DLL Injection Possible
Hi,
first of all, sorry guys for posting this without any comment on it (it was 1 AM and I wanted to share).
The DLL gets injected into the parent process of FW and executed. The funny thing is (I am guessing here, but I think it is true) that FW hooks LoadLibraryA and loads every library that was loaded there in the child process too. If your DLL calls MessageBoxA(0, "Attach", "Attach", MB_OK); on attach and MessageBoxA(0, "Detach", "Detach", MB_OK); on detach, you will see an Attach message box from the parent thread and an Attach message box from the child thread. Directly after that the parent thread detaches. Now we can pretty much do whatever we want and develop it in C/C++. What else do we need ;). I recommend first restoring DbgUiRemoteBreakin so you can debug (thanks to Dwar for this; a lot of games use this technique [link]). Then you can attach a debugger and have full access to the game's memory. After this, hooking into PackageSend and writing info to a logfile or something like that would be nice. I wanted to do this this weekend, sorry, I had no time. But at least I gave you something ;):
// DLL Injection Method1.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
// Builds a 22-byte 32-bit x86 stub that calls LoadLibraryA(str) and then
// resumes execution at ret. _tmain() copies it into the target process and
// points the suspended primary thread's Eip at it, so this is the payload of
// the thread-context-hijack injection below.
//
// ret           - address to continue at once the stub is done (the hijacked
//                 thread's original Eip).
// str           - target-process address of the NUL-terminated DLL path.
// shellcode     - out: malloc()'d copy of the stub; ownership passes to the caller.
// shellcodeSize - out: number of bytes in *shellcode (always 22).
//
// NOTE(review): pointers travel as int, so this is 32-bit only; on x64 both
// ret and str would be truncated before they reach the stub.
// NOTE(review): LoadLibraryA is resolved in *this* process and the address is
// baked into the stub as an immediate, so the code silently relies on
// kernel32.dll being mapped at the same base inside the target.
void createShellcode(int ret, int str, unsigned char** shellcode, int* shellcodeSize)
{
    // Byte views of the three immediates, spliced little-endian into the opcodes below.
    unsigned char* retChar = (unsigned char*) &ret;
    unsigned char* strChar = (unsigned char*) &str;
    int api = (int) GetProcAddress(LoadLibraryA("kernel32.dll"), "LoadLibraryA");
    unsigned char* apiChar = (unsigned char*) &api;
    // Stack discipline: ret is pushed first and everything else is restored
    // before the final ret, so the thread continues exactly where it was
    // stopped. LoadLibraryA is stdcall and pops its own argument (str).
    unsigned char sc[] = {
        // 68 imm32   push ret   (return address consumed by the final ret)
        0x68, retChar[0], retChar[1], retChar[2], retChar[3],
        // 9C         pushfd     (save flags)
        0x9C,
        // 60         pushad     (save all general registers, eax included)
        0x60,
        // 68 imm32   push str   (argument: remote address of "C:\DLLInjectionTest.dll")
        0x68, strChar[0], strChar[1], strChar[2], strChar[3],
        // B8 imm32   mov eax, LoadLibraryA
        0xB8, apiChar[0], apiChar[1], apiChar[2], apiChar[3],
        // FF D0      call eax
        0xFF, 0xD0,
        // 61         popad      (LoadLibraryA's return value in eax is discarded)
        0x61,
        // 9D         popfd
        0x9D,
        // C3         ret        (pops the ret pushed first)
        0xC3
    };
    // NOTE(review): 22 is sizeof sc written out by hand; the two must stay in sync.
    *shellcodeSize = 22;
    // NOTE(review): malloc result is unchecked; the caller never frees this buffer.
    *shellcode = (unsigned char*) malloc(22);
    memcpy(*shellcode, sc, 22);
}
// Entry point: starts game.exe suspended, then makes its primary thread run
// the LoadLibraryA stub from createShellcode() before letting it continue.
// The sequence as written — CreateProcessA(CREATE_SUSPENDED), VirtualAllocEx
// (RW for the path, RWX for the stub), WriteProcessMemory, SetThreadContext
// on Eip, ResumeThread — is the classic thread-context-hijack injection
// pattern. From a defender's side every step is a separately loggable event:
// an RWX allocation in another process, writes into a freshly created
// process, a context change on a suspended thread, and finally a LoadLibraryA
// of a DLL from a non-system path ("C:\DLLInjectionTest.dll").
//
// argc/argv are unused. Returns 0 unconditionally, even when every Win32
// call below has failed, because no return value is checked.
