v3.4 beta

Author: Broihon

GH Injector Library/Download Manager.cpp

@@ -6,6 +6,7 @@ DownloadManager::DownloadManager()
 {
     m_hInterruptEvent   = nullptr;
     m_fProgress         = 0.0f;
+    m_fOldProgress      = 0.0f;
 }
 
 DownloadManager::~DownloadManager()
@@ -39,20 +40,26 @@ HRESULT __stdcall DownloadManager::OnStartBinding(DWORD dwReserved, IBinding * p
     UNREFERENCED_PARAMETER(dwReserved);
     UNREFERENCED_PARAMETER(pib);
 
+    LOG("  DownloadManager: OnStartBinding\n");
+
     return S_OK;
 }
 
 HRESULT __stdcall DownloadManager::GetPriority(LONG * pnPriority)
 {
     UNREFERENCED_PARAMETER(pnPriority);
 
+    LOG("  DownloadManager: GetPriority\n");
+
     return S_OK;
 }
 
 HRESULT __stdcall DownloadManager::OnLowResource(DWORD reserved)
 {
     UNREFERENCED_PARAMETER(reserved);
 
+    LOG("  DownloadManager: OnLowResource\n");
+
     return S_OK;
 }
 
@@ -61,14 +68,18 @@ HRESULT __stdcall DownloadManager::OnStopBinding(HRESULT hresult, LPCWSTR szErro
     UNREFERENCED_PARAMETER(hresult);
     UNREFERENCED_PARAMETER(szError);
 
+    LOG("  DownloadManager: OnStopBinding\n");
+
     return S_OK;
 }
 
-HRESULT __stdcall DownloadManager::GetBindInfo(DWORD * grfBINDF, BINDINFO *pbindinfo)
+HRESULT __stdcall DownloadManager::GetBindInfo(DWORD * grfBINDF, BINDINFO * pbindinfo)
 {
     UNREFERENCED_PARAMETER(grfBINDF);
     UNREFERENCED_PARAMETER(pbindinfo);
 
+    LOG("  DownloadManager: GetBindInfo\n");
+
     return S_OK;
 }
 
@@ -79,6 +90,8 @@ HRESULT __stdcall DownloadManager::OnDataAvailable(DWORD grfBSCF, DWORD dwSize,
     UNREFERENCED_PARAMETER(pformatetc);
     UNREFERENCED_PARAMETER(pstgmed);
 
+    LOG("  DownloadManager: OnDataAvailable\n");
+
     return S_OK;
 }
 
@@ -87,6 +100,8 @@ HRESULT __stdcall DownloadManager::OnObjectAvailable(const IID & riid, IUnknown
     UNREFERENCED_PARAMETER(riid);
     UNREFERENCED_PARAMETER(punk);
 
+    LOG("  DownloadManager: OnObjectAvailable\n");
+
     return S_OK;
 }
 
@@ -97,12 +112,20 @@ HRESULT __stdcall DownloadManager::OnProgress(ULONG ulProgress, ULONG ulProgress
 
     if (m_hInterruptEvent && WaitForSingleObject(m_hInterruptEvent, 0) == WAIT_OBJECT_0)
     {
+        LOG("  DownloadManager: Interrupting download\n");
+
         return E_ABORT;
     }
 
     if (ulProgressMax)
     {
         m_fProgress = (float)ulProgress / ulProgressMax;
+
+        if (m_fProgress - m_fOldProgress >= 0.1f)
+        {
+            LOG("  DownloadManager: %2.0f%%\n", m_fProgress * 100.0f);
+            m_fOldProgress = m_fProgress;
+        }
     }
 
     return S_OK;
@@ -115,12 +138,12 @@ BOOL DownloadManager::SetInterruptEvent(HANDLE hInterrupt)
         CloseHandle(m_hInterruptEvent);
     }
 
