
The 1st way of injecting is to use a PE editor such as Stud_PE: ( http://www.cgsoftlabs.ro/zip/Stud_PE.zip3 )

 

Open the exe in STUD_PE Exe Injector. Go to functions.

Click “Add new import”

Select “Open DLL”

Select the DLL you are going to use

Click “Select import function”

Select “DllMain@12”

Click “Add to List”

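Click OK. The EXE's import table now lists the DLL, so the Windows loader maps it every time the program starts. Because the file on disk has been modified, its hash changes and any Authenticode signature it carried no longer validates.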

 

 

The 2nd way of injecting is to use a patcher app. Thanks to tontor for the source code. Assemble the source in MASM:

 

;Static DLL Injection for MASM by Aphex

;http://www.iamaphex.cjb.net

;unremote@knology.net

;This uses code by Yodah and Freddy K

;What this does: It forces a PE to load a DLL every time it is run by

;patching the actual file. No other loaders or memory injectors are needed.

 

;How it does this: It opens the PE file, adds a section to the end of the file,

;alters the entry point to execute this section first. Then the new code loads

;a dll and jumps back to the original entry point where it runs as normal. 

 

;NOTE: you must add this linker option “/SECTION:.text,RWX”

;ml.exe /coff patch.asm /link /SECTION:.text,RWX /SUBSYSTEM:WINDOWS /OPT:NOREF

; Assembler setup: 32-bit x86 instruction set, flat memory model, stdcall as
; the default calling convention for invoke/proc.
.386

.model flat, stdcall

option casemap:none                     ; identifiers are case-sensitive

include \masm32\include\windows.inc

include \masm32\include\kernel32.inc

include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib

includelib \masm32\lib\user32.lib

 

; Recovery record used by the injected stub's exception handler.
; Base and Address fill it in before touching memory that may not be mapped;
; SehHandler copies the three values back into the faulting thread's CONTEXT
; so that execution resumes at SaveEip with the recorded stack and frame.
SEH_STRUCT struct

OrgEsp dword 0                          ; esp at the time the handler frame was installed

OrgEbp dword 0                          ; ebp at that time (the stub keeps its address delta in ebp)

SaveEip dword 0                         ; address at which to resume after a fault

SEH_STRUCT ends

 

; Data used only by the patcher program itself (the code from PatchEnd on).
; None of it is copied into the target file.
.data

;——-> Path to EXE to be patched with DLL <——-
; Passed as-is to CreateFile, so it is resolved relative to the current directory.

szTarget byte ‘L2Server.exe’, 0

 

.data?

dwFile dword ?                          ; handle of the opened target file

dwSize dword ?                          ; original size of the target file in bytes

dwBytes dword ?                         ; bytes-transferred output of ReadFile / WriteFile

dwImage dword ?                         ; original OptionalHeader.SizeOfImage (becomes the new section's RVA)

dwBuffer dword ?                        ; GlobalAlloc buffer holding the file image being edited

dwHeader dword ?                        ; e_lfanew: file offset of the NT headers

dwLength dword ?                        ; size of the stub, PatchEnd - PatchBegin

dwSections dword ?                      ; section count read from the file header before it is incremented

 

.data

; Message-box texts shown by the patcher.
errmsg  db  ’failed to open l2server.exe’,0

sucmsg  db  ’patching l2server.exe succeeded’,0

titlemsg db  ’beepbeepboop’,0

 

.code

EntryPoint:

jmp PatchEnd

PatchBegin:

jmp SkipData

szName byte ‘.PATCH’, 2 dup (0)

szLoadLibrary byte ‘LoadLibraryA’, 0

;——-> Path to DLL to be patched into EXE <——-

szDll byte ‘patch.dll’, 0

SEH SEH_STRUCT <>

_LoadLibrary dword 0

dwKernelBase dword 0

dwEntryPoint dword 0

_DllOff dword 0

; Stub main routine - runs first in the patched program.
; Steps: save all registers, compute the stub's address delta, locate a module
; base via Base, resolve LoadLibraryA via Address, load szDll, then restore the
; registers and jump to the original entry point. Every failure path also ends
; at Return, so the host program starts either way.
; ebp holds the delta (run-time address minus assembled address) throughout;
; all stub data is addressed as [ebp + symbol].
SkipData:

assume fs:NOTHING                       ; allow fs:[0] accesses (SEH chain head) without assembler errors

pushad                                  ; save eax..edi (32 bytes) for restoration before the final jump

call Root                               ; call/pop pair: obtain the current instruction address

Root:

pop ebp

sub ebp, offset Root                    ; ebp = run-time address of Root - assembled address of Root

push dword ptr [esp + 20h]              ; the dword that was on top of the stack at entry (above the pushad frame);
                                        ; presumably a return address into kernel32 left by process start-up - TODO confirm

call Base                               ; eax = base of the module containing that address (stdcall, 1 arg)

or eax, eax

jz Return                               ; no base found: skip the load, still run the host

mov [ebp + dwKernelBase], eax

lea eax, [ebp + offset szLoadLibrary]

push eax                                ; arg 2: export name

push [ebp + dwKernelBase]               ; arg 1: module base

call Address                            ; eax = address of the export, or 0

or eax, eax

jz Return

mov [ebp + _LoadLibrary], eax

lea eax, [ebp + offset szDll]

push eax

call [ebp + _LoadLibrary]               ; LoadLibraryA(szDll); the DLL's entry code runs inside the host process

mov [ebp + offset _DllOff], eax         ; result is stored but not checked

Return:

mov eax, [ebp + dwEntryPoint]           ; absolute address computed by the patcher from the header ImageBase

mov [esp + 1ch], eax                    ; overwrite the eax slot of the pushad frame so popad leaves it in eax

popad

jmp eax                                 ; hand control to the program's original entry point

; Base - find the load address of the module that contains a given address.
; In:    [esp + 4] = an address inside the module; ebp = stub delta
; Out:   eax = module base, or the hard-coded fallback 0BFF70000h
; Stack: stdcall-style, removes its one argument (ret 4)
; Clobb: eax, ebx, esi, edi, flags
; Method: round the address down to a 64 KB boundary and walk downwards in
; 64 KB steps until a page starts with a DOS header whose e_lfanew leads to a
; PE signature. An SEH frame is installed first so that reads of unmapped
; memory resume at Continue instead of terminating the process.
Base:

mov edi, [esp + 4]

lea eax, [ebp + offset SehHandler]

push eax                                ; new SEH record: handler address

push dword ptr fs:[0]                   ; new SEH record: link to the previous record

lea eax, [ebp + offset SEH]

assume eax:ptr SEH_STRUCT

mov [eax].OrgEsp, esp                   ; remember the stack and frame to restore after a fault

mov [eax].OrgEbp, ebp

lea ebx, [ebp + offset Continue]

mov [eax].SaveEip, ebx                  ; a fault resumes at Continue, i.e. with the next lower candidate

mov fs:[0], esp                         ; make the record on the stack the head of the SEH chain

assume eax:NOTHING

and edi, 0FFFF0000h                     ; round down to a 64 KB boundary

.while TRUE

.if word ptr [edi] == IMAGE_DOS_SIGNATURE

mov esi, edi

add esi, [esi + 03Ch]                   ; e_lfanew -> NT headers

.if dword ptr [esi] == IMAGE_NT_SIGNATURE

.break                                  ; edi is a PE image base

.endif

.endif

Continue:

sub edi, 010000h                        ; try the next lower 64 KB boundary

.if edi < 070000000h                    ; lower limit of the scan

mov edi, 0BFF70000h                     ; fixed fallback base; presumably the Windows 9x kernel32 address - TODO confirm

.break

.endif

.endw

xchg eax, edi                           ; return value in eax

pop dword ptr fs:[0]                    ; unlink the SEH record

add esp, 4                              ; drop the handler address

ret 4

; Address - resolve an exported function by name by walking a module's
; export directory in memory (a hand-written equivalent of GetProcAddress).
; In:    after the two SEH pushes below: [esp + 0ch] = module base,
;        [esp + 10h] = pointer to the NUL-terminated export name; ebp = stub delta
; Out:   eax = address of the export, or 0 if the headers are invalid or the
;        name is not present
; Stack: stdcall-style, removes its two arguments (ret 8)
; Clobb: eax, ebx, ecx, edx, esi, edi, flags
; The absence of an import-table entry for the resolved API is what makes
; this technique invisible to import-based static inspection of the stub.
Address:

lea eax, [ebp + offset SehHandler]

push eax                                ; new SEH record: handler address

push dword ptr fs:[0]                   ; new SEH record: link to the previous record

lea eax, [ebp + offset SEH]

assume eax:ptr SEH_STRUCT

mov [eax].OrgEsp, esp

mov [eax].OrgEbp, ebp

lea ebx, [ebp + offset Continue]        ; note: Continue is the label inside Base's scan loop

mov [eax].SaveEip, ebx

mov fs:[0], esp

assume eax:NOTHING

mov esi, [esp + 0ch]                    ; esi = module base

.if word ptr [esi] != IMAGE_DOS_SIGNATURE

jmp Halt

.endif

add esi, [esi + 03Ch]                   ; esi = NT headers

.if dword ptr [esi] != IMAGE_NT_SIGNATURE

jmp Halt

.endif

mov edi, [esp + 10h]                    ; edi = wanted name

mov ecx, 150                            ; search at most 150 bytes for the terminator

xor al, al

repnz scasb

mov ecx, edi

sub ecx, [esp + 10h]                    ; ecx = name length including the terminating NUL

mov edx, [esi + 078h]                   ; RVA of the export directory (first data-directory entry of a PE32 header)

add edx, [esp + 0ch]

assume edx:ptr IMAGE_EXPORT_DIRECTORY

mov ebx, [edx].AddressOfNames

add ebx, [esp + 0ch]                    ; ebx = array of name RVAs

xor eax, eax                            ; eax = index into the name array

.repeat

mov edi, [ebx]

add edi, [esp + 0ch]                    ; edi = current export name

mov esi, [esp + 10h]

push ecx                                ; keep the length; cmpsb consumes ecx

repz cmpsb

.if zero?

add esp, 4                              ; match: discard the saved length

.break

.endif

pop ecx

add ebx, 4

inc eax

.until eax == [edx].NumberOfNames

.if eax == [edx].NumberOfNames          ; ran off the end of the table: name not exported

jmp Halt

.endif

mov esi, [edx].AddressOfNameOrdinals

add esi, [esp + 0ch]

push edx                                ; mul overwrites edx

mov ebx, 2

xor edx, edx

mul ebx                                 ; eax = name index * 2 (ordinal entries are words)

pop edx

add eax, esi

xor ecx, ecx

mov word ptr cx, [eax]                  ; ecx = index into the function table

mov edi, [edx].AddressOfFunctions

xor edx, edx

mov ebx, 4

mov eax, ecx

mul ebx                                 ; eax = function index * 4 (entries are dwords)

add eax, [esp + 0ch]

add eax, edi

mov eax, [eax]                          ; RVA of the function

add eax, [esp + 0ch]                    ; eax = absolute address of the function

jmp Exit

assume edx:nothing

Halt:

xor eax, eax                            ; failure result

Exit:

pop dword ptr fs:[0]                    ; unlink the SEH record

add esp, 4                              ; drop the handler address

ret 8

; SehHandler - structured-exception handler installed by Base and Address.
; Receives the four standard handler arguments (C calling convention) and
; rewrites the faulting thread's CONTEXT from the SEH record: eip, esp and ebp
; are replaced with SaveEip, OrgEsp and OrgEbp. Returning
; ExceptionContinueExecution makes the system resume the thread with that
; modified context, so the fault is swallowed rather than reported.
SehHandler proc c pExcept:dword, pFrame:dword, pContext:dword, pDispatch:dword

mov eax, pContext

assume eax:ptr CONTEXT

push SEH.SaveEip                        ; push/pop pairs perform memory-to-memory copies

pop [eax].regEip

push SEH.OrgEsp

pop [eax].regEsp

push SEH.OrgEbp

pop [eax].regEbp

mov eax, ExceptionContinueExecution

ret

SehHandler endp

; PatchEnd - the patcher program proper (also the end marker of the stub).
; It reads szTarget into memory, edits the PE headers, appends the stub bytes
; and writes the result back over the same file.
;
; What the target looks like afterwards (useful when triaging a suspect file):
;   * NumberOfSections is one higher and the last section is named ".PATCH",
;     with characteristics 0E0000020h (code, execute + read + write).
;   * AddressOfEntryPoint equals the old SizeOfImage, i.e. it points at the
;     start of that last section instead of into the original code section.
;   * SizeOfImage grew by 1000h and the file grew by the stub length.
;   * The first section header's characteristics are set to 0E0000060h
;     (execute + read + write).
;   * Nothing here updates OptionalHeader.CheckSum or any signature data, so a
;     stored checksum or Authenticode signature no longer matches the file.
;
; Return values of GetFileSize, GlobalAlloc, ReadFile and WriteFile are not
; checked; only the CreateFile failure is reported.
PatchEnd:

mov eax, offset PatchEnd

sub eax, offset PatchBegin

mov dwLength, eax                       ; number of stub bytes to append

invoke CreateFile, offset szTarget, GENERIC_READ or GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0   ; share mode 0: exclusive access

.if eax == INVALID_HANDLE_VALUE

invoke MessageBox, NULL,addr errmsg,addr titlemsg,MB_OK

invoke ExitProcess, 0

.endif

mov dwFile, eax

invoke GetFileSize, dwFile, 0

mov dwSize, eax

add eax, 2000h                          ; room for the appended stub

invoke GlobalAlloc, GMEM_FIXED or GMEM_ZEROINIT, eax

mov dwBuffer, eax

invoke ReadFile, dwFile, dwBuffer, dwSize, offset dwBytes, 0   ; whole file into the buffer

mov esi, dwBuffer

add esi, 03ch

mov eax, dword ptr [esi]                ; e_lfanew

mov dwHeader, eax

sub eax, 03ch

add esi, eax                            ; esi = buffer + e_lfanew = NT headers

assume esi:ptr IMAGE_NT_HEADERS

mov ax, [esi].FileHeader.NumberOfSections   ; only the low 16 bits of eax are loaded here

mov dwSections, eax

inc [esi].FileHeader.NumberOfSections   ; announce one more section

mov eax, [esi].OptionalHeader.AddressOfEntryPoint

add eax, [esi].OptionalHeader.ImageBase

mov dwEntryPoint, eax                   ; stored inside the stub region, so it is copied along with the stub

mov eax, [esi].OptionalHeader.SizeOfImage

mov dwImage, eax

add [esi].OptionalHeader.SizeOfImage, 1000h

mov [esi].OptionalHeader.AddressOfEntryPoint, eax   ; new entry point = old SizeOfImage = RVA of the new section

assume esi:NOTHING

mov esi, dwBuffer

add esi, dwHeader

add esi, 0f8h                           ; skip the NT headers; assumes the standard 32-bit optional-header size - TODO confirm

assume esi:ptr IMAGE_SECTION_HEADER

mov eax, 0E0000060h

mov [esi].Characteristics, eax          ; esi is still the first section header at this point

mov eax, 28h                            ; size of one section header

mov ecx, dwSections

imul ecx

add esi, eax                            ; esi = slot just past the last existing section header

mov eax, dword ptr [szName]

mov dword ptr [esi].Name1, eax

mov eax, dword ptr[szName+4]

mov dword ptr [esi].Name1+4, eax        ; 8-byte name ".PATCH" padded with two NULs

mov eax, 1000h

mov [esi].Misc.VirtualSize, eax

mov eax, dwImage

mov [esi].VirtualAddress, eax

mov eax, dwLength

mov [esi].SizeOfRawData, eax

mov eax, dwSize

mov [esi].PointerToRawData, eax         ; raw data starts at the old end of file

mov eax, 0E0000020h                     ; code | execute | read | write

mov [esi].Characteristics, eax

assume esi:NOTHING

mov edi, dwBuffer

add edi, dwSize                         ; destination: old end of file inside the buffer

lea eax, PatchBegin

xchg esi, eax                           ; source: the stub in this program's own code section

mov ecx, dwLength

rep movsb

invoke SetFilePointer, dwFile, 0, 0, FILE_BEGIN   ; rewind: the file is rewritten from offset 0

mov eax, dwSize

add eax, dwLength

invoke  WriteFile, dwFile, dwBuffer, eax, offset dwBytes, 0

invoke CloseHandle, dwFile

invoke GlobalFree, dwBuffer

invoke MessageBox, NULL,addr sucmsg,addr titlemsg,MB_OK   ; shown without checking whether the write succeeded

invoke ExitProcess, 0

end EntryPoint

 

That's all folks ;)
