コード例 #1
0
BOOL cInjector::RunRemoteProc(DWORD dwPid, wstring wDllName, string procName) {
    if (!FindInjectedModule(dwPid)) {
        return false;
    }

    HANDLE hThread;
    HANDLE hProc;
    HMODULE hMod;
    LPVOID procAddress;

    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

    if (hProc)
    {
        std::string s;
        s.assign(wDllName.begin(), wDllName.end());

        PE::ulong procOffset = PE::GetFunctionOffset(s, procName);

        if (procOffset)
        {
            long MODULE_BASE = reinterpret_cast<long>(GetRemoteModuleAddress(dwPid, wDllName));

            hThread = CreateRemoteThread(hProc, NULL, NULL, reinterpret_cast<LPTHREAD_START_ROUTINE>((LPVOID)(MODULE_BASE + procOffset)), NULL, NULL, NULL);
            WaitForSingleObject(hThread, INFINITE);

            CloseHandle(hProc);
            CloseHandle(hThread);
            return true;
        }
        else {
            printf("GetProcAddress() failed with error code %d\n", GetLastError());
        }

        CloseHandle(hProc);
    }
    else {
        printf("OpenProcess() failed with error code %d\n", GetLastError());
    }

    return FALSE;
}
コード例 #2
0
BOOL cInjector::InjectDLL(DWORD dwPid, wstring wDllName)
{
	HANDLE hThread;
	HANDLE hProc;
	HMODULE hKernel32;
	LPVOID lpLoadLibraryW;
	LPVOID lpRemoteString;

	wstring wPath;
	wPath = BH::wPath;
	wPath += wDllName;

	hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

	if(hProc)
	{
		hKernel32 = LoadLibrary(L"Kernel32.DLL");

		if(hKernel32)
		{
			lpLoadLibraryW = GetProcAddress(hKernel32, "LoadLibraryW");

			if(lpLoadLibraryW)
			{
				lpRemoteString = (LPVOID)VirtualAllocEx(hProc, NULL, MAX_PATH, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

				if(lpRemoteString)
				{
					WriteProcessMemory(hProc, lpRemoteString, wPath.c_str(), wPath.size() * 2, NULL);

					hThread = CreateRemoteThread(hProc, NULL, NULL, reinterpret_cast<LPTHREAD_START_ROUTINE>(lpLoadLibraryW), lpRemoteString, NULL, NULL);

					WaitForSingleObject(hThread, INFINITE);

					VirtualFreeEx(hProc, lpRemoteString, 0, MEM_RELEASE);

					FreeLibrary(hKernel32);
					CloseHandle(hProc);
					CloseHandle(hThread);

					// If we're injecting into the wrong version of the D2 client, all the offsets
					// will be wrong and we'll silently fail on the first call into a D2 function
					// (generally D2GFX_GetHwnd in BH::Startup). BH::Startup still returns success
					// however, so check for failed injection by looking for "BH.dll" the game process.
					if (FindInjectedModule(dwPid)) {
						return true;
					}

					printf("WARNING: this maphack will only work with Diablo II client version 1.13C!\n");
					printf("You appear to have a different client version. To learn how to downgrade your\n");
					printf("client, see the Guides & Resources section of the slashdiablo subreddit.\n");
					return false;
				} else {
					printf("VirtualAllocEx() failed with error code %d\n", GetLastError());
				}
			} else {
				printf("GetProcAddress() failed with error code %d\n", GetLastError());
			}

			FreeLibrary(hKernel32);
		} else {
			printf("LoadLibrary() failed with error code %d\n", GetLastError());
		}

		CloseHandle(hProc);
	} else {
		printf("OpenProcess() failed with error code %d\n", GetLastError());
	}

	return FALSE;
}