[launch3] Implement DLL inject functions

2025-09-19 20:26:14 +08:00 · 2023-10-24 23:58:07 +08:00
parent a80d3607f4
commit a83e0d65cc
1 changed files with 290 additions and 0 deletions
--- a/launch3/launch3Dlg.cpp
+++ b/launch3/launch3Dlg.cpp
@ -5,12 +5,85 @@
 #include "launch3.h"
 #include "launch3Dlg.h"

+#include <windows.h>
+
 #ifdef _DEBUG
 #define new DEBUG_NEW
 #undef THIS_FILE
 static char THIS_FILE[] = __FILE__;
 #endif

+typedef BOOL (WINAPI* Proc_CreateProcessA)(LPCSTR lpApplicationName,
+										   LPSTR lpCommandLine,
+										   LPSECURITY_ATTRIBUTES lpProcessAttributes,
+										   LPSECURITY_ATTRIBUTES lpThreadAttributes,
+										   BOOL bInheritHandles,
+										   DWORD dwCreationFlags,
+										   LPVOID lpEnvironment,
+										   LPCSTR lpCurrentDirectory,
+										   LPSTARTUPINFOA lpStartupInfo,
+										   LPPROCESS_INFORMATION lpProcessInformation);
+
+BOOL WINAPI CreateProcessWithDllA(LPCSTR lpApplicationName,
+								  LPSTR lpCommandLine,
+								  LPSECURITY_ATTRIBUTES lpProcessAttributes,
+								  LPSECURITY_ATTRIBUTES lpThreadAttributes,
+								  BOOL bInheritHandles,
+								  DWORD dwCreationFlags,
+								  LPVOID lpEnvironment,
+								  LPCSTR lpCurrentDirectory,
+								  LPSTARTUPINFOA lpStartupInfo,
+								  LPPROCESS_INFORMATION lpProcessInformation,
+								  LPSTR lpDllFullPath,
+								  Proc_CreateProcessA FuncAddress);
+BOOL SuspendTidAndInjectCode(HANDLE hProcess, HANDLE hThread, DWORD dwFuncAddress, const BYTE * lpShellCode, size_t uCodeSize);
+BYTE* mov_eax_xx(BYTE* lpCurAddress, DWORD eax);
+BYTE* mov_ebx_xx(BYTE* lpCurAddress, DWORD ebx);
+BYTE* mov_ecx_xx(BYTE* lpCurAddress, DWORD ecx);
+BYTE* mov_edx_xx(BYTE* lpCurAddress, DWORD edx);
+BYTE* mov_esi_xx(BYTE* lpCurAddress, DWORD esi);
+BYTE* mov_edi_xx(BYTE* lpCurAddress, DWORD edi);
+BYTE* mov_ebp_xx(BYTE* lpCurAddress, DWORD ebp);
+BYTE* mov_esp_xx(BYTE* lpCurAddress, DWORD esp);
+BYTE* push_xx(BYTE* lpCurAddress, DWORD dwAddress);
+BYTE* mov_eip_xx(BYTE* lpCurAddress, DWORD eip, DWORD newEip);
+BYTE* Call_xx(BYTE* lpCurAddress, DWORD eip, DWORD newEip);
+
+
+/////////////////////////////////////////////////////////////////////////////
+
+PROCESS_INFORMATION ProcessInformation;
+STARTUPINFO StartupInfo;
+
+void LaunchMod(LPCSTR lpPath, LPSTR lpParams)
+{
+	char szGtaExe[256];
+	char szSampDll[256];
+
+	sprintf(szGtaExe,"%s\\%s",lpPath,"gta_sa.exe");
+	sprintf(szSampDll,"%s\\%s",lpPath,"samp.dll");
+
+	ZeroMemory(&StartupInfo, sizeof(StartupInfo));
+	StartupInfo.cb = sizeof(StartupInfo);
+	ZeroMemory(&ProcessInformation, sizeof(ProcessInformation));
+
+	if (!CreateProcessWithDllA(szGtaExe,
+		lpParams,
+		NULL,
+		NULL,
+		FALSE,
+		CREATE_DEFAULT_ERROR_MODE,
+		NULL,
+		lpPath,
+		&StartupInfo,
+		&ProcessInformation,
+		szSampDll,
+		NULL))
+	{
+		MessageBoxA(NULL, "Initialization failed.\r\nPlease reinstall.", "SA:MP", MB_OK | MB_ICONERROR | MB_HELP);	
+	}
+}
+
 /////////////////////////////////////////////////////////////////////////////
 // CLaunch3Dlg dialog

@ -43,6 +116,19 @@ BEGIN_MESSAGE_MAP(CLaunch3Dlg, CDialog)
 	//}}AFX_MSG_MAP
 END_MESSAGE_MAP()

