finished(i think) ai injector

1. #include <Windows.h>
2. #include <TlHelp32.h>
3. #include <Psapi.h>
4. #include <iostream>
5. #include <string>
6. #include <memory>
7.  
8. // For direct syscalls
9. typedef NTSTATUS(NTAPI* pNtCreateThreadEx)(
10. OUT PHANDLE hThread,
11. IN ACCESS_MASK DesiredAccess,
12. IN PVOID ObjectAttributes,
13. IN HANDLE ProcessHandle,
14. IN PVOID lpStartAddress,
15. IN PVOID lpParameter,
16. IN ULONG Flags,
17. IN SIZE_T StackZeroBits,
18. IN SIZE_T SizeOfStackCommit,
19. IN SIZE_T SizeOfStackReserve,
20. OUT PVOID lpBytesBuffer
21. );
22.  
23. typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)(
24. IN HANDLE ProcessHandle,
25. IN PVOID BaseAddress,
26. IN PVOID Buffer,
27. IN SIZE_T NumberOfBytesToWrite,
28. OUT PSIZE_T NumberOfBytesWritten OPTIONAL
29. );
30.  
31. // Structure for storing syscall function pointers
32. struct SYSCALLS {
33. pNtCreateThreadEx NtCreateThreadEx;
34. pNtWriteVirtualMemory NtWriteVirtualMemory;
35. };
36.  
37. SYSCALLS syscalls;
38.  
39. // Initialize syscall pointers
40. bool InitializeSyscalls() {
41. HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
42. if (!hNtdll) return false;
43.  
44. syscalls.NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
45. syscalls.NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory");
46.  
47. return (syscalls.NtCreateThreadEx && syscalls.NtWriteVirtualMemory);
48. }
49.  
50. // Structure for injection parameters
51. struct INJECTION_DATA {
52. HANDLE hProcess;
53. wchar_t dllPath[MAX_PATH];
54. bool completed;
55. };
56.  
57. // Function to detect the Roblox process ID
58. DWORD GetRobloxProcessId() {
59. DWORD processId = 0;
60. HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
61. if (hSnap == INVALID_HANDLE_VALUE) {
62. return 0;
63. }
64.  
65. PROCESSENTRY32 pe32 = { 0 };
66. pe32.dwSize = sizeof(PROCESSENTRY32);
67. if (Process32First(hSnap, &pe32)) {
68. do {
69. if (_wcsicmp(pe32.szExeFile, L"RobloxPlayerBeta.exe") == 0) {
70. processId = pe32.th32ProcessID;
71. break;
72. }
73. } while (Process32Next(hSnap, &pe32));
74. }
75.  
76. CloseHandle(hSnap);
77. return processId;
78. }
79.  
80. // Function to suspend threads using ntdll.dll (and spoof its state)
81. void SuspendAndSpoofThreads(HANDLE hProcess) {
82. DWORD processId = GetProcessId(hProcess);
83. HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
84. if (hSnap == INVALID_HANDLE_VALUE) return;
85.  
86. THREADENTRY32 te32 = { 0 };
87. te32.dwSize = sizeof(THREADENTRY32);
88.  
89. if (Thread32First(hSnap, &te32)) {
90. do {
91. // Check if the thread belongs to the target process
92. if (te32.th32OwnerProcessID == processId) {
93. HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME | THREAD_QUERY_INFORMATION, FALSE, te32.th32ThreadID);
94. if (hThread) {
95. SuspendThread(hThread);
96. CloseHandle(hThread);
97. }
98. }
99. } while (Thread32Next(hSnap, &te32));
100. }
101.  
102. CloseHandle(hSnap);
103. }
104.  
105. // Remove NTDLL but spoof its presence
106. void SpoofNtDll(HANDLE hProcess) {
107. HMODULE hNtDll = GetModuleHandleW(L"ntdll.dll");
108. if (!hNtDll) return;
109.  
110. // Get the base address of ntdll
111. MODULEINFO modInfo;
112. GetModuleInformation(GetCurrentProcess(), hNtDll, &modInfo, sizeof(modInfo));
113. LPVOID ntdllBase = modInfo.lpBaseOfDll;
114.  
