EDN Admin
Well-known member
My friend gave me the code, and moved away for a couple of months... and im getting error, after error trying to compile this, i have absolutely no knowledge in C++. I also have no way of contact with him, could someone please make it a dll file?
thanks.
HERE IT IS
<pre class="prettyprint Include these headers...
#include "targetver.h"
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <conio.h>
#include <io.h>
#include <string>
#include <sstream>
#include <iostream>
#include <curl.h>
#include "stdafx.h"
wchar_t *version;
void Inject(HANDLE hProcess, const char* dllname, const char* funcname)
{
//------------------------------------------//
// Function variables. //
//------------------------------------------//
// Main DLL we will need to load
HMODULE kernel32 = NULL;
// Main functions we will need to import
FARPROC loadlibrary = NULL;
FARPROC getprocaddress = NULL;
FARPROC exitprocess = NULL;
FARPROC exitthread = NULL;
FARPROC freelibraryandexitthread = NULL;
// The workspace we will build the codecave on locally
LPBYTE workspace = NULL;
DWORD workspaceIndex = 0;
// The memory in the process we write to
LPVOID codecaveAddress = NULL;
DWORD dwCodecaveAddress = 0;
// Strings we have to write into the process
char injectDllName[MAX_PATH + 1] = {0};
char injectFuncName[MAX_PATH + 1] = {0};
char injectError0[MAX_PATH + 1] = {0};
char injectError1[MAX_PATH + 1] = {0};
char injectError2[MAX_PATH + 1] = {0};
char user32Name[MAX_PATH + 1] = {0};
char msgboxName[MAX_PATH + 1] = {0};
// Placeholder addresses to use the strings
DWORD user32NameAddr = 0;
DWORD user32Addr = 0;
DWORD msgboxNameAddr = 0;
DWORD msgboxAddr = 0;
DWORD dllAddr = 0;
DWORD dllNameAddr = 0;
DWORD funcNameAddr = 0;
DWORD error0Addr = 0;
DWORD error1Addr = 0;
DWORD error2Addr = 0;
// Where the codecave execution should begin at
DWORD codecaveExecAddr = 0;
// Handle to the thread we create in the process
HANDLE hThread = NULL;
// Temp variables
DWORD dwTmpSize = 0;
// Old protection on page we are writing to in the process and the bytes written
DWORD oldProtect = 0;
DWORD bytesRet = 0;
//------------------------------------------//
// Variable initialization. //
//------------------------------------------//
// Get the address of the main DLL
kernel32 = LoadLibrary(L"kernel32.dll");
// Get our functions
loadlibrary = GetProcAddress(kernel32, "LoadLibraryA");
getprocaddress = GetProcAddress(kernel32, "GetProcAddress");
exitprocess = GetProcAddress(kernel32, "ExitProcess");
exitthread = GetProcAddress(kernel32, "ExitThread");
freelibraryandexitthread = GetProcAddress(kernel32, "FreeLibraryAndExitThread");
// This section will cause compiler warnings on VS8,
// you can upgrade the functions or ignore them
// Build names
_snprintf(injectDllName, MAX_PATH, "%s", dllname);
_snprintf(injectFuncName, MAX_PATH, "%s", funcname);
_snprintf(user32Name, MAX_PATH, "user32.dll");
_snprintf(msgboxName, MAX_PATH, "MessageBoxA");
// Build error messages
_snprintf(injectError0, MAX_PATH, "Error");
_snprintf(injectError1, MAX_PATH, "Could not load the dll: %s", injectDllName);
_snprintf(injectError2, MAX_PATH, "Could not load the function: %s", injectFuncName);
// Create the workspace
workspace = (LPBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);
// Allocate space for the codecave in the process
codecaveAddress = VirtualAllocEx(hProcess, 0, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
dwCodecaveAddress = PtrToUlong(codecaveAddress);
// Note there is no error checking done above for any functions that return a pointer/handle.
// I could have added them, but itd just add more messiness to the code and not provide any real
// benefit. Its up to you though in your final code if you want it there or not.
