More error checking, fixed readme (updated this one by accident lmao), proper unicode implementation of setwindowhookex injection, GH Injector SM is also a unicode project now

Broihon · Broihon · commit 477109ae4889 · 2021-01-08T00:13:42.000+01:00
diff --git a/GH Injector Library/Error.h b/GH Injector Library/Error.h
@@ -282,6 +282,7 @@
 #define HOOK_SCAN_ERR_CREATE_PROCESS_FAILED			0x50000008	//CreateProcessW		:	win32 error
 #define HOOK_SCAN_ERR_WAIT_FAILED					0x50000009	//WaitForSingleObject	:	win32 error
 #define HOOK_SCAN_ERR_WAIT_TIMEOUT					0x5000000A	//WaitForSingleObject	:	waiting timed out
+#define HOOK_SCAN_ERR_BUFFER_TOO_SMALL				0x5000000B	//internal error		:	the buffer passed to ValidateInjectionFunctions is too small
 
 
 
diff --git a/GH Injector Library/Handle Hijacking.cpp b/GH Injector Library/Handle Hijacking.cpp
@@ -11,7 +11,7 @@ NTSTATUS EnumHandles(char * pBuffer, ULONG Size, ULONG * SizeOut, UINT & Count)
 
 	if (NT_FAIL(ntRet))
 	{
-		LOG("Failed to grab handle list\n");
+		LOG("Failed to grab handle list: %08X\n", ntRet);
 
 		return ntRet;
 	}
diff --git a/GH Injector Library/Hook Scanner.cpp b/GH Injector Library/Hook Scanner.cpp
@@ -326,6 +326,8 @@ bool __stdcall ValidateInjectionFunctions(DWORD dwTargetProcessId, DWORD & Error
 	{
 		LOG("Provided buffer too small\n");
 
+		ErrorCode = HOOK_SCAN_ERR_BUFFER_TOO_SMALL;
+
 		return false;
 	}
 
@@ -381,10 +383,10 @@ bool __stdcall RestoreInjectionFunctions(DWORD dwTargetProcessId, DWORD & ErrorC
 		*CountOut = SuccessCount;
 	}
 
-	LOG("%d of %d hook(s) restored\n", SuccessCount, Count);
-
 	CloseHandle(hTargetProc);
 
+	LOG("%d of %d hook(s) restored\n", SuccessCount, Count);
+
 	return true;
 }
 
diff --git a/GH Injector Library/Injection Generic WOW64.cpp b/GH Injector Library/Injection Generic WOW64.cpp
@@ -109,7 +109,7 @@ DWORD InjectDLL_WOW64(const wchar_t * szDllFile, HANDLE hTargetProc, INJECTION_M
 
 	LOG("Shell written to memory\n");
 
-	LOG("Enterting StartRoutine_WOW64\n");
+	LOG("Entering StartRoutine_WOW64\n");
 
 	DWORD remote_ret = 0;
 	DWORD dwRet = StartRoutine_WOW64(hTargetProc, (f_Routine_WOW64)(MDWD(pShell)), MDWD(pArg), Method, (Flags & INJ_THREAD_CREATE_CLOAKED) != 0, remote_ret, Timeout, error_data);
diff --git a/GH Injector Library/Injection Generic.cpp b/GH Injector Library/Injection Generic.cpp
@@ -96,7 +96,7 @@ DWORD InjectDLL(const wchar_t * szDllFile, HANDLE hTargetProc, INJECTION_MODE Mo
 
 	LOG("Shell written to memory\n");
 
-	LOG("Enterting StartRoutine\n");
+	LOG("Entering StartRoutine\n");
 
 	DWORD remote_ret = 0;
 	DWORD dwRet = StartRoutine(hTargetProc, ReCa<f_Routine>(pShell), pArg, Method, (Flags & INJ_THREAD_CREATE_CLOAKED) != 0, remote_ret, Timeout, error_data);
diff --git a/GH Injector Library/Injection.cpp b/GH Injector Library/Injection.cpp
@@ -488,15 +488,19 @@ DWORD HijackHandle(INJECTIONDATAW * pData, ERROR_DATA & error_data)
 			LastErrCode = INJ_ERR_CANT_OPEN_PROCESS;
 			INIT_ERROR_DATA(error_data, GetLastError());
 