-    LOG("New interrupt event specified\n");
+    LOG("  DownloadManager: New interrupt event specified\n");
 
     return DuplicateHandle(GetCurrentProcess(), hInterrupt, GetCurrentProcess(), &m_hInterruptEvent, NULL, FALSE, DUPLICATE_SAME_ACCESS);
 }
 
 float DownloadManager::GetDownloadProgress()
 {
     return m_fProgress;
-}
+}

GH Injector Library/Download Manager.h

@@ -10,6 +10,7 @@ class DownloadManager : public IBindStatusCallback
 {
     HANDLE  m_hInterruptEvent;
     float   m_fProgress;
+    float   m_fOldProgress;
 
 public:
 

GH Injector Library/Eject.cpp

@@ -2,23 +2,50 @@
 
 #include "Eject.h"
 
-//gonna make this better eventually, forgot it existed
-
-void EjectDll(HANDLE hTargetProc, HINSTANCE hModBase)
+bool EjectDll(HANDLE hTargetProc, HINSTANCE hModule)
 {
-	LOG("Ejecting injection library from hijack process\n");
+	LOG("    EjectDll called\n");
+	LOG("     PID     = %08X\n", GetProcessId(hTargetProc));
+	LOG("     hModule = %p\n", hModule);
 
 	HANDLE hThread = nullptr;
-	if (FAILED(NATIVE::NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, nullptr, hTargetProc, FreeLibrary, ReCa<void*>(hModBase), NULL, 0, 0, 0, nullptr)))
+	auto ntRet = NATIVE::NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, nullptr, hTargetProc, NATIVE::LdrUnloadDll, ReCa<void *>(hModule), NULL, 0, 0, 0, nullptr);
+	if (FAILED(ntRet))
 	{
-		LOG("Failed to eject library\n");
+		LOG("    NtCreateThreadEx failed: %08X\n", ntRet);
 
-		return;
+		return false;
 	}
 
-	WaitForSingleObject(hThread, 500);
+	if (WaitForSingleObject(hThread, 500) != WAIT_OBJECT_0)
+	{
+		LOG("    Ejection thread timed out\n");
+
+		TerminateThread(hThread, 0);
+		CloseHandle(hThread);
+
+		return false;
+	}
+
+	if (!GetExitCodeThread(hThread, ReCa<DWORD *>(&ntRet)))
+	{
+		LOG("    GetExitCodeThread failed: %08X\n", GetLastError());
+	
+		CloseHandle(hThread);
+
+		return false;
+	}
 
 	CloseHandle(hThread);
 
-	LOG("Library ejected\n");
+	if (NT_FAIL(ntRet))
+	{
+		LOG("    LdrUnloadDll failed: %08X\n", ntRet);
+
+		return false;
+	}
+
+	LOG("    Dll ejected successfully\n");
+
+	return true;
 }

GH Injector Library/Eject.h

@@ -2,8 +2,8 @@
 
 #include "Import Handler.h"
 
-void EjectDll(HANDLE hTargetProc, HINSTANCE hModBase);
-//Unloads a Dll using FreeLibrary by creating a thread in the target process using NtCreateThreadEx (native only).
+bool EjectDll(HANDLE hTargetProc, HINSTANCE hModule);
+//Unloads a dll using LdrUnloadDll by creating a thread in the target process using NtCreateThreadEx (native only).
 //
 //Arguments:
 //		hTargetProc (HANDLE):
@@ -13,8 +13,9 @@ void EjectDll(HANDLE hTargetProc, HINSTANCE hModBase);
 ///				PROCESS_VM_OPERATION
 ///				PROCESS_VM_WRITE
 ///				PROCESS_VM_READ
-//		hModBase (HINSTANCE):
+//		hModule (HINSTANCE):
 ///			The baseaddress of the module to unload.
 //
-//Returnvalue:
-///		void
+//Returnvalue (bool):
+///		true:	the module was unloaded successfully.
+///		false:	something went wrong, see logs

