  18.     PIMAGE_NT_HEADERS NtHeaders;
  19.     PIMAGE_BASE_RELOCATION BaseReloc;
  20.     PIMAGE_IMPORT_DESCRIPTOR ImportDirectory;
  21.  
  22.     pLoadLibraryA fnLoadLibraryA;
  23.     pGetProcAddress fnGetProcAddress;
  24.  
  25. };
  26.  
  27. DWORD FindProcessId(string processName)
  28. {
  29.     PROCESSENTRY32 processInfo;
  30.     processInfo.dwSize = sizeof(processInfo);
  31.  
  32.     HANDLE processSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
  33.     if (processSnapshot == INVALID_HANDLE_VALUE)
  34.         return 0;
  35.  
  36.     Process32First(processSnapshot, &processInfo);
  37.     if (!processName.compare(processInfo.szExeFile))
  38.     {
  39.         CloseHandle(processSnapshot);
  40.         return processInfo.th32ProcessID;
  41.     }
  42.  
  43.     while (Process32Next(processSnapshot, &processInfo))
  44.     {
  45.         if (!processName.compare(processInfo.szExeFile))
  46.         {
  47.             CloseHandle(processSnapshot);
  48.             return processInfo.th32ProcessID;
  49.         }
  50.     }
  51.  
  52.     CloseHandle(processSnapshot);
  53.     return 0;
  54. }
  55.  
  56. DWORD __stdcall LibraryLoader(LPVOID Memory)
  57. {
  58.  
  59.     loaderdata* LoaderParams = (loaderdata*)Memory;
  60.  
  61.     PIMAGE_BASE_RELOCATION pIBR = LoaderParams->BaseReloc;
  62.  
  63.     DWORD delta = (DWORD)((LPBYTE)LoaderParams->ImageBase - LoaderParams->NtHeaders->OptionalHeader.ImageBase); // Calculate the delta
  64.  
  65.     while (pIBR->VirtualAddress)
  66.     {
  67.         if (pIBR->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
  68.         {
  69.             int count = (pIBR->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
  70.             PWORD list = (PWORD)(pIBR + 1);
  71.  
  72.             for (int i = 0; i < count; i++)
  73.             {
  74.                 if (list[i])
  75.                 {
  76.                     PDWORD ptr = (PDWORD)((LPBYTE)LoaderParams->ImageBase + (pIBR->VirtualAddress + (list[i] & 0xFFF)));
  77.                     *ptr += delta;
  78.                 }
  79.             }
  80.         }
  81.  
  82.         pIBR = (PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR + pIBR->SizeOfBlock);
  83.     }
  84.  
  85.     PIMAGE_IMPORT_DESCRIPTOR pIID = LoaderParams->ImportDirectory;
  86.  
  87.     // Resolve DLL imports
  88.     while (pIID->Characteristics)
  89.     {
  90.         PIMAGE_THUNK_DATA OrigFirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)LoaderParams->ImageBase + pIID->OriginalFirstThunk);
  91.         PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)LoaderParams->ImageBase + pIID->FirstThunk);
  92.  
  93.         HMODULE hModule = LoaderParams->fnLoadLibraryA((LPCSTR)LoaderParams->ImageBase + pIID->Name);
  94.  
  95.         if (!hModule)
  96.             return FALSE;
  97.  
  98.         while (OrigFirstThunk->u1.AddressOfData)
  99.         {
  100.             if (OrigFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
  101.             {
  102.                 // Import by ordinal
  103.                 DWORD Function = (DWORD)LoaderParams->fnGetProcAddress(hModule,
  104.                     (LPCSTR)(OrigFirstThunk->u1.Ordinal & 0xFFFF));
  105.  
  106.                 if (!Function)
  107.                     return FALSE;
  108.  
  109.                 FirstThunk->u1.Function = Function;
  110.             }
  111.             else
  112.             {
  113.                 // Import by name
  114.                 PIMAGE_IMPORT_BY_NAME pIBN = (PIMAGE_IMPORT_BY_NAME)((LPBYTE)LoaderParams->ImageBase + OrigFirstThunk->u1.AddressOfData);
  115.                 DWORD Function = (DWORD)LoaderParams->fnGetProcAddress(hModule, (LPCSTR)pIBN->Name);
  116.                 if (!Function)
  117.                     return FALSE;
  118.  
  119.                 FirstThunk->u1.Function = Function;
  120.             }
  121.             OrigFirstThunk++;
  122.             FirstThunk++;
  123.         }
  124.         pIID++;
  125.     }
  126.  
