    // Remote-side loader. Inject() copies the raw bytes of this function
    // (from its address up to loadDllEnd) into the target process and starts
    // a thread on the copy, passing the MANUAL_INJECT block as `p`. Because
    // the function is transplanted as a byte range, its compiled layout is
    // part of its behaviour: do not restyle or reorder this body.
    //
    // Steps: (1) apply base relocations for the difference between the
    // remote allocation and the image's preferred base, (2) resolve the
    // import table through the LoadLibraryA/GetProcAddress pointers handed
    // over in the struct, (3) run TLS callbacks, (4) call DllMain.
    //
    // Returns: DllMain's return value (becomes the remote thread's exit
    // code, which Inject() reads back), or FALSE (0) if a DLL or symbol
    // could not be resolved.
    // NOTE(review): if AddressOfEntryPoint is 0 the function falls off the
    // end without a return statement - undefined behaviour for a non-void
    // function.
    // NOTE(review): every pointer is truncated through DWORD, so this is a
    // 32-bit-only implementation as written.
    DWORD WINAPI loadDllIntoMemory(PVOID p)
    {
        PMANUAL_INJECT ManualInject;

        HMODULE hModule;
        DWORD i, Function, count, delta;

        PDWORD ptr;
        PWORD list;

        PIMAGE_BASE_RELOCATION pIBR;
        PIMAGE_IMPORT_DESCRIPTOR pIID;
        PIMAGE_IMPORT_BY_NAME pIBN;
        PIMAGE_THUNK_DATA FirstThunk, OrigFirstThunk;

        PDLL_MAIN EntryPoint;

        ManualInject = (PMANUAL_INJECT)p;

        pIBR = ManualInject->BaseRelocation;
        // delta = actual load address - preferred ImageBase (unsigned wrap is relied on for a negative shift)
        delta = (DWORD)((LPBYTE)ManualInject->ImageBase - ManualInject->NtHeaders->OptionalHeader.ImageBase); // Calculate the delta

        // Relocate the image
        // Walk IMAGE_BASE_RELOCATION blocks until a block with VirtualAddress == 0.
        // NOTE(review): the 4-bit relocation type in each entry is ignored; every
        // non-zero entry is patched as a 32-bit HIGHLOW fixup at (VirtualAddress + low 12 bits).
        // There is also no check that the patched address lies inside SizeOfImage.
        while (pIBR->VirtualAddress)
        {
            if (pIBR->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
            {
                // Entries are the WORDs that follow the block header
                count = (pIBR->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
                list = (PWORD)(pIBR + 1);

                for (i = 0; i < count; i++)
                {
                    if (list[i])
                    {
                        ptr = (PDWORD)((LPBYTE)ManualInject->ImageBase + (pIBR->VirtualAddress + (list[i] & 0xFFF)));
                        *ptr += delta;
                    }
                }
            }

            // Advance to the next block; a SizeOfBlock of 0 would loop forever here (no guard)
            pIBR = (PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR + pIBR->SizeOfBlock);
        }

        pIID = ManualInject->ImportDirectory;

        // Resolve DLL imports
        // One descriptor per imported DLL; the table ends with an all-zero descriptor
        // (only Characteristics is tested for that here).
        while (pIID->Characteristics)
        {
            // OriginalFirstThunk = names/ordinals, FirstThunk = IAT slots to fill in
            OrigFirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase + pIID->OriginalFirstThunk);
            FirstThunk = (PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase + pIID->FirstThunk);

            // Uses the LoadLibraryA pointer passed in by the injector, not a direct import
            hModule = ManualInject->fnLoadLibraryA((LPCSTR)ManualInject->ImageBase + pIID->Name);

            if (!hModule)
            {
                return FALSE;
            }

            while (OrigFirstThunk->u1.AddressOfData)
            {
                if (OrigFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
                {
                    // Import by ordinal

                    // Low 16 bits of the thunk are the ordinal; passed as a fake LPCSTR per the GetProcAddress convention
                    Function = (DWORD)ManualInject->fnGetProcAddress(hModule, (LPCSTR)(OrigFirstThunk->u1.Ordinal & 0xFFFF));

                    if (!Function)
                    {
                        return FALSE;
                    }

