Wrinting a function to a running process

I know the basics of capturing process info/handle so you can skip that, what I need to know is how I go about writing an executable piece of code to the process along with the data it needs to run.
Example:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
// Cut down for simplicity.
typedef struct _HACK HACK;
typedef struct _HACKS HACKS;
typedef struct _CODE CODE;
typedef struct _CODES CODES;
unsigned long long readAddressPointer( unsigned long long addr )
{
  return (unisgned long long)(&(void*)addr);
}
long recursingHackReader( HACKS *hacks, long hackNum, CODES *codes ...etc )
{
  static char codePath[ FILENAME ] = {0};
  // ...code that understands the above structs
  return hackNum;
}
void startingHackRedaer( void )
{
  char hackPath[ FILENAME ] = {0};
  recursingHackReader( &hacks, hacks.buff[0].first, &codes, ...etc );
}

Obviously there would be more than what I have provided but it should give you the basic idea of what I want to write to the process and what I want it to do. I tried googling it but that just gave me crap about writing data only, since there is executable code it left me unclear as to whether I must writing it in a special way to ensure it executes the way it was supposed to or whether I just compile the functions and pass the pointers of the function like this: WriteProc( ..., recursinfHackHeader, sizeof( recursingHackHeader, ... );
The cleanest way to go about it IMHO would be DLL injection. This is where you compile your executable code into a DLL file and use VirtualAllocEx to allocate enough room in the remote program to write a string containing the name\path of your DLL. Then you use WriteProcessMemory to actually write the data into the remote process. And finally call CreateRemoteThread to execute LoadLibrary in the remote process. The trick here is that LoadLibrary will call DllMain in your custom DLL and your code can start executing as soon as it's loaded from there.

There are other ways to do this, but they involve playing around in assembly land and\or guessing at the size of the function that you're injecting and I personally prefer not to use them.

- VirtualAllocEx(): http://msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx

- WriteProcessMemory(): http://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx

- CreateRemoteThread(): http://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx

- LoadLibrary(): http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175(v=vs.85).aspx

In the interest of completion:

- VirtualFreeEx(): http://msdn.microsoft.com/en-us/library/windows/desktop/aa366894(v=vs.85).aspx

- FreeLibrary(): http://msdn.microsoft.com/en-us/library/windows/desktop/ms683152(v=vs.85).aspx
Thank you, I was already aware of that method and will be making it an option but some games require the programme to be as undetectable as possible so that it's hacks/cheats cannot be blocked. Because this problem with some games I wanted to make the most undetectable method the default which is why I wanted to confirm the method of which such functions must be written into an exe/process.
To be able to inject into such processes without DLL injection, which can be blocked fairly easily just by detouring LdrLoadDll(). Check my blog to see how you can prevent DLL injections: http://codeempire.blogspot.co.uk/2013/10/security-blocking-dll-injections.html

DLL injection for games is perhaps the most stupid way to go about it as its the first thing a game developer will block.

That being said, you could always perform an PE injection into that process. It tends to normally work with complex code and its pretty simple with working knowledge of PE file format:

http://www.sevagas.com/?PE-injection-explained

To learn about it check the above link its brilliant.
The 2nd 1 is what i'm looking for, thank you for your help :D
I guess there was a misunderstanding somewhere if you thought I was after DLL injection which is easy to research but thank you providing me the sort of link I needed.
Always my pleasure (unless you werent talking to me, lol)
Definitely you orion, needed the PE-injection link, wil begin trying it out on Wed, got work 2mw and Tue
You see this is a perfect example of where changing one seemingly small parameter in the problem completely changes the situation. 90% of the time you are injecting code into another process it is either for monitoring or debugging. Those processes don't care about blocking the foreign code because they have no reason to, that's what an AV suite is for. In the case of you injecting your code into a game however there are dozens of reasons for the creator to block the alien DLL. At some point in your academic career, you will be taking a class that goes over the many reasons and scenarios where details matter; I highly suggest you pay attention to that course OP.

Now as for you issue. I read the code in the article that OrionMaster linked to and I'll say that it's a cute method of accomplishing what you are setting out to do. But it does absolutely nothing to stop the target process of simply hashing itself and blasting you when it sees the discrepancy in your image. Doing this by the way, is even easier for the game's authors to do then hooking LdrLibrary() would be. And if your target process does not run a hash on itself, then why are you waiting for the image to be running in memory before making your changes? Just make your modifications to the image as it exists on disk one time and be done with it. Have you never cracked software before?
Last edited on
@Computergeek01

