#1 VirtualCoder (Newbie, joined Mar 2016, 4 posts)

      Manual Map Injection

      John Kittz
      https://www.youtube.com/watch?v=qo_ezg2SOw4

memlib.h

Code:
#include <windows.h>

typedef void* HCUSTOMMODULE;

typedef HCUSTOMMODULE(*MemLoadLibraryFn)(LPCSTR, void *);
typedef FARPROC(*MemGetProcAddressFn)(HANDLE, LPCSTR, void *);
typedef void(*MemFreeLibraryFn)(HANDLE, void *);

typedef BOOL(WINAPI *DllEntryProc)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
typedef int (WINAPI *ExeEntryProc)(void);

// Per-module state kept by the in-memory loader
typedef struct {
    PIMAGE_NT_HEADERS headers;
    unsigned char *codeBase;            // base of the memory the image was mapped into
    HCUSTOMMODULE *modules;             // dependencies loaded while building the import table
    int numModules;
    BOOL initialized;
    BOOL isDLL;
    BOOL isRelocated;
    MemLoadLibraryFn loadLibrary;
    MemGetProcAddressFn getProcAddress;
    MemFreeLibraryFn freeLibrary;
    void *userdata;
    ExeEntryProc exeEntry;
    DWORD pageSize;
} MEMORYMODULE, *PMEMORYMODULE;

// Describes one section while its final page protection is applied
typedef struct {
    LPVOID address;
    LPVOID alignedAddress;
    DWORD size;
    DWORD characteristics;
    BOOL last;
} SECTIONFINALIZEDATA, *PSECTIONFINALIZEDATA;

class CWin32PE
{
protected:
    int CheckSize(size_t size, size_t expected);
    DWORD GetRealSectionSize(PMEMORYMODULE module, PIMAGE_SECTION_HEADER section);
    int CopySections(const unsigned char *data, size_t size, PIMAGE_NT_HEADERS old_headers, PMEMORYMODULE module);
    int FinalizeSection(PMEMORYMODULE module, PSECTIONFINALIZEDATA sectionData);
    int FinalizeSections(PMEMORYMODULE module);
    int ExecuteTLS(PMEMORYMODULE module);
    int PerformBaseRelocation(PMEMORYMODULE module, ptrdiff_t delta);
    int BuildImportTable(PMEMORYMODULE module);
};

class CLoad : protected CWin32PE
{
private:
    HANDLE MemLoadLibraryEx(const void *data, size_t size, MemLoadLibraryFn loadLibrary,
                            MemGetProcAddressFn getProcAddress, MemFreeLibraryFn freeLibrary, void *userdata);
public:
    HANDLE LoadFromMemory(const void *data, size_t size);
    HANDLE LoadFromResources(int IDD_RESOURCE);
    HANDLE LoadFromFile(LPCSTR filename);

    FARPROC GetProcAddressFromMemory(HANDLE hModule, LPCSTR ProcName);

    int CallEntryPointFromMemory(HANDLE hModule);
    void FreeLibraryFromMemory(HANDLE hModule);
};

Code:
// Crypter.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "MemLoadLibrary.h"   // the header shown above as memlib.h

typedef void(__cdecl* func)();

// Raw bytes of the DLL to load; only the first 24 of the 6656 bytes are shown in the post
unsigned char rawData[6656] = {
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int _tmain(int argc, _TCHAR* argv[])
{
    CLoad lib;
    HANDLE hLibrary = lib.LoadFromMemory(rawData, sizeof(rawData)); // load the DLL from the byte array
    if (!hLibrary)
        return 1;
    func fn = (func)lib.GetProcAddressFromMemory(hLibrary, "testfunc");
    if (fn)
        fn();
    lib.FreeLibraryFromMemory(hLibrary);
    return 0;
}


      memlib.cpp: https://pastebin.com/KP9BP066

#2 Fleep (Hacker, joined May 2012, 626 posts)

      DLL Injection ManualMapping method

      I believe this is better positioned here

All below by: Sleinzel

Yeah, it's undetectable...

Maybe some theory first, so everybody can understand it:

There's a Windows function called LoadLibrary, which allows you to inject Dynamic Link Libraries (.dlls) into a target process, so you can let a specific process run your own code without having access to the source code. Also you can hook, rewrite and call functions...

Since LoadLibrary is a Windows API function, every process could hook this function. So basically what anti-cheat systems do here is:

If LoadLibrary is called, they check into which process it is loaded; if it is loaded into the process the anti-cheat tries to prevent from being injected, it bans you.

ManualMapping is a way to inject libraries without calling LoadLibrary. Since the anti-cheat doesn't exactly know which process/function is doing the injecting part, it cannot be hooked...

ManualMapping was developed by a talented individual called Darawk to prevent Warden from detecting his DLLs in Diablo 2.

Is it still detectable?

YES, the original method is detectable by taking a look at the image sections table.

But you can prevent your dll from being detected by not sending the PE header, for example...

Basically the steps to inject your dll undetectably are:

1. Allocate space for the module in the remote process
2. Fix imports
3. Fix relocs
4. Map the sections into the remote process
5. Call the entry point of your DLL


Here is some code I threw together really quickly (still sending the PE header and such stuff):

It does inject a basic library without any problems, but there's a problem with the imports/relocs... So you cannot inject a DirectX dll... I don't know what I'm doing wrong... I tested it using the dll included in this post (test_module.dll; it shows a MessageBox saying "Injected" if the dll was injected successfully).

      My Code:
      https://pastebin.com/qM5sE7zY


Code:
////////////////////////////////////////////////////////////////////////////////////////////
// MapRemoteModuleW
// Helpers used below (PRINT_ERROR_MSGA, GetPtrFromRVA, FixIAT, FixRelocations,
// MapSections, CallTlsInitializers, RemoteDllMainCall) are not shown in this post.
////////////////////////////////////////////////////////////////////////////////////////////
BOOL
MapRemoteModuleW(
    DWORD dwProcessId,
    LPCWSTR lpModulePath
    )
{
    BOOL bRet = FALSE;
    HANDLE hFile = 0;
    DWORD fileSize = 0;
    BYTE *dllBin = 0;
    PIMAGE_NT_HEADERS nt_header = 0;
    PIMAGE_DOS_HEADER dos_header = 0;
    HANDLE hProcess = 0;
    LPVOID lpModuleBase = 0;

    PIMAGE_IMPORT_DESCRIPTOR pImgImpDesc = 0;
    PIMAGE_BASE_RELOCATION pImgBaseReloc = 0;
    PIMAGE_TLS_DIRECTORY pImgTlsDir = 0;

    __try
    {
        // Get a handle for the target process.
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION   |   // Required by Alpha
            PROCESS_CREATE_THREAD       |   // For CreateRemoteThread
            PROCESS_VM_OPERATION        |   // For VirtualAllocEx/VirtualFreeEx
            PROCESS_VM_WRITE            |   // For WriteProcessMemory
            PROCESS_VM_READ,
            FALSE,
            dwProcessId);
        if(!hProcess)
        {
            PRINT_ERROR_MSGA("Could not get handle to process (PID: 0x%X).", dwProcessId);
            __leave;
        }

        hFile = CreateFileW(
            lpModulePath,
            GENERIC_READ,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL);
        if(hFile == INVALID_HANDLE_VALUE)
        {
            PRINT_ERROR_MSGA("CreateFileW failed.");
            __leave;
        }

        if(GetFileAttributesW(lpModulePath) & FILE_ATTRIBUTE_COMPRESSED)
        {
            fileSize = GetCompressedFileSizeW(lpModulePath, NULL);
        }
        else
        {
            fileSize = GetFileSize(hFile, NULL);
        }

        if(fileSize == INVALID_FILE_SIZE)
        {
            PRINT_ERROR_MSGA("Could not get size of file.");
            __leave;
        }

        dllBin = (BYTE*)malloc(fileSize);
        if(!dllBin)
        {
            PRINT_ERROR_MSGA("Could not allocate buffer for the module file.");
            __leave;
        }

        {
            DWORD NumBytesRead = 0;
            // lpOverlapped must be NULL for a synchronous read; bail out if the read fails
            if(!ReadFile(hFile, dllBin, fileSize, &NumBytesRead, NULL) ||
                NumBytesRead != fileSize)
            {
                PRINT_ERROR_MSGA("ReadFile failed.");
                __leave;
            }
        }

        dos_header = (PIMAGE_DOS_HEADER)dllBin;

        // Make sure we got a valid DOS header
        if(dos_header->e_magic != IMAGE_DOS_SIGNATURE)
        {
            PRINT_ERROR_MSGA("Invalid DOS header.");
            __leave;
        }

        // Get the real PE header from the DOS stub header
        nt_header = (PIMAGE_NT_HEADERS)( (DWORD_PTR)dllBin +
            dos_header->e_lfanew);

        // Verify the PE header
        if(nt_header->Signature != IMAGE_NT_SIGNATURE)
        {
            PRINT_ERROR_MSGA("Invalid PE header.");
            __leave;
        }

        // Allocate space for the module in the remote process
        lpModuleBase = VirtualAllocEx(
            hProcess,
            NULL,
            nt_header->OptionalHeader.SizeOfImage,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_EXECUTE_READWRITE);
        if(!lpModuleBase)
        {
            PRINT_ERROR_MSGA("Could not allocate memory in remote process.");
            __leave;
        }

        // fix imports
        pImgImpDesc = (PIMAGE_IMPORT_DESCRIPTOR)GetPtrFromRVA(
            nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,
            nt_header,
            (PBYTE)dllBin);
        if(nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size)
        {
            if(!FixIAT(dwProcessId, hProcess, (PBYTE)dllBin, nt_header, pImgImpDesc))
            {
                PRINT_ERROR_MSGA("@Fixing imports.");
                __leave;
            }
        }

        // fix relocs
        pImgBaseReloc = (PIMAGE_BASE_RELOCATION)GetPtrFromRVA(
            (DWORD)(nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress),
            nt_header,
            (PBYTE)dllBin);
        if(nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)
        {
            if(!FixRelocations(dllBin, lpModuleBase, nt_header, pImgBaseReloc))
            {
                PRINT_ERROR_MSGA("@Fixing relocations.");
                __leave;
            }
        }

        // Write the PE header into the remote process's memory space
        {
            SIZE_T NumBytesWritten = 0;
            SIZE_T nSize = nt_header->FileHeader.SizeOfOptionalHeader +
                sizeof(nt_header->FileHeader) +
                sizeof(nt_header->Signature);

            if(!WriteProcessMemory(hProcess, lpModuleBase, dllBin, nSize, &NumBytesWritten) ||
                NumBytesWritten != nSize)
            {
                PRINT_ERROR_MSGA("Could not write to memory in remote process.");
                __leave;
            }
        }

        // Map the sections into the remote process (they need to be aligned
        // along their virtual addresses)
        if(!MapSections(hProcess, lpModuleBase, dllBin, nt_header))
        {
            PRINT_ERROR_MSGA("@Map sections.");
            __leave;
        }

        // call all tls callbacks
        //
        pImgTlsDir = (PIMAGE_TLS_DIRECTORY)GetPtrFromRVA(
            nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress,
            nt_header,
            (PBYTE)dllBin);
        if(nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size)
        {
            if(!CallTlsInitializers(dllBin, nt_header, hProcess, (HMODULE)lpModuleBase, DLL_PROCESS_ATTACH, pImgTlsDir))
            {
                PRINT_ERROR_MSGA("@Call TLS initializers.");
                __leave;
            }
        }

        // call entry point
        if(!RemoteDllMainCall(
            hProcess,
            (LPVOID)( (DWORD_PTR)lpModuleBase + nt_header->OptionalHeader.AddressOfEntryPoint),
            (HMODULE)lpModuleBase, 1, 0))
        {
            PRINT_ERROR_MSGA("@Call DllMain.");
            __leave;
        }

        bRet = TRUE;

        wprintf(L"Successfully injected (%s | PID: %x):\n\n"
            L" AllocationBase:\t0x%p\n"
            L" EntryPoint:\t\t0x%p\n"
            L" SizeOfImage:\t\t0x%p\n"
            L" CheckSum:\t\t0x%p\n",
            lpModulePath,
            dwProcessId,
            lpModuleBase,
            (DWORD_PTR)lpModuleBase + nt_header->OptionalHeader.AddressOfEntryPoint,
            nt_header->OptionalHeader.SizeOfImage,
            nt_header->OptionalHeader.CheckSum);
    }
    __finally
    {
        // CreateFileW returns INVALID_HANDLE_VALUE (not 0) on failure, so check both
        if(hFile && hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
        }

        if(dllBin)
        {
            free(dllBin);
        }

        if(hProcess)
        {
            CloseHandle(hProcess);
        }
    }

    return bRet;
}

Thanks: Wall-e, NTvalk, PrinceOfSaiyans thanked for this post
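A defender-side check for the artefacts this post describes, added here as an example and not code from the thread or from any poster: a manually mapped image sits in memory that VirtualAllocEx returned (MEM_PRIVATE rather than MEM_IMAGE), is executable, and, when the mapper also copies the PE header as the code above does, begins with the "MZ" signature. The mem_region snapshot struct and the FLAG_* names are assumptions; on Windows the records would be filled from VirtualQueryEx plus a ReadProcessMemory of each region's first two bytes, and the MEM_*/PAGE_* constants are the real Win32 values.

```c
/* Added detection example (not from the thread): flag committed regions that look
 * like a manually mapped image. mem_region and the FLAG_* names are assumptions;
 * the MEM_* and PAGE_* constants are the real Win32 values. */
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
#define MEM_PRIVATE            0x20000u
#define MEM_MAPPED             0x40000u
#define MEM_IMAGE              0x1000000u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#endif

/* One committed region as VirtualQueryEx reports it, plus its first two bytes. */
typedef struct {
    uint64_t base;
    uint64_t size;
    uint32_t protect;  /* PAGE_* protection */
    uint32_t type;     /* MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE */
    uint8_t  head[2];  /* first two bytes of the region, 0 if unreadable */
} mem_region;

enum { FLAG_EXEC_PRIVATE = 1, FLAG_MZ_HEADER = 2, FLAG_RWX = 4 };

static int is_executable(uint32_t protect) {
    return (protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                       PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Bitmask of reasons a region looks manually mapped; 0 means nothing notable. */
int classify_region(const mem_region *r) {
    int flags = 0;
    if (r->type == MEM_IMAGE) return 0;       /* file-backed image the loader mapped */
    if (!is_executable(r->protect)) return 0; /* plain heap/stack pages are not code */
    flags |= FLAG_EXEC_PRIVATE;               /* executable but not an image mapping */
    if (r->head[0] == 'M' && r->head[1] == 'Z') flags |= FLAG_MZ_HEADER; /* PE header was written too */
    if (r->protect & PAGE_EXECUTE_READWRITE) flags |= FLAG_RWX; /* as in the VirtualAllocEx call above */
    return flags;
}

/* Classifies every region, storing flags in out[]; returns how many were flagged. */
size_t scan_regions(const mem_region *regions, size_t n, int *out) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = classify_region(&regions[i]);
        if (out[i]) hits++;
    }
    return hits;
}
```

Stripping the PE header, as the post suggests, only removes the MZ signal; the executable private region itself still stands out from the loader's own MEM_IMAGE mappings.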
#3 Sleinzel (Newbie, joined May 2012, 0 posts)

      Re: DLL Injection ManualMapping method

      Thank you Fleep.

I'm gonna create a video tutorial this weekend, if I can fix my bad English accent and if I get ManualMap to work with imports/relocs.

#4 Fleep (Hacker, joined May 2012, 626 posts)

      Re: DLL Injection ManualMapping method

I'm sure your voice will be fine; talk slowly if you have to. As long as people can see what you're doing they can puzzle it all together.

      Look forward to seeing this method in action

      Fleep

#5 Sleinzel (Newbie, joined May 2012, 0 posts)

      Re: DLL Injection ManualMapping method

[quote author=Fleep link=topic=74.msg314#msg314 date=1337958723]
I'm sure your voice will be fine; talk slowly if you have to. As long as people can see what you're doing they can puzzle it all together.

Look forward to seeing this method in action

Fleep
[/quote]

      Yeah. I hope it will come out good

#6 supercjb1 (Newbie, joined May 2012, 19 posts)

      Re: DLL Injection ManualMapping method

Personally I think it would be a great thing if you posted the video; it would help a lot of people. Who cares about your accent? As long as it's understandable, it doesn't matter. You're doing this to help people out, so if they don't listen to it, it's their loss.

#7 Sleinzel (Newbie, joined May 2012, 0 posts)

      Re: DLL Injection ManualMapping method

      I'm still fixing some major errors... But it seems like there's no way to get it to work on 64-bit...

#8 Fleep (Hacker, joined May 2012, 626 posts)

      Re: DLL Injection ManualMapping method

      [quote author=Sleinzel link=topic=74.msg412#msg412 date=1338027973]
      I'm still fixing some major errors... But it seems like there's no way to get it to work on 64-bit...
      [/quote]

Ah, that's unfortunate :/ I haven't got much experience in dealing with 64-bit specific code, so I can't help you much on that.

      Fleep

Thanks: PrinceOfSaiyans thanked for this post
#9 VirtualCoder (Newbie, joined Mar 2016, 4 posts)

      Manual Map Injection C++ Load Library From Memory


#10 Broihon (edgy 5 y/o, joined Jul 2015, 698 posts)

      Lots of copy/paste. Gj.