115. // Get the ntdll base address in the target process
116. LPVOID remoteNtdllBase = NULL;
117. HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, GetProcessId(hProcess));
118. if (hSnap != INVALID_HANDLE_VALUE) {
119. MODULEENTRY32W me32 = { 0 };
120. me32.dwSize = sizeof(MODULEENTRY32W);
121. if (Module32FirstW(hSnap, &me32)) {
122. do {
123. if (_wcsicmp(me32.szModule, L"ntdll.dll") == 0) {
124. remoteNtdllBase = me32.modBaseAddr;
125. break;
126. }
127. } while (Module32NextW(hSnap, &me32));
128. }
129. CloseHandle(hSnap);
130. }
131.  
132. if (remoteNtdllBase) {
133. // Zero out NTDLL memory in the target process
134. SIZE_T bytesWritten;
135. BYTE zeroBuffer[4096] = { 0 };
136. for (SIZE_T i = 0; i < modInfo.SizeOfImage; i += sizeof(zeroBuffer)) {
137. syscalls.NtWriteVirtualMemory(hProcess, (LPVOID)((BYTE*)remoteNtdllBase + i),
138. zeroBuffer, sizeof(zeroBuffer), &bytesWritten);
139. }
140. }
141. }
142.  
143. // Manual mapping function
144. LPVOID ManualMap(HANDLE hProcess, const wchar_t* dllPath) {
145. // Read DLL file
146. HANDLE hFile = CreateFileW(dllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
147. if (hFile == INVALID_HANDLE_VALUE) {
148. printf("Failed to open DLL file: %d\n", GetLastError());
149. return NULL;
150. }
151.  
152. DWORD fileSize = GetFileSize(hFile, NULL);
153. if (fileSize == INVALID_FILE_SIZE) {
154. CloseHandle(hFile);
155. printf("Failed to get file size: %d\n", GetLastError());
156. return NULL;
157. }
158.  
159. LPVOID fileBuffer = VirtualAlloc(NULL, fileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
160. if (!fileBuffer) {
161. CloseHandle(hFile);
162. printf("Failed to allocate memory for DLL: %d\n", GetLastError());
163. return NULL;
164. }
165.  
166. DWORD bytesRead;
167. if (!ReadFile(hFile, fileBuffer, fileSize, &bytesRead, NULL) || bytesRead != fileSize) {
168. VirtualFree(fileBuffer, 0, MEM_RELEASE);
169. CloseHandle(hFile);
170. printf("Failed to read DLL file: %d\n", GetLastError());
171. return NULL;
172. }
173. CloseHandle(hFile);
174.  
175. // Parse PE headers
176. PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileBuffer;
177. if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
178. VirtualFree(fileBuffer, 0, MEM_RELEASE);
179. printf("Invalid DOS signature\n");
180. return NULL;
181. }
182.  
183. PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((BYTE*)fileBuffer + dosHeader->e_lfanew);
184. if (ntHeader->Signature != IMAGE_NT_SIGNATURE) {
185. VirtualFree(fileBuffer, 0, MEM_RELEASE);
186. printf("Invalid NT signature\n");
187. return NULL;
188. }
189.  
190. // Allocate memory in the target process
191. LPVOID remoteImage = VirtualAllocEx(hProcess, NULL, ntHeader->OptionalHeader.SizeOfImage,
192. MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
193. if (!remoteImage) {
194. VirtualFree(fileBuffer, 0, MEM_RELEASE);
195. printf("Failed to allocate memory in target process: %d\n", GetLastError());
196. return NULL;
197. }
198.  
199. // Copy headers
200. SIZE_T bytesWritten;
201. syscalls.NtWriteVirtualMemory(hProcess, remoteImage, fileBuffer,
202. ntHeader->OptionalHeader.SizeOfHeaders, &bytesWritten);
203.  
204. // Copy sections
205. PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(ntHeader);
206. for (int i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) {
207. LPVOID destination = (LPVOID)((BYTE*)remoteImage + sectionHeader[i].VirtualAddress);
208. LPVOID source = (LPVOID)((BYTE*)fileBuffer + sectionHeader[i].PointerToRawData);
209.  
