int main(int argc, char **argv) { if (argc==3 && _stricmp(argv[1], "hook")==0){ int threadid = atoi(argv[2]); HMODULE hmodule = NULL; HHOOK hhook = NULL; if (!inject_dll(hmodule, hhook, threadid)){ printf("Injection failed.\n"); return 1; } printf("Press enter key to stop."); getchar(); eject_dll(hmodule, hhook); return 0; } else if ((argc==2||argc==3) && _stricmp(argv[1], "server")==0) { int port = 3900; if (argc==3) atoi(argv[2]); thrift_server_start(port); return 0; } printf("Usage:\n"); printf(" %s hook thread_id\n", argv[0]); printf(" %s server [port_number]\n", argv[0]); return 1; }
/* * Inject a DLL into another process via Reflective DLL Injection. */ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer ) { DWORD dwResult = ERROR_ACCESS_DENIED; DWORD dwPidArch = PROCESS_ARCH_UNKNOWN; DWORD dwDllArch = PROCESS_ARCH_UNKNOWN; LPVOID lpDllBuffer = NULL; DWORD dwDllLenght = 0; do { if( !pDllBuffer ) BREAK_WITH_ERROR( "[PS] ps_inject_dll. No Dll buffer specified", ERROR_INVALID_PARAMETER ); dwPidArch = ps_getarch( dwPid ); dprintf("before pid check, dwPidArch: %d", dwPidArch); //dwPidArch = PROCESS_ARCH_X86; if( dwPidArch == PROCESS_ARCH_X86 ) { lpDllBuffer = pDllBuffer->lpPE32DllBuffer; dwDllLenght = pDllBuffer->dwPE32DllLenght; dprintf("ps_inject PID arch is x86"); } else if( dwPidArch == PROCESS_ARCH_X64 ) { lpDllBuffer = pDllBuffer->lpPE64DllBuffer; dwDllLenght = pDllBuffer->dwPE64DllLenght; dprintf("ps_inject PID arch is x64"); } else { BREAK_WITH_ERROR( "[PS] ps_inject_dll. Unable to determine target pid arhitecture", ERROR_INVALID_DATA ); } dwDllArch = ps_getarch_dll( lpDllBuffer ); if( dwDllArch == PROCESS_ARCH_UNKNOWN ) BREAK_WITH_ERROR( "[PS] ps_inject_dll. Unable to determine DLL arhitecture", ERROR_BAD_FORMAT ); if( dwDllArch != dwPidArch ) BREAK_WITH_ERROR( "[PS] ps_inject_dll. pid/dll architecture mixup", ERROR_BAD_ENVIRONMENT ); dwResult = inject_dll( dwPid, lpDllBuffer, dwDllLenght ); } while( 0 ); return dwResult; }
static PyObject * Py_reflective_inject_dll(PyObject *self, PyObject *args) { DWORD dwPid; const char *lpDllBuffer; DWORD dwDllLenght; const char *cpCommandLine; PyObject* py_is64bit; int is64bits; if (!PyArg_ParseTuple(args, "Is#O", &dwPid, &lpDllBuffer, &dwDllLenght, &py_is64bit)) return NULL; is64bits = PyObject_IsTrue(py_is64bit); if(is64bits){ is64bits=PROCESS_ARCH_X64; }else{ is64bits=PROCESS_ARCH_X86; } if(inject_dll( dwPid, lpDllBuffer, dwDllLenght, NULL, is64bits) != ERROR_SUCCESS) return NULL; return PyBool_FromLong(1); }
// TODO cleanup messy code BOOL _CreateMap(VOID) { STARTUPINFOW si = { 0 }; PROCESS_INFORMATION pi = { 0 }; BOOL bRet = FALSE; WCHAR cwd[MAX_PATH] = { 0 }; WCHAR rmgtmp[MAX_PATH] = { 0 }; char rmg_dll[MAX_PATH] = { 0 }; WCHAR h3maped_dir[MAX_PATH] = { 0 }; WCHAR h3maped_exe[MAX_PATH] = { 0 }; WCHAR gzip_utils_dest[MAX_PATH] = { 0 }; HKEY key = NULL; char value[MAX_PATH] = { 0 }; DWORD value_length = sizeof(value)-1; DWORD type = REG_SZ; GetCurrentDirectoryW(sizeof(cwd)-1, cwd); _snwprintf(rmgtmp, sizeof(rmgtmp) / sizeof(WCHAR)-1, L"%s\\data\\maps\\rmgtmp", cwd); DeleteFileW(rmgtmp); if (RegOpenKeyA(HKEY_CURRENT_USER, "Software\\h3minternals\\", &key) != ERROR_SUCCESS) { return FALSE; } value_length = sizeof(value); memset(value, 0, sizeof(value)); if (ERROR_SUCCESS != RegQueryValueExA(key, "orig_maped_path", NULL, &type, (LPBYTE)value, &value_length)) { char fail[64]; sprintf(fail, "fail %d", GetLastError()); OutputDebugStringA(fail); } _snwprintf(h3maped_dir, sizeof(h3maped_dir) / sizeof(WCHAR) - 1, L"%S", value); _snwprintf(h3maped_exe, sizeof(h3maped_exe) / sizeof(WCHAR)-1, L"%s\\h3maped.exe", h3maped_dir); _snwprintf(gzip_utils_dest, sizeof(gzip_utils_dest) / sizeof(WCHAR)-1, L"%s\\gzip_utils.dll", h3maped_dir); if (FALSE == CopyFileW(L"gzip_utils.dll", gzip_utils_dest, FALSE)) { MessageBoxA(0, "Failed to copy gzip_utils.dll to map editor path. Please copy this file manually.", "Error", MB_ICONERROR); } OutputDebugStringW(L"anymap: orig_maped_path"); OutputDebugStringW(h3maped_exe); value_length = sizeof(rmg_dll); memset(rmg_dll, 0, sizeof(rmg_dll)); if (ERROR_SUCCESS != RegQueryValueExA(key, "maped_rmg_path", NULL, &type, (LPBYTE)rmg_dll, &value_length)) { char fail[64]; sprintf(fail, "fail %d", GetLastError()); OutputDebugStringA(fail); } OutputDebugStringA("anymap: maped_rmg_path"); OutputDebugStringA(rmg_dll); RegCloseKey(key); si.cb = sizeof(si); si.lpReserved = cwd; if (FALSE == (bRet = CreateProcessW(NULL, h3maped_exe, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ))) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return FALSE; } inject_dll(pi.hProcess, rmg_dll, 0); ResumeThread(pi.hThread); { for (;;) { MSG msg; if (0 != PeekMessageA(&msg, NULL, 0, 0, PM_REMOVE)) { TranslateMessage(&msg); DispatchMessage(&msg); } if (WAIT_OBJECT_0 == WaitForSingleObject(pi.hThread, 50)) { break; } } } SetForegroundWindowInternal(FindWindowA("SDL_app", TITLE)); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return TRUE; }