Derp stuff
// dllmain.cpp : Defines the entry point for the DLL application. | |
#include "stdafx.h"
#include <cstdio>
#include <cstring>
#include <windows.h>
// Exported so the injector (or a debugger) can call them by name; the DLL
// also calls both itself from DllMain on DLL_PROCESS_ATTACH.
__declspec(dllexport) void InitConsole();
__declspec(dllexport) void InitSniffer();
// Overwrites 5 + nNops bytes at pSrc with a relative JMP to pDest.
// NOTE(review): the definition below does its address arithmetic in DWORD,
// so this whole file is 32-bit x86 only.
__declspec(dllexport) void JmpPatch(void *pDest, void *pSrc, int nNops = 0);
// Convenience overload taking raw 32-bit addresses; forwards to the pointer form.
// Default nNops is repeated here because this is a separate overload.
__declspec(dllexport) void JmpPatch(unsigned long dest, unsigned long src, int nNops = 0) { JmpPatch((PBYTE)dest, (PBYTE)src, nNops); };
// Writes str to the console created by InitConsole via WriteConsole; the CRT's
// stdout is not used for output in this file.
void _printf(char* str);
// Hook body; presumably the target installed with JmpPatch - TODO confirm the
// call site, none is visible here.
void OnPacketReceive();
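// DLL entry point.  Everything here runs under the loader lock, so only
// kernel32 calls are made and nothing waits on other threads.
//
// Module     - this DLL's module handle
// callReason - DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH / DLL_THREAD_DETACH / DLL_PROCESS_DETACH
// lpReserved - on DLL_PROCESS_DETACH, non-NULL means the process is terminating,
//              in which case cleanup is pointless and may touch unloaded state
// Returns TRUE always; returning FALSE on attach would make the injector's
// LoadLibrary fail, which is never what we want here.
//
// Fixed relative to the old version:
//  * DLL_THREAD_DETACH used to fall through into the process-detach path, so
//    the console was freed and the DLL unloaded whenever *any* host thread
//    exited.
//  * TerminateThread(Module, 0) was being handed a module handle, not a
//    thread handle, and FreeLibrary(Module) is not allowed from inside
//    DllMain at all (loader lock re-entry).  Both are gone.
//  * Sleep(100) in DllMain blocked the loader for no reason.
BOOL APIENTRY DllMain( HMODULE Module,
                       DWORD callReason,
                       LPVOID lpReserved
                     )
{
    switch (callReason)
    {
    case DLL_PROCESS_ATTACH:
        // AllocConsole/WriteConsole are kernel32 calls and are safe under the
        // loader lock; anything heavier should move to a worker thread.
        InitConsole();
        InitSniffer();
        break;
    case DLL_THREAD_ATTACH:
        _printf("Got attached to a thread\n");
        break;
    case DLL_THREAD_DETACH:
        // Nothing per-thread to release.
        break;
    case DLL_PROCESS_DETACH:
        if (lpReserved == NULL) {
            // Explicit FreeLibrary by someone: give the console back.  On
            // process exit (lpReserved != NULL) the OS tears it down anyway.
            _printf("Detaching ...\n");
            FreeConsole();
        }
        break;
    }
    return TRUE;
}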
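// Hook body.  Presumably installed with JmpPatch() at the client's packet
// receive routine (HookAddrCMSG in Helper.h looks like the intended site) -
// TODO confirm, no call site is visible in this file.
//
// pushad/popad keep the general-purpose registers intact around the call;
// pushfd/popfd are added because the call into _printf (strlen, WriteConsole)
// clobbers EFLAGS, which the patched code may still depend on.
//
// NOTE(review): this is a probe, not a working detour.  Nothing here
// re-executes the 5+ bytes JmpPatch overwrote at the hook site, and the
// function returns with a normal `ret` into whatever was on the stack.
void OnPacketReceive() {
    __asm pushad;
    __asm pushfd;
    _printf("Hello world!\n");
    __asm popfd;
    __asm popad;
}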
// Attaches a fresh console to the host process, titles it and prints the
// banner through _printf (the only output path this DLL uses).
// Exported so the injector can trigger it by name as well.
__declspec(dllexport) void InitConsole()
{
    const char* bannerLines[] = {
        "Welcome to Flu 1.0\n",
        "Successfully injected - DLL is now running.\n\n",
    };
    const size_t lineCount = sizeof(bannerLines) / sizeof(bannerLines[0]);

    AllocConsole();
    SetConsoleTitle(TEXT("Flu 1.0 - Created by Warpten <vertozor@gmail.com>"));

    // _printf takes a non-const char*; the literals are never written to.
    for (size_t i = 0; i < lineCount; ++i)
        _printf(const_cast<char*>(bannerLines[i]));
}
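// Reports the host's main module handle.  The build-ID check the first
// message announces was never implemented (the ReadProcessMemory / 0x00BB8638
// code was commented out), so nothing is verified here.
// NOTE(review): the 0x00BB8638 offset, Helper.h's "5.0.5" comment and
// main.cpp's "4.3.4.15595" banner disagree; re-derive the build-ID address
// for the intended client before re-enabling the check.
__declspec(dllexport) void InitSniffer()
{
    _printf("Checking build ID\n");

    HMODULE wowHandle = GetModuleHandle(NULL);
    if (!wowHandle) {
        // Only fails in pathological cases, but say so rather than print a null.
        _printf("GetModuleHandle(NULL) failed\n");
        return;
    }

    // The old code did printf("Handle %u", ptr): a format mismatch (pointer
    // printed with %u) written to the CRT's stdout, which is not connected to
    // the console AllocConsole() created - so it was wrong and invisible.
    // Format into a local buffer and go through the console writer instead.
    char line[64];
    snprintf(line, sizeof(line), "Handle %p\n", static_cast<void*>(wowHandle));
    _printf(line);
}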
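// Writes a NUL-terminated narrow string straight to the console allocated by
// InitConsole().  The CRT's stdout is not redirected to that console, so this
// is the one output path the DLL uses.
// str - text to write; NULL is ignored instead of crashing in strlen().
void _printf(char* str)
{
    if (str == NULL)
        return;

    HANDLE h = GetStdHandle(STD_OUTPUT_HANDLE);
    // No console (AllocConsole failed or FreeConsole already ran): nothing to
    // write to, and WriteConsole would only fail.
    if (h == NULL || h == INVALID_HANDLE_VALUE)
        return;

    // WriteConsoleA explicitly: this file does not #undef UNICODE the way
    // Helper.h does, and the generic WriteConsole macro would become
    // WriteConsoleW in a UNICODE build and read our bytes as UTF-16.
    DWORD written = 0;
    WriteConsoleA(h, str, static_cast<DWORD>(strlen(str)), &written, NULL);
}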
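// Installs a 5-byte relative JMP at pSrc that lands on pDest, then pads the
// following nNops bytes with NOPs so a partially overwritten instruction does
// not leave garbage behind the jump.
//
// pDest - hook target (where execution goes)
// pSrc  - code address being patched; must cover at least 5 + nNops bytes
// nNops - extra bytes to NOP after the jump; negative values are treated as 0
//
// The caller must pick nNops so that 5 + nNops ends on an instruction boundary
// of the original code; nothing here disassembles.  The patch is skipped when
// the page cannot be made writable - the old code ignored the VirtualProtect
// result and then faulted on the write.  32-bit x86 only: the displacement
// is rel32 and there is no check that pDest is within +/-2 GiB of pSrc.
__declspec(dllexport) void JmpPatch(void *pDest, void *pSrc, int nNops) {
    if (pSrc == NULL || pDest == NULL)
        return;
    if (nNops < 0)
        nNops = 0;

    const SIZE_T patchLen = 5 + static_cast<SIZE_T>(nNops);
    BYTE* code = static_cast<BYTE*>(pSrc);

    DWORD oldProt = 0;
    if (!VirtualProtect(pSrc, patchLen, PAGE_EXECUTE_READWRITE, &oldProt))
        return;

    // E9 rel32: the displacement is relative to the end of the 5-byte JMP.
    const DWORD_PTR rel = reinterpret_cast<DWORD_PTR>(pDest) - reinterpret_cast<DWORD_PTR>(pSrc) - 5;
    const DWORD rel32 = static_cast<DWORD>(rel);
    code[0] = 0xE9;
    memcpy(code + 1, &rel32, sizeof(rel32));
    memset(code + 5, 0x90, static_cast<size_t>(nNops));

    DWORD ignored = 0;
    VirtualProtect(pSrc, patchLen, oldProt, &ignored);
    // Self-modifying code: do not let the CPU keep executing stale bytes.
    FlushInstructionCache(GetCurrentProcess(), pSrc, patchLen);
}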
#undef UNICODE | |
#include <windows.h> | |
#include <windowsx.h> | |
#include <iostream> | |
#include <cstdio> | |
#include <string> | |
#include <vector> | |
#include <string> | |
#include <windows.h> | |
#include <tlhelp32.h> | |
#include <iostream> | |
#include <psapi.h> | |
#pragma comment(lib, "psapi.lib") | |
// Process rights needed for the injection steps in main.cpp: create the remote
// thread, query the module path, and allocate/read/write the DLL-path buffer.
// Prefer this over a PROCESS_ALL_ACCESS mask.
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
// Known client build numbers (3.3.5 and 4.3.4).  Not referenced in the
// visible code; the build check in InitSniffer is commented out.
#define CLIENT_BUILD_335 12340
#define CLIENT_BUILD_434 15595
// Hook site for the packet hook, relative to an image base of 0 (add the
// module base at runtime).  NOTE(review): this comment says 5.0.5 while
// main.cpp's banner says 4.3.4.15595 - confirm which build the offset
// belongs to before patching with it.
#define HookAddrCMSG 0x77B16A // 5.0.5 (Rebased to 0x0)
#include "Helper.h"
#include <algorithm>
#include <cstring>
#include <sstream>
#include <direct.h>
#include <strsafe.h>
// Formats GetLastError() for lpszFunction, shows it in a message box and
// terminates the process; it does not return.
void ErrorExit(LPTSTR lpszFunction);
// Reads len bytes at address in the target process into buffer (a thin
// ReadProcessMemory wrapper; failures are not reported).
void CheckClientBuild(HANDLE clientHandle, DWORD address, int len, void* buffer);
// Declared but not defined in the visible code - presumably meant for the
// "already injected?" check (step 4 in main), which is still a TODO.
HMODULE WINAPI GetRemoteModuleHandle(HANDLE hProcess, LPCSTR lpModuleName);
// Builds the full path of InjectedDLL.dll next to this executable.
std::string GetDllPath();
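// Injector entry point: finds the first Wow.exe process, copies the path of
// InjectedDLL.dll (the one beside this executable) into it, and runs
// LoadLibraryA on that path from a remote thread.
// Returns 0 on success, 1 when Wow.exe is not running or a step fails;
// Win32 failures go through ErrorExit, which shows the error and terminates.
//
// Step 4 ("already injected?") is still unimplemented: running this twice
// loads the DLL a second time.  GetRemoteModuleHandle is declared for it but
// not defined here.
int main()
{
    std::cout << "Welcome to Flu - World of Warcraft 4.3.4.15595 Sniffer" << std::endl;
    std::cout << "Written by Warpten <vertozor@gmail.com>" << std::endl << std::endl;

    // EnableTokenPrivilege(SE_DEBUG_NAME);

    // 1. Locate Wow.exe.  The entry Process32First returns must be examined
    // too - the old loop called Process32Next first and skipped it.  Windows
    // file names are case-insensitive, so compare that way.
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    HANDLE tool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (tool32 == INVALID_HANDLE_VALUE) {
        ErrorExit("CreateToolhelp32Snapshot()");
        return 1;
    }
    bool foundWow = false;
    if (Process32First(tool32, &pe32)) {
        do {
            if (_stricmp(pe32.szExeFile, "Wow.exe") == 0) {
                foundWow = true;
                break;
            }
        } while (Process32Next(tool32, &pe32));
    }
    CloseHandle(tool32);

    if (!foundWow) {
        std::cout << "Wow.exe is not running." << std::endl;
        return 1;
    }

    // 2. Open it with only the rights the remaining steps need (Helper.h's
    // CREATE_THREAD_ACCESS) instead of a raw all-access mask.
    HANDLE clientHandle = OpenProcess(CREATE_THREAD_ACCESS, FALSE, pe32.th32ProcessID);
    if (!clientHandle) {
        ErrorExit("OpenProcess()");
        return 1;
    }

    // 3. Path of the target executable (informational only).
    TCHAR wowPath[MAX_PATH];
    if (!GetModuleFileNameEx(clientHandle, NULL, wowPath, MAX_PATH)) {
        CloseHandle(clientHandle);
        ErrorExit("GetModuleFileNameEx(clientHandle, NULL, wowPath, MAX_PATH)");
        return 1;
    }
    std::cout << "Wow exe found at: " << wowPath << std::endl;

    // 4. Path of the DLL to inject - always the one beside this executable.
    const std::string injectedDLL = GetDllPath();

    // 5. kernel32 is mapped at the same address in every process of the same
    // bitness, so our LoadLibraryA address is valid in the target
    // (32-bit injector -> 32-bit target only).
    LPVOID LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if (!LoadLibAddr) {
        CloseHandle(clientHandle);
        ErrorExit("GetProcAddress(LoadLibraryA)");
        return 1;
    }

    // 6. Copy the path including its NUL terminator.  The old code allocated
    // and wrote size() bytes and relied on the fresh page being zeroed.
    const SIZE_T pathBytes = injectedDLL.size() + 1;
    LPVOID allocatedBlock = VirtualAllocEx(clientHandle, NULL, pathBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!allocatedBlock) {
        CloseHandle(clientHandle);
        ErrorExit("VirtualAllocEx()");
        return 1;
    }
    if (!WriteProcessMemory(clientHandle, allocatedBlock, injectedDLL.c_str(), pathBytes, NULL)) {
        VirtualFreeEx(clientHandle, allocatedBlock, 0, MEM_RELEASE);
        CloseHandle(clientHandle);
        ErrorExit("WriteProcessMemory()");
        return 1;
    }

    // 7. Run LoadLibraryA(path) on a new thread in the target and wait for it,
    // so we can report whether the load happened and free the buffer only
    // after LoadLibraryA is done reading it.  On 32-bit the thread's exit code
    // is the HMODULE LoadLibraryA returned; zero means it failed in the target.
    HANDLE dllThread = CreateRemoteThread(clientHandle, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr, allocatedBlock, 0, NULL);
    if (!dllThread) {
        VirtualFreeEx(clientHandle, allocatedBlock, 0, MEM_RELEASE);
        CloseHandle(clientHandle);
        ErrorExit("CreateRemoteThread()");
        return 1;
    }

    int result = 0;
    if (WaitForSingleObject(dllThread, 10000) == WAIT_OBJECT_0) {
        DWORD exitCode = 0;
        if (GetExitCodeThread(dllThread, &exitCode) && exitCode != 0) {
            std::cout << "DLL loaded in Wow.exe." << std::endl;
        } else {
            std::cout << "LoadLibraryA failed inside Wow.exe (is InjectedDLL.dll next to this program and 32-bit?)." << std::endl;
            result = 1;
        }
        VirtualFreeEx(clientHandle, allocatedBlock, 0, MEM_RELEASE);
    } else {
        // Do not free the buffer while the remote thread may still read it.
        std::cout << "Timed out waiting for the remote LoadLibraryA thread." << std::endl;
        result = 1;
    }

    CloseHandle(dllThread);
    CloseHandle(clientHandle);
    return result;
}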
// Thin ReadProcessMemory wrapper: copies len bytes starting at address in
// clientHandle's address space into buffer.  The result is discarded, so a
// failed read leaves buffer untouched with no indication.  address is a
// 32-bit DWORD, so this is only meaningful against a 32-bit target.
void CheckClientBuild(HANDLE clientHandle, DWORD address, int len, void* buffer)
{
    LPCVOID remoteAddr = reinterpret_cast<LPCVOID>(static_cast<DWORD_PTR>(address));
    const SIZE_T byteCount = static_cast<SIZE_T>(len);
    ReadProcessMemory(clientHandle, remoteAddr, buffer, byteCount, NULL);
}
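// Formats the current GetLastError() as "<function> failed with error N : <text>",
// shows it in a message box and terminates the process with that error code.
// lpszFunction - name of the call that failed, used in the message (NULL tolerated).
// Never returns.
void ErrorExit(LPTSTR lpszFunction)
{
    // Read the error first: every call below could overwrite it.
    DWORD dw = GetLastError();
    LPCTSTR fnName = (lpszFunction != NULL) ? lpszFunction : TEXT("(unknown function)");

    // Retrieve the system error message for the last-error code.  If
    // FormatMessage fails it returns 0 and leaves the buffer pointer alone -
    // the old code then called lstrlen() on an uninitialized pointer.
    LPTSTR lpMsgBuf = NULL;
    DWORD msgLen = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        dw,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPTSTR) &lpMsgBuf,
        0, NULL);
    LPCTSTR msgText = (msgLen != 0 && lpMsgBuf != NULL) ? lpMsgBuf : TEXT("(no description available)");

    // Display the error message and exit the process.  +40 covers the fixed
    // text plus a decimal DWORD.
    SIZE_T chars = (SIZE_T)lstrlen(msgText) + (SIZE_T)lstrlen(fnName) + 40;
    LPTSTR lpDisplayBuf = (LPTSTR)LocalAlloc(LMEM_ZEROINIT, chars * sizeof(TCHAR));
    if (lpDisplayBuf != NULL) {
        // %lu: dw is unsigned; %d printed codes >= 0x80000000 as negatives.
        StringCchPrintf(lpDisplayBuf, chars, TEXT("%s failed with error %lu : %s"), fnName, dw, msgText);
        MessageBox(NULL, lpDisplayBuf, TEXT("Error"), MB_OK);
        LocalFree(lpDisplayBuf);
    } else {
        // Could not build the combined text; still show what we have.
        MessageBox(NULL, msgText, fnName, MB_OK);
    }

    if (lpMsgBuf != NULL)
        LocalFree(lpMsgBuf);
    ExitProcess(dw);
}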
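// Returns the full path of InjectedDLL.dll, which is expected to sit in the
// same directory as this executable.  Backslashes are turned into forward
// slashes, which LoadLibraryA accepts.  Exits the process (via ErrorExit) if
// our own path cannot be read or does not fit in MAX_PATH.
std::string GetDllPath()
{
    char currentPath[MAX_PATH];
    DWORD len = GetModuleFileName(NULL, currentPath, MAX_PATH);
    // 0 is failure; a result of MAX_PATH means the path was truncated
    // (ERROR_INSUFFICIENT_BUFFER) and would silently name the wrong file.
    if (len == 0 || len >= MAX_PATH) {
        ErrorExit("GetModuleFileName(NULL, currentPath, MAX_PATH)");
        // ErrorExit does not return.  The old code had `return NULL` here,
        // which builds a std::string from a null pointer (undefined).
        return std::string();
    }

    const std::string snifferPath(currentPath, len);
    // Keep everything up to and including the last separator; with no
    // separator at all the DLL name is used relative to the working dir.
    const std::string::size_type sep = snifferPath.find_last_of('\\');
    const std::string dir = (sep == std::string::npos) ? std::string() : snifferPath.substr(0, sep + 1);

    std::string injectedDLL = dir + "InjectedDLL.dll";
    std::replace(injectedDLL.begin(), injectedDLL.end(), '\\', '/');
    return injectedDLL;
}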