Can somebody help me with this dll code my friend gave me?

EDN Admin

Well-known member
Joined
Aug 7, 2010
Messages
12,794
Location
In the Machine
My friend gave me the code, and moved away for a couple of months... and im getting error, after error trying to compile this, i have absolutely no knowledge in C++. I also have no way of contact with him, could someone please make it a dll file?
thanks.


HERE IT IS

<pre class="prettyprint Include these headers...


#include "targetver.h"

#include <stdio.h>
#include <tchar.h>
#include <Windows.h>

#include <conio.h>
#include <io.h>
#include <string>
#include <sstream>
#include <iostream>
#include <curl.h>

#include "stdafx.h"

wchar_t *version;

void Inject(HANDLE hProcess, const char* dllname, const char* funcname)
{
//------------------------------------------//
// Function variables. //
//------------------------------------------//

// Main DLL we will need to load
HMODULE kernel32 = NULL;

// Main functions we will need to import
FARPROC loadlibrary = NULL;
FARPROC getprocaddress = NULL;
FARPROC exitprocess = NULL;
FARPROC exitthread = NULL;
FARPROC freelibraryandexitthread = NULL;

// The workspace we will build the codecave on locally
LPBYTE workspace = NULL;
DWORD workspaceIndex = 0;

// The memory in the process we write to
LPVOID codecaveAddress = NULL;
DWORD dwCodecaveAddress = 0;

// Strings we have to write into the process
char injectDllName[MAX_PATH + 1] = {0};
char injectFuncName[MAX_PATH + 1] = {0};
char injectError0[MAX_PATH + 1] = {0};
char injectError1[MAX_PATH + 1] = {0};
char injectError2[MAX_PATH + 1] = {0};
char user32Name[MAX_PATH + 1] = {0};
char msgboxName[MAX_PATH + 1] = {0};

// Placeholder addresses to use the strings
DWORD user32NameAddr = 0;
DWORD user32Addr = 0;
DWORD msgboxNameAddr = 0;
DWORD msgboxAddr = 0;
DWORD dllAddr = 0;
DWORD dllNameAddr = 0;
DWORD funcNameAddr = 0;
DWORD error0Addr = 0;
DWORD error1Addr = 0;
DWORD error2Addr = 0;

// Where the codecave execution should begin at
DWORD codecaveExecAddr = 0;

// Handle to the thread we create in the process
HANDLE hThread = NULL;

// Temp variables
DWORD dwTmpSize = 0;

// Old protection on page we are writing to in the process and the bytes written
DWORD oldProtect = 0;
DWORD bytesRet = 0;

//------------------------------------------//
// Variable initialization. //
//------------------------------------------//

// Get the address of the main DLL
kernel32 = LoadLibrary(L"kernel32.dll");

// Get our functions
loadlibrary = GetProcAddress(kernel32, "LoadLibraryA");
getprocaddress = GetProcAddress(kernel32, "GetProcAddress");
exitprocess = GetProcAddress(kernel32, "ExitProcess");
exitthread = GetProcAddress(kernel32, "ExitThread");
freelibraryandexitthread = GetProcAddress(kernel32, "FreeLibraryAndExitThread");

// This section will cause compiler warnings on VS8,
// you can upgrade the functions or ignore them

// Build names
_snprintf(injectDllName, MAX_PATH, "%s", dllname);
_snprintf(injectFuncName, MAX_PATH, "%s", funcname);
_snprintf(user32Name, MAX_PATH, "user32.dll");
_snprintf(msgboxName, MAX_PATH, "MessageBoxA");

// Build error messages
_snprintf(injectError0, MAX_PATH, "Error");
_snprintf(injectError1, MAX_PATH, "Could not load the dll: %s", injectDllName);
_snprintf(injectError2, MAX_PATH, "Could not load the function: %s", injectFuncName);

// Create the workspace
workspace = (LPBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);

// Allocate space for the codecave in the process
codecaveAddress = VirtualAllocEx(hProcess, 0, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
dwCodecaveAddress = PtrToUlong(codecaveAddress);

// Note there is no error checking done above for any functions that return a pointer/handle.
// I could have added them, but itd just add more messiness to the code and not provide any real
// benefit. Its up to you though in your final code if you want it there or not.

