rcx/codecave.cpp

## codecave.cpp
#include "stdafx.h"

DWORD getPID(LPCSTR szFileName)
{
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	PROCESSENTRY32 pe;
	pe.dwFlags = sizeof(PROCESSENTRY32);

	if (hSnapshot == INVALID_HANDLE_VALUE)
		return 0;

	Process32First(hSnapshot, &pe);
	do
	{
		if (!strcmp(szFileName, pe.szExeFile))
		{
			CloseHandle(hSnapshot);
			return pe.th32ProcessID;
		}
	}
	while (Process32Next(hSnapshot, &pe));
	return 0;
}

typedef HMODULE(__stdcall *_GetModuleHandleA)(LPCSTR);

struct RemoteData
{
	_GetModuleHandleA pGetModuleHandle;
	char szDllName[16];
};

inline DWORD CALLBACK cbThreadStart(RemoteData* data)
{
	DWORD hClient = (DWORD) data->pGetModuleHandle(data->szDllName);
	DWORD pPlayer = *(DWORD*)(hClient + 0x00A6C49C);

	while (1)
	{
		int iCrosshairID = *(int*)(pPlayer + 0xC550);
		if (iCrosshairID > 0)
			*(int*)(hClient + 0x02EC6938) = 5;
		else
			*(int*)(hClient + 0x02EC6938) = 4;
	}

	return EXIT_SUCCESS;
}
void __declspec(naked) cbThreadStart_End() {}

int main()
{
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, getPID("csgo.exe"));
	if (!hProcess)
		return 1;

	RemoteData remoteData;
	strcpy(remoteData.szDllName, "client.dll");
	remoteData.pGetModuleHandle = (_GetModuleHandleA) &GetModuleHandleA;

	// Write code
	DWORD dwCodeSize = (DWORD)&cbThreadStart_End - (uintptr_t)&cbThreadStart;
	LPVOID pBuf = VirtualAllocEx(hProcess, NULL, dwCodeSize + sizeof(RemoteData), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hProcess, pBuf, (LPVOID)cbThreadStart, dwCodeSize, NULL);

	// Write data
	RemoteData* pData = (RemoteData*)((DWORD) pBuf + dwCodeSize);
	WriteProcessMemory(hProcess, pData, &remoteData, sizeof(RemoteData), NULL);

	HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)pBuf, pData, NULL, NULL);
	CloseHandle(hThread);
	CloseHandle(hProcess);

	system("pause");
    return 0;
}
	#include "stdafx.h"

	DWORD getPID(LPCSTR szFileName)
	{
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	PROCESSENTRY32 pe;
	pe.dwFlags = sizeof(PROCESSENTRY32);

	if (hSnapshot == INVALID_HANDLE_VALUE)
	return 0;

	Process32First(hSnapshot, &pe);
	do
	{
	if (!strcmp(szFileName, pe.szExeFile))
	{
	CloseHandle(hSnapshot);
	return pe.th32ProcessID;
	}
	}
	while (Process32Next(hSnapshot, &pe));
	return 0;
	}

	typedef HMODULE(__stdcall *_GetModuleHandleA)(LPCSTR);

	struct RemoteData
	{
	_GetModuleHandleA pGetModuleHandle;
	char szDllName[16];
	};

	inline DWORD CALLBACK cbThreadStart(RemoteData* data)
	{
	DWORD hClient = (DWORD) data->pGetModuleHandle(data->szDllName);
	DWORD pPlayer = (DWORD)(hClient + 0x00A6C49C);

	while (1)
	{
	int iCrosshairID = (int)(pPlayer + 0xC550);
	if (iCrosshairID > 0)
	(int)(hClient + 0x02EC6938) = 5;
	else
	(int)(hClient + 0x02EC6938) = 4;
	}

	return EXIT_SUCCESS;
	}
	void __declspec(naked) cbThreadStart_End() {}

	int main()
	{
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, getPID("csgo.exe"));
	if (!hProcess)
	return 1;

	RemoteData remoteData;
	strcpy(remoteData.szDllName, "client.dll");
	remoteData.pGetModuleHandle = (_GetModuleHandleA) &GetModuleHandleA;

	// Write code
	DWORD dwCodeSize = (DWORD)&cbThreadStart_End - (uintptr_t)&cbThreadStart;
	LPVOID pBuf = VirtualAllocEx(hProcess, NULL, dwCodeSize + sizeof(RemoteData), MEM_COMMIT \| MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hProcess, pBuf, (LPVOID)cbThreadStart, dwCodeSize, NULL);

	// Write data
	RemoteData* pData = (RemoteData*)((DWORD) pBuf + dwCodeSize);
	WriteProcessMemory(hProcess, pData, &remoteData, sizeof(RemoteData), NULL);

	HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)pBuf, pData, NULL, NULL);
	CloseHandle(hThread);
	CloseHandle(hProcess);

	system("pause");
	return 0;
	}