210. syscalls.NtWriteVirtualMemory(hProcess, destination, source,
211. sectionHeader[i].SizeOfRawData, &bytesWritten);
212. }
213.  
214. VirtualFree(fileBuffer, 0, MEM_RELEASE);
215. return remoteImage;
216. }
217.  
218. // Helper function for NtCreateThreadEx
219. HANDLE CreateRemoteThreadEx(HANDLE hProcess, LPVOID lpStartAddress, LPVOID lpParameter) {
220. HANDLE hThread = NULL;
221. NTSTATUS status = syscalls.NtCreateThreadEx(
222. &hThread,
223. THREAD_ALL_ACCESS,
224. NULL,
225. hProcess,
226. lpStartAddress,
227. lpParameter,
228. 0,
229. 0,
230. 0,
231. 0,
232. NULL
233. );
234.  
235. if (status != 0) {
236. return NULL;
237. }
238.  
239. return hThread;
240. }
241.  
242. // Thread pool callback
243. VOID CALLBACK InjectionCallback(PTP_CALLBACK_INSTANCE Instance, PVOID Parameter, PTP_WORK Work) {
244. INJECTION_DATA* data = (INJECTION_DATA*)Parameter;
245.  
246. SpoofNtDll(data->hProcess); // Hide ntdll
247. SuspendAndSpoofThreads(data->hProcess); // Suspend and spoof ntdll-related threads
248.  
249. LPVOID remoteBase = ManualMap(data->hProcess, data->dllPath);
250. if (remoteBase) {
251. HMODULE hLocalModule = LoadLibraryW(data->dllPath);
252. if (hLocalModule) {
253. FARPROC localDllMain = GetProcAddress(hLocalModule, "DllMain");
254. if (localDllMain) {
255. DWORD dllMainOffset = (DWORD)((BYTE*)localDllMain - (BYTE*)hLocalModule);
256. LPVOID remoteDllMain = (LPVOID)((BYTE*)remoteBase + dllMainOffset);
257.  
258. // Create remote thread to execute DllMain
259. HANDLE hThread = CreateRemoteThreadEx(data->hProcess, remoteDllMain, remoteBase);
260. if (hThread) {
261. WaitForSingleObject(hThread, INFINITE);
262. CloseHandle(hThread);
263. printf("DLL entry point executed\n");
264. }
265. else {
266. printf("Failed to create remote thread: %d\n", GetLastError());
267. }
268. }
269. FreeLibrary(hLocalModule);
270. }
271. else {
272. printf("Failed to load local DLL: %d\n", GetLastError());
273. }
274. }
275. else {
276. printf("Manual mapping failed\n");
277. }
278.  
279. data->completed = true;
280. }
281.  
282. // Main injection function
283. bool InjectDLL(DWORD processId, const wchar_t* dllPath) {
284. if (!InitializeSyscalls()) {
285. printf("Failed to initialize syscalls\n");
286. return false;
287. }
288.  
289. HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
290. if (!hProcess) {
291. printf("Failed to open process: %d\n", GetLastError());
292. return false;
293. }
294.  
295. INJECTION_DATA data = { 0 };
296. data.hProcess = hProcess;
297. wcscpy_s(data.dllPath, dllPath);
298. data.completed = false;
299.  
300. PTP_WORK work = CreateThreadpoolWork(InjectionCallback, &data, NULL);
301. if (!work) {
302. CloseHandle(hProcess);
303. printf("Failed to create thread pool work: %d\n", GetLastError());
304. return false;
305. }
306.  
307. SubmitThreadpoolWork(work);
308.  
309. // Wait for injection to complete
310. while (!data.completed) {
311. Sleep(100);
312. }
313.  
314. CloseThreadpoolWork(work);
315. CloseHandle(hProcess);
316. return true;
317. }
318.  
319. int main() {
320. SetConsoleTitle(L"DLL Injector");
321. printf("DLL Injector - Starting...\n");
322.  