//------------------------------------------//
// Data and string writing. //
//------------------------------------------//

// Write out the address for the user32 dll address
user32Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;

// Write out the address for the MessageBoxA address
msgboxAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;

// Write out the address for the injected DLLs module
dllAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;

// User32 Dll Name
user32NameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(user32Name) + 1;
memcpy(workspace + workspaceIndex, user32Name, dwTmpSize);
workspaceIndex += dwTmpSize;

// MessageBoxA name
msgboxNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(msgboxName) + 1;
memcpy(workspace + workspaceIndex, msgboxName, dwTmpSize);
workspaceIndex += dwTmpSize;

// Dll Name
dllNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectDllName) + 1;
memcpy(workspace + workspaceIndex, injectDllName, dwTmpSize);
workspaceIndex += dwTmpSize;

// Function Name
funcNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectFuncName) + 1;
memcpy(workspace + workspaceIndex, injectFuncName, dwTmpSize);
workspaceIndex += dwTmpSize;

// Error Message 1
error0Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError0) + 1;
memcpy(workspace + workspaceIndex, injectError0, dwTmpSize);
workspaceIndex += dwTmpSize;

// Error Message 2
error1Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError1) + 1;
memcpy(workspace + workspaceIndex, injectError1, dwTmpSize);
workspaceIndex += dwTmpSize;

// Error Message 3
error2Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError2) + 1;
memcpy(workspace + workspaceIndex, injectError2, dwTmpSize);
workspaceIndex += dwTmpSize;

// Pad a few INT3s after string data is written for seperation
workspace[workspaceIndex++] = 0xCC;
workspace[workspaceIndex++] = 0xCC;
workspace[workspaceIndex++] = 0xCC;

// Store where the codecave execution should begin
codecaveExecAddr = workspaceIndex + dwCodecaveAddress;

// For debugging - infinite loop, attach onto process and step over
//workspace[workspaceIndex++] = 0xEB;
//workspace[workspaceIndex++] = 0xFE;

//------------------------------------------//
// User32.dll loading. //
//------------------------------------------//

// User32 DLL Loading
// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &user32NameAddr, 4);
workspaceIndex += 4;

// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &loadlibrary, 4);
workspaceIndex += 4;

// CALL EAX - Call LoadLibraryA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;

// MessageBoxA Loading
// PUSH 0x000000 - Push the address of the function name to load
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &msgboxNameAddr, 4);
workspaceIndex += 4;

// Push EAX, module to use in GetProcAddress
workspace[workspaceIndex++] = 0x50;

// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &getprocaddress, 4);
workspaceIndex += 4;

// CALL EAX - Call GetProcAddress
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;

// MOV [ADDRESS], EAX - Save the address to our variable
workspace[workspaceIndex++] = 0xA3;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;

//------------------------------------------//
// Injected dll loading. //
//------------------------------------------//

/*
// This is the way the following assembly code would look like in C/C++

// Load the injected DLL into this process
HMODULE h = LoadLibrary("mydll.dll");
if(!h)
{
MessageBox(0, "Could not load the dll: mydll.dll", "Error", MB_ICONERROR);
ExitProcess(0);
}

// Get the address of the export function
FARPROC p = GetProcAddress(h, "Initialize");
if(!p)
{
MessageBox(0, "Could not load the function: Initialize", "Error", MB_ICONERROR);
ExitProcess(0);
}

// So we do not need a function pointer interface
__asm call p

// Exit the thread so the loader continues
ExitThread(0);
*/

// DLL Loading
// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &dllNameAddr, 4);
workspaceIndex += 4;

// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &loadlibrary, 4);
workspaceIndex += 4;

// CALL EAX - Call LoadLibraryA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;

// Error Checking
// CMP EAX, 0
workspace[workspaceIndex++] = 0x83;
workspace[workspaceIndex++] = 0xF8;
workspace[workspaceIndex++] = 0x00;

// JNZ EIP + 0x1E to skip over eror code
workspace[workspaceIndex++] = 0x75;
workspace[workspaceIndex++] = 0x1E;

// Error Code 1
// MessageBox
// PUSH 0x10 (MB_ICONHAND)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x10;

// PUSH 0x000000 - Push the address of the MessageBox title
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error0Addr, 4);
workspaceIndex += 4;