+			LOG("Failed to attach to process %06X\n", i.OwnerPID);
+
 			continue;
 		}
+
+		LOG("Attached to process %06X\n", i.OwnerPID);
 					
 		if (!IsElevatedProcess(hHijackProc) || !IsNativeProcess(hHijackProc))
 		{
 			LastErrCode = INJ_ERR_HIJACK_NO_NATIVE_HANDLE;
 			INIT_ERROR_DATA(error_data, INJ_ERR_ADVANCED_NOT_DEFINED);
 
-			LOG("Can't open process %06X\n", i.OwnerPID);
+			LOG("Process isn't elevated or native\n");
 
 			CloseHandle(hHijackProc);
 			
@@ -518,7 +522,7 @@ DWORD HijackHandle(INJECTIONDATAW * pData, ERROR_DATA & error_data)
 			continue;
 		}
 
-		LOG("Injection module loaded\n");
+		LOG("Injection module loaded into hijack process\n");
 
 		HINSTANCE hInjectionModuleEx = hijack_data.hDllOut;
 		f_Routine pRemoteInjectW = ReCa<f_Routine>(ReCa<UINT_PTR>(InjectW) - ReCa<UINT_PTR>(g_hInjMod) + ReCa<UINT_PTR>(hInjectionModuleEx));
@@ -554,6 +558,8 @@ DWORD HijackHandle(INJECTIONDATAW * pData, ERROR_DATA & error_data)
 			continue;
 		}
 
+		LOG("Handle value: %04X\n", i.hValue);
+
 		pData->hHandleValue = 0;
 
 		LOG("Injection data written to hijack process\n");
diff --git a/GH Injector Library/Manual Mapping WOW64.cpp b/GH Injector Library/Manual Mapping WOW64.cpp
@@ -120,7 +120,7 @@ DWORD MMAP_WOW64::ManualMap_WOW64(const wchar_t * szDllFile, HANDLE hTargetProc,
 
 	LOG("Shell written to memory\n");
 
-	LOG("Enterting StartRoutine_WOW64\n");
+	LOG("Entering StartRoutine_WOW64\n");
 
 	DWORD remote_ret = 0;
 	DWORD dwRet = StartRoutine_WOW64(hTargetProc, (f_Routine_WOW64)(MDWD(pShell)), MDWD(pArg), Method, (Flags & INJ_THREAD_CREATE_CLOAKED) != 0, remote_ret, Timeout, error_data);
diff --git a/GH Injector Library/Manual Mapping.cpp b/GH Injector Library/Manual Mapping.cpp
@@ -128,7 +128,7 @@ DWORD MMAP_NATIVE::ManualMap(const wchar_t * szDllFile, HANDLE hTargetProc, LAUN
 
 	LOG("Shell written to memory\n");
 
-	LOG("Enterting StartRoutine\n");
+	LOG("Entering StartRoutine\n");
 
 	DWORD remote_ret = 0;
 	DWORD dwRet = StartRoutine(hTargetProc, ReCa<f_Routine>(pShell), pArg, Method, (Flags & INJ_THREAD_CREATE_CLOAKED) != 0, remote_ret, Timeout, error_data);
diff --git a/GH Injector Library/SetWindowsHookEx WOW64.cpp b/GH Injector Library/SetWindowsHookEx WOW64.cpp
@@ -98,7 +98,7 @@ DWORD SR_SetWindowsHookEx_WOW64(HANDLE hTargetProc, f_Routine_WOW64 pRoutine, DW
 	std::wstring smPath = g_RootPathW;
 	smPath += SM_EXE_FILENAME86;
 
-	wchar_t cmdLine[] = L"\"" SM_EXE_FILENAME86 "\"";
+	wchar_t cmdLine[] = L"\"" SM_EXE_FILENAME86 "\" 0";
 
 	PROCESS_INFORMATION pi{ 0 };
 	STARTUPINFOW		si{ 0 };
@@ -156,6 +156,8 @@ DWORD SR_SetWindowsHookEx_WOW64(HANDLE hTargetProc, f_Routine_WOW64 pRoutine, DW
 
 		LOG("Token prepared\n");
 
+		LOG("Launching %ls:\n %ls\n", SM_EXE_FILENAME86, cmdLine);
+
 		if (!CreateProcessAsUserW(hAdminToken, smPath.c_str(), cmdLine, nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi))
 		{
 			INIT_ERROR_DATA(error_data, GetLastError());
@@ -178,6 +180,8 @@ DWORD SR_SetWindowsHookEx_WOW64(HANDLE hTargetProc, f_Routine_WOW64 pRoutine, DW
 	}
 	else
 	{
+		LOG("Launching %ls:\n %ls\n", SM_EXE_FILENAME86, cmdLine);
+
 		if (!CreateProcessW(smPath.c_str(), cmdLine, nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi))
 		{
 			INIT_ERROR_DATA(error_data, GetLastError());
diff --git a/GH Injector Library/SetWindowsHookEx.cpp b/GH Injector Library/SetWindowsHookEx.cpp
@@ -138,7 +138,7 @@ DWORD SR_SetWindowsHookEx(HANDLE hTargetProc, f_Routine pRoutine, void * pArg, U
 	std::wstring smPath = g_RootPathW;
 	smPath += SM_EXE_FILENAME;
 
