CS:GO code cave proof of concept
#include "stdafx.h" | |
// Return the process ID of the first running process whose executable name
// compares equal (exact, case-sensitive strcmp) to szFileName.
// Returns 0 when the process snapshot cannot be taken or no entry matches.
DWORD getPID(LPCSTR szFileName) | |
{ | |
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); | |
PROCESSENTRY32 pe; | |
// NOTE(review): the structure size is written to dwFlags; the field that
// Process32First/Process32Next validate is dwSize, so the call may be rejected.
pe.dwFlags = sizeof(PROCESSENTRY32); | |
if (hSnapshot == INVALID_HANDLE_VALUE) | |
return 0; | |
// NOTE(review): the return value is not checked; if this call fails the loop
// below compares szFileName against an uninitialised pe.szExeFile.
Process32First(hSnapshot, &pe); | |
do | |
{ | |
if (!strcmp(szFileName, pe.szExeFile)) | |
{ | |
CloseHandle(hSnapshot); | |
return pe.th32ProcessID; | |
} | |
} | |
while (Process32Next(hSnapshot, &pe)); | |
// Not-found path: hSnapshot is never closed here (handle leak).
return 0; | |
} | |
// Function-pointer type with the stdcall signature of GetModuleHandleA; main()
// stores the address of that import in RemoteData so the copied thread body can
// call it through the pointer instead of an import of its own. (Identifiers that
// begin with an underscore and an uppercase letter are reserved for the implementation.)
typedef HMODULE(__stdcall *_GetModuleHandleA)(LPCSTR); | |
// Parameter block that main() writes into the target process directly after the
// copied thread code and hands to the remote thread as its single argument.
struct RemoteData | |
{ | |
_GetModuleHandleA pGetModuleHandle; | |
// Module name, filled by an unbounded strcpy in main(); 16 bytes including the NUL.
char szDllName[16]; | |
}; | |
// Thread body whose machine code main() copies byte-for-byte into the target
// process and starts via CreateRemoteThread. Because it runs from a copied
// buffer, it can only use what it receives through `data` (no relocations,
// no calls into this binary) — presumably why GetModuleHandleA is passed as a
// pointer rather than called directly.
// The while(1) loop has no exit, so the return statement is unreachable and
// the thread spins continuously without sleeping or yielding.
inline DWORD CALLBACK cbThreadStart(RemoteData* data) | |
{ | |
// Module base resolved through the injector-supplied pointer; the DWORD cast
// truncates to 32 bits, so this is only meaningful in a 32-bit process.
DWORD hClient = (DWORD) data->pGetModuleHandle(data->szDllName); | |
// Hard-coded offsets relative to the module base; they are tied to one
// particular build of the target module and are not validated in any way.
DWORD pPlayer = *(DWORD*)(hClient + 0x00A6C49C); | |
while (1) | |
{ | |
int iCrosshairID = *(int*)(pPlayer + 0xC550); | |
// Every iteration stores 5 when the value read is positive, else 4, at a
// fixed module-relative address; the meaning of 4/5 is not given on the page.
if (iCrosshairID > 0) | |
*(int*)(hClient + 0x02EC6938) = 5; | |
else | |
*(int*)(hClient + 0x02EC6938) = 4; | |
} | |
return EXIT_SUCCESS; | |
} | |
// Empty naked marker function placed right after cbThreadStart; main() takes the
// difference of the two function addresses as the number of code bytes to copy.
// This only holds when the linker emits the functions contiguously and in source
// order (hence the page's note about disabling incremental linking).
void __declspec(naked) cbThreadStart_End() {} | |
// Injector entry point: finds the target by image name, allocates a single RWX
// region inside it, copies cbThreadStart's code followed by a RemoteData block,
// and starts a remote thread at the copied code.
// Seen from the defender's side this is the canonical remote-thread injection
// chain — OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread — and each step leaves telemetry
// (a private RWX allocation, a thread whose start address is not backed by any
// loaded module) that endpoint monitoring and anti-tamper checks key on.
int main() | |
{ | |
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, getPID("csgo.exe")); | |
if (!hProcess) | |
return 1; | |
RemoteData remoteData; | |
// "client.dll" is 11 bytes with the NUL and fits the 16-byte field; strcpy itself is unbounded.
strcpy(remoteData.szDllName, "client.dll"); | |
// Address of this process's own import; relies on the exporting DLL being mapped
// at the same address in the target process.
remoteData.pGetModuleHandle = (_GetModuleHandleA) &GetModuleHandleA; | |
// Write code | |
// Code length = distance between the two function addresses (see cbThreadStart_End
// for the layout assumption); note the mixed DWORD / uintptr_t casts.
DWORD dwCodeSize = (DWORD)&cbThreadStart_End - (uintptr_t)&cbThreadStart; | |
// NOTE(review): the results of VirtualAllocEx, both WriteProcessMemory calls and
// CreateRemoteThread are never checked; a NULL pBuf flows straight into the writes.
LPVOID pBuf = VirtualAllocEx(hProcess, NULL, dwCodeSize + sizeof(RemoteData), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); | |
WriteProcessMemory(hProcess, pBuf, (LPVOID)cbThreadStart, dwCodeSize, NULL); | |
// Write data | |
// The parameter block lives in the same allocation, immediately after the code;
// the pointer arithmetic goes through a 32-bit DWORD cast.
RemoteData* pData = (RemoteData*)((DWORD) pBuf + dwCodeSize); | |
WriteProcessMemory(hProcess, pData, &remoteData, sizeof(RemoteData), NULL); | |
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)pBuf, pData, NULL, NULL); | |
// Closing the handles does not stop the remote thread: its infinite loop keeps
// running in the target after this process exits, and the allocation is never freed.
CloseHandle(hThread); | |
CloseHandle(hProcess); | |
system("pause"); | |
return 0; | |
} | |
You will need to disable incremental linking for the
DWORD dwCodeSize = (DWORD)&cbThreadStart_End - (uintptr_t)&cbThreadStart;
trick to work