GH Injector Library/Error.h

@@ -27,7 +27,7 @@
 #define INJ_ERR_INVALID_PID					0x00000006	//internal error					: -						: provided process id is 0
 #define INJ_ERR_CANT_OPEN_PROCESS			0x00000007	//OpenProcess						: win32 error			: opening the specified target process failed
 #define INJ_ERR_INVALID_PROC_HANDLE			0x00000008	//GetHandleInformation				: win32 error			: the provided handle value is not a valid handle
-#define INJ_ERR_CANT_GET_EXE_FILENAME		0x00000009	//(K32)GetModuleBaseNameW			: win32 error			: failed to resolve the file name of the target process
+#define INJ_ERR_CANT_GET_EXE_FILENAME		0x00000009	//QueryFullProcessImageNameW		: win32 error			: failed to resolve the file name of the target process
 #define INJ_ERR_PLATFORM_MISMATCH			0x0000000A	//internal error					: file error			: the provided file can't be injected (file error 0x20000001 - 0x20000003)
 #define INJ_ERR_CANT_GET_TEMP_DIR			0x0000000B	//GetTempPathW						: win32 error			: unable to retrieve the path to the current users temp directory
 #define INJ_ERR_CANT_COPY_FILE				0x0000000C	//CopyFileW							: win32 error			: unable to create a copy of the specified dll file
@@ -65,12 +65,18 @@
 #define INJ_ERR_CANT_GET_PEB				0x0000002C	//__readgsqword or __readfsdword	: -						: reading the linear address of the PEB failed
 #define INJ_ERR_INVALID_PEB_DATA			0x0000002D	//internal error					: -						: peb data required to erase/fake header or unlike the module from the peb wasn't findable
 #define INJ_ERR_UPDATE_PROTECTION_FAILED	0x0000002E	//NtProtectVirtualMemory			: NTSTATUS				: updating the page protection of the pe header failed
-#define INJ_ERR_WOW64_NTDLL_MISSING			0x0000002F	//internal error					: -						: can't resolve address of the wow64 ntdll
+#define INJ_ERR_WOW64_NTDLL_MISSING			0x0000002F	//internal error					: -						: can't resolve address of the wow64 ntdll.dll
 #define INJ_ERR_INVALID_PATH_SEPERATOR		0x00000030	//internal error					: -						: can't find '\' in a path. '/' as seperators aren't supported
 #define INJ_ERR_LDRP_PREPROCESS_FAILED		0x00000031	//LdrpPreprocessDllName				: NTSTATUS				: preprocessing the dll name for LdrpLoadDll(Internal) failed
 #define INJ_ERR_INVALID_POINTER				0x00000032	//internal error					: -						: an invalid funtion pointer was passed to SetRawPrintCallback
 #define INJ_ERR_NOT_IMPLEMENTED				0x00000033	//internal error					: -						: the module was compiled without DEBUG_INFO being defined, check pch.h for more information if you want to redirect debug output
 #define INJ_ERR_KERNEL32_MISSING			0x00000034	//internal error					: -						: failed to resolve address of kernel32.dll (native)
+#define INJ_ERR_WOW64_KERNEL32_MISSING		0x00000035	//internal error					: -						: can't resolve address of the wow64 kernel32.dll
+#define INJ_ERR_OPEN_WOW64_PROCESS			0x00000036	//OpenProcess						: win32 error			: failed to attach to wow64 process to resolve addresses
+#define INJ_ERR_IMPORT_HANDLER_NOT_DONE		0x00000037	//internal error					: -						: import handler isn't finished resolving all required functions or is waiting for symbol parser thread(s) to finish
+#define INJ_ERR_WCSRCHR_FAILED				0x00000038	//wcsrchr							: -						: wcsrchr failed to find a character in a string (usually '\\' in a path)
+#define INJ_ERR_TARGET_EXE_NAME_IS_NULL		0x00000039	//internal error					: -						: the length of the name of the specified process is 0
+#define INJ_ERR_LDR_ENTRY_IS_NULL			0x0000003A	//internal error					: -						: LdrpLoadDll(Internal) didn't return a valid LDR_DATA_TABLE_ENTRY pointer
 
