/** (c) 2012 Michał (Foxbond) Chraniuk */
#include <iostream>
#include <string>
#include <windows.h>
#include <tlhelp32.h>
using namespace std;
DWORD GetProcID(string ProcName);
DWORD WINAPI GetCurrentProcessId(void);
BOOL ProcessExists(string process);
int inject();
/**
 * Program entry point: launch the target executable, run inject(), then pause
 * so the console window stays open. inject()'s return value is ignored, and
 * so is the WinExec result (the original made no use of either).
 */
int main()
{
    // Launch the target first; inject() later waits until its process exists.
    const UINT launchResult = WinExec("Tibia.exe", SW_SHOW);
    (void)launchResult;
    (void)inject();
    // Keep the console open until a key is pressed.
    system("pause");
    return 0;
}
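/**
 * Report the calling thread's last Win32 error on behalf of `lpszFunction` and
 * terminate the process.
 *
 * Always exits: the process exit code is the GetLastError() value, which is 0
 * when the preceding API call succeeded. Callers must therefore invoke this only
 * after a call has actually failed.
 *
 * Fixes relative to the earlier version: the message-box buffer was allocated
 * but never filled (the box showed an empty body), lpMsgBuf was used even when
 * FormatMessage failed and had not set it, and the console line lacked spacing.
 *
 * @param lpszFunction  Name of the API that failed; printed to stdout and shown
 *                      in the message box.
 */
void ErrorExit(LPTSTR lpszFunction)
{
    const DWORD dw = GetLastError();

    // Ask the system for the text of the error code; on success FormatMessage
    // allocates lpMsgBuf with LocalAlloc and we own it.
    LPVOID lpMsgBuf = NULL;
    const DWORD msgLen = FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_FROM_SYSTEM |
        FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        dw,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPTSTR) &lpMsgBuf,
        0, NULL );
    // FormatMessage leaves lpMsgBuf untouched on failure, so fall back to fixed
    // text instead of handing an unset pointer to lstrlen / the message box.
    const LPCTSTR msgText = (msgLen != 0 && lpMsgBuf != NULL)
        ? static_cast<LPCTSTR>(lpMsgBuf)
        : TEXT("(no message text available)");

    // Compose "<function> failed with error <code>: <message>" for the message
    // box. The fixed text plus a decimal DWORD is under 40 characters, so
    // both string lengths + 40 is a sufficient buffer.
    const size_t displayChars =
        static_cast<size_t>(lstrlen(msgText)) + static_cast<size_t>(lstrlen(lpszFunction)) + 40;
    LPTSTR lpDisplayBuf = static_cast<LPTSTR>(LocalAlloc(LMEM_ZEROINIT, displayChars * sizeof(TCHAR)));
    if (lpDisplayBuf != NULL) {
        wsprintf(lpDisplayBuf, TEXT("%s failed with error %lu: %s"), lpszFunction, dw, msgText);
    }

    // Console copy of the same diagnostic (the stream insertion assumes an ANSI build,
    // as the rest of this file does).
    cout << lpszFunction << " failed with error " << static_cast<int>(dw) << ": "
         << reinterpret_cast<const char*>(msgText);
    // If the display buffer could not be allocated, show the bare system message.
    MessageBox(NULL, lpDisplayBuf != NULL ? lpDisplayBuf : msgText, TEXT("Error"), MB_OK);

    if (lpMsgBuf != NULL) LocalFree(lpMsgBuf);
    if (lpDisplayBuf != NULL) LocalFree(lpDisplayBuf);
    ExitProcess(dw);
}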
/**
 * Load "dll.dll" (taken from this program's current directory) into the first
 * process named "Tibia.exe": the DLL path is written into the target's address
 * space and a remote thread is started at kernel32!LoadLibraryA with that path
 * as its argument.
 *
 * Defender's view: the observable sequence is SeDebugPrivilege enablement on the
 * caller's own token, a PROCESS_ALL_ACCESS handle to the target, VirtualAllocEx +
 * WriteProcessMemory, and CreateRemoteThread whose start address is a kernel32
 * export. That is the classic remote-thread DLL load; process-access and
 * remote-thread telemetry (e.g. Sysmon events 10 and 8), token privilege
 * adjustment auditing, and the target loading a DLL from another program's
 * working directory are the points where it shows up.
 *
 * Control flow as written: every ErrorExit() call below is unconditional and
 * ErrorExit always ends in ExitProcess, so the program terminates at the first
 * such call (after GetModuleHandle) whatever that call returned.
 *
 * @return Declared int, but no path reaches a return statement (undefined
 *         behaviour for a non-void function); main() ignores the value anyway.
 */
int inject()
{
    // Hard-coded DLL file name and target executable name.
    char* DLLName="dll.dll";
    char* ProcessName="Tibia.exe";
    DWORD procID = 0;
    // NOTE(review): fixed 100-byte path buffer. GetCurrentDirectory's return value is
    // not checked (it reports the required size when 100 is too small), and the two
    // strcat calls append 8 more bytes with no bounds check, so a long working
    // directory overruns the stack buffer.
    int nBufferLength = 100;
    CHAR awBuffer[100];
    GetCurrentDirectory(nBufferLength, awBuffer) ;
    strcat(awBuffer,"\\");
    strcat(awBuffer,DLLName);
    string dll = awBuffer;
    //LoadLibrary("Kernel32");
    //ErrorExit("LoadLibrary");
    // Resolve LoadLibraryA in this process; the address is used as the remote
    // thread's start routine further down.
    HMODULE hLocKernel32 = GetModuleHandle("Kernel32.dll");
    // ErrorExit always exits the process, so execution never continues past here.
    ErrorExit("GetModuleHandle");
    FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA");
    ErrorExit("getProcAddress");
    // Enable SeDebugPrivilege on our own token. hToken is never closed, and the
    // AdjustTokenPrivileges result is not checked (it returns TRUE even when the
    // privilege is not held; only GetLastError reports ERROR_NOT_ALL_ASSIGNED).
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;
    if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
        ErrorExit("LookupPrivilegeValue");
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, 0, &tkp, sizeof(tkp), NULL, NULL);
    }
    ErrorExit("OpenProcessToken");
    HANDLE hProc = INVALID_HANDLE_VALUE ;
    // Busy-wait for the target process: each iteration takes a fresh Toolhelp
    // snapshot, so this spins one core at 100% until the process appears.
    while (!ProcessExists(ProcessName)){} // wait for the process
    procID = GetProcID(ProcessName);
    // Full-access handle to the target, not inheritable. Neither a NULL handle nor
    // procID == 0 (GetProcID's "not found" value) is checked before use.
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
    ErrorExit("OpenProcess");
    // Append the NUL so the copy written to the target is a C string of dll.size() bytes.
    dll += '\0';
    // hRemoteMem is not checked for NULL; numBytesWritten is never compared with dll.size().
    LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT, PAGE_READWRITE);
    DWORD numBytesWritten;
    WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten);
    ErrorExit("WriteProcessMemory");
    // Remote thread whose start routine is LoadLibraryA and whose parameter is the
    // remote copy of the path. The handle is never closed.
    HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, 0, NULL);
    ErrorExit("CreateRemoteThread");
    bool res = false;
    if (hRemoteThread){
        // NOTE(review): the cast binds tighter than `!=`, so this compares a bool (0/1)
        // with WAIT_TIMEOUT (258): res is always true, and it is never read afterwards.
        res = (bool)WaitForSingleObject(hRemoteThread, 10000) != WAIT_TIMEOUT;
        // NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize == 0; passing
        // dll.size() makes the call fail (which ErrorExit then reports). The buffer is
        // also freed without confirming the remote thread finished using it.
        VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE);
        ErrorExit("VirtualFreeEx");
        // The process handle is closed only on this branch.
        CloseHandle(hProc);
    }
}
/**
 * Return the process id of the first process in a Toolhelp snapshot whose
 * executable name equals `ProcName` (std::string comparison: exact, case-sensitive,
 * including the extension), or 0 when no process matches.
 *
 * @param ProcName  Executable file name to look for, e.g. "Tibia.exe".
 * @return th32ProcessID of the first match, else 0. The snapshot handle is
 *         closed on both paths.
 */
DWORD GetProcID(string ProcName)
{
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    // NOTE(review): the snapshot handle is not checked against INVALID_HANDLE_VALUE
    // before it is passed to Process32Next.
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    pe32.dwSize = sizeof(PROCESSENTRY32);
    // NOTE(review): nothing fills pe32 before the first comparison (there is no
    // Process32First call), so the first iteration reads an uninitialized szExeFile;
    // the loop only compares real entries from the first Process32Next onward.
    do{
        //cout << pe32.szExeFile <<"\n";
        if(pe32.szExeFile == ProcName){
            DWORD ProcId = pe32.th32ProcessID;
            CloseHandle(hProcessSnap);
            return ProcId;
        }
    } while(Process32Next(hProcessSnap, &pe32));
    CloseHandle(hProcessSnap);
    return 0;
}
/**
 * Report whether any process in a Toolhelp snapshot has an executable name equal
 * to `process` (std::string comparison: exact, case-sensitive, including the
 * extension).
 *
 * Same enumeration as GetProcID, returning a flag instead of the id. inject()
 * calls this in a tight loop, so a snapshot is created and destroyed per call.
 *
 * @param process  Executable file name to look for, e.g. "Tibia.exe".
 * @return TRUE when a matching entry is found, FALSE otherwise. The snapshot
 *         handle is closed on both paths.
 */
BOOL ProcessExists(string process)
{
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    // NOTE(review): the snapshot handle is not checked against INVALID_HANDLE_VALUE
    // before it is passed to Process32Next.
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    pe32.dwSize = sizeof(PROCESSENTRY32);
    // NOTE(review): as in GetProcID, no Process32First call precedes the loop, so the
    // first comparison reads an uninitialized szExeFile.
    do{
        if(pe32.szExeFile == process){
            CloseHandle(hProcessSnap);
            return true;
        }
    } while(Process32Next(hProcessSnap, &pe32));
    CloseHandle(hProcessSnap);
    return false;
}