323. DWORD processId = GetRobloxProcessId(); // Automatically get Roblox process ID
324. if (processId == 0) {
325. printf("Roblox process not found! Please make sure Roblox is running.\n");
326. printf("Press any key to exit...");
327. getchar();
328. return 1;
329. }
330.  
331. printf("Found Roblox process with ID: %d\n", processId);
332.  
333. wchar_t dllPath[MAX_PATH] = L"";
334.  
335. // Ask for DLL path
336. printf("Enter path to DLL (or press Enter for default path): ");
337. char tempPath[MAX_PATH] = "";
338. fgets(tempPath, MAX_PATH, stdin);
339.  
340. // Remove newline character
341. tempPath[strcspn(tempPath, "\n")] = 0;
342.  
343. if (strlen(tempPath) > 0) {
344. // Convert to wide string
345. MultiByteToWideChar(CP_ACP, 0, tempPath, -1, dllPath, MAX_PATH);
346. }
347. else {
348. // Use default path
349. wcscpy_s(dllPath, L"C:\\path\\to\\your\\dll.dll");
350. }
351.  
352. printf("Starting injection...\n");
353. if (InjectDLL(processId, dllPath)) {
354. printf("Injection successful!\n");
355. }
356. else {
357. printf("Injection failed!\n");
358. }
359.  
360. printf("Press any key to exit...");
361. getchar();
362. return 0;
363. }
364. // Additional helper functions for manual mapping
365.  
366. // Process relocations for the remote DLL
367. bool ProcessRelocations(HANDLE hProcess, LPVOID remoteBase, LPVOID fileBuffer) {
368. PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileBuffer;
369. PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((BYTE*)fileBuffer + dosHeader->e_lfanew);
370.  
371. // Calculate the delta between preferred base and actual base
372. DWORD_PTR deltaBase = (DWORD_PTR)remoteBase - ntHeader->OptionalHeader.ImageBase;
373.  
374. // No need for relocations if we're at the preferred base
375. if (deltaBase == 0) {
376. return true;
377. }
378.  
379. // Get the relocation directory
380. PIMAGE_DATA_DIRECTORY relocDir = &ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
381. if (relocDir->Size == 0) {
382. // No relocations
383. return true;
384. }
385.  
386. // Process each relocation block
387. DWORD_PTR relocBase = (DWORD_PTR)fileBuffer + relocDir->VirtualAddress;
388. DWORD relocSize = relocDir->Size;
389. DWORD relocProcessed = 0;
390.  
391. while (relocProcessed < relocSize) {
392. PIMAGE_BASE_RELOCATION relocBlock = (PIMAGE_BASE_RELOCATION)(relocBase + relocProcessed);
393. if (relocBlock->SizeOfBlock == 0) {
394. break;
395. }
396.  
397. // Calculate number of entries in this block
398. DWORD numEntries = (relocBlock->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
399. WORD* relocEntries = (WORD*)((BYTE*)relocBlock + sizeof(IMAGE_BASE_RELOCATION));
400.  
401. // Process each entry
402. for (DWORD i = 0; i < numEntries; i++) {
403. WORD relocData = relocEntries[i];
404. DWORD relocType = relocData >> 12;
405. DWORD offset = relocData & 0xFFF;
406.  
407. // We only care about IMAGE_REL_BASED_HIGHLOW (x86) or IMAGE_REL_BASED_DIR64 (x64)
408. if (relocType == IMAGE_REL_BASED_HIGHLOW || relocType == IMAGE_REL_BASED_DIR64) {
409. // Calculate address that needs to be adjusted
410. DWORD_PTR relocAddress = (DWORD_PTR)fileBuffer + relocBlock->VirtualAddress + offset;
411.  
412. // Read the value
413. DWORD_PTR valueToFix = 0;
414. if (relocType == IMAGE_REL_BASED_HIGHLOW) {
415. valueToFix = *(DWORD*)relocAddress;
416. }
417. else {
418. valueToFix = *(DWORD_PTR*)relocAddress;
419. }
420.  
421. // Apply delta
422. valueToFix += deltaBase;
423.  
