C++

Forum

 
Looking For Hidden Module?

oguzhane (6)
http://i.hizliresim.com/W2pogP.png

http://i.hizliresim.com/38lgv5.png

As you can see there is a injected dll in process and it creates hidden thread , how can i detect this dll ? i have tried enum modules but it didn't work. Ideas??
Computergeek01 (5613)
So from what little research I did on this it appears to be a game hack tool correct? It appears to work by injecting itself into the local process of the machine. You won't be able to detect if someone else has it loaded on their machine without a whole lot of work, most of which would be inappropriate to discuss on this site. But to check if it is loaded into any processes on your machine you could try to use the "CreateToolhelp32Snapshot()", "Module32First()" and "Module32Next()" functions. This will go through and list the modules loaded with in the scope of the snapshot and fill in a 'MODULEENTRY32' struct with a bunch of details including the files name. If Process Explorer sees the DLL then this should work to.

- CreateToolhelp32Snapshot(): http://msdn.microsoft.com/en-us/library/windows/desktop/ms682489(v=vs.85).aspx

- Module32First(): http://msdn.microsoft.com/en-us/library/windows/desktop/ms684218(v=vs.85).aspx

- Module32Next(): http://msdn.microsoft.com/en-us/library/windows/desktop/ms684221(v=vs.85).aspx

- MODULEENTRY32: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684225(v=vs.85).aspx

If for some reason you don't have the 'Tlhelp32.h' header file then it is found in the Windows 7 SDK here: http://www.microsoft.com/en-us/download/details.aspx?id=3138
Last edited on
Duthomhas (13206)
@Computergeek01
MS websites are notorious for moving things around. I tend to use Google to resolve the correct URL for me. For example:
http://www.google.com/search?btnI=1&q=msdn+Module32First

[edit]
But, of course, now it doesn't work properly anymore.
At least the correct site is still listed first.
Last edited on
Computergeek01 (5613)
@Duoas:That's certainly a more dynamic approach. I noticed the page moves too, mostly when my bookmarks become invalidated, but they are usually valid for a reasonable amount of time after I make a post like this so I never gave it much thought. I'll try to remember to use your method next time.
oguzhane (6)
i have tried this function but it has been failed too. I can't see injecting dll.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
 
#include <windows.h> 
#include <tlhelp32.h> 
#include <tchar.h> 
 
//  Forward declarations: 
BOOL ListProcessModules( DWORD dwPID ); 
void printError( TCHAR* msg ); 
 
int main( void )
{
  ListProcessModules(GetCurrentProcessId() );
  return 0;
}

BOOL ListProcessModules( DWORD dwPID ) 
{ 
  HANDLE hModuleSnap = INVALID_HANDLE_VALUE; 
  MODULEENTRY32 me32; 
 
//  Take a snapshot of all modules in the specified process. 
  hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID ); 
  if( hModuleSnap == INVALID_HANDLE_VALUE ) 
  { 
    printError( TEXT("CreateToolhelp32Snapshot (of modules)") ); 
    return( FALSE ); 
  } 
 
//  Set the size of the structure before using it. 
  me32.dwSize = sizeof( MODULEENTRY32 ); 
 
//  Retrieve information about the first module, 
//  and exit if unsuccessful 
  if( !Module32First( hModuleSnap, &me32 ) ) 
  { 
    printError( TEXT("Module32First") );  // Show cause of failure 
    CloseHandle( hModuleSnap );     // Must clean up the snapshot object! 
    return( FALSE ); 
  } 
 
//  Now walk the module list of the process, 
//  and display information about each module 
  do 
  { 
    _tprintf( TEXT("\n\n     MODULE NAME:     %s"),             me32.szModule ); 
    _tprintf( TEXT("\n     executable     = %s"),             me32.szExePath ); 
    _tprintf( TEXT("\n     process ID     = 0x%08X"),         me32.th32ProcessID ); 
    _tprintf( TEXT("\n     ref count (g)  =     0x%04X"),     me32.GlblcntUsage ); 
    _tprintf( TEXT("\n     ref count (p)  =     0x%04X"),     me32.ProccntUsage ); 
    _tprintf( TEXT("\n     base address   = 0x%08X"), (DWORD) me32.modBaseAddr ); 
    _tprintf( TEXT("\n     base size      = %d"),             me32.modBaseSize ); 
 
  } while( Module32Next( hModuleSnap, &me32 ) ); 

    _tprintf( TEXT("\n"));
 
//  Do not forget to clean up the snapshot object. 
  CloseHandle( hModuleSnap ); 
  return( TRUE ); 
} 
 
 
void printError( TCHAR* msg )
{
  DWORD eNum;
  TCHAR sysMsg[256];
  TCHAR* p;

  eNum = GetLastError( );
  FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
         NULL, eNum,
         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
         sysMsg, 256, NULL );

  // Trim the end of the line and terminate it with a null
  p = sysMsg;
  while( ( *p > 31 ) || ( *p == 9 ) )
    ++p;
  do { *p-- = 0; } while( ( p >= sysMsg ) &&
                          ( ( *p == '.' ) || ( *p < 33 ) ) );

  // Display the message
  _tprintf( TEXT("\n  WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );
}
Last edited on
Computergeek01 (5613)
Well you could make an actual effort and not just copy and paste the sample code from MSDN. You can't tell me that you even read this code and still don't understand why it didn't see that file. If you're looking for someone to write this for you then you'll want to move this thread over to the Jobs section.
oguzhane (6)
@Computergeek01 i can understand all of theese codes but i can't understand why didn't it see hidden dll , could you tell me why ??
Computergeek01 (5613)
i can understand all of theese codes but i can't understand why didn't it see hidden dll ...