// NOTE(review): _tmain is paired with char* argv[]; in a UNICODE build _tmain
// expects _TCHAR*, so this only matches an ANSI/MBCS build.
int _tmain(int argc, char* argv[])
{
    // Path to the DLL, which you want to inject (ANSI, copied verbatim into the target).
    char dllPath[] = "C:\\DLLInjectionTest.dll";
    unsigned char* shellcode;     // malloc()'d by createShellcode(); never freed here
    int shellcodeLen;
    LPVOID remote_dllStringPtr;   // target-process address of dllPath
    LPVOID remote_shellcodePtr;   // target-process address of the stub
    CONTEXT ctx;                  // only ContextFlags is set here; the rest comes from GetThreadContext
    // Create Process SUSPENDED
    PROCESS_INFORMATION pi;
    STARTUPINFOA Startup;
    ZeroMemory(&Startup, sizeof(Startup));
    ZeroMemory(&pi, sizeof(pi));
    // NOTE(review): return value unchecked — if game.exe cannot be started, pi
    // stays zeroed and every later call operates on NULL handles, also unchecked.
    // NOTE(review): Startup.cb is left at 0 after ZeroMemory; the API documents
    // it as sizeof(STARTUPINFOA).
    CreateProcessA("game.exe", NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, &Startup, &pi);
    // Let the new process run for a fixed second, then freeze its primary
    // thread again. The 1 s is a guess at "loader done, main code running";
    // nothing verifies where the thread actually is when it is suspended.
    ResumeThread(pi.hThread);
    Sleep(1000);
    SuspendThread(pi.hThread);
    printf("Allocating Remote Memory For DLL Path\n");
    // Read/write page for the path string; NULL on failure is never checked.
    remote_dllStringPtr = VirtualAllocEx(pi.hProcess, NULL, strlen(dllPath)+1, MEM_COMMIT, PAGE_READWRITE);
    // NOTE(review): %X takes unsigned int; passing an LPVOID is a type mismatch
    // (same width on 32-bit, wrong on 64-bit) — %p is the matching specifier.
    printf("DLL Adress: %X\n", remote_dllStringPtr);
    printf("Get EIP\n");
    // CONTEXT_CONTROL limits the read to the control registers, Eip among them.
    ctx.ContextFlags = CONTEXT_CONTROL;
    GetThreadContext(pi.hThread, &ctx);
    printf("EIP: %X\n", ctx.Eip);
    printf("Build Shellcode\n");
    // The saved Eip becomes the stub's return address; the remote string
    // address becomes LoadLibraryA's argument. Both are narrowed to int (32-bit only).
    createShellcode(ctx.Eip, (int) remote_dllStringPtr, &shellcode, &shellcodeLen);
    printf ("Created Shellcode: \n");
    for(int i=0; i<shellcodeLen; i++)
        printf ("%X ", shellcode[i]);
    printf("\n");
    printf("Allocating Remote Memory For Shellcode\n");
    // PAGE_EXECUTE_READWRITE in a foreign process is the loudest indicator in
    // this program; the allocation is again unchecked.
    remote_shellcodePtr = VirtualAllocEx(pi.hProcess, NULL, shellcodeLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    printf("Shellcode Adress: %X\n", remote_shellcodePtr);
    printf("Write DLL Path To Remote Process\n");
    // Both writes ignore the BOOL result and the bytes-written count (NULL).
    WriteProcessMemory(pi.hProcess, remote_dllStringPtr, dllPath, strlen(dllPath)+1, NULL);
    printf("Write Shellcode To Remote Process\n");
    WriteProcessMemory(pi.hProcess, remote_shellcodePtr, shellcode, shellcodeLen, NULL);
    printf("Set EIP\n");
    // Only Eip is modified in the context just read back; with CONTEXT_CONTROL
    // only the control registers are written to the thread.
    ctx.Eip = (DWORD)remote_shellcodePtr;
    ctx.ContextFlags = CONTEXT_CONTROL;
    SetThreadContext(pi.hThread, &ctx);
    printf("Run The Shellcode\n");
    ResumeThread(pi.hThread);
    printf("Wait Till Code Was Executed\n");
    // Fixed 80 s wait with no synchronisation with the target; the code simply
    // assumes the stub has finished before the remote memory is freed below.
    Sleep(80000);
    printf("Free Remote Resources\n");
    // MEM_DECOMMIT with an explicit size decommits the pages but keeps the
    // address space reserved; MEM_RELEASE (size 0) would return it.
    VirtualFreeEx(pi.hProcess, remote_dllStringPtr, strlen(dllPath)+1, MEM_DECOMMIT);
    VirtualFreeEx(pi.hProcess, remote_shellcodePtr, shellcodeLen, MEM_DECOMMIT);
    // NOTE(review): pi.hProcess / pi.hThread are never closed and shellcode is
    // never freed; both leak until process exit.
    return 0;
}