424. // Write adjusted value back to memory
425. SIZE_T bytesWritten;
426. DWORD_PTR remoteRelocAddress = (DWORD_PTR)remoteBase + relocBlock->VirtualAddress + offset;
427.  
428. if (relocType == IMAGE_REL_BASED_HIGHLOW) {
429. // 32-bit adjustment
430. DWORD value32 = (DWORD)valueToFix;
431. syscalls.NtWriteVirtualMemory(hProcess, (PVOID)remoteRelocAddress, &value32, sizeof(DWORD), &bytesWritten);
432. }
433. else {
434. // 64-bit adjustment
435. syscalls.NtWriteVirtualMemory(hProcess, (PVOID)remoteRelocAddress, &valueToFix, sizeof(DWORD_PTR), &bytesWritten);
436. }
437. }
438. }
439.  
440. // Move to next block
441. relocProcessed += relocBlock->SizeOfBlock;
442. }
443.  
444. return true;
445. }
446.  
447. // Fix import table of the remote DLL
448. bool ProcessImports(HANDLE hProcess, LPVOID remoteBase, LPVOID fileBuffer) {
449. PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileBuffer;
450. PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((BYTE*)fileBuffer + dosHeader->e_lfanew);
451.  
452. // Get the import directory
453. PIMAGE_DATA_DIRECTORY importDir = &ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
454. if (importDir->Size == 0) {
455. // No imports
456. return true;
457. }
458.  
459. // Process each imported DLL
460. PIMAGE_IMPORT_DESCRIPTOR importDesc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)fileBuffer + importDir->VirtualAddress);
461. for (; importDesc->Name != 0; importDesc++) {
462. // Get the name of the DLL
463. const char* dllName = (const char*)((BYTE*)fileBuffer + importDesc->Name);
464.  
465. // Load the DLL
466. HMODULE hModule = LoadLibraryA(dllName);
467. if (!hModule) {
468. printf("Failed to load library: %s\n", dllName);
469. continue;
470. }
471.  
472. // Process the IAT (Import Address Table)
473. PIMAGE_THUNK_DATA thunk = NULL;
474. PIMAGE_THUNK_DATA origThunk = NULL;
475.  
476. if (importDesc->OriginalFirstThunk) {
477. origThunk = (PIMAGE_THUNK_DATA)((BYTE*)fileBuffer + importDesc->OriginalFirstThunk);
478. thunk = (PIMAGE_THUNK_DATA)((BYTE*)fileBuffer + importDesc->FirstThunk);
479. }
480. else {
481. // No OriginalFirstThunk? Use FirstThunk for both
482. origThunk = (PIMAGE_THUNK_DATA)((BYTE*)fileBuffer + importDesc->FirstThunk);
483. thunk = (PIMAGE_THUNK_DATA)((BYTE*)fileBuffer + importDesc->FirstThunk);
484. }
485.  
486. // Process each function
487. for (; origThunk->u1.AddressOfData != 0; origThunk++, thunk++) {
488. FARPROC functionAddress = NULL;
489.  
490. // Check if import by ordinal
491. if (IMAGE_SNAP_BY_ORDINAL(origThunk->u1.Ordinal)) {
492. functionAddress = GetProcAddress(hModule, (LPCSTR)IMAGE_ORDINAL(origThunk->u1.Ordinal));
493. }
494. else {
495. // Import by name
496. PIMAGE_IMPORT_BY_NAME importByName = (PIMAGE_IMPORT_BY_NAME)((BYTE*)fileBuffer + origThunk->u1.AddressOfData);
497. functionAddress = GetProcAddress(hModule, (LPCSTR)importByName->Name);
498. }
499.  
500. if (!functionAddress) {
501. printf("Failed to get function address\n");
502. continue;
503. }
504.  
505. // Calculate the address in the remote process
506. DWORD_PTR remoteAddress = (DWORD_PTR)remoteBase + importDesc->FirstThunk +
507. ((BYTE*)thunk - (BYTE*)((BYTE*)fileBuffer + importDesc->FirstThunk));
508.  