That is a problem but its perhaps the best solution in-fact we could even simply evade that by creating the game in an suspended state then injecting before even its protection is initialized, using PE injection.
Last edited on
Thank you for your replies, I am aware of those issues and as I said before I want to make the least detectable method the default, as for why I want to do it in a pre-existing process it's because what I'm making is a general purpose hacking software that deliberately supports cheats/codelists since they're the main reason the common Joe would download this software, tools like http://www.cheatengine.org/ are nice but they leave a lot to be desired which is why I'm making the software.
Example scenario:
User starts up a game, they play for a a while, they've gathered 1000 gold or something and then decide they can't be bothered to put in the effort to acquire say 10000 gold, they want to cheat so they switch out of the window look up a codelist on the net and download it, they boot up my app and load the codelist, it reveals itself as a tree instead a list the user then selects multiple codes and hits the activated "(M) Hook" instead of "Own Hook" the app now injects either a DLL or peice of code into the running process the user has already selected, now the user has much more than the 10000 gold they originally wanted the codelist for and they didn't have to figure out which way they should hook the game.

In the event there is no codelist available the user could simply search out the addresses themselves which can sometimes be better then simply getting on with the in-game method.
Last edited on
Still working on it (albeit slowly), so far the code compiles to just 194KB for the EXE that will be injected into other EXEs, only posting to make sure thread doesn't close before I finish implementing it and trying it out. Once I do I will post here again regardless of whether I fail or succeed with the injection and reading of codes (at least it will be of use to others trying similar stuff)
Alright my injectable executable is now as ready as I can think to make it, next I need to know how to launch it with the desired process as it's parent which it will then identify on the 1st iteration of main allow it to inject itself into it's parent and begin loading the hacks & their codes based on the process id. I tried googling it but it brings up CreateProcess and that doesn't seem to cover external parents but rather uses the current process as parent, that interferes with my EXEs effort to identify where it is injecting itself as it cannot be given that information directly.
Never mind, I found a way to pass the pid to the process directly:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
// GUI
void execHacksId( DWORD pid )
{
  DWORD buf[2] = {0, pid};
  STARTUPINFO si = { sizeof(si), 0 };
  PROCESS_INFORMATION pi = {0};
  si.lpReserved2 = (BYTE*)buf;
#ifdef _DEBUG
#if _WIN == 32
  CreateProcess( "hackProc-msw-x86-d-vc.exe",
#else
  CreateProcess( "hackProc-msw-x64-d-vc.exe",
#endif
#else
#if _WIN == 32
  CreateProcess( "hackProc-msw-x86-vc.exe",
#else
  CreateProcess( "hackProc-msw-x64-vc.exe",
#endif
#endif
    NULL, NULL, NULL, 0, 0, NULL, NULL, &si, &pi );
}
// Injectable EXE
DWORD  main()
{
  int   procId = s_getpid();
  STARTUPINFO si = { sizeof(si), 0 };
  char  procIdTxt[ 10 ] = {0};
  char  procTmp[ MAX_PATH ] = {0};
  HACKDATA data = {0};
  char tmp[ MAX_PATH ] = {0};
  char *procTmp2 = procTmp, *tmp2 = tmp;
  UZ   envRetSize = 0;
  HACKINFO hackInfo = {0};
  CODES codes = {0};
  GetStartupInfo(&si);
  if ( si.lpReserved2 && ((DWORD*)si.lpReserved2)[0] == 0 )
    entryPoint( ((DWORD*)si.lpReserved2)[1] );
  else
  {
    _itoa_s( procId, procIdTxt, 10, 16 );
    getenv_s( &envRetSize, data.folder, MAX_PATH, "TMP" );
    strcat_s( data.folder, MAX_PATH, "\\" );
    strcat_s( data.folder, MAX_PATH, procIdTxt );
    strcat_s( data.folder, MAX_PATH, "\\" );
    strcpy_s( data.file, MAX_PATH, data.folder );
    strcat_s( data.file, MAX_PATH, "hacks.bin" );
    MessageBoxA( NULL, procTmp, NULL, 0 );
    if ( PathFileExistsA( data.folder ) )
    {
      if ( sfopen_s( &data.hacks, data.file, "rb" ) == 0 )
      {
        strcpy_s( data.file, MAX_PATH, data.folder );
        strcat_s( data.file, MAX_PATH, "codes.bin" );
        if( sfopen_s( &data.codes, data.file, "rwb" ) == 0 &&
           sfread( &hackInfo, sizeof( HACKINFO ), 1, data.hacks ) != 0 )
        {
          // Start Loading codes
          hackProc( &data, &hackInfo, &codes, -1, 0 );
          sfclose( data.codes );
        }
        sfclose( data.hacks );
      }
    }
  }
  ExitThread(0);
  return 0;
}

I'll have to look into a unix/osx solution later after confirming the hacks/codes are being read/written correctly as I'm supporting multiple text formats as well, they will be converted from text to raw and back again once I'm done.
For anyone interested in what I'm doing I'm uploading my source code to https://github.com/awsdert/medit
Topic archived. No new replies allowed.