Dll Injection (Pipe Server & Client) Tutorial

Dll Injection (Pipe Server & Client) Tutorial

Post by supMarco » Sun Mar 10, 2019 8:18 am

First of all, what's a pipe? And why am I using a pipe server?

A pipe is a section of shared memory that processes use for communication. The process that creates a pipe is the pipe server.
A process that connects to a pipe is a pipe client. One process writes information to the pipe, then the other process reads the information from the pipe.
This overview describes how to create, manage, and use pipes. (https://docs.microsoft.com/en-us/window ... /ipc/pipes)

I'm about to inject a DLL with a few functions (including the one that starts a pipe server in the target process), then I'm going to use a pipe client to call the DLL's functions from the outside:

DLL (Server):

#include "stdafx.h" //Precompiled header of the VS DLL project; it pulls in <windows.h>
#include <stdlib.h>
#include <string.h>

#define STRSIZE 256

bool Compare(const BYTE*, const BYTE*, const char*);
DWORD Pattern(DWORD, DWORD, BYTE *, const char *);

BOOL money_flag = FALSE;
DWORD moneyHook = 0;

__declspec(dllexport) void PipeServerStart(); //This is the only function I need to export
void init();
void money();

__declspec(dllexport) void PipeServerStart()
{
	HANDLE hPipe;
	char cheatName[STRSIZE];
	DWORD bytesRead;

	hPipe = CreateNamedPipe(TEXT("\\\\.\\pipe\\Test"), PIPE_ACCESS_DUPLEX, PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT, 1, 1024 * 16, 1024 * 16, INFINITE, NULL);
	if (hPipe != INVALID_HANDLE_VALUE)
	{
		if (ConnectNamedPipe(hPipe, NULL)) //Waits for a client to connect
		{
			while (ReadFile(hPipe, cheatName, STRSIZE - 1, &bytesRead, NULL)) //This will constantly read the client's "command" I will send; it fails once the client disconnects
			{
				cheatName[bytesRead] = '\0'; //bytesRead is at most STRSIZE - 1, so the terminator always fits
				//We will call a certain DLL function according to the "command"
				if (!strcmp(cheatName, "money"))
				{
					money();
				}
				else if (!strcmp(cheatName, "init"))
				{
					init();
				}
			}
		}
		DisconnectNamedPipe(hPipe);
		CloseHandle(hPipe);
	}
}

void init()
{
	DWORD vpTemp;
	//Fetches the Hook location in the target.
	//Note: 0x7fffffffffff does not fit in a 32-bit DWORD; the compiler truncates it to 0xFFFFFFFF,
	//so the scan relies on the pattern being found before it runs into unmapped memory.
	moneyHook = Pattern((DWORD)GetModuleHandleA("DKII.EXE"), 0x7fffffffffff, (BYTE *)"\x74\x03\x89\x6F\x7E", "xxxxx");
	if (moneyHook != 0) //Only touch the page if the pattern was actually found
		VirtualProtect((LPVOID)moneyHook, 0x64, PAGE_EXECUTE_READWRITE, &vpTemp); //Makes the page that contains the code I want to modify writeable
}

void money()
{
	__asm {
		cmp byte ptr [money_flag], 0
		jne l_disable
		mov eax, [moneyHook]
		mov byte ptr [eax], 0xEB //Changes "je" (0x74) to "jmp" (0xEB)
		mov byte ptr [money_flag], 1
		jmp l_exit
	l_disable:
		mov eax, [moneyHook]
		mov byte ptr [eax], 0x74 //Changes "jmp" (0xEB) back to "je" (0x74)
		mov byte ptr [money_flag], 0
	l_exit:
	}
}

//AOB Scanning Functions

bool Compare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
	for (; *szMask; ++szMask, ++pData, ++bMask)
		if (*szMask == 'x' && *pData != *bMask)   return 0;
	return (*szMask) == '\0';
}

DWORD Pattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, const char * szMask)
{
	for (DWORD i = 0; i < dwLen; i++)
		if (Compare((BYTE*)(dwAddress + i), bMask, szMask))  return (DWORD)(dwAddress + i);
	return 0;
}

Client:

#define STRSIZE 256

#include <Windows.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
	HANDLE hPipe;
	DWORD bytesWritten;
	char buffer[STRSIZE];

	hPipe = CreateFile(TEXT("\\\\.\\pipe\\Test"), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); //Connects to the pipe server
	if (hPipe != INVALID_HANDLE_VALUE)
	{
		while (1)
		{
			if (scanf("%255s", buffer) != 1) //The width limit (STRSIZE - 1) keeps the input inside buffer
				break;
			if (!strcmp(buffer, "exit"))
				break;
			WriteFile(hPipe, buffer, (DWORD)strlen(buffer) + 1, &bytesWritten, NULL); //Sends your "command" (with its terminator) to the server
		}

		CloseHandle(hPipe);
	}

	return (0);
}
Result:
https://youtu.be/5lujwFZp-KU
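As an added example (not code from the post or its GitHub repo), here is a bounds-checked version of the AOB scan above in portable C: it takes the region length explicitly, never reads past the end of the region, and accepts '?' wildcards in the mask. The sample region and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample "code" region: two NOPs, the page's five-byte pattern, then a RET. */
const uint8_t sample_region[] = { 0x90, 0x90, 0x74, 0x03, 0x89, 0x6F, 0x7E, 0xC3 };
const size_t sample_region_len = sizeof sample_region;

/* Match one candidate position. In the mask, 'x' means the byte must equal the
   pattern byte and '?' means any byte is accepted (wildcard). */
static int compare_masked(const uint8_t *data, const uint8_t *pat, const char *mask)
{
    for (; *mask; ++mask, ++data, ++pat)
        if (*mask == 'x' && *data != *pat)
            return 0;
    return 1;
}

/* Scan [base, base + len) for the pattern and return the offset of the first match,
   or -1 if there is none. The last candidate start is len - patlen, so the scan never
   reads a byte outside the region, regardless of how large len is. */
ptrdiff_t find_pattern(const uint8_t *base, size_t len, const uint8_t *pat, const char *mask)
{
    size_t patlen = strlen(mask);
    if (patlen == 0 || len < patlen)
        return -1;
    for (size_t i = 0; i + patlen <= len; i++)
        if (compare_masked(base + i, pat, mask))
            return (ptrdiff_t)i;
    return -1;
}

/* Same search expressed the way the post does it: an absolute address, or 0 when not found. */
uintptr_t find_pattern_address(const uint8_t *base, size_t len, const uint8_t *pat, const char *mask)
{
    ptrdiff_t off = find_pattern(base, len, pat, mask);
    return off < 0 ? 0 : (uintptr_t)(base + off);
}
```

On Windows, base and len would come from walking the module with VirtualQuery one committed region at a time, rather than from a single oversized length as in the post's init().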


Re: Dll Injection (Pipe Server & Client) Tutorial

Post by supMarco » Mon Mar 11, 2019 6:10 pm

Update #1:

Added more examples
Added basic injection
Added some checks
Added various improvements
Added a github repo: https://github.com/supMarco/PipeServer

Result:
https://youtu.be/PWHGYDW1rmc
(the song you will hear in the video is powered by SunBeam :P )

Credits: I was inspired by a DB tip


Re: Dll Injection (Pipe Server & Client) Tutorial

Post by supMarco » Wed Mar 20, 2019 10:39 am

Update #3:

Added a GUI (pure Win32 API)
Added more features
Github repo: https://github.com/supMarco/PipeServer

Result:
https://youtu.be/pRBIKJ3hrts