These two things are mutually exclusive. If you understood what "GetCurrentProcessId()" returns, and what passing that value to "CreateToolhelp32Snapshot()" does, then you would understand why this program doesn't list the file that isn't loaded into it's image.

On Line 11, replace the call to "GetCurrentProcessId()" with the value of the Process ID for the program you are looking for the file in.
oguzhane (6)
Do you think i am idiot ? i have already do that...
oguzhane (6)
It is my edited code here , but the problem is when i create snapshot for modules injected dll can't seen.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
 
BOOL ListProcessModules(DWORD dwPID);
void printError(TCHAR* msg);


 BOOL GetLastWriteTime(HANDLE hFile, LPTSTR lpszString, DWORD dwSize)
{
    FILETIME ftCreate, ftAccess, ftWrite;
    SYSTEMTIME stUTC, stLocal;
    DWORD dwRet;

    // Retrieve the file times for the file.
    if (!GetFileTime(hFile, &ftCreate, &ftAccess, &ftWrite))
        return FALSE;

    // Convert the last-write time to local time.
    FileTimeToSystemTime(&ftWrite, &stUTC);
    SystemTimeToTzSpecificLocalTime(NULL, &stUTC, &stLocal);

    // Build a string showing the date and time.
    dwRet = StringCchPrintf(lpszString, dwSize, 
        TEXT("%02d%02d%d%02d%02d"),
        stLocal.wMonth, stLocal.wDay, stLocal.wYear,
        stLocal.wHour, stLocal.wMinute);

    if( S_OK == dwRet )
        return TRUE;
    else return FALSE;
}
 extern "C" __declspec(dllexport) bool __cdecl damage()
{
	while (true)
	{
		Sleep(5000);
	DWORD my;
	my = GetCurrentProcessId();
// 0 means current process, that is this program...
ListProcessModules(my);
	}
 }

 
BOOL ListProcessModules(DWORD dwPID)
{
	remove ("mgm.log");
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
 
// Take a snapshot of all modules in the specified process.
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
 
if(hModuleSnap == INVALID_HANDLE_VALUE)
{
printError(L"CreateToolhelp32Snapshot()");
return (FALSE);
}
// Set the size of the structure before using it.
me32.dwSize = sizeof(MODULEENTRY32);
 
// Retrieve information about the first module, and exit if unsuccessful
if(!Module32First(hModuleSnap, &me32))
{
printError(L"Module32First()"); // Show cause of failure
CloseHandle(hModuleSnap); // Must clean up the snapshot object
return (FALSE);
}
 
// Now walk the module list of the process, and display information about each module
while (Module32Next(hModuleSnap, &me32))
{
	std::string s;
char ch[260];
char DefChar = ' ';
WideCharToMultiByte(CP_ACP,0,me32.szExePath,-1, ch,260,&DefChar, NULL);
s = ch;

HANDLE hFile;
    TCHAR szBuf[MAX_PATH];

  
	hFile = CreateFile(me32.szExePath, GENERIC_READ, FILE_SHARE_READ, NULL,
        OPEN_EXISTING, 0, NULL);

    if(hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile failed with %d\n", GetLastError());
        return 0;
    }
    if(GetLastWriteTime( hFile, szBuf, MAX_PATH ))
        
        TCHAR szBuf[256];
std::wstring arr_w( szBuf );
std::string arr_s( arr_w.begin(), arr_w.end() );

    CloseHandle(hFile); 

					fstream textfile;
					textfile.open ("mgm.log", ios::out | ios::app);
					textfile<<s.c_str() << " ------ " << arr_s.c_str()<< endl;

	if (arr_s.find ("051820141958") != std::string::npos)
	{
		fstream textfile;
					textfile.open ("mgm.log", ios::out | ios::app);
					textfile<< "Karacabay-Scan : " <<"Hack Girişimi Algılandı - Lalaker Pro Damage"<< endl;
					textfile<< "Karacabay-Scan : " <<"Oyun Kapatılıyor..."<< endl;
					Sleep (1000);
					ShellExecuteA( NULL, "open", "mgm.log", NULL, NULL, SW_SHOWNORMAL );
					ExitProcess(0);
					return TRUE;
	}
	
		

	

}
 
// Do not forget to clean up the snapshot object.
CloseHandle(hModuleSnap);
return (TRUE);
}
 
// Printing the error if any
void printError(TCHAR* msg)
{
DWORD eNum;
TCHAR sysMsg[256];
TCHAR* p;
eNum = GetLastError();
 
// FormatMessageW - unicode, FormatMessageA - ANSI
FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
NULL, eNum, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
sysMsg, 256, NULL);
// Trim the end of the line and terminate it with a null
p = sysMsg;
while ((*p > 31) || (*p == 9))
++p;
do { *p-- = 0; }
while ((p >= sysMsg) && ((*p == '.') || (*p < 33)));
// Display the message...
printf("\n WARNING: %S failed with error %d (%s)\n", msg, eNum, sysMsg);
}
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	CreateThread(NULL, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(damage), hModule, 0, NULL);
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
Computergeek01 (5613)
That should be a "do ... while()" at Line 68 not just a "while()". Right now you're throwing away the first result.

I hate to ask, but do you know for a fact that the module IS loaded right now? It isn't a persistent hack.

What is going on in Lines 90 - 92? You re-declare variable from Line 77 as a char array and don't initialize it, then you use that to make a wide string and a regular string but all three variables contain garbage data.

Do you know what is being returned from "WideCharToMultiByte()"? I mean the content of the char array not literally the value that is being returned.
Topic archived. No new replies allowed.