  1.  
// Remote-side loader stub.
//
// Inject() (below) copies the raw bytes of this function — from
// loadDllIntoMemory up to loadDllEnd — into the target process and starts a
// thread on that copy, passing a MANUAL_INJECT block as the argument. The
// body therefore has to be position-independent: it may only touch the
// fields of `ManualInject` and the function pointers stored in it.
//
// Steps, in order:
//   1. apply base relocations for the difference between where the image
//      was mapped and its preferred ImageBase;
//   2. resolve the import table through fnLoadLibraryA / fnGetProcAddress;
//   3. call executeTls() (defined outside this listing — presumably runs the
//      image's TLS callbacks; not verified here);
//   4. call the DLL entry point with DLL_PROCESS_ATTACH.
//
// Returns: the entry point's result (cast to DWORD) when the image has an
// entry point; FALSE if a module or import cannot be resolved. If the image
// has no entry point, control falls off the end of the function with no
// return value — undefined behaviour for a DWORD function.
//
// NOTE(review): this stub is 32-bit only. `delta`, `Function` and the thunk
// values are DWORD, so a 64-bit image would be relocated and patched wrongly.
// NOTE(review): executeTls(), MessageBoxA and _xor_() are direct calls into
// the injector's own image (_xor_ additionally builds a std::string, i.e.
// CRT/heap code). Once this function has been copied byte-for-byte into
// another process those call targets no longer point at valid code there,
// so the TLS/MessageBox lines near the bottom break the position-
// independence the rest of the function relies on.
// NOTE(review): no bounds are checked against the relocation or import
// directory sizes; both walks run until a zero terminator is found, so a
// malformed image reads outside its own mapping.
DWORD WINAPI loadDllIntoMemory(PVOID p)
{
    PMANUAL_INJECT ManualInject;

    HMODULE hModule;
    DWORD i, Function, count, delta;

    PDWORD ptr;
    PWORD list;

    PIMAGE_BASE_RELOCATION pIBR;
    PIMAGE_IMPORT_DESCRIPTOR pIID;
    PIMAGE_IMPORT_BY_NAME pIBN;
    PIMAGE_THUNK_DATA FirstThunk, OrigFirstThunk;

    PDLL_MAIN EntryPoint;

    ManualInject = (PMANUAL_INJECT)p;

    pIBR = ManualInject->BaseRelocation;
    // Relocation delta: actual mapping address minus the preferred ImageBase
    // from the optional header (truncated to 32 bits).
    delta = (DWORD)((LPBYTE)ManualInject->ImageBase - ManualInject->NtHeaders->OptionalHeader.ImageBase);

    // Relocate the image. Each block is an IMAGE_BASE_RELOCATION header
    // followed by WORD entries; walking stops at a block whose
    // VirtualAddress is zero.
    // NOTE(review): every non-zero entry is treated as a 32-bit HIGHLOW
    // fixup — the type nibble (entry >> 12) is never examined. Zero entries
    // (ABSOLUTE padding) are skipped, which is the only case this handles.
    // NOTE(review): a block with a non-zero VirtualAddress but
    // SizeOfBlock == 0 fails the size check below and then leaves pIBR
    // unchanged, so the loop would never terminate.
    while (pIBR->VirtualAddress)
    {
        if (pIBR->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
        {
            // Number of WORD entries after the block header.
            count = (pIBR->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
            list = (PWORD)(pIBR + 1);

            for (i = 0; i < count; i++)
            {
                if (list[i])
                {
                    // Low 12 bits of the entry are the page offset; add the
                    // delta to the 32-bit value stored there.
                    ptr = (PDWORD)((LPBYTE)ManualInject->ImageBase + (pIBR->VirtualAddress + (list[i] & 0xFFF)));
                    *ptr += delta;
                }
            }
        }

        pIBR = (PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR + pIBR->SizeOfBlock);
    }

    pIID = ManualInject->ImportDirectory;

    // Resolve DLL imports. Names and ordinals are read from the
    // OriginalFirstThunk (INT) array; resolved addresses are written into the
    // FirstThunk (IAT) array. Walking stops at a descriptor whose
    // Characteristics/OriginalFirstThunk is zero.
    // NOTE(review): on any failure the function returns FALSE and leaves the
    // image partially patched (relocations and earlier thunks already
    // written). There is no fallback to FirstThunk for images whose
    // OriginalFirstThunk is zero.
    while (pIID->Characteristics)
    {
        OrigFirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase + pIID->OriginalFirstThunk);
        FirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase + pIID->FirstThunk);

        // The module name is a NUL-terminated string inside the mapped image.
        hModule = ManualInject->fnLoadLibraryA((LPCSTR)ManualInject->ImageBase + pIID->Name);

        if (!hModule)
        {
            return FALSE;
        }

        while (OrigFirstThunk->u1.AddressOfData)
        {
            if (OrigFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
            {
                // Import by ordinal: the low 16 bits are the ordinal, passed
                // to GetProcAddress as a pseudo-pointer.

