
Thread: [C++] DLL Injection

  1. #21
    hypn (Former member, Gold Member, Evangelist)
    Join Date: Sep 2005
    Posts: 1,004

    AliasXNeo: the short answer is, the injector injects your DLL so it's in the same memory space as the program, and then DllMain is executed (as Dyndrilliac said); after that you can write to the program's memory.

    I'd suggest using something like Drakken's sample DLL, which already has some pre-written functions to make it super easy (attached below).

    DLLTemplate.zip

    Example (from Drakken's code):

    ; WriteMem works similar to WriteProcessMemory.
    ; WriteMem, offset, data pointer, number of bytes to write
    invoke WriteMem, 004528D7h, addr JmpByte, 1 ; Start a game without an opponent
    (Does anyone have a newer DLL template? I'm using my own hacked-up version, just wondering if there are any nifty features people have added since?)

  2. #22
    AliasXNeo (Heretic)
    Join Date: May 2008
    Posts: 18

    Thanks hypn, that does simplify things greatly (my code was getting rather ugly to be honest). I noticed that the article Dyndrilliac referenced had multiple methods for injecting a DLL. Is there one preferred by programmers writing hacks for Starcraft? Or am I simply better off writing the DLL and using one of the injectors already out there?

  3. #23
    Intangir (aka Doom-Gaze, Senior Member, Retired Staff Member, Disciple)
    Join Date: Feb 2005
    Location: Houston, TX
    Posts: 464

    I have a DLL loader and DLL template source with hotkey support on my website in the files section:

    Delinquent Minds

    I made it like 10 years ago? It still works (on every version of Windows since 95).

    The newer version has fancier graphics and a few more functions supported:
    autoloading/enabling.

  4. #24
    Dyndrilliac (Senior Member, Crusader)
    Join Date: Jun 2005
    Location: Jacksonville, FL, USA
    Posts: 3,372

    This is a general skeleton I made for personal use, that you guys may use. Note that it was designed for use on systems running Windows NT 4.0 or higher (its code makes calls to VirtualProtect).

    Exodus.h:
    Code:
    /***********************
    Exodus Main Header File
    ***********************/
    
    #pragma once
    
    #define WIN32_LEAN_AND_MEAN
    
    #include <windows.h>
    
    void MyInit();
    void MyCleanUp();
    DWORD WINAPI MyThread(LPVOID lpParam);
    
    // bFlag: TRUE writes a JMP (E9) to the detour, FALSE writes a CALL (E8).
    // dwPadSize: number of bytes after the 5-byte patch to fill with NOPs.
    void PlaceDetour(DWORD dwAddressToPatch, DWORD dwDetourAddress, DWORD dwPadSize, BOOL bFlag);
    void PatchMemory(DWORD dwAddressToPatch, BYTE *pData, DWORD dwDataLength);
    LRESULT CALLBACK HotkeyHandler(int nCode, WPARAM wParam, LPARAM lParam);
    
    // Globals shared between DllMain, the worker thread and the hook procedure.
    // Defined here (static) because the header is only included from Exodus.cpp.
    static DWORD   dwThreadId;
    static HANDLE  hThread;
    static HMODULE hmodMyDLL;
    static HHOOK   hKbdHook;
    Exodus.cpp:
    Code:
    /***********************
    Exodus Main Source File
    ***********************/
    
    #include "Exodus.h"
    
    // DllMain must return BOOL (TRUE/FALSE), not the C++ bool type.
    BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) {
    
    	hmodMyDLL = hModule;
    
    	switch (dwReason) {
    		case DLL_PROCESS_ATTACH:
    			MyInit();
    			break;
    		case DLL_PROCESS_DETACH:
    			MyCleanUp();
    			break;
    		case DLL_THREAD_ATTACH:
    			break;
    		case DLL_THREAD_DETACH:
    			break;
    		default:
    			break;
    	}
    
    	return TRUE;
    
    }
    
    void MyInit() {
    
    	MessageBoxA(NULL,"Injection Successful!","[Injection Status]",MB_OK);
    	// DllMain runs under the loader lock, so the real work is moved to its own thread.
    	// Stack size and creation flags are DWORD/SIZE_T parameters: pass 0, not NULL.
    	hThread = CreateThread(NULL,0,&MyThread,NULL,0,&dwThreadId);
    
    }
    
    void MyCleanUp() {
    
    	UnhookWindowsHookEx(hKbdHook);
    	CloseHandle(hThread);
    
    }
    
    DWORD WINAPI MyThread(LPVOID lpParam) {
    
    	// Thread id 0 installs a system-wide WH_KEYBOARD hook; the system maps this
    	// DLL into every process that receives keyboard input so HotkeyHandler runs there.
    	hKbdHook = SetWindowsHookEx(WH_KEYBOARD,(HOOKPROC)&HotkeyHandler,hmodMyDLL,0);
    
    	// Keep the thread alive so the hook stays installed until the DLL is unloaded.
    	do {
    		Sleep(100);
    	} while (true);
    
    	return 0;
    
    }
    
    // Writes a 5-byte JMP/CALL rel32 at dwAddressToPatch and NOP-fills the next
    // dwPadSize bytes so no partial instruction is left behind the patch.
    void PlaceDetour(DWORD dwAddressToPatch, DWORD dwDetourAddress, DWORD dwPadSize, BOOL bFlag) {
    
    	DWORD dwOldProtect = 0;
    
    	// The code page is normally read/execute only; make it writable first.
    	if (!VirtualProtect((LPVOID)dwAddressToPatch,(dwPadSize+5),PAGE_EXECUTE_READWRITE,&dwOldProtect)) {
    		return;
    	}
    
    	if (bFlag) {
    		*(BYTE*)(dwAddressToPatch) = 0xE9;	// JMP rel32
    	} else {
    		*(BYTE*)(dwAddressToPatch) = 0xE8;	// CALL rel32
    	}
    	// rel32 is relative to the address of the instruction that follows the 5-byte patch.
    	*(DWORD*)(dwAddressToPatch+1) = ((dwDetourAddress-dwAddressToPatch)-5);
    	// Pad offsets 5 .. 5+dwPadSize-1, i.e. exactly the bytes made writable above.
    	for (DWORD i = 0; i < dwPadSize; i++) {
    		*(BYTE*)(dwAddressToPatch+5+i) = 0x90;
    	}
    
    	VirtualProtect((LPVOID)dwAddressToPatch,(dwPadSize+5),dwOldProtect,&dwOldProtect);
    
    }
    
    // Copies dwDataLength raw bytes from pData over the code at dwAddressToPatch.
    void PatchMemory(DWORD dwAddressToPatch, BYTE *pData, DWORD dwDataLength) {
    
    	DWORD dwOldProtect = 0;
    
    	if (!VirtualProtect((LPVOID)dwAddressToPatch,dwDataLength,PAGE_EXECUTE_READWRITE,&dwOldProtect)) {
    		return;
    	}
    
    	for (DWORD i = 0; i < dwDataLength; i++) {
    		*(BYTE*)(dwAddressToPatch+(i)) = pData[i];
    	}
    
    	VirtualProtect((LPVOID)dwAddressToPatch,dwDataLength,dwOldProtect,&dwOldProtect);
    
    }
    
    LRESULT CALLBACK HotkeyHandler(int nCode, WPARAM wParam, LPARAM lParam) {
    
    	// wParam is the virtual-key code. Bit 30 of lParam is the previous key state:
    	// it is set on key-up and on auto-repeat, so this fires once the key is released.
    	if ((nCode == HC_ACTION) && ((DWORD)lParam & 0x40000000)) {
    		switch (wParam) {
    			case VK_RETURN:
    				MessageBoxA(NULL,"Keyboard Hook Successful!","[Keyboard Hook Status]",MB_OK);
    				break;
    			default:
    				break;
    		}
    	}
    
    	// Always pass the event on so other hooks in the chain still see it.
    	return (CallNextHookEx(hKbdHook,nCode,wParam,lParam));
    
    }
    Phenix is also sitting around here somewhere. Be sure to follow the best practices for creating DLLs. There are restrictions on what you can and can't do in DLLMain.

    As for the best methods of DLL injection, I prefer SetWindowsHookEx because you can do all sorts of neat stuff with it besides DLL injection (mouse hooks, keyboard hooks, window hooks, etc.), but you will need to write your own injector. Also, it only works on newer versions of Windows (Win2k and up). The CreateRemoteThread method is a popular choice; however, you will need to write any hooks for the keyboard, mouse, or windows from scratch. It also does not work on Windows 95, 98, or ME. If you want universal compatibility for your injector, the Code Cave method is the way to go (but as long as you don't use the SetWindowsHookEx method, you won't need to write your own injector if you don't want to). I have a tutorial around here (Hint: check the thread in my siggy, the same place the link to the DLL injection page was) on using SetWindowsHookEx and an example of a DLL Injection API library that uses the CreateRemoteThread method, as well as an example DLL and a GUI frontend for the injector library that I made in VB (source + binaries included for all parts).

    Also, Intangir makes high quality stuff. But, I assume you want to make something from scratch and not just leech your way to h4x0r fame and glory.
    Last edited by Dyndrilliac : 11-28-2008 at 05:33 PM
    The Ultimate Guide Thread
    Quote Originally Posted by Ethernet Networking Bible
    Thou shalt switch where thy can, and route where thy must.
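The defender-side counterpart of the PlaceDetour routine in the skeleton above, added here as an example and not part of Dyndrilliac's code or the thread: it inspects a function prologue for the same 5-byte E9/E8 patch, resolves the rel32 back to an absolute target using the same formula (rel32 = target - (patch + 5)), counts the NOP padding, and flags the prologue when the target lies outside the module's own address range. The byte samples, addresses and module range are constructed for the example; reading live process memory is out of scope.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    int found;           /* 1 if the prologue starts with JMP rel32 (E9) or CALL rel32 (E8) */
    uint8_t opcode;      /* 0xE9 or 0xE8 */
    uint32_t target;     /* absolute address the rel32 resolves to */
    size_t nop_pad;      /* count of 0x90 bytes right after the 5-byte patch */
    int target_outside;  /* 1 if target is not inside [module_base, module_base + module_size) */
} detour_info;

/* Examine `len` bytes of code mapped at virtual address `va`.
   Undoes the encoding PlaceDetour uses: rel32 = target - (patch + 5). */
detour_info inspect_prologue(const uint8_t *code, size_t len, uint32_t va,
                             uint32_t module_base, uint32_t module_size)
{
    detour_info r = {0};
    if (len < 5 || (code[0] != 0xE9 && code[0] != 0xE8))
        return r;
    int32_t rel;
    memcpy(&rel, code + 1, 4);           /* little-endian rel32; host assumed little-endian */
    r.found = 1;
    r.opcode = code[0];
    r.target = va + 5 + (uint32_t)rel;   /* wraps correctly for backward (negative) jumps */
    for (size_t i = 5; i < len && code[i] == 0x90; i++)
        r.nop_pad++;
    r.target_outside = (r.target < module_base || r.target - module_base >= module_size);
    return r;
}

/* Constructed sample (not a real module): a function at 0x00401000 in a module mapped
   at [0x00400000, +0x10000) whose first instruction was replaced by a JMP to 0x10001000,
   an address in a different module, followed by two NOPs of padding. */
static const uint8_t sample_hooked[] = {
    0xE9, 0xFB, 0xFF, 0xBF, 0x0F,  /* rel32 = 0x10001000 - (0x00401000 + 5) = 0x0FBFFFFB */
    0x90, 0x90,
    0x8B, 0x45, 0x08               /* rest of the original function body */
};
/* Constructed clean prologue: push ebp; mov ebp, esp; sub esp, 0x10 */
static const uint8_t sample_clean[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

/* 1 when the sample prologue has been detoured out of its own module. */
int sample_is_hooked(void)
{
    detour_info d = inspect_prologue(sample_hooked, sizeof sample_hooked,
                                     0x00401000u, 0x00400000u, 0x10000u);
    return d.found && d.target_outside;
}
```

A jump that stays inside the module (a compiler-generated tail call, for instance) is reported with found set but target_outside clear, so the module-range check is what separates a detour from ordinary code.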

  6. #26
    AliasXNeo (Heretic)
    Join Date: May 2008
    Posts: 18

    Again thanks for all the resources. I've gotten enough to last me quite awhile :p Thanks