                    FirstThunk->u1.Function = Function;
                }

                else
                {
                    // Import by name

                    pIBN = (PIMAGE_IMPORT_BY_NAME)((LPBYTE)ManualInject->ImageBase + OrigFirstThunk->u1.AddressOfData);
                    Function = (DWORD)ManualInject->fnGetProcAddress(hModule, (LPCSTR)pIBN->Name);

                    if (!Function)
                    {
                        return FALSE;
                    }

                    FirstThunk->u1.Function = Function;
                }

                OrigFirstThunk++;
                FirstThunk++;
            }

            pIID++;
        }

        // executeTls and _xor_ are not defined in this view. Unlike the
        // LoadLibraryA/GetProcAddress calls above, executeTls, _xor_ and
        // MessageBoxA are referenced directly rather than through the struct -
        // NOTE(review): whether those references are valid once this body has
        // been copied into another process is not something this view shows; verify.
        if (!executeTls(ManualInject))
            MessageBoxA(0, _xor_("TLS execution failed!").c_str(), 0, MB_ICONERROR | MB_OK);

        // Hand control to DllMain with DLL_PROCESS_ATTACH; its BOOL result is
        // returned as this thread's exit code.
        if (ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint)
        {
            EntryPoint = (PDLL_MAIN)((LPBYTE)ManualInject->ImageBase + ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint);
            return EntryPoint((HMODULE)ManualInject->ImageBase, DLL_PROCESS_ATTACH, NULL); // Call the entry point
        }
        // NOTE(review): no return value on this path (AddressOfEntryPoint == 0)
    }
    // End-of-code marker, never called for its result. Inject() uses
    // (DWORD)loadDllEnd - (DWORD)loadDllIntoMemory as the number of bytes to
    // copy, so this definition must stay immediately after loadDllIntoMemory
    // (assumes the linker preserves source order - TODO confirm).
    DWORD WINAPI loadDllEnd()
    {
        return 0;
    }
    // Injector side (runs in the current process). `s` points to an
    // in-memory PE image of the DLL to load; the DOS and NT headers are
    // parsed directly from that buffer. The image is copied into an RWX
    // allocation inside the target process, a MANUAL_INJECT block followed
    // by the bytes of loadDllIntoMemory is written into a second allocation,
    // and a remote thread is started on the copied loader. The target is
    // hard-coded to "csgo.exe".
    //
    // pIDH, pINH, pISH, i, hProcess, image, mem, ManualInject, hThread and
    // ExitCode are not declared in this function - presumably file-scope
    // globals outside this view; verify.
    //
    // NOTE(review): no return value is checked anywhere in this function
    // (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread),
    // and neither hProcess nor hThread is closed here. For detection
    // engineering, this is the canonical remote-thread injection sequence:
    // RWX VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread.
    void Inject(unsigned char* s)
    {
        PVOID rData = reinterpret_cast<char*>(s);

        // Headers are read from the local buffer; e_lfanew is trusted as-is (no bounds check)
        pIDH = (PIMAGE_DOS_HEADER)rData;
        pINH = (PIMAGE_NT_HEADERS)((LPBYTE)rData + pIDH->e_lfanew);

        // GetProcessByName is not visible in this view; 0 is treated as "not found" below
        DWORD pid = GetProcessByName("csgo.exe");

        // NOTE(review): a pid of 0 is only reported by omission - OpenProcess is still attempted with it
        if (pid != 0)
            cout << "[!] found game process..." << endl;

        // NULL handle on failure is not checked
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