+/////////////////////////////////////////////////////////////////////////////
+
+CString GetAppPath ()
+{
+TCHAR app_path[_MAX_PATH];
+
+GetModuleFileName((HMODULE)AfxGetApp()->m_hInstance, app_path, MAX_PATH);
+CString app_str = app_path;
+app_str = app_str.Left(app_str.ReverseFind('\\')+1);
+
+return app_str;
+}
+
 /////////////////////////////////////////////////////////////////////////////
 // CLaunch3Dlg message handlers

@ -109,13 +195,217 @@ void CLaunch3Dlg::OnChangeNick()

 void CLaunch3Dlg::OnLaunch() 
 {
+	LaunchMod(GetAppPath(), "-d");
 }

 void CLaunch3Dlg::OnButton2() 
 {
+	this->OnCancel();
 }

 void CLaunch3Dlg::OnButton1() 
 {
+	LaunchMod(GetAppPath(), "-c -h 127.0.0.1 -p 7777 -n Player");
 }

+DWORD GetFuncAddress()
+{
+	return (DWORD)GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryA");
+}
+
+BOOL WINAPI CreateProcessWithDllA(LPCSTR lpApplicationName,
+								  LPSTR lpCommandLine,
+								  LPSECURITY_ATTRIBUTES lpProcessAttributes,
+								  LPSECURITY_ATTRIBUTES lpThreadAttributes,
+								  BOOL bInheritHandles,
+								  DWORD dwCreationFlags,
+								  LPVOID lpEnvironment,
+								  LPCSTR lpCurrentDirectory,
+								  LPSTARTUPINFOA lpStartupInfo,
+								  LPPROCESS_INFORMATION lpProcessInformation,
+								  LPSTR lpDllFullPath,
+								  Proc_CreateProcessA FuncAddress)
+{
+	BOOL bResult = FALSE;
+	size_t uCodeSize;
+	DWORD dwCreaFlags = dwCreationFlags;
+	PROCESS_INFORMATION pi;
+
+	if (FuncAddress == NULL)
+	{
+		FuncAddress = CreateProcessA;
+	}
+
+	dwCreaFlags = dwCreationFlags | CREATE_SUSPENDED;
+
+	if (FuncAddress(lpApplicationName,
+		lpCommandLine,
+		lpProcessAttributes,
+		lpThreadAttributes,
+		bInheritHandles,
+		dwCreaFlags,
+		lpEnvironment,
+		lpCurrentDirectory,
+		lpStartupInfo,
+		&pi))
+	{
+		if (lpDllFullPath)
+			uCodeSize = strlen(lpDllFullPath) + 1;
+		else
+			uCodeSize = 0;
+
+		DWORD dwLoadDllProc = GetFuncAddress();
+
+		if (SuspendTidAndInjectCode(pi.hProcess, pi.hThread, dwLoadDllProc, (BYTE*)lpDllFullPath, uCodeSize))
+		{
+			if (lpProcessInformation)
+				memcpy(lpProcessInformation, &pi, sizeof(PROCESS_INFORMATION));
+
+			if (!(dwCreationFlags & CREATE_SUSPENDED))
+				ResumeThread(pi.hThread);
+
+			bResult = TRUE;
+		}
+	}
+
+	return bResult;
+}
+
+BOOL SuspendTidAndInjectCode(HANDLE hProcess, HANDLE hThread, DWORD dwFuncAddress, const BYTE * lpShellCode, size_t uCodeSize)
+{
+	BYTE ShellCodeBuf[0x480];
+	CONTEXT Context;
+	DWORD flOldProtect = 0;
+	SIZE_T NumberOfBytesWritten = 0;
+	LPBYTE lpCurESPAddress;
+	LPBYTE lpCurBufAddress;
+	BOOL bResult = FALSE;
+
+	SuspendThread(hThread);
+
+	memset(&Context,0,sizeof(Context));
+	Context.ContextFlags = CONTEXT_FULL;
+
+	if (GetThreadContext(hThread, &Context))
+	{
+		lpCurESPAddress = (LPBYTE)((Context.Esp - 0x480) & 0xFFFFFFE0);
+
+		lpCurBufAddress = &ShellCodeBuf[0];
+
+		if (lpShellCode)
+		{
+			memcpy(ShellCodeBuf + 128, lpShellCode, uCodeSize);
+			lpCurBufAddress = push_xx(lpCurBufAddress, (DWORD)(lpCurESPAddress + 128));
