mactec0 / kernelmode-manual-mapping-through-iat Goto Github PK

Hello, firstly thank you for this release, its been a great learning tool.

I've been tinkering with it and have been trying to get it to work on Rainbow Six (game was packed with vmprotect). R6 doesn't import TranslateMesssage so I used SetCursorPos. When running the program it says 'Injected Successfully' yet nothing happens. I figured it was because the game was packed so I dumped it with Scylla and opened it in IDA. I was able to find the address for the import table and hard coded it in the program.

After running the program with the hardcoded iat adress the game will crash. The cause cant be the DLL as it works with notepad. I have all the correct settings aswell.

Any ideas what to do?

/del

It works with regular apps in kernelmode injection but while it's still kernelmode, it gives that error with EAC enabled game.

it gives an error like this

hi, i tried the kernel injector this version (https://github.com/mactec0/Kernelmode-manual-mapping-through-IAT/tree/swapchain_vmt_example)

i'm testing on RainbowSix when i open the injector the console says everything is fine even tho the dll is not being injected (using testdll)

EDIT: Oh, nevermind. i figured out GameOverlayRenderer64.dll is from steam overlay but i'm using the uplay version. my bad
anyways now it's saying "Cannot find vmt table" so i'm guessing the offsets changed?

Alright, compiled this and also compiled the target DLL. Both x64 obviously.
Whenever injecting (tested both usermode & kernel mode), the target application just shuts down.
I've disabled optimization on the target DLL.

Hi, I tried to compile the driver and I succeeded. But mmap threw errors
C4996 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. ConsoleApplication1 C:\Users\Александр\Desktop\Kernelmode-manual-mapping-through-IAT-master\mmap\kernelmode_proc_handler.cpp
Error C2664 "HMODULE LoadLibraryW (LPCWSTR)": Cannot convert argument 1 from "char *" to "LPCWSTR" ConsoleApplication1 C: \ Users \ Alexander \ Desktop \ Kernelmode-manual-mapping-through-IAT-master \ mmap \ mmap.cpp 256
Error C2664 "HMODULE GetModuleHandleW (LPCWSTR)": Cannot convert argument 1 from "const char *" to "LPCWSTR" ConsoleApplication1 C: \ Users \ Alexander \ Desktop \ Kernelmode-manual-mapping-through-IAT-master \ mmap \ mmap. cpp 320
Error C2664 "int _stricmp (const char *, const char *)": it is not possible to convert argument 1 from "WCHAR [256]" to "const char *" ConsoleApplication1 C: \ Users \ Alexander \ Desktop \ Kernelmode-manual-mapping-through -IAT-master \ mmap \ usermode_proc_handler.cpp 27
Thank you

anyone managed to find a Swapchain pointer in DiscordHook64?

Test dll is x64, injector is built as x64 and nothing changed in the source code.

It says injection successful and then target application freezes and crashes. In this case notepad.

i use Direct3DCreate9/GetAdaptersInfo/IsWindow instead TranslateMessage, because r6s dont have this import. why it may not work, although it writes "inject successfully"?

Sup, how to find VMT for pubg lite (GameOverlayRenderer64.dll not used in this game) ? IAT not found coz .exe packed with Themida :C

I'm attempting to inject my dll into a test application, but upon injection it almost instantly crashes.

Console log:

Attached to process GFXTest64.exe successfully...
Image base: 0x0000000016A80000
Stub base: 0x0000000016AA0000
Solving imports...
Solving relocations...
IAT function pointer: 0x00007FF744F89270
Mapping PE sections...
Entry point: 0x0000000016A8C50C
Injected successfully!

In my c++ code I'm simply just creating a new thread then calling the MessageBox macro, when doing this the application crashes:

BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		MessageBox(0, "Done.", "Injected", MB_OK | MB_ICONERROR);
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

video of issue:
video url

I also tested mmap with the USERMODE instead of KERNEL, with the same result.

Only changes i have made to mmap source is basic command line support so variables aren't hardcoded:

int main(int argc, char** argv)
{
	if (argc != 3) {
		std::cout << "[!] Incorrect usage. ( mmap.exe {process.exe} {path.dll} )" << std::endl;
		return 0;
	}

	mmap mapper(INJECTION_TYPE::KERNEL);

	if (!mapper.attach_to_process(argv[1]))
		return 1;

	if (!mapper.load_dll(argv[2]))
		return 1;

	if (!mapper.inject())
		return 1;

	return 0;
}

How can i convert x86 on source ?

EceptionInformation[00]: 0000000000000001 Write
ExceptionInformation[01]: 0000000000000000 Inaccessible Address
First chance exception on 00000243068F00CC (C0000005, EXCEPTION_ACCESS_VIOLATION)!
Breakpoint at 00000243068E699F set!
Breakpoint disabled!
paused!

Getting the above error when attempting to use IAT function ptr out of Box -- even with simple notepad example. If you look the actual instruction it's trying to call is

add byte ptr ds:[rax],al at address 00000243068F00CC. But rax is 0x0, me thinks something is wrong with the stub? Or possibly my setup?

Note, all x64, windows 10 here. And everything compiled to x64.

I know it sounds stupid but i need help with this like everything, pls help :D