-	wchar_t cmdLine[] = L"\"" SM_EXE_FILENAME "\"";
+	wchar_t cmdLine[] = L"\"" SM_EXE_FILENAME "\" 0";
 
 	PROCESS_INFORMATION pi{ 0 };
 	STARTUPINFOW		si{ 0 };
@@ -199,6 +199,8 @@ DWORD SR_SetWindowsHookEx(HANDLE hTargetProc, f_Routine pRoutine, void * pArg, U
 
 		LOG("Token prepared\n");
 
+		LOG("Launching %ls:\n %ls\n", SM_EXE_FILENAME, cmdLine);
+
 		if (!CreateProcessAsUserW(hAdminToken, smPath.c_str(), cmdLine, nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi))
 		{
 			INIT_ERROR_DATA(error_data, GetLastError());
@@ -221,7 +223,9 @@ DWORD SR_SetWindowsHookEx(HANDLE hTargetProc, f_Routine pRoutine, void * pArg, U
 		CloseHandle(hUserToken);
 	}
 	else
-	{		
+	{
+		LOG("Launching %ls:\n %ls\n", SM_EXE_FILENAME, cmdLine);
+
 		if (!CreateProcessW(smPath.c_str(), cmdLine, nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi))
 		{
 			INIT_ERROR_DATA(error_data, GetLastError());
diff --git a/GH Injector Library/Tools.cpp b/GH Injector Library/Tools.cpp
@@ -143,12 +143,9 @@ bool IsElevatedProcess(HANDLE hTargetProc)
 
 void ErrorLog(ERROR_INFO * info)
 {
-	wchar_t ErrorLogName[] = L"GH_Inj_Log.txt";
+	auto FullPath = g_RootPathW;
+	FullPath += L"GH_Inj_Log.txt";
 
-	wchar_t FullPath[MAX_PATH]{ 0 };
-	StringCbCopyW(FullPath, sizeof(FullPath), g_RootPathW.c_str());
-	StringCbCatW(FullPath, sizeof(FullPath), ErrorLogName);
-		
 	time_t time_raw	= time(nullptr);
 	tm time_info;
 	localtime_s(&time_info, &time_raw);
@@ -189,7 +186,7 @@ void ErrorLog(ERROR_INFO * info)
 	std::wofstream error_log(FullPath, std::ios_base::out | std::ios_base::app);
 	if (!error_log.good())
 	{
-		LOG("Failed to open/create error log file:\n%ls\n", FullPath);
+		LOG("Failed to open/create error log file:\n%ls\n", FullPath.c_str());
 
 		return;
 	}
@@ -226,6 +223,9 @@ std::wstring InjectionModeToString(INJECTION_MODE mode)
 		case INJECTION_MODE::IM_LdrpLoadDll:
 			return std::wstring(L"LdrpLoadDll");
 
+		case INJECTION_MODE::IM_LdrpLoadDllInternal:
+			return std::wstring(L"LdrpLoadDllInternal");
+
 		case INJECTION_MODE::IM_ManualMap:
 			return std::wstring(L"ManualMap");
 
diff --git a/GH Injector Library/main.cpp b/GH Injector Library/main.cpp
@@ -86,7 +86,9 @@ BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, void * pReserved)
 		if (sym_ntdll_native_ret.wait_for(std::chrono::milliseconds(0)) != std::future_status::ready)
 		{
 			LOG("Attempting to interrupt native ntdll.pdb donwload thread\n");
+
 			sym_ntdll_native.Interrupt();
+
 			if (sym_ntdll_native_ret.wait_for(std::chrono::milliseconds(100)) != std::future_status::ready)
 			{
 				LOG("Native ntdll pdb download thread didn't exit properly.\n");
@@ -97,7 +99,9 @@ BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, void * pReserved)
 		if (sym_ntdll_wow64_ret.wait_for(std::chrono::milliseconds(0)) != std::future_status::ready)
 		{
 			LOG("Attempting to interrupt wow64 ntdll.pdb donwload thread\n");
+
 			sym_ntdll_wow64.Interrupt();
+
 			if (sym_ntdll_wow64_ret.wait_for(std::chrono::milliseconds(100)) != std::future_status::ready)
 			{
 				LOG("Wow64 ntdll pdb download thread didn't exit properly.\n");
diff --git a/GH Injector SM/GH Injector SM/main.cpp b/GH Injector SM/GH Injector SM/main.cpp
@@ -2,7 +2,9 @@
 
