API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jul 18th, 2018
75
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.02 KB | None | 0 0
raw download clone embed print report
  1. #include <Windows.h>
  2. #include <psapi.h>
  3. #include <string>
  4. #include <TlHelp32.h>
  5. #include <Dbghelp.h>
  6. #include <iostream>
  7. #include <fstream>
  8.  
  9. #define HEADER_SIZE 1024
  10.  
  11. HANDLE get_module_of_process(const std::string& module_name, const HANDLE process)
  12. {
  13. const HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetProcessId(process));
  14.  
  15. if (snapshot != INVALID_HANDLE_VALUE) {
  16. MODULEENTRY32 entry = {0};
  17. entry.dwSize = sizeof(MODULEENTRY32);
  18.  
  19. for (BOOL status = Module32First(snapshot, &entry); status; status = Module32Next(snapshot, &entry)) {
  20. if (!strcmp(entry.szModule, module_name.c_str())) {
  21. CloseHandle(snapshot);
  22. return entry.hModule;
  23. }
  24. }
  25. }
  26.  
  27. CloseHandle(snapshot);
  28. throw std::runtime_error("Failed to find Module: " + module_name);
  29. }
  30.  
  31. HANDLE get_process_handle_by_name(const std::string& name)
  32. {
  33. const HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  34.  
  35. if(snapshot != INVALID_HANDLE_VALUE) {
  36. PROCESSENTRY32 entry {0};
  37. entry.dwSize = sizeof(PROCESSENTRY32);
  38.  
  39. for (BOOL status = Process32First(snapshot, &entry); status; status = Process32Next(snapshot, &entry)) {
  40. if (!strcmp(entry.szExeFile, name.c_str())) {
  41.  
  42. CloseHandle(snapshot);
  43.  
  44. const HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
  45.  
  46. if(handle != INVALID_HANDLE_VALUE)
  47. return handle;
  48.  
  49. throw std::runtime_error("Failed to open a handle to the Process");
  50. }
  51. }
  52. }
  53.  
  54. CloseHandle(snapshot);
  55. throw std::runtime_error("Failed to find the process");
  56. }
  57.  
  58. void load_library_remote(const std::string& process_name, const std::string& module_name)
  59. {
  60. char path[MAX_PATH];
  61.  
  62. const unsigned long size = GetFullPathNameA(module_name.c_str(), MAX_PATH, path, nullptr) + 1;
  63.  
  64. if(size - 1 <= 0)
  65. throw std::runtime_error("GetFullPathNameA failed with Error Code " + std::to_string(GetLastError()));
  66.  
  67. const HANDLE process = get_process_handle_by_name(process_name);
  68. const HANDLE process_module = get_module_of_process(process_name, process);
  69.  
  70. char header[HEADER_SIZE];
  71. ReadProcessMemory(process, reinterpret_cast<const void*>(process_module), header, HEADER_SIZE, nullptr);
  72.  
  73. IMAGE_DOS_HEADER* dos_header = reinterpret_cast<IMAGE_DOS_HEADER*>(header);
  74. IMAGE_NT_HEADERS* nt_headers = ImageNtHeader(header);
  75.  
  76. if (dos_header->e_magic != IMAGE_DOS_SIGNATURE)
  77. throw std::runtime_error("Process is not a valid DOS Image");
  78.  
  79. std::ifstream s(module_name, std::ios::binary | std::ios::ate);
  80.  
  81. char module_header[HEADER_SIZE];
  82.  
  83. if (s) {
  84. const std::streamoff file_size = s.tellg();
  85.  
  86. if (file_size > HEADER_SIZE) {
  87. s.seekg(0, std::ios::beg);
  88. s.read(module_header, HEADER_SIZE);
  89. s.close();
  90. }
  91. else {
  92. throw std::runtime_error("Module " + module_name + " has an invalid size.");
  93. }
  94. }
  95. else {
  96. throw std::runtime_error("Failed to open a file stream to the Module " + module_name + ".");
  97. }
  98.  