 
 ///////////////////
@@ -89,9 +95,10 @@
 #define INJ_MM_ERR_IMPORT_FAIL					0x0040000A	//internal error					: NTSTATUS				: one module couldn't be loaded or an import couldn't be resolved, if ntRet is STATUS_HEAP_CORRUPTION, memory allocation failed
 #define INJ_MM_ERR_DELAY_IMPORT_FAIL			0x0040000B	//internal error					: NTSTATUS				: one module couldn't be loaded or an import couldn't be resolved, if ntRet is STATUS_HEAP_CORRUPTION, memory allocation failed
 #define INJ_MM_ERR_ENABLING_SEH_FAILED			0x0040000C	//RtlInsertInvertedFunctionTable	: NTSTATUS				: enabling exception handling by calling RtlInsertInvertedFunctionTable failed
-#define INJ_MM_ERR_INVALID_HEAP_HANDLE			0x0040000D	//internal error					: -						: the provided pointer to the LdrpHeap is invalid
-#define INJ_MM_ERR_CANT_GET_PEB					0x0040000E	//__readgsqword or __readfsdword	: -						: reading the linear address of the PEB failed
-#define INJ_MM_ERR_INVALID_PEB_DATA				0x0040000F	//internal error					: -						: peb data required to fake header wasn't findable
+#define INJ_MM_ERR_NOT_IN_LDRP_SEH_TABLE		0x0040000D	//internal error					: -						: RtlInsertInvertedFunctionTable didn't insert data into LdrpInvertedFunctionTable, manual insertion currently not supported
+#define INJ_MM_ERR_INVALID_HEAP_HANDLE			0x0040000E	//internal error					: -						: the provided pointer to the LdrpHeap is invalid
+#define INJ_MM_ERR_CANT_GET_PEB					0x0040000F	//__readgsqword or __readfsdword	: -						: reading the linear address of the PEB failed
+#define INJ_MM_ERR_INVALID_PEB_DATA				0x00400010	//internal error					: -						: peb data required to fake header wasn't findable
 
 
 
@@ -159,7 +166,7 @@
 #define SR_SWHEX_ERR_GET_ADMIN_TOKEN_FAIL	0x10300006	//GetTokenInformation	: win32 error			: failed to retrieve information from the token handle
 #define SR_SWHEX_ERR_CANT_CREATE_PROCESS	0x10300007	//CreateProcessAsUserW	: win32 error			: failed to launch SM_EXE_FILENAME.exe to execute shellcode
 														//CreateProcessW		: win32 error			: failed to launch SM_EXE_FILENAME.exe to execute shellcode
-#define SR_SWHEX_ERR_SWHEX_TIMEOUT			0x10300008	//WaitForSingleObject	: win32 error			:
+#define SR_SWHEX_ERR_SWHEX_TIMEOUT			0x10300008	//WaitForSingleObject	: win32 error			: SM_EXE_FILENAME.exe execution time exceeded
 #define SR_SWHEX_ERR_REMOTE_TIMEOUT			0x10300009	//internal error		: -						: execution time exceeded SR_REMOTE_TIMEOUT
 #define SR_SWHEX_ERR_RPM_FAIL				0x1030000A	//ReadProcessMemory		: win32 error			: reading the results of the shellcode failed
 
@@ -177,6 +184,27 @@
 #define SR_QUAPC_ERR_REMOTE_TIMEOUT			0x10400006	//internal error			: -						: execution time exceeded SR_REMOTE_TIMEOUT
 #define SR_QUAPC_ERR_RPM_FAIL				0x10400007	//WriteProcessMemory		: win32 error			: reading the results of the shellcode failed
 
