Archive

Archive for the ‘Programming and Scripting’ Category

RInput library source released

May 26th, 2012

It has been a long while since I have posted. I have had some requests on releasing the source code for RInput. I found the source in an old backup and decided to make at least the library (as promised) open source under the GPL license. The injector project might be released in the future.
For anyone interested, I posted it on here on github. I will probably not have time nor interest to help everyone with using this project. I wrote a small readme file instead, which might be useful (especially for people that are not into Win32 / C/C++ programming). It would be cool to hear from you, in case you decide to use (parts of) my project.

C/C++, Gaming, Miscellaneous, Programming and Scripting, win32 , , , , , , ,

Now Palying Winamp Plugin

March 28th, 2010

It’s been a while since I’ve been posting something. I was bored and wrote a plugin for Winamp to post the artist/trackname to some games (ET/RTCW/Q3). For anyone interested, here’s the link: download. The installation instructions are included.

I can add other games upon request. This was basically just a project to see how Winamp plugins are written.

Gaming, Miscellaneous, Programming and Scripting, win32 , , , , , , , , , , , ,

RInput 1.31 sequential edition released

April 19th, 2009

rinput Logo

Just did an update on RInput as some sequential (single threaded) games were suffering from performance issues in combination with Rinput. Because the win32 dynamic library system depends on the process affinity it would’ve been quite dirty to set the process affinity inside the DLL. For anyone who was experiencing this issue, here is the single threaded version (with some minor performance improvements).

C/C++, Gaming, Programming and Scripting, win32 , , , , , , , ,

DLL Injection Class

January 25th, 2009

After posting some information about calling an exported function from a previously injected dynamic link library, I decided to release my DLL injection class for C++. The class only uses low level win32 API calls.

Click here for the source file and click here for the header file. In case you would like to see a test project click here for a rar package.

This class is written and tested in Windows XP. You need at least Windows 2000 to use this class. In order to check if the system meets the operating system requirements you might use the GetVersion/GetVersionEx function from the win32 API.

The class is released under BSD license. In case you like it or experience problems please leave me a comment.

C/C++, Programming and Scripting, win32 , , , , , , , , , , ,

RInput v1.2 released

January 3rd, 2009

 

rinput Logo

RInput allows you to override low definition windows mouse input (accurate untill 400cpi) with high definition mouse input (raw input, which is more accurate for high cpi mice). This is certainly useful for games like Wolfenstein – Enemy Territory as the engine only supports low definition windows mouse input.

 

 

Advantages

  • Prevents negative acceleration.
  • More accurate.
  • Bypass windows mouse settings (1:1, Low Level).
  • Less overhead than Direct Input.

Read the included readme to find out how to use it!
note: you need winrar to extract the file package.

Download it here.

C/C++, Gaming, Programming and Scripting, win32 , , , , , , , ,

Calling an exported function from an injected DLL library

January 2nd, 2009

As I am interested in function hooking/detouring in win32 I have read alot of articles about injecting a library into a remote process. Although none of these guides cover how to remotely call an exported function from the injected DLL. Most injectable library’s just execute their code in the DLLMain entry function.

In the past I have written a DLL that acquired the mouse using DirectInput. The initialization code in the DLLMain entry function actually made the process lockup. Microsoft doesn’t guarantee the DLLMain code to be executed successfully. Microsoft does not recommend this approach. I find creating a thread also a nasty way to initialize your code, eventhough it decreases the chance of an execution failure, creating the thread itself can still fail in theory.

This guide describes how to call a function from the injected library after injecting it.

What do you need

  • Your DLL obviously should have been injected successfully.
  • An open handle (called hProcess) to the remote process with the permission to use CreateRemoteThread.
  • You have saved the remote DLL base address into a DWORD variable called dwBaseAddress. (Use GetExitCodeThread on the remote LoadLibrary thread to retrieve this address).
  • The remote function of the injected DLL should be exported.
  • The name of the export of the DLL function (entryPoint in this guide).
  • The path to the DLL (c:\lib.dll in this guide).

The steps required after injection

  1. Load the library into the local process (injector).
  2. Retrieve the absolute address of the DLL function in the injector.
  3. Calculate the relative address using the absolute address.
  4. Locally unload the library.
  5. Calculate the absolute address of the DLL function in the remote process using adding the relative function address to the DLL base address.
  6. Call the function using CreateRemoteThread.
  7. Retrieve the remote thread exit code to determine if the remote execution was successful.

Retrieving the relative function address

FARPROC getRelativeEntryAddress(LPWSTR pwszLibrary, char* szEntryFunction) {
	if (GetFileAttributesW(pwszLibrary) == INVALID_FILE_ATTRIBUTES) return NULL;
 
	HINSTANCE hLibrary = LoadLibraryW(pwszLibrary);
	if (!hLibrary) return NULL;
 
	FARPROC pFunction = GetProcAddress(hLibrary, szEntryFunction);
	if (!pFunction) return NULL;
 
	return (FARPROC)((DWORD)pFunction - (DWORD)hLibrary);
}

Retrieving the absolute address of the remote function

LPVOID getAbsoluteAddress(DWORD dwBaseAddress, LPVOID pFunction) {
	return (LPVOID)((DWORD)pFunction + dwBaseAddress);
}

Calling the remote function by it’s absolute address

bool callRemoteFunction(HANDLE hProcess, LPVOID pFunction) {
	DWORD dwExitCode;
 
	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunction, NULL, 0, NULL);
	if (!hThread) return false;
 
	if (WaitForSingleObject(hThread, THREAD_WAIT) != WAIT_OBJECT_0) return false;
 
	if (!GetExitCodeThread(hThread, &dwExitCode)) return false;
 
	return (dwExitCode != 0);    // Assuming your function returns 0 if it does not succeed
}

Using the functions in your code

// You should have an open handle to the process, called hProcess
// You also should have the base address of the DLL, called dwBaseAddress
FARPROC pEntry = getRelativeEntryAddress(L"c:\\lib.dll", "entryPoint");
if (!pEntry) {
	// Failed to load the library into local process or retrieve the function address
}
 
LPVOID pFunction = getAbsoluteAddress(dwBaseAddress, pEntry);
if (!callRemoteFunction(hProcess, pFunction)) {
	// Failed to call the remote function
}

If you found this article useful please leave me a comment.

C/C++, Programming and Scripting, win32 , , , , , , , , , , , , ,