char DLL_NAME[100] = "inject.dll";
char PROCESS_NAME[100] = "csgo.exe";
using namespace std;
#define JUNKS \
__asm _emit 0x64 \
__asm _emit 0x89 \
__asm _emit 0x54 \
__asm _emit 0x51 \
__asm _emit 0x78 \
__asm _emit 0x90 \
__asm _emit 0x99 \
__asm _emit 0x19 \
__asm _emit 0x17 \
__asm _emit 0x35 \
__asm _emit 0x12 \
__asm _emit 0x76 \
__asm _emit 0x43 \
__asm _emit 0x98 \
__asm _emit 0x25 \
__asm _emit 0x76 \
__asm _emit 0x24 \
__asm _emit 0x12 \
__asm _emit 0x71 \
__asm _emit 0x72 \
__asm _emit 0x73 \
__asm _emit 0x76 \
__asm _emit 0x75 \
__asm _emit 0x26 \
__asm _emit 0x34 \
__asm _emit 0x12 \
__asm _emit 0x81 \
__asm _emit 0x52 \
__asm _emit 0x23 \
__asm _emit 0x96 \
__asm _emit 0x85 \
__asm _emit 0x11 \
__asm _emit 0x32 \
__asm _emit 0x75 \
__asm _emit 0x34 \
__asm _emit 0x13 \
__asm _emit 0x93 \
__asm _emit 0x45 \
__asm _emit 0x76 \
__asm _emit 0x89 \
__asm _emit 0x23 \
__asm _emit 0x65 \
__asm _emit 0x77 \
__asm _emit 0x48 \
__asm _emit 0x39 \
__asm _emit 0x38 \
__asm _emit 0x29 \
__asm _emit 0x51 \
__asm _emit 0x82 \
__asm _emit 0x92 \
__asm _emit 0x74 \
__asm _emit 0x46 \
__asm _emit 0x56 \
__asm _emit 0x52 \
__asm _emit 0x23 \
__asm _emit 0x38 \
__asm _emit 0x14 \
__asm _emit 0x87 \
__asm _emit 0x55 \
__asm _emit 0x27 \
__asm _emit 0x94 \
__asm _emit 0x23 \
__asm _emit 0x54 \
__asm _emit 0x87 \
__asm _emit 0x32 \
__asm _emit 0x99 \
__asm _emit 0x76 \
__asm _emit 0x64 \
__asm _emit 0x98 \
__asm _emit 0x65 \
__asm _emit 0x12 \
__asm _emit 0x21 \
__asm _emit 0x73 \
__asm _emit 0x13 \
__asm _emit 0x76 \
__asm _emit 0x98 \
__asm _emit 0x99 \
__asm _emit 0x88 \
__asm _emit 0x77 \
__asm _emit 0x66 \
__asm _emit 0x55 \
__asm _emit 0x44 \
__asm _emit 0x33 \
__asm _emit 0x22 \
__asm _emit 0x11 \
__asm _emit 0x17 \
__asm _emit 0x61 \
__asm _emit 0x68 \
__asm _emit 0x51 \
__asm _emit 0x57 \
__asm _emit 0x58 \
__asm _emit 0x83 \
__asm _emit 0x64 \
__asm _emit 0x87 \
__asm _emit 0x12 \
__asm _emit 0x83 \
__asm _emit 0x78 \
__asm _emit 0x91 \
__asm _emit 0x43 \
__asm _emit 0x44 \
__asm _emit 0x31 \
__asm _emit 0x67 \
__asm _emit 0x82 \
__asm _emit 0x67 \
__asm _emit 0x64 \
__asm _emit 0x59 \
__asm _emit 0x36 \
__asm _emit 0x54 \
__asm _emit 0x37 \
__asm _emit 0x48 \
__asm _emit 0x68 \
__asm _emit 0x35 \
__asm _emit 0x27 \
__asm _emit 0x28 \
__asm _emit 0x42 \
__asm _emit 0x34 \
__asm _emit 0x23 \
__asm _emit 0x75 \
__asm _emit 0x55 \
__asm _emit 0x50 \
__asm _emit 0x30 \
__asm _emit 0x50 \
__asm _emit 0x60 \
__asm _emit 0x58 \
__asm _emit 0x78 \
#define _JUNK_BLOCK(s) __asm jmp s JUNKS __asm s:
DWORD Process(char* ProcessName)
{
_JUNK_BLOCK(jmp_label1)
HANDLE hPID = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
_JUNK_BLOCK(jmp_label2)
PROCESSENTRY32 ProcEntry;
_JUNK_BLOCK(jmp_label3)
ProcEntry.dwSize = sizeof(ProcEntry);