        // Remote allocation for the whole image. It will not land at the
        // preferred ImageBase, which is why loadDllIntoMemory applies relocations.
        image = VirtualAllocEx(hProcess, NULL, pINH->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        // Inline-hook probe: the first byte of kernel32!WriteProcessMemory is
        // compared against jmp/nop/ret opcodes. Only one byte is examined, and
        // the same probe is repeated before every write below.
        FARPROC Address = GetProcAddress(GetModuleHandle("kernel32.dll"), "WriteProcessMemory");
        if (*(BYTE*)Address == 0xE9 /* jmp */ || *(BYTE*)Address == 0x90 /* nop */|| *(BYTE*)Address == 0xC3 /* ret */)
        {
            // Prints the byte value in decimal (std::to_string), not hex
            printf("WINAPI HOOKED KOKOTE %s \n", std::to_string(*(BYTE*)Address).c_str());
        }
        else {
            // Copy the PE headers (SizeOfHeaders bytes) to the start of the remote image
            (WriteProcessMemory)(hProcess, image, rData, pINH->OptionalHeader.SizeOfHeaders, NULL);
        }
        // Section table immediately follows the NT headers
        pISH = (PIMAGE_SECTION_HEADER)(pINH + (1));
        for (i = (0); i < pINH->FileHeader.NumberOfSections; i++)
        {
            if (*(BYTE*)Address == 0xE9 || *(BYTE*)Address == 0x90 || *(BYTE*)Address == 0xC3)
            {
                printf("WINAPI HOOKED KOKOTE\n");
            }
            else {
                // Raw section data from the file offset is copied to the section's
                // VirtualAddress in the remote image. NOTE(review): neither
                // PointerToRawData/SizeOfRawData nor VirtualAddress is validated
                // against the buffer or SizeOfImage.
                (WriteProcessMemory)(hProcess, (PVOID)((LPBYTE)image + pISH[i].VirtualAddress),
                    (PVOID)((LPBYTE)rData + pISH[i].PointerToRawData), pISH[i].SizeOfRawData, NULL);
            }
        }
        // One 4096-byte RWX page for the MANUAL_INJECT block followed by the
        // loader code. NOTE(review): nothing checks that
        // sizeof(MANUAL_INJECT) + (loadDllEnd - loadDllIntoMemory) fits in it.
        mem = VirtualAllocEx(hProcess, NULL, (4096), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        memset(&ManualInject, (0), sizeof(MANUAL_INJECT));

        // All image pointers below are remote addresses (relative to `image`),
        // computed from the local headers.
        ManualInject.ImageBase = image;
        ManualInject.NtHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)image + pIDH->e_lfanew);
        ManualInject.BaseRelocation = (PIMAGE_BASE_RELOCATION)((LPBYTE)image + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
        ManualInject.ImportDirectory = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)image + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
        // Local kernel32 addresses are handed to the remote loader; this
        // assumes kernel32 sits at the same base in the target - TODO confirm
        ManualInject.fnLoadLibraryA = LoadLibraryA;
        ManualInject.fnGetProcAddress = GetProcAddress;
        if (*(BYTE*)Address == 0xE9 || *(BYTE*)Address == 0x90 || *(BYTE*)Address == 0xC3)
        {
            printf("WINAPI HOOKED KOKOTE\n");
            printf("mam te v pici neinjectuju\n");
            Sleep(3000);
        }
        else {
            // Struct first, then the loader's bytes right behind it; length is
            // the address distance to loadDllEnd (assumes the two functions are adjacent)
            (WriteProcessMemory)(hProcess, mem, &ManualInject, sizeof(MANUAL_INJECT), NULL);
            (WriteProcessMemory)(hProcess, (PVOID)((PMANUAL_INJECT)mem + (1)), loadDllIntoMemory, (DWORD)loadDllEnd - (DWORD)loadDllIntoMemory, NULL);
        }
        // Thread entry = the copied loader, parameter = the MANUAL_INJECT block.
        // NOTE(review): the thread is created even on the "hooked" path above,
        // where nothing was written to `mem`.
        hThread = (CreateRemoteThread)(hProcess, NULL, (0), (LPTHREAD_START_ROUTINE)((PMANUAL_INJECT)mem + (1)), mem, (0), NULL);
        // Block until the remote loader returns; ExitCode receives its return
        // value (DllMain's result per loadDllIntoMemory). ExitCode is not used here.
        (WaitForSingleObject)(hThread, INFINITE);
        (GetExitCodeThread)(hThread, &ExitCode);

    }