 #include "main.h"
 
-int main(int argc, char * argv[])
+#pragma comment(linker, "/SUBSYSTEM:WINDOWS /ENTRY:wmainCRTStartup")
+
+int wmain(int argc, wchar_t * argv[])
 {
 	if (argc < 2)
 	{
@@ -16,10 +18,10 @@ int main(int argc, char * argv[])
 #ifndef _WIN64
 	else if (argv[1][0] == '1')
 	{
-		HANDLE hEventStart = reinterpret_cast<HANDLE>(strtol(argv[2], nullptr, 0x10));
+		HANDLE hEventStart = reinterpret_cast<HANDLE>(wcstol(argv[2], nullptr, 0x10));
 		SetEvent(hEventStart);
 
-		HANDLE hEventEnd = reinterpret_cast<HANDLE>(strtol(argv[3], nullptr, 0x10));
+		HANDLE hEventEnd = reinterpret_cast<HANDLE>(wcstol(argv[3], nullptr, 0x10));
 		WaitForSingleObject(hEventEnd, INFINITE);
 
 		CloseHandle(hEventStart);
diff --git a/README.md b/README.md
@@ -31,20 +31,14 @@ Session seperation can be bypassed with all methods.
 - TLS initialization
 - Security cookie initalization
 
-### Additional features
+### Additional features:
+
 - Various cloaking options
 	- PEB unlinking
 	- PE header cloaking
 	- Thread cloaking
 - Handle hijacking
 - Hook scanning/restoring
-- Fancy process picker
-
-### Shortcut generation:
-
-Too lazy to reopen the injector everytime you want to inject the same dll? Generate a shortcut.
-Select the dll you want to inject in the list, configure the options you want and make sure the target process is running. Then click the "Generate Shortcut" button and a shortcut will be generated in the directory of the injector.
-Now you can just double click to perform the injection. The spawned console injector waits for the specified target process to launch.
 
 ----
 

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ NTSTATUS EnumHandles(char * pBuffer, ULONG Size, ULONG * SizeOut, UINT & Count)`
`11`	`11`
`12`	`12`	`if (NT_FAIL(ntRet))`
`13`	`13`	`{`
`14`		`- LOG("Failed to grab handle list\n");`
	`14`	`+ LOG("Failed to grab handle list: %08X\n", ntRet);`
`15`	`15`
`16`	`16`	`return ntRet;`
`17`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -326,6 +326,8 @@ bool __stdcall ValidateInjectionFunctions(DWORD dwTargetProcessId, DWORD & Error`
`326`	`326`	`{`
`327`	`327`	`LOG("Provided buffer too small\n");`
`328`	`328`
	`329`	`+ ErrorCode = HOOK_SCAN_ERR_BUFFER_TOO_SMALL;`
	`330`	`+`
`329`	`331`	`return false;`
`330`	`332`	`}`
`331`	`333`
`@@ -381,10 +383,10 @@ bool __stdcall RestoreInjectionFunctions(DWORD dwTargetProcessId, DWORD & ErrorC`
`381`	`383`	`*CountOut = SuccessCount;`
`382`	`384`	`}`
`383`	`385`
`384`		`- LOG("%d of %d hook(s) restored\n", SuccessCount, Count);`
`385`		`-`
`386`	`386`	`CloseHandle(hTargetProc);`
`387`	`387`
	`388`	`+ LOG("%d of %d hook(s) restored\n", SuccessCount, Count);`
	`389`	`+`
`388`	`390`	`return true;`
`389`	`391`	`}`
`390`	`392`
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ DWORD SR_SetWindowsHookEx_WOW64(HANDLE hTargetProc, f_Routine_WOW64 pRoutine, DW`
`98`	`98`	`std::wstring smPath = g_RootPathW;`
`99`	`99`	`smPath += SM_EXE_FILENAME86;`
`100`	`100`
`101`		`- wchar_t cmdLine[] = L"\"" SM_EXE_FILENAME86 "\"";`
	`101`	`+ wchar_t cmdLine[] = L"\"" SM_EXE_FILENAME86 "\" 0";`
`102`	`102`
`103`	`103`	`PROCESS_INFORMATION pi{ 0 };`
`104`	`104`	`STARTUPINFOW si{ 0 };`
`@@ -156,6 +156,8 @@ DWORD SR_SetWindowsHookEx_WOW64(HANDLE hTargetProc, f_Routine_WOW64 pRoutine, DW`
`156`	`156`
`157`	`157`	`LOG("Token prepared\n");`
`158`	`158`
	`159`	`+ LOG("Launching %ls:\n %ls\n", SM_EXE_FILENAME86, cmdLine);`
	`160`	`+`
`159`	`161`	`if (!CreateProcessAsUserW(hAdminToken, smPath.c_str(), cmdLine, nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi))`
`160`	`162`	`{`
`161`	`163`	`INIT_ERROR_DATA(error_data, GetLastError());`
`@@ -178,6 +180,8 @@ DWORD SR_SetWindowsHookEx_WOW64(HANDLE hTargetProc, f_Routine_WOW64 pRoutine, DW`
`178`	`180`	`}`
`179`	`181`	`else`
`180`	`182`	`{`
	`183`	`+ LOG("Launching %ls:\n %ls\n", SM_EXE_FILENAME86, cmdLine);`
	`184`	`+`
`181`	`185`	`if (!CreateProcessW(smPath.c_str(), cmdLine, nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi))`
`182`	`186`	`{`
`183`	`187`	`INIT_ERROR_DATA(error_data, GetLastError());`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,9 @@ BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, void * pReserved)`
`86`	`86`	`if (sym_ntdll_native_ret.wait_for(std::chrono::milliseconds(0)) != std::future_status::ready)`
`87`	`87`	`{`
`88`	`88`	`LOG("Attempting to interrupt native ntdll.pdb donwload thread\n");`
	`89`	`+`
`89`	`90`	`sym_ntdll_native.Interrupt();`
	`91`	`+`
`90`	`92`	`if (sym_ntdll_native_ret.wait_for(std::chrono::milliseconds(100)) != std::future_status::ready)`
`91`	`93`	`{`
`92`	`94`	`LOG("Native ntdll pdb download thread didn't exit properly.\n");`
`@@ -97,7 +99,9 @@ BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, void * pReserved)`
`97`	`99`	`if (sym_ntdll_wow64_ret.wait_for(std::chrono::milliseconds(0)) != std::future_status::ready)`
`98`	`100`	`{`
`99`	`101`	`LOG("Attempting to interrupt wow64 ntdll.pdb donwload thread\n");`
	`102`	`+`
`100`	`103`	`sym_ntdll_wow64.Interrupt();`
	`104`	`+`
`101`	`105`	`if (sym_ntdll_wow64_ret.wait_for(std::chrono::milliseconds(100)) != std::future_status::ready)`
`102`	`106`	`{`
`103`	`107`	`LOG("Wow64 ntdll pdb download thread didn't exit properly.\n");`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,9 @@`
`2`	`2`
`3`	`3`	`#include "main.h"`
`4`	`4`
`5`		`-int main(int argc, char * argv[])`
	`5`	`+#pragma comment(linker, "/SUBSYSTEM:WINDOWS /ENTRY:wmainCRTStartup")`
	`6`	`+`
	`7`	`+int wmain(int argc, wchar_t * argv[])`
`6`	`8`	`{`
`7`	`9`	`if (argc < 2)`
`8`	`10`	`{`
`@@ -16,10 +18,10 @@ int main(int argc, char * argv[])`
`16`	`18`	`#ifndef _WIN64`
`17`	`19`	`else if (argv[1][0] == '1')`
`18`	`20`	`{`
`19`		`- HANDLE hEventStart = reinterpret_cast<HANDLE>(strtol(argv[2], nullptr, 0x10));`
	`21`	`+ HANDLE hEventStart = reinterpret_cast<HANDLE>(wcstol(argv[2], nullptr, 0x10));`
`20`	`22`	`SetEvent(hEventStart);`
`21`	`23`
`22`		`- HANDLE hEventEnd = reinterpret_cast<HANDLE>(strtol(argv[3], nullptr, 0x10));`
	`24`	`+ HANDLE hEventEnd = reinterpret_cast<HANDLE>(wcstol(argv[3], nullptr, 0x10));`
`23`	`25`	`WaitForSingleObject(hEventEnd, INFINITE);`
`24`	`26`
`25`	`27`	`CloseHandle(hEventStart);`