_JUNK_BLOCK(jmp_label4)
do
{
_JUNK_BLOCK(jmp_label5)
if (!strcmp(ProcEntry.szExeFile, ProcessName))
{
_JUNK_BLOCK(jmp_label6)
DWORD dwPID = ProcEntry.th32ProcessID;
_JUNK_BLOCK(jmp_label7)
CloseHandle(hPID);
_JUNK_BLOCK(jmp_label8)
return dwPID;
}
_JUNK_BLOCK(jmp_label9)
} while (Process32Next(hPID, &ProcEntry));
_JUNK_BLOCK(jmp_label10)
}
TypeNtUnmapViewOfSection NtUnmapViewOfSection;
TypeNtCreateSection NtCreateSection;
TypeNtMapViewOfSection NtMapViewOfSection;
TypeNtClose NtClose;
int RemoteMain();
BOOL ResolveNativeApis()
{
HMODULE ntdll = GetModuleHandleA("ntdll.dll");
NtUnmapViewOfSection = (TypeNtUnmapViewOfSection)GetProcAddress(ntdll, "NtUnmapViewOfSection");
if (!NtUnmapViewOfSection)
return FALSE;
NtCreateSection = (TypeNtCreateSection)GetProcAddress(ntdll, "NtCreateSection");
if (!NtCreateSection)
return FALSE;
NtMapViewOfSection = (TypeNtMapViewOfSection)GetProcAddress(ntdll, "NtMapViewOfSection");
if (!NtMapViewOfSection)
return FALSE;
NtClose = (TypeNtClose)GetProcAddress(ntdll, "NtClose");
if (!NtClose)
return FALSE;
return TRUE;
}
BOOL RelocatePE(PBYTE CodeBuffer, LPVOID NewBase)
{
DWORD delta, RelocTableOffset, TotalSize, RelocTableSize, EntryOffset;
int NumberOfEntries;
PWORD StartOfEntries;
PIMAGE_NT_HEADERS NtHeaders;
PIMAGE_BASE_RELOCATION reloc;
delta = (DWORD)NewBase - (DWORD)GetModuleHandleA(NULL);
NtHeaders = (PIMAGE_NT_HEADERS)((DWORD)CodeBuffer +
((PIMAGE_DOS_HEADER)CodeBuffer)->e_lfanew);
if (NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress <= 0)
return FALSE;
RelocTableOffset = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
RelocTableSize = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
reloc = (PIMAGE_BASE_RELOCATION)& CodeBuffer[RelocTableOffset];
for (TotalSize = 0; TotalSize < RelocTableSize; TotalSize += reloc->SizeOfBlock, *(DWORD*)& reloc += reloc->SizeOfBlock)
{
NumberOfEntries = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
StartOfEntries = (PWORD)((DWORD)(reloc)+sizeof(IMAGE_BASE_RELOCATION));
for (int i = 0; i < NumberOfEntries; i++)
{
if ((StartOfEntries[i] >> 12) & IMAGE_REL_BASED_HIGHLOW)
{
EntryOffset = reloc->VirtualAddress + (StartOfEntries[i] & 0xFFF);
*(PDWORD)& CodeBuffer[EntryOffset] += (delta);
}
}
}
return TRUE;
}
LPVOID InjectProcess(HANDLE ProcessHandle)
{
DWORD OriginalBaseAddress, OurBaseAddress;
PIMAGE_NT_HEADERS NtHeaders;
PIMAGE_SECTION_HEADER SectionHeader;
NTSTATUS status;
HANDLE SectionHandle = NULL;
LARGE_INTEGER SectionMaxSize = { 0,0 };
PVOID LocalAddress = NULL, RemoteAddress = NULL;
DWORD ViewSize = 0;
int i;
BOOL success = FALSE;
do { //This isn't a loop
OurBaseAddress = (DWORD)GetModuleHandle(NULL);
NtHeaders = (PIMAGE_NT_HEADERS)((DWORD)OurBaseAddress + ((PIMAGE_DOS_HEADER)OurBaseAddress)->e_lfanew);