509. // Write the function address to the remote IAT
510. SIZE_T bytesWritten;
511. syscalls.NtWriteVirtualMemory(hProcess, (PVOID)remoteAddress, &functionAddress, sizeof(FARPROC), &bytesWritten);
512. }
513. }
514.  
515. return true;
516. }
517.  
518. // Enhanced manual mapping function
519. LPVOID EnhancedManualMap(HANDLE hProcess, const wchar_t* dllPath) {
520. // Read DLL file
521. HANDLE hFile = CreateFileW(dllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
522. if (hFile == INVALID_HANDLE_VALUE) {
523. printf("Failed to open DLL file: %d\n", GetLastError());
524. return NULL;
525. }
526.  
527. DWORD fileSize = GetFileSize(hFile, NULL);
528. if (fileSize == INVALID_FILE_SIZE) {
529. CloseHandle(hFile);
530. printf("Failed to get file size: %d\n", GetLastError());
531. return NULL;
532. }
533.  
534. LPVOID fileBuffer = VirtualAlloc(NULL, fileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
535. if (!fileBuffer) {
536. CloseHandle(hFile);
537. printf("Failed to allocate memory for DLL: %d\n", GetLastError());
538. return NULL;
539. }
540.  
541. DWORD bytesRead;
542. if (!ReadFile(hFile, fileBuffer, fileSize, &bytesRead, NULL) || bytesRead != fileSize) {
543. VirtualFree(fileBuffer, 0, MEM_RELEASE);
544. CloseHandle(hFile);
545. printf("Failed to read DLL file: %d\n", GetLastError());
546. return NULL;
547. }
548. CloseHandle(hFile);
549.  
550. // Parse PE headers
551. PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileBuffer;
552. if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
553. VirtualFree(fileBuffer, 0, MEM_RELEASE);
554. printf("Invalid DOS signature\n");
555. return NULL;
556. }
557.  
558. PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((BYTE*)fileBuffer + dosHeader->e_lfanew);
559. if (ntHeader->Signature != IMAGE_NT_SIGNATURE) {
560. VirtualFree(fileBuffer, 0, MEM_RELEASE);
561. printf("Invalid NT signature\n");
562. return NULL;
563. }
564.  
565. // Allocate memory in the target process
566. LPVOID remoteImage = VirtualAllocEx(hProcess, NULL, ntHeader->OptionalHeader.SizeOfImage,
567. MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
568. if (!remoteImage) {
569. VirtualFree(fileBuffer, 0, MEM_RELEASE);
570. printf("Failed to allocate memory in target process: %d\n", GetLastError());
571. return NULL;
572. }
573.  
574. printf("Remote image base: 0x%p\n", remoteImage);
575.  
576. // Create a local copy of the image sections
577. LPVOID localImage = VirtualAlloc(NULL, ntHeader->OptionalHeader.SizeOfImage,
578. MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
579. if (!localImage) {
580. VirtualFreeEx(hProcess, remoteImage, 0, MEM_RELEASE);
581. VirtualFree(fileBuffer, 0, MEM_RELEASE);
582. printf("Failed to allocate local memory for image sections\n");
583. return NULL;
584. }
585.  
586. // Copy headers to local image
587. memcpy(localImage, fileBuffer, ntHeader->OptionalHeader.SizeOfHeaders);
588.  
589. // Copy sections to local image
590. PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(ntHeader);
591. for (int i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) {
592. if (sectionHeader[i].SizeOfRawData > 0) {
593. memcpy(
594. (BYTE*)localImage + sectionHeader[i].VirtualAddress,
595. (BYTE*)fileBuffer + sectionHeader[i].PointerToRawData,
596. sectionHeader[i].SizeOfRawData
597. );
598. }
599. }
600.  
601. // Process relocations
602. if (!ProcessRelocations(hProcess, remoteImage, localImage)) {
603. VirtualFreeEx(hProcess, remoteImage, 0, MEM_RELEASE);
604. VirtualFree(localImage, 0, MEM_RELEASE);
605. VirtualFree(fileBuffer, 0, MEM_RELEASE);
606. printf("Failed to process relocations\n");
607. return NULL;
608. }
609.  