  99. IMAGE_DOS_HEADER* module_dos_header = reinterpret_cast<IMAGE_DOS_HEADER*>(header);
  100. IMAGE_NT_HEADERS* module_nt_header = ImageNtHeader(header);
  101.  
  102. if (module_dos_header->e_magic != IMAGE_DOS_SIGNATURE)
  103. throw std::runtime_error("The module " + module_name + " is no valid DOS Image");
  104.  
  105. if (module_nt_header->FileHeader.Machine != nt_headers->FileHeader.Machine)
  106. throw std::runtime_error("The Architectures of the Module and the Process don't match.");
  107.  
  108. FARPROC load_library_ex = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryExA");
  109.  
  110. if (load_library_ex) {
  111.  
  112. uint8_t byte_code[] = {
  113. 0x6A, 0x00, // push 0
  114. 0x6A, 0x00, // push 0
  115. 0x68, 0xBE, 0xBA, 0xFE, 0xCA, // push 0xCAFEBABE
  116. 0xB8, 0xBE, 0xBA, 0xFE, 0xCA, // mov eax, 0xCAFEBABE
  117. 0xFF, 0xD0, // call eax
  118. 0xC3 // ret
  119. };
  120.  
  121. // patch the function address
  122. *reinterpret_cast<unsigned long*>(reinterpret_cast<unsigned long>(byte_code) + 10) =
  123. reinterpret_cast<unsigned long>(load_library_ex);
  124.  
  125. void* remote_memory_path = VirtualAllocEx(process, nullptr, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
  126.  
  127. if (remote_memory_path) {
  128.  
  129. // write the path to the process memory and let the stub pass it to LoadLibraryEx as Parameter
  130. if (WriteProcessMemory(process, remote_memory_path, path, size, nullptr)) {
  131.  
  132. // replace the path address in the stub
  133. *reinterpret_cast<unsigned long*>(reinterpret_cast<unsigned long>(byte_code) + 5) =
  134. reinterpret_cast<unsigned long>(remote_memory_path);
  135.  
  136. void* remote_memory_byte_code = VirtualAllocEx(process, nullptr, sizeof byte_code, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  137.  
  138. if (remote_memory_byte_code) {
  139.  
  140. // Write the Bytecode and call it
  141. if (WriteProcessMemory(process, remote_memory_byte_code, byte_code, sizeof byte_code, nullptr)) {
  142. const HANDLE h = CreateRemoteThread(process, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(remote_memory_byte_code), nullptr, 0, nullptr);
  143.  
  144. if (h == INVALID_HANDLE_VALUE) {
  145. throw std::runtime_error("Failed to create a Thread on the Stub. Error Code: " + std::to_string(GetLastError()));
  146. }
  147.  
  148. WaitForSingleObject(h, INFINITE);
  149. }
  150.  
  151. // 0 because MEM_RELEASE requires dwSize to be 0
  152. if (!VirtualFreeEx(process, remote_memory_byte_code, 0, MEM_RELEASE))
  153. throw std::runtime_error("Error while freeing the Memory of the Byte Code. Error Code: " + std::to_string(GetLastError()));
  154. }
  155. else {
  156. throw std::runtime_error("Failed to allocate Memory for the Byte Code. Error Code: " + std::to_string(GetLastError()));
  157. }
  158. }
  159. else {
  160. throw std::runtime_error("Failed to write the Path to the Remote Process Memory. Error Code: " + std::to_string(GetLastError()));
  161. }
  162.  
  163. // 0 because MEM_RELEASE requires dwSize to be 0
  164. if (!VirtualFreeEx(process, remote_memory_path, 0, MEM_RELEASE))
  165. throw std::runtime_error("Error while freeing the Memory of the Path. Error Code: " + std::to_string(GetLastError()));
  166. }
  167. }
  168. }
  169.  
  170. int main()
  171. {
  172. try {
  173. load_library_remote("csgo.exe", "r3csgo.dll");
  174. }
  175. catch (std::runtime_error& e) {
  176. MessageBoxA(nullptr, e.what(), "Error", MB_OK);
  177. ExitProcess(EXIT_FAILURE);
  178. }
  179.  
  180. return EXIT_SUCCESS;
  181. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!