                Function = (DWORD)ManualInject->fnGetProcAddress(hModule, (LPCSTR)(OrigFirstThunk->u1.Ordinal & 0xFFFF));

                if (!Function)
                {
                    return FALSE;
                }

                FirstThunk->u1.Function = Function;
            }

            else
            {
                // Import by name: AddressOfData is the RVA of an
                // IMAGE_IMPORT_BY_NAME whose Name field is the symbol.

                pIBN = (PIMAGE_IMPORT_BY_NAME)((LPBYTE)ManualInject->ImageBase + OrigFirstThunk->u1.AddressOfData);
                Function = (DWORD)ManualInject->fnGetProcAddress(hModule, (LPCSTR)pIBN->Name);

                if (!Function)
                {
                    return FALSE;
                }

                FirstThunk->u1.Function = Function;
            }

            OrigFirstThunk++;
            FirstThunk++;
        }

        pIID++;
    }

    // NOTE(review): these two lines call code that lives in the injector,
    // not in the copied stub (see the header comment). A TLS failure only
    // shows a message box; execution still continues to the entry point.
    if (!executeTls(ManualInject))
        MessageBoxA(0, _xor_("TLS execution failed!").c_str(), 0, MB_ICONERROR | MB_OK);

    if (ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint)
    {
        EntryPoint = (PDLL_MAIN)((LPBYTE)ManualInject->ImageBase + ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint);
        // Call the entry point; its BOOL result becomes this thread's exit code.
        return EntryPoint((HMODULE)ManualInject->ImageBase, DLL_PROCESS_ATTACH, NULL);
    }
    // NOTE(review): no return here when AddressOfEntryPoint is zero.
}
// Sentinel with no behaviour of its own. Inject() uses its address as the
// end of the byte range it copies into the target process
// ((DWORD)loadDllEnd - (DWORD)loadDllIntoMemory), so it is expected to sit
// directly after loadDllIntoMemory in the compiled image.
// NOTE(review): that adjacency is a linker-layout assumption, not something
// the language guarantees. Function reordering, inlining, or an incremental-
// link jump thunk would change the copied range; none of this is verified
// in the listing.
DWORD WINAPI loadDllEnd()
{
    return (0);
}
  111.  
// Manually maps the in-memory PE image at `s` into the process named
// "csgo.exe" and runs loadDllIntoMemory on it from a remote thread.
//
// `s` is the raw image (DOS header first). No length is passed, so nothing
// below can verify that the headers or section data lie inside the buffer.
//
// pIDH, pINH, hProcess, image, pISH, mem, ManualInject, hThread, ExitCode
// and `i` are not declared here — they are file-scope globals defined
// outside this listing.
//
// Sequence:
//   1. locate the NT headers via e_lfanew (no MZ/PE signature check);
//   2. open the target and allocate SizeOfImage bytes in it;
//   3. write the headers and each section to its VirtualAddress;
//   4. allocate a 4096-byte page holding a MANUAL_INJECT block followed by
//      a copy of loadDllIntoMemory;
//   5. start a remote thread on that copy and wait for it.
//
// NOTE(review): the "hooked WinAPI" test reads the first byte of the local
// kernel32!WriteProcessMemory and treats E9/90/C3 as a hook. GetProcAddress
// is not checked for NULL before the dereference, only this one export is
// examined, and the same constant byte is re-tested three times. A detour
// that starts with any other instruction would presumably pass the test.
// NOTE(review): when the hook branch is taken the writes are skipped, but
// CreateRemoteThread below still runs on `mem + 1`, which then holds
// nothing this function wrote. That starts a thread on unwritten memory in
// the target rather than aborting the injection.
// NOTE(review): OpenProcess, VirtualAllocEx, WriteProcessMemory and
// CreateRemoteThread results are never checked; the `pid != 0` test only
// prints. hProcess and hThread are never closed and ExitCode is never
// examined. Both remote allocations are PAGE_EXECUTE_READWRITE.
// NOTE(review): 32-bit only — the stub length is computed through DWORD
// casts of function pointers, and it is not checked against
// 4096 - sizeof(MANUAL_INJECT). The LoadLibraryA/GetProcAddress pointers
// stored in the block are the injector's own; reusing them in the target
// presumably relies on kernel32 sharing one base across processes and on
// both processes having the same bitness.
void Inject(unsigned char* s)
{
    PVOID rData = reinterpret_cast<char*>(s);