//------------------------------------------//
// Data and string writing. //
//------------------------------------------//
// Write out the address for the user32 dll address
user32Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// Write out the address for the MessageBoxA address
msgboxAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// Write out the address for the injected DLLs module
dllAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// User32 Dll Name
user32NameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(user32Name) + 1;
memcpy(workspace + workspaceIndex, user32Name, dwTmpSize);
workspaceIndex += dwTmpSize;
// MessageBoxA name
msgboxNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(msgboxName) + 1;
memcpy(workspace + workspaceIndex, msgboxName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Dll Name
dllNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectDllName) + 1;
memcpy(workspace + workspaceIndex, injectDllName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Function Name
funcNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectFuncName) + 1;
memcpy(workspace + workspaceIndex, injectFuncName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 1
error0Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError0) + 1;
memcpy(workspace + workspaceIndex, injectError0, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 2
error1Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError1) + 1;
memcpy(workspace + workspaceIndex, injectError1, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 3
error2Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError2) + 1;
memcpy(workspace + workspaceIndex, injectError2, dwTmpSize);
workspaceIndex += dwTmpSize;
// Pad a few INT3s after string data is written for seperation
workspace[workspaceIndex++] = 0xCC;
workspace[workspaceIndex++] = 0xCC;
workspace[workspaceIndex++] = 0xCC;
// Store where the codecave execution should begin
codecaveExecAddr = workspaceIndex + dwCodecaveAddress;
// For debugging - infinite loop, attach onto process and step over
//workspace[workspaceIndex++] = 0xEB;
//workspace[workspaceIndex++] = 0xFE;
//------------------------------------------//
// User32.dll loading. //
//------------------------------------------//
// User32 DLL Loading
// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &user32NameAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &loadlibrary, 4);
workspaceIndex += 4;
// CALL EAX - Call LoadLibraryA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// MessageBoxA Loading
// PUSH 0x000000 - Push the address of the function name to load
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &msgboxNameAddr, 4);
workspaceIndex += 4;
// Push EAX, module to use in GetProcAddress
workspace[workspaceIndex++] = 0x50;
// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &getprocaddress, 4);
workspaceIndex += 4;
// CALL EAX - Call GetProcAddress
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// MOV [ADDRESS], EAX - Save the address to our variable
workspace[workspaceIndex++] = 0xA3;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
//------------------------------------------//
// Injected dll loading. //
//------------------------------------------//
/*
// This is the way the following assembly code would look like in C/C++
// Load the injected DLL into this process
HMODULE h = LoadLibrary("mydll.dll");
if(!h)
{
MessageBox(0, "Could not load the dll: mydll.dll", "Error", MB_ICONERROR);
ExitProcess(0);
}
// Get the address of the export function
FARPROC p = GetProcAddress(h, "Initialize");
if(!p)
{
MessageBox(0, "Could not load the function: Initialize", "Error", MB_ICONERROR);
ExitProcess(0);
}
// So we do not need a function pointer interface
__asm call p
// Exit the thread so the loader continues
ExitThread(0);
*/
// DLL Loading
// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &dllNameAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &loadlibrary, 4);
workspaceIndex += 4;
// CALL EAX - Call LoadLibraryA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Error Checking
// CMP EAX, 0
workspace[workspaceIndex++] = 0x83;
workspace[workspaceIndex++] = 0xF8;
workspace[workspaceIndex++] = 0x00;
// JNZ EIP + 0x1E to skip over eror code
workspace[workspaceIndex++] = 0x75;
workspace[workspaceIndex++] = 0x1E;
// Error Code 1
// MessageBox
// PUSH 0x10 (MB_ICONHAND)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x10;
// PUSH 0x000000 - Push the address of the MessageBox title
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error0Addr, 4);
workspaceIndex += 4;
// PUSH 0x000000 - Push the address of the MessageBox message
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error1Addr, 4);
workspaceIndex += 4;
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, [ADDRESS] - Move the address of MessageBoxA into EAX