// PUSH 0x000000 - Push the address of the MessageBox message
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error1Addr, 4);
workspaceIndex += 4;

// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;

// MOV EAX, [ADDRESS] - Move the address of MessageBoxA into EAX
workspace[workspaceIndex++] = 0xA1;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;

// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;

// ExitProcess
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;

// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitprocess, 4);
workspaceIndex += 4;

// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;

// Now we have the address of the injected DLL, so save the handle

// MOV [ADDRESS], EAX - Save the address to our variable
workspace[workspaceIndex++] = 0xA3;
memcpy(workspace + workspaceIndex, &dllAddr, 4);
workspaceIndex += 4;

// Load the initilize function from it

// PUSH 0x000000 - Push the address of the function name to load
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &funcNameAddr, 4);
workspaceIndex += 4;

// Push EAX, module to use in GetProcAddress
workspace[workspaceIndex++] = 0x50;

// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &getprocaddress, 4);
workspaceIndex += 4;

// CALL EAX - Call GetProcAddress
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;

// Error Checking
// CMP EAX, 0
workspace[workspaceIndex++] = 0x83;
workspace[workspaceIndex++] = 0xF8;
workspace[workspaceIndex++] = 0x00;

// JNZ EIP + 0x1C to skip eror code
workspace[workspaceIndex++] = 0x75;
workspace[workspaceIndex++] = 0x1C;

// Error Code 2
// MessageBox
// PUSH 0x10 (MB_ICONHAND)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x10;

// PUSH 0x000000 - Push the address of the MessageBox title
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error0Addr, 4);
workspaceIndex += 4;

// PUSH 0x000000 - Push the address of the MessageBox message
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error2Addr, 4);
workspaceIndex += 4;

// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;

// MOV EAX, ADDRESS - Move the address of MessageBoxA into EAX
workspace[workspaceIndex++] = 0xA1;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;

// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;

// ExitProcess
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;

// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitprocess, 4);
workspaceIndex += 4;

// Now that we have the address of the function, we cam call it,
// if there was an error, the messagebox would be called as well.

// CALL EAX - Call ExitProcess -or- the Initialize function
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;

// If we get here, the Initialize function has been called,
// so its time to close this thread and optionally unload the DLL.

//------------------------------------------//
// Exiting from the injected dll. //
//------------------------------------------//

// Call ExitThread to leave the DLL loaded
#if 1
// Push 0 (exit code)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;

// MOV EAX, ADDRESS - Move the address of ExitThread into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitthread, 4);
workspaceIndex += 4;

// CALL EAX - Call ExitThread
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
#endif

// Call FreeLibraryAndExitThread to unload DLL
#if 0
// Push 0 (exit code)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;

// PUSH [0x000000] - Push the address of the DLL module to unload
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0x35;
memcpy(workspace + workspaceIndex, &dllAddr, 4);
workspaceIndex += 4;

// MOV EAX, ADDRESS - Move the address of FreeLibraryAndExitThread into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &freelibraryandexitthread, 4);
workspaceIndex += 4;

// CALL EAX - Call FreeLibraryAndExitThread
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
#endif

//------------------------------------------//
// Code injection and cleanup. //
//------------------------------------------//

// Change page protection so we can write executable code
VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, PAGE_EXECUTE_READWRITE, &oldProtect);

// Write out the patch
WriteProcessMemory(hProcess, codecaveAddress, workspace, workspaceIndex, &bytesRet);

// Restore page protection
VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, oldProtect, &oldProtect);

// Make sure our changes are written right away
FlushInstructionCache(hProcess, codecaveAddress, workspaceIndex);

// Free the workspace memory
HeapFree(GetProcessHeap(), 0, workspace);

// Execute the thread now and wait for it to exit, note we execute where the code starts, and not the codecave start
// (since we wrote strings at the start of the codecave) -- NOTE: void* used for VC6 compatibility instead of UlongToPtr
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((void*)codecaveExecAddr), 0, 0, NULL);
WaitForSingleObject(hThread, INFINITE);

