#include <Windows.h>
#include <TlHelp32.h>
#include <string>
#include <iostream>
#include <chrono>
#include <thread>
using namespace std;
// Thank you 'Zer0' for this function
// Loads the DLL at dllPath into the process identified by processId by
// creating a remote thread whose start routine is kernel32!LoadLibraryA.
//
// Parameters:
//   processId - PID of the target process (see FindProcessId).
//   dllPath   - NUL-terminated path of the DLL; its length is taken with strlen().
// Returns true as soon as OpenProcess succeeded and the remote thread has
// finished; false only when OpenProcess itself failed. The results of
// GetProcAddress, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
// are never checked, so "true" does not prove the library was actually loaded,
// and a null RemoteThread would be passed straight to WaitForSingleObject.
//
// NOTE(review): OpenProcess(PROCESS_ALL_ACCESS) followed by VirtualAllocEx /
// WriteProcessMemory / CreateRemoteThread on LoadLibraryA is the classic
// remote-thread injection sequence and is exactly the telemetry endpoint
// protection products alert on; a "Failed" result can therefore be host
// protection rather than a bug in this code.
bool InjectDynamicLibrary(DWORD processId, char* dllPath)
{
// Open a new handle to the target process
HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, processId);
if (hTargetProcess) // if the handle is valid
{
// The author assumes kernel32.dll is mapped at the same base in every process,
// so the address of LoadLibraryA resolved in THIS process is used as the
// thread start address in the remote process. This holds only when both
// processes share the same kernel32 image (same architecture / boot session) —
// an assumption, not something this code verifies.
LPVOID LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
// Allocate memory in the target process to hold the DLL path in its address
// space. The size requested is strlen(dllPath) bytes.
LPVOID LoadPath = VirtualAllocEx(hTargetProcess, nullptr, strlen(dllPath),
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Copy the path across; the BOOL result is ignored.
WriteProcessMemory(hTargetProcess, LoadPath, dllPath, strlen(dllPath), nullptr);
// Create a thread in the target process that will call LoadLibraryA() with the dllpath as a parameter
HANDLE RemoteThread = CreateRemoteThread(hTargetProcess, nullptr, 0,
(LPTHREAD_START_ROUTINE)LoadLibAddr, LoadPath, 0, nullptr);
// Wait for the operation to complete, then continue.
WaitForSingleObject(RemoteThread, INFINITE);
// The path is no longer needed in the remote process, so release it.
// NOTE(review): the Win32 docs require dwSize to be 0 when MEM_RELEASE is
// used; with strlen(dllPath) passed here the call presumably fails (its
// return value is not checked) and the page stays mapped until the target exits.
VirtualFreeEx(hTargetProcess, LoadPath, strlen(dllPath), MEM_RELEASE);
CloseHandle(RemoteThread);
CloseHandle(hTargetProcess);
return true;
}
return false;
}
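// Looks up the PID of the first running process whose executable name equals
// processName (exact, case-sensitive comparison) via a Toolhelp snapshot.
//
// Parameters:
//   processName - executable file name such as L"foo.exe". It is compared
//                 against PROCESSENTRY32::szExeFile, so this only compiles
//                 with UNICODE defined (szExeFile is a WCHAR array there).
// Returns the matching th32ProcessID, or 0 when the snapshot could not be
// taken, enumeration failed, or nothing matched. Callers treat 0 as "not found".
DWORD FindProcessId(wstring processName)
{
	// Zero-initialise so a failed enumeration never compares garbage bytes.
	PROCESSENTRY32 processInfo{};
	processInfo.dwSize = sizeof(processInfo);
	HANDLE processSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (processSnapshot == INVALID_HANDLE_VALUE)
		return 0;
	DWORD foundId = 0;
	// The result of Process32First was previously ignored, so an empty or
	// failed snapshot still went through a comparison; advance only while the
	// API actually yields an entry.
	for (BOOL ok = Process32First(processSnapshot, &processInfo); ok;
		 ok = Process32Next(processSnapshot, &processInfo))
	{
		if (processName.compare(processInfo.szExeFile) == 0)
		{
			foundId = processInfo.th32ProcessID;
			break;
		}
	}
	// Single exit point: the snapshot handle is always closed exactly once.
	CloseHandle(processSnapshot);
	return foundId;
}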
// Entry point: resolves the PID of "_FoY.exe", tries to load the hard-coded
// FoyBot.dll build artefact into it, prints the outcome and exits after a
// two-second pause so the console output stays readable.
int main()
{
// NOTE(review): FindProcessId returns DWORD; storing it in int narrows.
// A result of 0 means "not found" but is passed on unchecked, so when the
// game is simply not running, OpenProcess presumably fails on PID 0 and the
// "Try to run it as admin" hint below is printed for the wrong reason.
int procId = FindProcessId(L"_FoY.exe");
cout << "Process Id : " << procId << endl;
// The DLL path is an absolute path from the author's machine (Debug output).
// Passing a string literal where a non-const char* is expected has been
// ill-formed since C++11; most compilers only accept it with a warning.
bool hasInjected = InjectDynamicLibrary(procId, "C:\\Users\\Coac\\Documents\\PersonalProjects\\FoyBot\\Debug\\FoyBot.dll");
if (hasInjected) {
cout << "Success" << endl;
}
else {
// InjectDynamicLibrary only returns false when OpenProcess fails, which is
// why the author suggests elevation here.
cout << "Failed" << endl;
cout << "Try to run it as admin" << endl;
}
cout << "This console will be closed in 2 seconds." << endl;
this_thread::sleep_for(chrono::milliseconds(2000));
}