workspace[workspaceIndex++] = 0xA1;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// ExitProcess
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitprocess, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Now we have the address of the injected DLL, so save the handle
// MOV [ADDRESS], EAX - Save the address to our variable
workspace[workspaceIndex++] = 0xA3;
memcpy(workspace + workspaceIndex, &dllAddr, 4);
workspaceIndex += 4;
// Load the initilize function from it
// PUSH 0x000000 - Push the address of the function name to load
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &funcNameAddr, 4);
workspaceIndex += 4;
// Push EAX, module to use in GetProcAddress
workspace[workspaceIndex++] = 0x50;
// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &getprocaddress, 4);
workspaceIndex += 4;
// CALL EAX - Call GetProcAddress
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Error Checking
// CMP EAX, 0
workspace[workspaceIndex++] = 0x83;
workspace[workspaceIndex++] = 0xF8;
workspace[workspaceIndex++] = 0x00;
// JNZ EIP + 0x1C to skip eror code
workspace[workspaceIndex++] = 0x75;
workspace[workspaceIndex++] = 0x1C;
// Error Code 2
// MessageBox
// PUSH 0x10 (MB_ICONHAND)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x10;
// PUSH 0x000000 - Push the address of the MessageBox title
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error0Addr, 4);
workspaceIndex += 4;
// PUSH 0x000000 - Push the address of the MessageBox message
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error2Addr, 4);
workspaceIndex += 4;
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of MessageBoxA into EAX
workspace[workspaceIndex++] = 0xA1;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// ExitProcess
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitprocess, 4);
workspaceIndex += 4;
// Now that we have the address of the function, we cam call it,
// if there was an error, the messagebox would be called as well.
// CALL EAX - Call ExitProcess -or- the Initialize function
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// If we get here, the Initialize function has been called,
// so its time to close this thread and optionally unload the DLL.
//------------------------------------------//
// Exiting from the injected dll. //
//------------------------------------------//
// Call ExitThread to leave the DLL loaded
#if 1
// Push 0 (exit code)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitThread into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitthread, 4);
workspaceIndex += 4;
// CALL EAX - Call ExitThread
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
#endif
// Call FreeLibraryAndExitThread to unload DLL
#if 0
// Push 0 (exit code)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// PUSH [0x000000] - Push the address of the DLL module to unload
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0x35;
memcpy(workspace + workspaceIndex, &dllAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of FreeLibraryAndExitThread into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &freelibraryandexitthread, 4);
workspaceIndex += 4;
// CALL EAX - Call FreeLibraryAndExitThread
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
#endif
//------------------------------------------//
// Code injection and cleanup. //
//------------------------------------------//
// Change page protection so we can write executable code
VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, PAGE_EXECUTE_READWRITE, &oldProtect);
// Write out the patch
WriteProcessMemory(hProcess, codecaveAddress, workspace, workspaceIndex, &bytesRet);
// Restore page protection
VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, oldProtect, &oldProtect);
// Make sure our changes are written right away
FlushInstructionCache(hProcess, codecaveAddress, workspaceIndex);
// Free the workspace memory
HeapFree(GetProcessHeap(), 0, workspace);
// Execute the thread now and wait for it to exit, note we execute where the code starts, and not the codecave start
// (since we wrote strings at the start of the codecave) -- NOTE: void* used for VC6 compatibility instead of UlongToPtr
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((void*)codecaveExecAddr), 0, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
// Free the memory in the process that we allocated
VirtualFreeEx(hProcess, codecaveAddress, 0, MEM_RELEASE);
}
std::wstring getEnvVariable(const wchar_t *name)
{
return _wgetenv(name);
}
static size_t save_version(const char *ptr, size_t size, size_t nmemb, void *stream)
{
version = new wchar_t[size * nmemb];
ZeroMemory(version, wcslen(version));
int count = mbstowcs(version, ptr, size * nmemb);
version[count] = �;
return count;
}
void fatalError(const wchar_t *format, ...)
{
va_list args;
std::wcout << L"FATAL ERROR: ";
va_start(args, format);
vwprintf(format, args);
va_end(args);
std::wcout << std::endl;
std::wcout << std::endl << L"Press any key to exit." << std::endl;
_getch();
}
int _tmain(int argc, _TCHAR* argv[])
{
// INTRO
std::wcout << L"Exploit "waterfall" loaded." << std::endl;
std::wcout << L"Exploit by exprohacks.net" << std::endl << std::endl;
// DOWNLOAD VERSION INFO
std::wcout << L"Checking Toony version ID..." << std::endl;
CURL* c;
CURLcode curlResult;
c = curl_easy_init();
curl_easy_setopt(c, CURLOPT_URL, "setup.Toony.com/version.txt");
curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, save_version);
curlResult = curl_easy_perform(c);
long statusCode;
curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE, &statusCode);
if(statusCode != 200)
{
curl_easy_cleanup(c);
fatalError(L"Unable download Toony version information.");
return 0;
}
curl_easy_cleanup(c);
std::wcout << "Version found: " << version << std::endl << std::endl;
// DETECT IF XP AND GET Toony PATH
std::wcout << "Locating Toony..." << std::endl;
OSVERSIONINFO OSversion;
OSversion.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&OSversion);
std::wstring basePath;
std::wstring ToonyDir;
std::wstringstream ToonyDirStream;
// MAKE SURE Toony DIR EXISTS
struct _stat dirInfo;
if(OSversion.dwMajorVersion <= 5)
{
// XP
ToonyDirStream << getEnvVariable(L"USERPROFILE") << L"\Local Settings\Application Data";
} else {
// VISTA AND UP
ToonyDirStream << getEnvVariable(L"LOCALAPPDATA");
}
ToonyDirStream << L"\Toony\Versions\" << version;
ToonyDir = ToonyDirStream.str();
bool ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);
if(!ToonyDirectoryExists)
{
ToonyDirStream.str(std::wstring());
ToonyDirStream << getEnvVariable(L"ProgramFiles");
ToonyDirStream << L"\Toony\Versions\" << version;
ToonyDir = ToonyDirStream.str();
ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);
if(!ToonyDirectoryExists)
{
ToonyDirStream.str(std::wstring());
ToonyDirStream << getEnvVariable(L"ProgramFiles(x86)");
ToonyDirStream << L"\Toony\Versions\" << version;
ToonyDir = ToonyDirStream.str();
ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);
if(!ToonyDirectoryExists)
{
fatalError(L"Could not locate Toony directory. Make sure you have the latest version.");
return 0;
}
}
}
std::wcout << L"Starting Toony..." << std::endl << std::endl;
// START Toony IN SUSPENDED STATE
ToonyDirStream << L"\ToonyApp.exe";
std::wstring ToonyExe = ToonyDirStream.str();
STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
BOOL result = false;
si.cb = sizeof(STARTUPINFO);
result = CreateProcess(NULL, (LPWSTR)ToonyExe.c_str(), NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, (LPWSTR)ToonyDir.c_str(), &si, &pi);
if(!result)
{
fatalError(L"Unable to start ToonyApp.exe. Make sure it is not missing or corrupted.");
return 0;
}
// INJECT DLL AND RESUME PROCESS
std::wcout << L"Injecting DLL..." << std::endl << std::endl;
wchar_t selfPath[MAX_PATH + 1];
GetModuleFileName(NULL, selfPath, MAX_PATH);
wchar_t* filename = wcsrchr(selfPath, \);
selfPath[filename - selfPath + 1] = �;
char dllPath[MAX_PATH + 1] = {0};
_snprintf(dllPath, MAX_PATH, "%SLolHack.dll", selfPath);
Inject(pi.hProcess, dllPath, "Initialize");
std::wcout << L"Resuming Toony..." << std::endl;
ResumeThread(pi.hThread);
Sleep(1000);
return 0;
}[/code]
<br/>
View the full article
thanks.
HERE IT IS
<pre class="prettyprint Include these headers...
#include "targetver.h"
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <conio.h>
#include <io.h>
#include <string>
#include <sstream>
#include <iostream>
#include <curl.h>
#include "stdafx.h"
wchar_t *version;
void Inject(HANDLE hProcess, const char* dllname, const char* funcname)
{
//------------------------------------------//
// Function variables. //
//------------------------------------------//
// Main DLL we will need to load
HMODULE kernel32 = NULL;
// Main functions we will need to import
FARPROC loadlibrary = NULL;
FARPROC getprocaddress = NULL;
FARPROC exitprocess = NULL;
FARPROC exitthread = NULL;
FARPROC freelibraryandexitthread = NULL;
// The workspace we will build the codecave on locally
LPBYTE workspace = NULL;
DWORD workspaceIndex = 0;
// The memory in the process we write to
LPVOID codecaveAddress = NULL;
DWORD dwCodecaveAddress = 0;
// Strings we have to write into the process
char injectDllName[MAX_PATH + 1] = {0};
char injectFuncName[MAX_PATH + 1] = {0};
char injectError0[MAX_PATH + 1] = {0};
char injectError1[MAX_PATH + 1] = {0};
char injectError2[MAX_PATH + 1] = {0};
char user32Name[MAX_PATH + 1] = {0};
char msgboxName[MAX_PATH + 1] = {0};
// Placeholder addresses to use the strings
DWORD user32NameAddr = 0;
DWORD user32Addr = 0;
DWORD msgboxNameAddr = 0;
DWORD msgboxAddr = 0;
DWORD dllAddr = 0;
DWORD dllNameAddr = 0;
DWORD funcNameAddr = 0;
DWORD error0Addr = 0;
DWORD error1Addr = 0;
DWORD error2Addr = 0;
// Where the codecave execution should begin at
DWORD codecaveExecAddr = 0;
// Handle to the thread we create in the process
HANDLE hThread = NULL;
// Temp variables
DWORD dwTmpSize = 0;
// Old protection on page we are writing to in the process and the bytes written
DWORD oldProtect = 0;
DWORD bytesRet = 0;
//------------------------------------------//
// Variable initialization. //
//------------------------------------------//
// Get the address of the main DLL
kernel32 = LoadLibrary(L"kernel32.dll");
// Get our functions
loadlibrary = GetProcAddress(kernel32, "LoadLibraryA");
getprocaddress = GetProcAddress(kernel32, "GetProcAddress");
exitprocess = GetProcAddress(kernel32, "ExitProcess");
exitthread = GetProcAddress(kernel32, "ExitThread");
freelibraryandexitthread = GetProcAddress(kernel32, "FreeLibraryAndExitThread");
// This section will cause compiler warnings on VS8,
// you can upgrade the functions or ignore them
// Build names
_snprintf(injectDllName, MAX_PATH, "%s", dllname);
_snprintf(injectFuncName, MAX_PATH, "%s", funcname);
_snprintf(user32Name, MAX_PATH, "user32.dll");
_snprintf(msgboxName, MAX_PATH, "MessageBoxA");
// Build error messages
_snprintf(injectError0, MAX_PATH, "Error");
_snprintf(injectError1, MAX_PATH, "Could not load the dll: %s", injectDllName);
_snprintf(injectError2, MAX_PATH, "Could not load the function: %s", injectFuncName);
// Create the workspace
workspace = (LPBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 1024);
// Allocate space for the codecave in the process
codecaveAddress = VirtualAllocEx(hProcess, 0, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
dwCodecaveAddress = PtrToUlong(codecaveAddress);
// Note there is no error checking done above for any functions that return a pointer/handle.
// I could have added them, but itd just add more messiness to the code and not provide any real
// benefit. Its up to you though in your final code if you want it there or not.
//------------------------------------------//
// Data and string writing. //
//------------------------------------------//
// Write out the address for the user32 dll address
user32Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// Write out the address for the MessageBoxA address
msgboxAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// Write out the address for the injected DLLs module
dllAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = 0;
memcpy(workspace + workspaceIndex, &dwTmpSize, 4);
workspaceIndex += 4;
// User32 Dll Name
user32NameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(user32Name) + 1;
memcpy(workspace + workspaceIndex, user32Name, dwTmpSize);
workspaceIndex += dwTmpSize;
// MessageBoxA name
msgboxNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(msgboxName) + 1;
memcpy(workspace + workspaceIndex, msgboxName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Dll Name
dllNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectDllName) + 1;
memcpy(workspace + workspaceIndex, injectDllName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Function Name
funcNameAddr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectFuncName) + 1;
memcpy(workspace + workspaceIndex, injectFuncName, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 1
error0Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError0) + 1;
memcpy(workspace + workspaceIndex, injectError0, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 2
error1Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError1) + 1;
memcpy(workspace + workspaceIndex, injectError1, dwTmpSize);
workspaceIndex += dwTmpSize;
// Error Message 3
error2Addr = workspaceIndex + dwCodecaveAddress;
dwTmpSize = (DWORD)strlen(injectError2) + 1;
memcpy(workspace + workspaceIndex, injectError2, dwTmpSize);
workspaceIndex += dwTmpSize;
// Pad a few INT3s after string data is written for seperation
workspace[workspaceIndex++] = 0xCC;
workspace[workspaceIndex++] = 0xCC;
workspace[workspaceIndex++] = 0xCC;
// Store where the codecave execution should begin
codecaveExecAddr = workspaceIndex + dwCodecaveAddress;
// For debugging - infinite loop, attach onto process and step over
//workspace[workspaceIndex++] = 0xEB;
//workspace[workspaceIndex++] = 0xFE;
//------------------------------------------//
// User32.dll loading. //
//------------------------------------------//
// User32 DLL Loading
// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &user32NameAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &loadlibrary, 4);
workspaceIndex += 4;
// CALL EAX - Call LoadLibraryA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// MessageBoxA Loading
// PUSH 0x000000 - Push the address of the function name to load
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &msgboxNameAddr, 4);
workspaceIndex += 4;
// Push EAX, module to use in GetProcAddress
workspace[workspaceIndex++] = 0x50;
// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &getprocaddress, 4);
workspaceIndex += 4;
// CALL EAX - Call GetProcAddress
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// MOV [ADDRESS], EAX - Save the address to our variable
workspace[workspaceIndex++] = 0xA3;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
//------------------------------------------//
// Injected dll loading. //
//------------------------------------------//
/*
// This is the way the following assembly code would look like in C/C++
// Load the injected DLL into this process
HMODULE h = LoadLibrary("mydll.dll");
if(!h)
{
MessageBox(0, "Could not load the dll: mydll.dll", "Error", MB_ICONERROR);
ExitProcess(0);
}
// Get the address of the export function
FARPROC p = GetProcAddress(h, "Initialize");
if(!p)
{
MessageBox(0, "Could not load the function: Initialize", "Error", MB_ICONERROR);
ExitProcess(0);
}
// So we do not need a function pointer interface
__asm call p
// Exit the thread so the loader continues
ExitThread(0);
*/
// DLL Loading
// PUSH 0x00000000 - Push the address of the DLL name to use in LoadLibraryA
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &dllNameAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of LoadLibraryA into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &loadlibrary, 4);
workspaceIndex += 4;
// CALL EAX - Call LoadLibraryA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Error Checking
// CMP EAX, 0
workspace[workspaceIndex++] = 0x83;
workspace[workspaceIndex++] = 0xF8;
workspace[workspaceIndex++] = 0x00;
// JNZ EIP + 0x1E to skip over eror code
workspace[workspaceIndex++] = 0x75;
workspace[workspaceIndex++] = 0x1E;
// Error Code 1
// MessageBox
// PUSH 0x10 (MB_ICONHAND)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x10;
// PUSH 0x000000 - Push the address of the MessageBox title
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error0Addr, 4);
workspaceIndex += 4;
// PUSH 0x000000 - Push the address of the MessageBox message
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error1Addr, 4);
workspaceIndex += 4;
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, [ADDRESS] - Move the address of MessageBoxA into EAX
workspace[workspaceIndex++] = 0xA1;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// ExitProcess
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitprocess, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Now we have the address of the injected DLL, so save the handle
// MOV [ADDRESS], EAX - Save the address to our variable
workspace[workspaceIndex++] = 0xA3;
memcpy(workspace + workspaceIndex, &dllAddr, 4);
workspaceIndex += 4;
// Load the initilize function from it
// PUSH 0x000000 - Push the address of the function name to load
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &funcNameAddr, 4);
workspaceIndex += 4;
// Push EAX, module to use in GetProcAddress
workspace[workspaceIndex++] = 0x50;
// MOV EAX, ADDRESS - Move the address of GetProcAddress into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &getprocaddress, 4);
workspaceIndex += 4;
// CALL EAX - Call GetProcAddress
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// Error Checking
// CMP EAX, 0
workspace[workspaceIndex++] = 0x83;
workspace[workspaceIndex++] = 0xF8;
workspace[workspaceIndex++] = 0x00;
// JNZ EIP + 0x1C to skip eror code
workspace[workspaceIndex++] = 0x75;
workspace[workspaceIndex++] = 0x1C;
// Error Code 2
// MessageBox
// PUSH 0x10 (MB_ICONHAND)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x10;
// PUSH 0x000000 - Push the address of the MessageBox title
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error0Addr, 4);
workspaceIndex += 4;
// PUSH 0x000000 - Push the address of the MessageBox message
workspace[workspaceIndex++] = 0x68;
memcpy(workspace + workspaceIndex, &error2Addr, 4);
workspaceIndex += 4;
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of MessageBoxA into EAX
workspace[workspaceIndex++] = 0xA1;
memcpy(workspace + workspaceIndex, &msgboxAddr, 4);
workspaceIndex += 4;
// CALL EAX - Call MessageBoxA
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// ExitProcess
// Push 0
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitProcess into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitprocess, 4);
workspaceIndex += 4;
// Now that we have the address of the function, we cam call it,
// if there was an error, the messagebox would be called as well.
// CALL EAX - Call ExitProcess -or- the Initialize function
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
// If we get here, the Initialize function has been called,
// so its time to close this thread and optionally unload the DLL.
//------------------------------------------//
// Exiting from the injected dll. //
//------------------------------------------//
// Call ExitThread to leave the DLL loaded
#if 1
// Push 0 (exit code)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// MOV EAX, ADDRESS - Move the address of ExitThread into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &exitthread, 4);
workspaceIndex += 4;
// CALL EAX - Call ExitThread
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
#endif
// Call FreeLibraryAndExitThread to unload DLL
#if 0
// Push 0 (exit code)
workspace[workspaceIndex++] = 0x6A;
workspace[workspaceIndex++] = 0x00;
// PUSH [0x000000] - Push the address of the DLL module to unload
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0x35;
memcpy(workspace + workspaceIndex, &dllAddr, 4);
workspaceIndex += 4;
// MOV EAX, ADDRESS - Move the address of FreeLibraryAndExitThread into EAX
workspace[workspaceIndex++] = 0xB8;
memcpy(workspace + workspaceIndex, &freelibraryandexitthread, 4);
workspaceIndex += 4;
// CALL EAX - Call FreeLibraryAndExitThread
workspace[workspaceIndex++] = 0xFF;
workspace[workspaceIndex++] = 0xD0;
#endif
//------------------------------------------//
// Code injection and cleanup. //
//------------------------------------------//
// Change page protection so we can write executable code
VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, PAGE_EXECUTE_READWRITE, &oldProtect);
// Write out the patch
WriteProcessMemory(hProcess, codecaveAddress, workspace, workspaceIndex, &bytesRet);
// Restore page protection
VirtualProtectEx(hProcess, codecaveAddress, workspaceIndex, oldProtect, &oldProtect);
// Make sure our changes are written right away
FlushInstructionCache(hProcess, codecaveAddress, workspaceIndex);
// Free the workspace memory
HeapFree(GetProcessHeap(), 0, workspace);
// Execute the thread now and wait for it to exit, note we execute where the code starts, and not the codecave start
// (since we wrote strings at the start of the codecave) -- NOTE: void* used for VC6 compatibility instead of UlongToPtr
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((void*)codecaveExecAddr), 0, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
// Free the memory in the process that we allocated
VirtualFreeEx(hProcess, codecaveAddress, 0, MEM_RELEASE);
}
std::wstring getEnvVariable(const wchar_t *name)
{
return _wgetenv(name);
}
static size_t save_version(const char *ptr, size_t size, size_t nmemb, void *stream)
{
version = new wchar_t[size * nmemb];
ZeroMemory(version, wcslen(version));
int count = mbstowcs(version, ptr, size * nmemb);
version[count] = �;
return count;
}
void fatalError(const wchar_t *format, ...)
{
va_list args;
std::wcout << L"FATAL ERROR: ";
va_start(args, format);
vwprintf(format, args);
va_end(args);
std::wcout << std::endl;
std::wcout << std::endl << L"Press any key to exit." << std::endl;
_getch();
}
int _tmain(int argc, _TCHAR* argv[])
{
// INTRO
std::wcout << L"Exploit "waterfall" loaded." << std::endl;
std::wcout << L"Exploit by exprohacks.net" << std::endl << std::endl;
// DOWNLOAD VERSION INFO
std::wcout << L"Checking Toony version ID..." << std::endl;
CURL* c;
CURLcode curlResult;
c = curl_easy_init();
curl_easy_setopt(c, CURLOPT_URL, "setup.Toony.com/version.txt");
curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, save_version);
curlResult = curl_easy_perform(c);
long statusCode;
curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE, &statusCode);
if(statusCode != 200)
{
curl_easy_cleanup(c);
fatalError(L"Unable download Toony version information.");
return 0;
}
curl_easy_cleanup(c);
std::wcout << "Version found: " << version << std::endl << std::endl;
// DETECT IF XP AND GET Toony PATH
std::wcout << "Locating Toony..." << std::endl;
OSVERSIONINFO OSversion;
OSversion.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&OSversion);
std::wstring basePath;
std::wstring ToonyDir;
std::wstringstream ToonyDirStream;
// MAKE SURE Toony DIR EXISTS
struct _stat dirInfo;
if(OSversion.dwMajorVersion <= 5)
{
// XP
ToonyDirStream << getEnvVariable(L"USERPROFILE") << L"\Local Settings\Application Data";
} else {
// VISTA AND UP
ToonyDirStream << getEnvVariable(L"LOCALAPPDATA");
}
ToonyDirStream << L"\Toony\Versions\" << version;
ToonyDir = ToonyDirStream.str();
bool ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);
if(!ToonyDirectoryExists)
{
ToonyDirStream.str(std::wstring());
ToonyDirStream << getEnvVariable(L"ProgramFiles");
ToonyDirStream << L"\Toony\Versions\" << version;
ToonyDir = ToonyDirStream.str();
ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);
if(!ToonyDirectoryExists)
{
ToonyDirStream.str(std::wstring());
ToonyDirStream << getEnvVariable(L"ProgramFiles(x86)");
ToonyDirStream << L"\Toony\Versions\" << version;
ToonyDir = ToonyDirStream.str();
ToonyDirectoryExists = (_wstat(ToonyDir.c_str(), &dirInfo) == 0);
if(!ToonyDirectoryExists)
{
fatalError(L"Could not locate Toony directory. Make sure you have the latest version.");
return 0;
}
}
}
std::wcout << L"Starting Toony..." << std::endl << std::endl;
// START Toony IN SUSPENDED STATE
ToonyDirStream << L"\ToonyApp.exe";
std::wstring ToonyExe = ToonyDirStream.str();
STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
BOOL result = false;
si.cb = sizeof(STARTUPINFO);
result = CreateProcess(NULL, (LPWSTR)ToonyExe.c_str(), NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, (LPWSTR)ToonyDir.c_str(), &si, &pi);
if(!result)
{
fatalError(L"Unable to start ToonyApp.exe. Make sure it is not missing or corrupted.");
return 0;
}
// INJECT DLL AND RESUME PROCESS
std::wcout << L"Injecting DLL..." << std::endl << std::endl;
wchar_t selfPath[MAX_PATH + 1];
GetModuleFileName(NULL, selfPath, MAX_PATH);
wchar_t* filename = wcsrchr(selfPath, \);
selfPath[filename - selfPath + 1] = �;
char dllPath[MAX_PATH + 1] = {0};
_snprintf(dllPath, MAX_PATH, "%SLolHack.dll", selfPath);
Inject(pi.hProcess, dllPath, "Initialize");
std::wcout << L"Resuming Toony..." << std::endl;
ResumeThread(pi.hThread);
Sleep(1000);
return 0;
}[/code]
<br/>
View the full article