// Free the memory in the process that we allocated
VirtualFreeEx(hProcess, codecaveAddress, 0, MEM_RELEASE);
}

std::wstring getEnvVariable(const wchar_t *name)
{
return _wgetenv(name);
}

static size_t save_version(const char *ptr, size_t size, size_t nmemb, void *stream)
{
version = new wchar_t[size * nmemb];
ZeroMemory(version, wcslen(version));
int count = mbstowcs(version, ptr, size * nmemb);
version[count] = ;
return count;
}

void fatalError(const wchar_t *format, ...)
{
va_list args;

std::wcout << L"FATAL ERROR: ";
va_start(args, format);
vwprintf(format, args);
va_end(args);
std::wcout << std::endl;
std::wcout << std::endl << L"Press any key to exit." << std::endl;
_getch();
}

int _tmain(int argc, _TCHAR* argv[])
{
// INTRO
std::wcout << L"Exploit "waterfall" loaded." << std::endl;
std::wcout << L"Exploit by exprohacks.net" << std::endl << std::endl;

// DOWNLOAD VERSION INFO
std::wcout << L"Checking Toony version ID..." << std::endl;

CURL* c;
CURLcode curlResult;

c = curl_easy_init();
curl_easy_setopt(c, CURLOPT_URL, "setup.Toony.com/version.txt");
curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, save_version);
curlResult = curl_easy_perform(c);

long statusCode;
curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE, &statusCode);

if(statusCode != 200)
{
curl_easy_cleanup(c);
fatalError(L"Unable download Toony version information.");
return 0;
}

curl_easy_cleanup(c);

std::wcout << "Version found: " << version << std::endl << std::endl;

// DETECT IF XP AND GET Toony PATH
std::wcout << "Locating Toony..." << std::endl;

OSVERSIONINFO OSversion;
OSversion.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&OSversion);

std::wstring basePath;
std::wstring ToonyDir;
std::wstringstream ToonyDirStream;

// MAKE SURE Toony DIR EXISTS

struct _stat dirInfo;

if(OSversion.dwMajorVersion <= 5)
{
// XP
ToonyDirStream << getEnvVariable(L"USERPROFILE") << L"\Local Settings\Application Data";
} else {
// VISTA AND UP
ToonyDirStream << getEnvVariable(L"LOCALAPPDATA");
}

ToonyDirStream << L"\Toony\Versions\" << version;

ToonyDir = ToonyDirStream.str();

bool ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);

if(!ToonyDirectoryExists)
{
ToonyDirStream.str(std::wstring());

ToonyDirStream << getEnvVariable(L"ProgramFiles");
ToonyDirStream << L"\Toony\Versions\" << version;

ToonyDir = ToonyDirStream.str();

ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);

if(!ToonyDirectoryExists)
{
ToonyDirStream.str(std::wstring());

ToonyDirStream << getEnvVariable(L"ProgramFiles(x86)");
ToonyDirStream << L"\Toony\Versions\" << version;

ToonyDir = ToonyDirStream.str();

ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);

if(!ToonyDirectoryExists)
{
fatalError(L"Could not locate Toony directory. Make sure you have the latest version.");
return 0;
}
}
}

std::wcout << L"Starting Toony..." << std::endl << std::endl;

// START Toony IN SUSPENDED STATE
ToonyDirStream << L"\ToonyApp.exe";

std::wstring ToonyExe = ToonyDirStream.str();

STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
BOOL result = false;

si.cb = sizeof(STARTUPINFO);

result = CreateProcess(NULL, (LPWSTR)ToonyExe.c_str(), NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, (LPWSTR)ToonyDir.c_str(), &si, &pi);

if(!result)
{
fatalError(L"Unable to start ToonyApp.exe. Make sure it is not missing or corrupted.");
return 0;
}

// INJECT DLL AND RESUME PROCESS
std::wcout << L"Injecting DLL..." << std::endl << std::endl;

wchar_t selfPath[MAX_PATH + 1];
GetModuleFileName(NULL, selfPath, MAX_PATH);
wchar_t* filename = wcsrchr(selfPath, \);
selfPath[filename - selfPath + 1] = ;

char dllPath[MAX_PATH + 1] = {0};
_snprintf(dllPath, MAX_PATH, "%SLolHack.dll", selfPath);

Inject(pi.hProcess, dllPath, "Initialize");

std::wcout << L"Resuming Toony..." << std::endl;

ResumeThread(pi.hThread);

Sleep(1000);
return 0;
}[/code]
<br/>


View the full article
 
Back
Top