+			lpCurBufAddress = Call_xx(lpCurBufAddress, dwFuncAddress, (DWORD)lpCurESPAddress + (DWORD)lpCurBufAddress - (DWORD)&ShellCodeBuf);
+		}
+
+		lpCurBufAddress = mov_eax_xx(lpCurBufAddress, Context.Eax);
+        lpCurBufAddress = mov_ebx_xx(lpCurBufAddress, Context.Ebx);
+        lpCurBufAddress = mov_ecx_xx(lpCurBufAddress, Context.Ecx);
+        lpCurBufAddress = mov_edx_xx(lpCurBufAddress, Context.Edx);
+        lpCurBufAddress = mov_esi_xx(lpCurBufAddress, Context.Esi);
+        lpCurBufAddress = mov_edi_xx(lpCurBufAddress, Context.Edi);
+        lpCurBufAddress = mov_ebp_xx(lpCurBufAddress, Context.Ebp);
+        lpCurBufAddress = mov_esp_xx(lpCurBufAddress, Context.Esp);
+		lpCurBufAddress = mov_eip_xx(lpCurBufAddress, Context.Eip, (DWORD)lpCurESPAddress + (DWORD)lpCurBufAddress - (DWORD)&ShellCodeBuf);
+		Context.Esp = (DWORD)(lpCurESPAddress - 4);
+		Context.Eip = (DWORD)lpCurESPAddress;
+
+		if (VirtualProtectEx(hProcess, lpCurESPAddress, 0x480, PAGE_EXECUTE_READWRITE, &flOldProtect)
+			&& WriteProcessMemory(hProcess, lpCurESPAddress, &ShellCodeBuf, 0x480, &NumberOfBytesWritten)
+			&& FlushInstructionCache(hProcess, lpCurESPAddress, 0x480)
+			&& SetThreadContext(hThread, &Context) )
+		{
+			bResult = TRUE;
+		}
+	}
+
+	ResumeThread(hThread);
+
+	return bResult;
+}
+
+BYTE* mov_eax_xx(BYTE* lpCurAddress, DWORD eax)
+{
+	*lpCurAddress = 0xB8;
+	*(DWORD*)(lpCurAddress + 1) = eax;
+	return lpCurAddress + 5;
+}
+
+BYTE* mov_ebx_xx(BYTE* lpCurAddress, DWORD ebx)
+{
+	*lpCurAddress = 0xBB;
+	*(DWORD*)(lpCurAddress + 1) = ebx;
+	return lpCurAddress + 5;
+}
+
+BYTE* mov_ecx_xx(BYTE* lpCurAddress, DWORD ecx)
+{
+	*lpCurAddress = 0xB9;
+	*(DWORD*)(lpCurAddress + 1) = ecx;
+	return lpCurAddress + 5;
+}
+
+BYTE* mov_edx_xx(BYTE* lpCurAddress, DWORD edx)
+{
+	*lpCurAddress = 0xBA;
+	*(DWORD*)(lpCurAddress + 1) = edx;
+	return lpCurAddress + 5;
+}
+
+BYTE* mov_esi_xx(BYTE* lpCurAddress, DWORD esi)
+{
+	*lpCurAddress = 0xBE;
+	*(DWORD*)(lpCurAddress + 1) = esi;
+	return lpCurAddress + 5;
+}
+
+BYTE* mov_edi_xx(BYTE* lpCurAddress, DWORD edi)
+{
+	*lpCurAddress = 0xBF;
+	*(DWORD*)(lpCurAddress + 1) = edi;
+	return lpCurAddress + 5;
+}
+
+BYTE* mov_ebp_xx(BYTE* lpCurAddress, DWORD ebp)
+{
+	*lpCurAddress = 0xBD;
+	*(DWORD*)(lpCurAddress + 1) = ebp;
+	return lpCurAddress + 5;
+}
+
+BYTE* mov_esp_xx(BYTE* lpCurAddress, DWORD esp)
+{
+	*lpCurAddress = 0xBC;
+	*(DWORD*)(lpCurAddress + 1) = esp;
+	return lpCurAddress + 5;
+}
+
+BYTE* push_xx(BYTE* lpCurAddress, DWORD dwAddress)
+{
+	*lpCurAddress = 0x68;
+	*(DWORD*)(lpCurAddress + 1) = dwAddress;
+	return lpCurAddress + 5;
+}
+
+BYTE* mov_eip_xx(BYTE* lpCurAddress, DWORD eip, DWORD newEip)
+{
+	if (!newEip)
+	{
+		newEip = (DWORD)lpCurAddress;
+	}
+	*lpCurAddress = 0xE9;
+	*(DWORD*)(lpCurAddress + 1) = eip - (newEip + 5);
+	return lpCurAddress + 5;
+}
+
+BYTE* Call_xx(BYTE* lpCurAddress, DWORD eip, DWORD newEip)
+{
+	if (!newEip)
+	{
+		newEip = (DWORD)lpCurAddress;
+	}
+	*lpCurAddress = 0xE8;
+	*(DWORD*)(lpCurAddress + 1) = eip - (newEip + 5);
+	return lpCurAddress + 5;
+}