  127.     if (LoaderParams->NtHeaders->OptionalHeader.AddressOfEntryPoint)
  128.     {
  129.         dllmain EntryPoint = (dllmain)((LPBYTE)LoaderParams->ImageBase + LoaderParams->NtHeaders->OptionalHeader.AddressOfEntryPoint);
  130.  
  131.         return EntryPoint((HMODULE)LoaderParams->ImageBase, DLL_PROCESS_ATTACH, NULL); // Call the entry point
  132.     }
  133.     return TRUE;
  134. }
  135.  
  136.  
  137. DWORD __stdcall stub()
  138. {
  139.     return 0;
  140. }
  141.  
  142. #define DLL_NAME "cheat.dll"
  143. int main()
  144. {
  145.     // Target Dll
  146.     char myDLL[MAX_PATH];
  147.     GetFullPathName(DLL_NAME, MAX_PATH, myDLL, 0);
  148.     //LPCSTR Dll = "C\\......cheat.dll";
  149.  
  150.     DWORD ProcessId = FindProcessId("csgo.exe");
  151.  
  152.     loaderdata LoaderParams;
  153.  
  154.     HANDLE hFile = CreateFileA(myDLL, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
  155.         OPEN_EXISTING, 0, NULL); // Open the DLL
  156.  
  157.     DWORD FileSize = GetFileSize(hFile, NULL);
  158.     PVOID FileBuffer = VirtualAlloc(NULL, FileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
  159.  
  160.     // Read the DLL
  161.     ReadFile(hFile, FileBuffer, FileSize, NULL, NULL);
  162.  
  163.     // Target Dll's DOS Header
  164.     PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)FileBuffer;
  165.     // Target Dll's NT Headers
  166.     PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)FileBuffer + pDosHeader->e_lfanew);
  167.  
  168.     // Opening target process.
  169.     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
  170.     // Allocating memory for the DLL
  171.     PVOID ExecutableImage = VirtualAllocEx(hProcess, NULL, pNtHeaders->OptionalHeader.SizeOfImage,
  172.         MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  173.  
  174.     // Copy the headers to target process
  175.     WriteProcessMemory(hProcess, ExecutableImage, FileBuffer,
  176.         pNtHeaders->OptionalHeader.SizeOfHeaders, NULL);
  177.  
  178.     // Target Dll's Section Header
  179.     PIMAGE_SECTION_HEADER pSectHeader = (PIMAGE_SECTION_HEADER)(pNtHeaders + 1);
  180.     // Copying sections of the dll to the target process
  181.     for (int i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++)
  182.     {
  183.         WriteProcessMemory(hProcess, (PVOID)((LPBYTE)ExecutableImage + pSectHeader[i].VirtualAddress),
  184.             (PVOID)((LPBYTE)FileBuffer + pSectHeader[i].PointerToRawData), pSectHeader[i].SizeOfRawData, NULL);
  185.     }
  186.  
  187.     // Allocating memory for the loader code.
  188.     PVOID LoaderMemory = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT | MEM_RESERVE,
  189.         PAGE_EXECUTE_READWRITE); // Allocate memory for the loader code
  190.  
  191.     LoaderParams.ImageBase = ExecutableImage;
  192.     LoaderParams.NtHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)ExecutableImage + pDosHeader->e_lfanew);
  193.  
  194.     LoaderParams.BaseReloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)ExecutableImage
  195.         + pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
  196.     LoaderParams.ImportDirectory = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)ExecutableImage
  197.         + pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  198.  
  199.     LoaderParams.fnLoadLibraryA = LoadLibraryA;
  200.     LoaderParams.fnGetProcAddress = GetProcAddress;
  201.  
  202.     // Write the loader information to target process
  203.     WriteProcessMemory(hProcess, LoaderMemory, &LoaderParams, sizeof(loaderdata),
  204.         NULL);
  205.     // Write the loader code to target process
  206.     WriteProcessMemory(hProcess, (PVOID)((loaderdata*)LoaderMemory + 1), LibraryLoader,
  207.         (DWORD)stub - (DWORD)LibraryLoader, NULL);
  208.     // Create a remote thread to execute the loader code
  209.     HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((loaderdata*)LoaderMemory + 1),
  210.         LoaderMemory, 0, NULL);
  211.  
  212.     std::cout << "Address of Loader: " << std::hex << LoaderMemory << std::endl;
  213.     std::cout << "Address of Image: " << std::hex << ExecutableImage << std::endl;
  214.  
  215.     // Wait for the loader to finish executing
  216.     WaitForSingleObject(hThread, INFINITE);
  217.  
  218.     std::cin.get();
  219.     // free the allocated loader code
  220.     VirtualFreeEx(hProcess, LoaderMemory, 0, MEM_RELEASE);
  221.  
  222.     return 0;
  223. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement