[UDF]Inject.au3


Posted

A small UDF for injecting DLL files into processes.

Requires NomadMemory.au3

The UDF was found on www.autoitscript.com and edited by me and Phoenix_PL for the current version.

Before use, it is recommended to add

#RequireAdmin

Otherwise the script may not work!

#include-once

; #INDEX# =======================================================================================================================
; Title .........: Inject UDF library for AutoIt v3
; AutoIt Version : 3.3.4, Inject.au3 v 1.0 (31/1/2010)
; Language ......: English
; Description ...: Functions for getting process information and for in/ejecting a .dll file into/off a process
; Requirements ..: NomadMemory.au3, Memory.au3, WinAPI.au3, Kernel32.dll ;Script has to be compiled in x86 Mode ;#RequireAdmin
; Author(s) .....: Deathly Assassin (http://www.autoitbot.de)
; ===============================================================================================================================

; #REQUIRED INCLUDES# ===========================================================================================================
#include <Memory.au3>
#include <WinAPI.au3>
#include <NomadMemory.au3>
#include <Security.au3>
; ===============================================================================================================================

; #CURRENT# =====================================================================================================================
;_InjectAttachDll
;_InjectDetachDllEx
;_InjectDetachDll
;_InjectModulInfo
; ===============================================================================================================================

; #FUNCTION# ====================================================================================================================
; Name...........: _InjectAttachDll
; Description ...: Injects a .dll file into a process
; Syntax.........: _InjectAttachDll($sPath, $PID)
; Parameters ....: $sPath - Path and filename of the .dll file to be injected
;                  $PID   - A process identifier
; Return values .: Success - Returns hModule of the injected dll
;                  Failure - Returns @Error of the failed function and sets @Error:
;                  |@error = 1 - _MemoryOpen failed -> $PID might be wrong
;                  |@error = 2 - _MemoryWrite failed -> "SeDebugPrivilege" might not have been set. #RequireAdmin might solve this problem / $sPath might not have been found
;                  |@error = 3 - DllOpen failed -> kernel32.dll might not have been found
;                  |@error = 4 - GetExitCodeThread failed
; Author ........: Deathly Assassin (http://www.autoitbot.de)
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================


Func _InjectAttachDll($sPath, $PID)
    Local $hRemote, $iLen = StringLen($sPath), $hProcess, $pAllocAdresse, $aError, $hOpen, $pLoadLibraryA, $vStruct
    ;~ SetPrivilege("SeDebugPrivilege", 1)
    ; Enable SeDebugPrivilege on the current process token, then close the token handle
    Local $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS)
    Local $sPrivilege = "SeDebugPrivilege"
    Local $fEnable = True
    _Security__SetPrivilege($hToken, $sPrivilege, $fEnable)
    _WinAPI_CloseHandle($hToken)

    SetError(0)

    ; $hProcess is the NomadMemory array; element [1] is the process handle
    $hProcess = _MemoryOpen($PID)

    $aError = @error
    If $aError Then
        SetError(1)
        Return $aError
    EndIf

    ; Allocate a buffer in the target process and write the DLL path into it
    $pAllocAdresse = _MemVirtualAllocEx($hProcess[1], 0, $iLen + 1, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)

    _MemoryWrite($pAllocAdresse, $hProcess, $sPath, 'char[' & $iLen & ']')

    $aError = @error
    If $aError Then
        SetError(2)
        Return $aError
    EndIf

    $hOpen = DllOpen("Kernel32.dll")

    $aError = @error
    If $aError Then
        SetError(3)
        Return $aError
    EndIf

    ; Start a thread in the target at LoadLibraryA with the path buffer as its argument
    $pLoadLibraryA = DllCall($hOpen, "HANDLE", "GetProcAddress", "HANDLE", _WinAPI_GetModuleHandle("kernel32.dll"), "str", "LoadLibraryA")
    $hRemote = DllCall($hOpen, "HANDLE", "CreateRemoteThread", "HANDLE", $hProcess[1], "int", 0, "int", 0, "DWORD", $pLoadLibraryA[0], "ptr", $pAllocAdresse, "DWORD", 0, "DWORD*", 0)

    ; The thread exit code is the return value of LoadLibraryA (the hModule)
    _WinAPI_WaitForSingleObject($hRemote[0])
    $vStruct = DllStructCreate("HANDLE;")
    DllCall($hOpen, "BOOL", "GetExitCodeThread", "HANDLE", $hRemote[0], "ptr", DllStructGetPtr($vStruct, 1))
    $aError = DllStructGetData($vStruct, 1)

    _WinAPI_CloseHandle($hRemote[0])
    DllClose($hOpen)
    ; _MemVirtualFreeEx expects the process handle, not the NomadMemory array; MEM_RELEASE requires size 0
    _MemVirtualFreeEx($hProcess[1], $pAllocAdresse, 0, $MEM_RELEASE)
    _MemoryClose($hProcess)

    If $aError = False Then
        SetError(4)
        Return $aError
    EndIf

    Return $aError
EndFunc ;==>_InjectAttachDll

; #FUNCTION# ====================================================================================================================
; Name...........: _InjectDetachDllEx
; Description ...: Ejects a .dll file off a process
; Syntax.........: _InjectDetachDllEx($hModule, $PID)
; Parameters ....: $hModule - hModule of the dll to be ejected
;                  $PID     - A process identifier
; Return values .: Success - Returns True
;                  Failure - Returns @Error of the failed function and sets @Error:
;                  |@error = 1 - _MemoryOpen failed -> $PID might be wrong
;                  |@error = 2 - DllOpen failed -> kernel32.dll might not have been found
;                  |@error = 3 - GetExitCodeThread failed -> "SeDebugPrivilege" might not have been set. #RequireAdmin might solve this problem
; Author ........: Deathly Assassin (http://www.autoitbot.de)
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================


Func _InjectDetachDllEx($hModule, $PID)
    Local $hRemote, $hProcess, $aError, $hOpen, $pFreeLibrary, $vStruct
    ;~ SetPrivilege("SeDebugPrivilege", 1)
    ; Enable SeDebugPrivilege on the current process token, then close the token handle
    Local $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS)
    Local $sPrivilege = "SeDebugPrivilege"
    Local $fEnable = True
    _Security__SetPrivilege($hToken, $sPrivilege, $fEnable)
    _WinAPI_CloseHandle($hToken)
    SetError(0)

    $hProcess = _MemoryOpen($PID)

    $aError = @error
    If $aError Then
        SetError(1)
        Return $aError
    EndIf


    $hOpen = DllOpen("Kernel32.dll")

    $aError = @error
    If $aError Then
        SetError(2)
        Return $aError
    EndIf

    ; Start a thread in the target at FreeLibrary with the module handle as its argument
    $pFreeLibrary = DllCall($hOpen, "HANDLE", "GetProcAddress", "HANDLE", _WinAPI_GetModuleHandle("kernel32.dll"), "str", "FreeLibrary")
    $hRemote = DllCall($hOpen, "HANDLE", "CreateRemoteThread", "HANDLE", $hProcess[1], "int", 0, "int", 0, "DWORD", $pFreeLibrary[0], "ptr", $hModule, "DWORD", 0, "DWORD*", 0)
    _WinAPI_WaitForSingleObject($hRemote[0])
    ; The thread exit code is the BOOL returned by FreeLibrary
    $vStruct = DllStructCreate("BOOL;")
    DllCall($hOpen, "BOOL", "GetExitCodeThread", "HANDLE", $hRemote[0], "ptr", DllStructGetPtr($vStruct, 1))
    $aError = DllStructGetData($vStruct, 1)

    _WinAPI_CloseHandle($hRemote[0])
    DllClose($hOpen)
    _MemoryClose($hProcess)

    If $aError = False Then
        SetError(3)
        Return $aError
    EndIf

    Return $aError
EndFunc ;==>_InjectDetachDllEx

; #FUNCTION# ====================================================================================================================
; Name...........: _InjectDetachDll
; Description ...: Ejects a .dll file off a process
; Syntax.........: _InjectDetachDll($sPath, $PID)
; Parameters ....: $sPath - Path of the dll to be ejected
;                  $PID   - A process identifier
; Return values .: Success - Returns True
;                  Failure - Returns -1 and sets @Error or -1 / Returns the return of _InjectDetachDllEx and sets _InjectDetachDllEx's @Error
;                  |@error = -1 - _InjectModulInfo failed -> Return=1:Wrong PID; Return=2:DllOpen failed -> kernel32.dll might not have been found
;                  |@error = -2 - Module wasn't found
; Author ........: Deathly Assassin (http://www.autoitbot.de)
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================


Func _InjectDetachDll($sPath, $PID)
    Local $aArray, $i
    $aArray = _InjectModulInfo($PID)
    If @error Then
        ; Return -1 as documented above (the original returned an uninitialised variable)
        SetError(-1)
        Return -1
    EndIf

    ; Column 9 is szExePath, column 7 is hModule (see _InjectModulInfo)
    For $i = 0 To UBound($aArray) - 1
        If $aArray[$i][9] = $sPath Then
            Return _InjectDetachDllEx($aArray[$i][7], $PID)
        EndIf
    Next

    SetError(-2)
    Return -1
EndFunc ;==>_InjectDetachDll

; #FUNCTION# ====================================================================================================================
; Name...........: _InjectModulInfo
; Description ...: Returns information about every module in the specified process
; Syntax.........: _InjectModulInfo($PID)
; Parameters ....: $PID - A process identifier
; Return values .: Success - Returns a 2D array with the modules and their information
;                  Failure - Returns -1 and sets @Error:
;                  |@error = 1 - Wrong PID
;                  |@error = 2 - DllOpen failed -> kernel32.dll might not have been found
; Author ........: Deathly Assassin (http://www.autoitbot.de)
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================


Func _InjectModulInfo($PID)
    Local $hModule, $hSnapshot, $hOpen, $iCount = 0, $aArray[1][10], $i, $aError, $vMODULEENTRY32

    If Not ProcessExists($PID) Then
        SetError(1)
        Return -1
    EndIf

    ;~ SetPrivilege("SeDebugPrivilege", 1)
    ; Enable SeDebugPrivilege on the current process token, then close the token handle
    Local $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS)
    Local $sPrivilege = "SeDebugPrivilege"
    Local $fEnable = True
    _Security__SetPrivilege($hToken, $sPrivilege, $fEnable)
    _WinAPI_CloseHandle($hToken)
    $hOpen = DllOpen("Kernel32.dll")

    If @error Then
        SetError(2)
        Return -1
    EndIf

    ; MODULEENTRY32 layout; dwSize must be set before the first call
    $vMODULEENTRY32 = DllStructCreate("DWORD dwSize; DWORD th32ModuleID; DWORD th32ProcessID; DWORD GlblcntUsage; DWORD ProccntUsage; ptr modBaseAddr; DWORD modBaseSize; HANDLE hModule; CHAR szModule[256]; CHAR szExePath[260];")
    DllStructSetData($vMODULEENTRY32, 1, DllStructGetSize($vMODULEENTRY32))
    ; 8 = TH32CS_SNAPMODULE
    $hSnapshot = DllCall($hOpen, "HANDLE", "CreateToolhelp32Snapshot", "DWORD", 8, "DWORD", $PID)
    DllCall($hOpen, "BOOL", "Module32First", "HANDLE", $hSnapshot[0], "ptr", DllStructGetPtr($vMODULEENTRY32))

    ; Copy all 10 struct fields of each module into one row of the result array
    Do
        ReDim $aArray[$iCount + 1][10]
        For $i = 1 To 10
            $aArray[$iCount][$i - 1] = DllStructGetData($vMODULEENTRY32, $i)
        Next
        $iCount += 1
        $aError = DllCall($hOpen, "BOOL", "Module32Next", "HANDLE", $hSnapshot[0], "ptr", DllStructGetPtr($vMODULEENTRY32))
    Until Not $aError[0]

    ; Close the snapshot handle so it is not leaked
    DllCall($hOpen, "BOOL", "CloseHandle", "HANDLE", $hSnapshot[0])
    DllClose($hOpen)

    Return $aArray
EndFunc ;==>_InjectModulInfo

 

 

 

And an example as well:

inject example.rar

Posted

You know, I could even try writing an injector like that?

After all, it's not that much work when you have this UDF :D

Give me until Wednesday at the latest :P

 

I made an injector without the functions from this UDF :P

If I don't forget, I'll upload it for you tomorrow.

Posted

Here you go, pulled straight from my bot:

 

 

 

$hwnd = WinGetHandle("NosTale") ; window title

Global Const $dllpath = @ScriptDir & "\nosPacket.dll" ; path to the DLL
Global Const $dllname = "nosPacket.dll" ; name of the DLL

If Not FileExists($dllpath) Then
   MsgBox(0x10, "Error", $dllpath & " Nie znaleziono DLL w tej lokacji")
   Exit
EndIf

$hMod = GetModule($hwnd, $dllname)
If $hMod = 0 Then
   $iDLL = InjectModule($hwnd, $dllpath)
   If Not @error Then
       WinWait("NosTale Packetlogger [1.2] by Elektrochemie")
       ;_GUICtrlEdit_InsertText($edit1, "["&@HOUR&":"&@MIN&":"&@SEC&"]"&" Packet Logger załadowany poprawnie"& @CRLF, 0)

   Else
       MsgBox(0x10, "NexBot", "Nie mogę wstrzyknąć DLL do tego procesu" )
   EndIf
Else
   MsgBox(0, "NexBot", $dllname & " jest już włączony", 1)
EndIf


Func GetModule($hWnd, $ModuleName)

   Local Const $MODULEENTRY32Struct = DllStructCreate("dword dwsize;" & _
           "dword th32ModuleID;" & _
           "dword th32ProcessId;" & _
           "dword GlblcntUsage;" & _
           "dword ProccntUsage;" & _
           "dword modBaseAddr;" & _
           "dword modBaseSize;" & _
           "dword hModule;" & _
           "char szModule[256];" & _
           "char szExePath[260];")

   Local $SnapShot = DllCall("Kernel32.dll", "hwnd", "CreateToolhelp32Snapshot", "dword", 0x08, "dword", WinGetProcess($hWnd))

   DllStructSetData($MODULEENTRY32Struct, "dwsize", DllStructGetSize($MODULEENTRY32Struct))

   Local $State = DllCall("Kernel32.dll", "int", "Module32First", "hwnd", $SnapShot[0], "ptr", DllStructGetPtr($MODULEENTRY32Struct))

   Do
       $ReadModule = DllStructGetData($MODULEENTRY32Struct, "szModule")
       If $ReadModule == $ModuleName Then
           ; Close the snapshot before returning so the handle is not leaked
           DllCall("Kernel32.dll", "int", "CloseHandle", "int", $SnapShot[0])
           Return "0x" & (Hex(DllStructGetData($MODULEENTRY32Struct, 'modBaseAddr')))
       EndIf
       $State = DllCall("Kernel32.dll", "int", "Module32Next", "hwnd", $SnapShot[0], "ptr", DllStructGetPtr($MODULEENTRY32Struct))
       Sleep(1)
   Until Not $State[0]
   DllCall("Kernel32.dll", "int", "CloseHandle", "int", $SnapShot[0])

   Return 0
EndFunc   ;==>GetModule

Func InjectModule($hwnd, $dllpath)
   If IsHWnd($hwnd) = 0 Then
       SetError(-1)
       Return False
   ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
       SetError(-2)
       Return False
   EndIf

   Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread

   Local $kernel32 = DllOpen("kernel32.dll")
   If $kernel32 = -1 Then
       Exit
   EndIf

   $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $hwnd, "int*", 0)
   If IsArray($pid) Then
       $pid = $pid[2]
   Else
       SetError(-3)
       Return False
   EndIf

   $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid)
   If IsArray($pHandle) And $pHandle[0] > 0 Then
       $pHandle = $pHandle[0]
   Else
       SetError(-4)
       Return False
   EndIf

   $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4)
   If IsArray($pLibRemote) Then
       If $pLibRemote[0] > 0 Then
           ;ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
           $pLibRemote = $pLibRemote[0]
       Else
           SetError(-5)
           Return False
       EndIf
   Else
       SetError(-6)
       Return False
   EndIf

   For $i = 0 To StringLen($dllpath)
       $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int*", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
       If IsArray($ret) Then
           If $ret[0] = 0 Then
               SetError(-7)
               Return False
           EndIf
       Else
           SetError(-8)
           Return False
       EndIf
   Next

   $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
   If IsArray($modHandle) Then
       If $modHandle[0] > 0 Then
           $modHandle = $modHandle[0]
       Else
           SetError(-9)
           Return False
       EndIf
   Else
       SetError(-10)
       Return False
   EndIf

   $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
   If IsArray($LoadLibraryA) Then
       If $LoadLibraryA[0] > 0 Then
           $LoadLibraryA = $LoadLibraryA[0]
       Else
           SetError(-11)
           Return False
       EndIf
   Else
       SetError(-12)
       Return False
   EndIf

   $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
   If IsArray($hThread) Then
       ;ConsoleWrite($hThread[0] & @CR)
       If $hThread[0] > 0 Then
           $hThread = $hThread[0]
       Else
           SetError(-13)
           Return False
       EndIf
   Else
       SetError(-14)
       Return False
   EndIf

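   ; Wait for the remote thread to finish before releasing the path buffer it reads
   DllCall($kernel32, "int", "WaitForSingleObject", "int", $hThread, "int", -1)
   ; MEM_RELEASE (0x8000) requires a size of 0
   DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0, "int", 0x8000)
   DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
   DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)

   DllClose($kernel32)

   Return True

EndFunc   ;==>InjectModule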

 

 

Posted

@up

Nice, nice, everything works on the same principle.

First it declares space for the DLL and then injects it.

Ah, sometimes I regret that you can't make DLLs in AutoIt :(

 

And I still don't get the Windows kernel and DLLs.

If you could, send me some tutorials by PM or post them here.

Archived

This topic is now archived. Posting new replies has been disabled.
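
Both injectors in this thread leave the same observable sequence: the target is opened with broad access (0x1F0FFF in the second post), the DLL path is written into it, and a remote thread is started at LoadLibraryA (FreeLibrary for ejection). As an added example that is not part of the original posts, the Python below correlates that sequence in Sysmon-style ProcessAccess (ID 10) and CreateRemoteThread (ID 8) records; the sample events and image paths are constructed.

```python
# Added example: flag the remote-thread DLL loading pattern in Sysmon-style events.

# Access rights an injector needs on the target (0x1F0FFF in the post includes all three).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Remote-thread entry points used by the attach and detach functions in this thread.
LOADER_FUNCS = {"loadlibrarya", "loadlibraryw", "freelibrary"}

# Constructed sample records (hypothetical image paths), keyed by Sysmon field names.
BOT = r"C:\Tools\bot.exe"
GAME = r"C:\Games\client.exe"
K32 = r"C:\Windows\SysWOW64\kernel32.dll"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": BOT, "TargetImage": GAME, "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "SourceImage": BOT, "TargetImage": GAME,
     "StartModule": K32, "StartFunction": "LoadLibraryA"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": GAME, "GrantedAccess": "0x1410"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": GAME,
     "StartModule": K32, "StartFunction": "CtrlRoutine"},
]


def find_dll_injection(events):
    """Return one finding per remote thread that starts at a loader export.

    access_seen is True when the same source earlier opened the same target
    with create-thread, VM-operation and VM-write rights (ProcessAccess, ID 10).
    """
    armed = set()  # (source, target) pairs holding injection-capable access
    findings = []
    for ev in events:
        pair = (ev["SourceImage"].lower(), ev["TargetImage"].lower())
        if ev["EventID"] == 10:
            if (int(ev["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK:
                armed.add(pair)
        elif ev["EventID"] == 8:
            if ev.get("StartFunction", "").lower() in LOADER_FUNCS:
                findings.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                                 "function": ev["StartFunction"], "access_seen": pair in armed})
    return findings


if __name__ == "__main__":
    for finding in find_dll_injection(SAMPLE_EVENTS):
        print(finding)
```

The query-only access by taskmgr.exe and the CtrlRoutine thread from csrss.exe in the sample are not flagged, which is the baseline noise a rule like this has to tolerate.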