if (NtHeaders->Signature != IMAGE_NT_SIGNATURE)
{
printf("DAEGER ERROR: File is not valid PE\n");
break;
}
SectionMaxSize.LowPart = NtHeaders->OptionalHeader.SizeOfImage;
status = NtCreateSection(&SectionHandle, SECTION_MAP_EXECUTE | SECTION_MAP_READ | SECTION_MAP_WRITE, NULL, &SectionMaxSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);
if (!NT_SUCCESS(status))
{
printf("DAEGER ERROR: NtCreateSection() failed with error: %X\n", status);
break;
}
//Map a view of the section into the local process
//RemoteAddress is set to NULL which means the system will choose where to allocate the memory, to avoid any address conflicts
status = NtMapViewOfSection(SectionHandle, GetCurrentProcess(), &LocalAddress, NULL, NULL, NULL, &ViewSize, 2, NULL, PAGE_EXECUTE_READWRITE);
if (!NT_SUCCESS(status))
{
printf("DAEGER ERROR: NtMapViewOfSection() failed with error: %X\n", status);
break;
}
//Map a view of the section into the remote process
//RemoteAddress is set to NULL which means the system will choose where to allocate the memory, to avoid any address conflicts
status = NtMapViewOfSection(SectionHandle, ProcessHandle, &RemoteAddress, NULL, NULL, NULL, &ViewSize, 2, NULL, PAGE_EXECUTE_READWRITE);
if (!NT_SUCCESS(status))
{
printf("DAEGER ERROR: NtMapViewOfSection() failed with error: %X\n", status);
break;
}
//Remote section is a mirror of local one, everything we do to local section is reflected in remote
memcpy(LocalAddress, (LPVOID)OurBaseAddress, NtHeaders->OptionalHeader.SizeOfImage);
RelocatePE((PBYTE)LocalAddress, RemoteAddress);
success = TRUE;
} while (FALSE);
if (success == FALSE && RemoteAddress != NULL)
{
NtUnmapViewOfSection(ProcessHandle, RemoteAddress);
RemoteAddress = NULL;
}
if (LocalAddress != NULL)
NtUnmapViewOfSection(GetCurrentProcess(), LocalAddress);
if (SectionHandle != NULL)
NtClose(SectionHandle);
return RemoteAddress;
}
/*
Run the target process in a suspended state, inject our code, then resume process
Parameters:
ImagePath - The path of the executable to Zombify
*/
int CreateZombifiedProcess(WCHAR* ImagePath)
{
setlocale(LC_ALL, "rus");
setlocale(LC_ALL, "UTF-8");
setlocale(LC_ALL, "ASCII");
setlocale(0, ".1251");
BOOL success = FALSE;
PROCESS_INFORMATION ProcessInfo = { 0 };
STARTUPINFOW StartupInfo = { 0 };
CONTEXT ThreadContext;
LPVOID BaseAddress;
do { //This isn't a loop
if (!ResolveNativeApis())
{
printf("DAEGER ERROR: Failed to resolve functions from ntdll\n");
break;
}
if (!CreateProcessW(NULL, ImagePath, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &StartupInfo, &ProcessInfo))
{
printf("DAEGER ERROR: CreateProcessA() Failed with error: %d\n", GetLastError());
break;
}
BaseAddress = InjectProcess(ProcessInfo.hProcess);
if (!BaseAddress)
{
printf("DAEGER ERROR: Failed to remap process\n");