    // e_lfanew is trusted as-is; no check that it points inside the buffer.
    pIDH = (PIMAGE_DOS_HEADER)rData;
    pINH = (PIMAGE_NT_HEADERS)((LPBYTE)rData + pIDH->e_lfanew);

    DWORD pid = GetProcessByName("csgo.exe");

    if (pid != 0)
        cout << "[!] found game process..." << endl;

    // Still attempted when pid == 0; result not checked.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

    // Remote image region: whole image as one RWX block.
    image = VirtualAllocEx(hProcess, NULL, pINH->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    FARPROC Address = GetProcAddress(GetModuleHandle("kernel32.dll"), "WriteProcessMemory");
    // First-byte hook heuristic (see header comment); `Address` is not
    // NULL-checked before the read.
    if (*(BYTE*)Address == 0xE9 /* jmp */ || *(BYTE*)Address == 0x90 /* nop */|| *(BYTE*)Address == 0xC3 /* ret */)
    {
        printf("WINAPI HOOKED KOKOTE %s \n", std::to_string(*(BYTE*)Address).c_str());
    }
    else {
        // Copy the PE headers to the start of the remote image.
        (WriteProcessMemory)(hProcess, image, rData, pINH->OptionalHeader.SizeOfHeaders, NULL);
    }
    // Section table follows the NT headers.
    pISH = (PIMAGE_SECTION_HEADER)(pINH + (1));
    // Copy each section's raw data to its RVA. Neither
    // VirtualAddress + SizeOfRawData (against SizeOfImage) nor
    // PointerToRawData + SizeOfRawData (against the input) is bounds-checked.
    for (i = (0); i < pINH->FileHeader.NumberOfSections; i++)
    {
        if (*(BYTE*)Address == 0xE9 || *(BYTE*)Address == 0x90 || *(BYTE*)Address == 0xC3)
        {
            printf("WINAPI HOOKED KOKOTE\n");
        }
        else {
            (WriteProcessMemory)(hProcess, (PVOID)((LPBYTE)image + pISH[i].VirtualAddress),
                (PVOID)((LPBYTE)rData + pISH[i].PointerToRawData), pISH[i].SizeOfRawData, NULL);
        }
    }
    // One RWX page for the MANUAL_INJECT block plus the loader stub.
    mem = VirtualAllocEx(hProcess, NULL, (4096), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memset(&ManualInject, (0), sizeof(MANUAL_INJECT));

    // Everything the stub needs, expressed in remote addresses: the mapped
    // image, its NT headers, and the relocation/import directories.
    ManualInject.ImageBase = image;
    ManualInject.NtHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)image + pIDH->e_lfanew);
    ManualInject.BaseRelocation = (PIMAGE_BASE_RELOCATION)((LPBYTE)image + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
    ManualInject.ImportDirectory = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)image + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    ManualInject.fnLoadLibraryA = LoadLibraryA;
    ManualInject.fnGetProcAddress = GetProcAddress;
    if (*(BYTE*)Address == 0xE9 || *(BYTE*)Address == 0x90 || *(BYTE*)Address == 0xC3)
    {
        printf("WINAPI HOOKED KOKOTE\n");
        printf("mam te v pici neinjectuju\n");
        Sleep(3000);
    }
    else {
        // Block first, then the stub's bytes immediately after it. The stub
        // length assumes loadDllEnd directly follows loadDllIntoMemory in
        // this binary (see loadDllEnd).
        (WriteProcessMemory)(hProcess, mem, &ManualInject, sizeof(MANUAL_INJECT), NULL);
        (WriteProcessMemory)(hProcess, (PVOID)((PMANUAL_INJECT)mem + (1)), loadDllIntoMemory, (DWORD)loadDllEnd - (DWORD)loadDllIntoMemory, NULL);
    }
    // NOTE(review): reached on both branches above — see header comment.
    // Thread entry is the copied stub; its argument is the MANUAL_INJECT
    // block at the start of the page.
    hThread = (CreateRemoteThread)(hProcess, NULL, (0), (LPTHREAD_START_ROUTINE)((PMANUAL_INJECT)mem + (1)), mem, (0), NULL);
    (WaitForSingleObject)(hThread, INFINITE);
    (GetExitCodeThread)(hThread, &ExitCode);

}