+///////////////
+///KernelCallback
+													//Source				: advanced error type	: error description
+
+#define SR_KC_ERR_CANT_OPEN_INFO_TXT	0x10500001	//internal error		: -						: can't open kc info file
+#define SR_KC_ERR_PROC_INFO_FAIL		0x10500002	//internal error		: -						: can't grab process information
+#define SR_KC_ERR_CANT_GET_PEB			0x10500003	//internal error		: -						: failed to retrieve pointer to the (wow64) peb
+#define SR_KC_ERR_RPM_FAIL				0x10500004	//ReadProcessMemory		: win32 error			: failed to read memory from the target process
+#define SR_KC_ERR_NO_INITIALIZED		0x10500005	//internal error		: -						: the kernel callback table is not initialized
+#define SR_KC_ERR_CANT_ALLOC_MEM		0x10500006	//VirtualAllocEx		: win32 error			: memory allocation for the shellcode/table failed
+#define SR_KC_ERR_WPM_FAIL				0x10500007	//WriteProcessMemory	: win32 error			: writing the shellcode/table into the target process' memory failed
+#define SR_KC_ERR_WTSQUERY_FAIL			0x10500008	//WTSQueryUserToken		: win32 error			: failed to query the token for the target process user session
+#define SR_KC_ERR_DUP_TOKEN_FAIL		0x10500009	//DuplicateTokenEx		: win32 error			: failed to duplicate the token for the target process user session
+#define SR_KC_ERR_GET_ADMIN_TOKEN_FAIL	0x1050000A	//GetTokenInformation	: win32 error			: failed to retrieve information from the token handle
+#define SR_KC_ERR_CANT_CREATE_PROCESS	0x1050000B	//CreateProcessAsUserW	: win32 error			: failed to launch SM_EXE_FILENAME.exe to execute shellcode
+													//CreateProcessW		: win32 error			: failed to launch SM_EXE_FILENAME.exe to execute shellcode
+#define SR_KC_ERR_KC_TIMEOUT			0x1050000C	//WaitForSingleObject	: win32 error			: SM_EXE_FILENAME.exe execution time exceeded
+#define SR_KC_ERR_REMOTE_TIMEOUT		0x1050000D	//internal error		: -						: execution time exceeded SR_REMOTE_TIMEOUT
+
+#define SR_KC_ERR_KC_EXT_ERROR			0x1050000E	//SM_EXE_FILENAME.exe	: "GH Injector SM - XX.exe" error code, 0x50100001 - 0x50100006 (see below) or win32 exception
+
 
 
 /// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -210,9 +238,10 @@
 #define SM_ERR_INVALID_ARGV	0x30000002			//main		:	GH Injector SM - XX.exe was called with invalid arguments
 
 ////////////////////////////////////////////////////////////
-///GH Injector SM - XX.exe - SetWindowsHookEx specific erros:
-#define SWHEX_ERR_SUCCESS			0x00000000
+//GH Injector SM - XX.exe specific errors:
 
+///SetWindowHookEx:
+#define SWHEX_ERR_SUCCESS 0x00000000
 												//Source				:	error description
 
 #define SWHEX_ERR_INVALID_PATH		0x30100001	//StringCchLengthW		:	path exceeds MAX_PATH * 2 chars
@@ -222,6 +251,17 @@
 #define SWHEX_ERR_ENUM_WINDOWS_FAIL 0x30100005	//EnumWindows			:	API fail
 #define SWHEX_ERR_NO_WINDOWS		0x30100006	//internal error		:	no compatible window found
 
+///KernelCallbackTable
+#define KC_ERR_SUCCESS 0x00000000
+												//Source				:	error description
+
+#define KC_ERR_INVALID_PATH			0x50100001	//StringCchLengthW		:	path exceeds MAX_PATH * 2 chars
+#define KC_ERR_CANT_OPEN_FILE		0x50100002	//std::ifstream::good	:	openening the SMXX.txt failed
+#define KC_ERR_EMPTY_FILE			0x50100003	//internal error		:	SMXX.txt is empty
+#define KC_ERR_INVALID_INFO			0x50100004	//internal error		:	provided info is wrong / invalid
+#define KC_ERR_ENUM_WINDOWS_FAIL	0x50100005	//EnumWindows			:	API fail
+#define KC_ERR_NO_WINDOWS			0x50100006	//internal error		:	no compatible window found
+
 
 
 /// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////