break;
}
ThreadContext.ContextFlags = CONTEXT_INTEGER;
if (!GetThreadContext(ProcessInfo.hThread, &ThreadContext))
{
printf("DAEGER ERROR: GetThreadContext() Failed with error: %d\n", GetLastError());
break;
}
//Thread begins at BaseThreadInitThunk which gets the entry point from the EAX register then calls it
ThreadContext.Eax = (DWORD)((DWORD)& RemoteMain - (DWORD)GetModuleHandle(NULL)) + (DWORD)BaseAddress;
if (!SetThreadContext(ProcessInfo.hThread, &ThreadContext))
{
printf("DAEGER ERROR: SetThreadContext() Failed with error: %d\n", GetLastError());
break;
}
if (!ResumeThread(ProcessInfo.hThread))
{
printf("DAEGER ERROR: Failed to unsuspended process, Error: %d\n", GetLastError());
break;
}
printf("Injection Succesful!\n");
printf("Расширенная версия инжектора находится в группе в вк 'https://vk.com/daegerhack' в ссылках.\n");
printf("Injector by DAEGER https://vk.com/daegerhacks");
success = TRUE;
} while (FALSE);
if (success == FALSE && ProcessInfo.hProcess != NULL)
{
TerminateProcess(ProcessInfo.hProcess, 0);
}
if (ProcessInfo.hProcess != NULL)
CloseHandle(ProcessInfo.hProcess);
if (ProcessInfo.hThread != NULL)
CloseHandle(ProcessInfo.hThread);
return success;
}
int main()
{
setlocale(LC_ALL, "rus");
setlocale(LC_ALL, "UTF-8");
setlocale(LC_ALL, "ASCII");
setlocale(0, ".1251");
printf("Starting injection!\n");
DWORD WdwProcess;
if (!DLL_NAME)
{
MessageBoxA(NULL, "", "DAEGERInjector", MB_OK | MB_ICONINFORMATION);
return 0;
}
WdwProcess = Process(PROCESS_NAME);
if (!WdwProcess)
{
MessageBoxA(NULL, "Процесс не найден! Запустите CSGO!", "DAEGERInjector", MB_OK | MB_ICONINFORMATION);
return 0;
}
WCHAR ImagePath[MAX_PATH];
LPCWSTR testString = L"%windir%\\system32\\svchost.exe";
ExpandEnvironmentStringsW(testString, ImagePath, MAX_PATH - 1);
CreateZombifiedProcess(ImagePath);
getchar();
return 0;
}
int RemoteMain()
{
_JUNK_BLOCK(jmp_label11)
DWORD dwProcess;
_JUNK_BLOCK(jmp_label12)
char myDLL[MAX_PATH];
_JUNK_BLOCK(jmp_label13)
GetFullPathName(DLL_NAME, MAX_PATH, myDLL, 0);
_JUNK_BLOCK(jmp_label4)
dwProcess = Process(PROCESS_NAME);
_JUNK_BLOCK(jmp_label15)
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwProcess);
_JUNK_BLOCK(jmp_label16)
LPVOID allocatedMem = VirtualAllocEx(hProcess, NULL, sizeof(myDLL), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
_JUNK_BLOCK(jmp_label17)
WriteProcessMemory(hProcess, allocatedMem, myDLL, sizeof(myDLL), NULL);
_JUNK_BLOCK(jmp_label18)
CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, allocatedMem, 0, 0);
_JUNK_BLOCK(jmp_label19)
CloseHandle(hProcess);
_JUNK_BLOCK(jmp_label20)
_JUNK_BLOCK(jmp_label21)
MessageBoxA(NULL, "DAEGERInjectorLog: Injected successfully! VK GROUP: vk.com/daegerhacks", "DAEGERInjector", MB_OK | MB_ICONINFORMATION);
return 0;
}