610. // Process imports
611. if (!ProcessImports(hProcess, remoteImage, localImage)) {
612. VirtualFreeEx(hProcess, remoteImage, 0, MEM_RELEASE);
613. VirtualFree(localImage, 0, MEM_RELEASE);
614. VirtualFree(fileBuffer, 0, MEM_RELEASE);
615. printf("Failed to process imports\n");
616. return NULL;
617. }
618.  
619. // Write the entire image to the remote process
620. SIZE_T bytesWritten;
621. if (!WriteProcessMemory(hProcess, remoteImage, localImage, ntHeader->OptionalHeader.SizeOfImage, &bytesWritten)) {
622. VirtualFreeEx(hProcess, remoteImage, 0, MEM_RELEASE);
623. VirtualFree(localImage, 0, MEM_RELEASE);
624. VirtualFree(fileBuffer, 0, MEM_RELEASE);
625. printf("Failed to write final image to remote process: %d\n", GetLastError());
626. return NULL;
627. }
628.  
629. // Clean up local memory
630. VirtualFree(localImage, 0, MEM_RELEASE);
631. VirtualFree(fileBuffer, 0, MEM_RELEASE);
632.  
633. return remoteImage;
634. }
635.  
636. // Updated thread pool callback using enhanced manual mapping
637. VOID CALLBACK EnhancedInjectionCallback(PTP_CALLBACK_INSTANCE Instance, PVOID Parameter, PTP_WORK Work) {
638. INJECTION_DATA* data = (INJECTION_DATA*)Parameter;
639.  
640. printf("Starting injection process...\n");
641.  
642. // Spoof NTDLL and suspend threads first
643. printf("Applying anti-detection measures...\n");
644. SpoofNtDll(data->hProcess);
645. SuspendAndSpoofThreads(data->hProcess);
646.  
647. printf("Performing manual mapping...\n");
648. LPVOID remoteBase = EnhancedManualMap(data->hProcess, data->dllPath);
649.  
650. if (remoteBase) {
651. HMODULE hLocalModule = LoadLibraryW(data->dllPath);
652. if (hLocalModule) {
653. FARPROC localDllMain = GetProcAddress(hLocalModule, "DllMain");
654. if (localDllMain) {
655. DWORD dllMainOffset = (DWORD)((BYTE*)localDllMain - (BYTE*)hLocalModule);
656. LPVOID remoteDllMain = (LPVOID)((BYTE*)remoteBase + dllMainOffset);
657.  
658. printf("Executing remote DllMain at 0x%p...\n", remoteDllMain);
659.  
660. // Create remote thread to execute DllMain with proper parameters
661. HANDLE hThread = CreateRemoteThreadEx(
662. data->hProcess,
663. remoteDllMain,
664. remoteBase
665. );
666.  
667. if (hThread) {
668. printf("Waiting for DllMain execution...\n");
669. WaitForSingleObject(hThread, INFINITE);
670.  
671. DWORD exitCode = 0;
672. GetExitCodeThread(hThread, &exitCode);
673. printf("DllMain execution completed with exit code: %d\n", exitCode);
674.  
675. CloseHandle(hThread);
676. }
677. else {
678. printf("Failed to create remote thread: %d\n", GetLastError());
679. }
680. }
681. else {
682. printf("Warning: DllMain not found in the DLL\n");
683. }
684. FreeLibrary(hLocalModule);
685. }
686. else {
687. printf("Failed to load local DLL: %d\n", GetLastError());
688. }
689. }
690. else {
691. printf("Manual mapping failed\n");
692. }
693.  
694. data->completed = true;
695. }
696.  
697. // Update
698. // Advanced protection feature: Detect debuggers and anti-cheat systems
699. bool IsBeingDebugged(HANDLE hProcess) {
700. BOOL isDebuggerPresent = FALSE;
701.  
702. // Check for user-mode debugger
703. if (CheckRemoteDebuggerPresent(hProcess, &isDebuggerPresent) && isDebuggerPresent) {
704. return true;
705. }
706.  
707. // Check for system debugger flags in PEB
708. PROCESS_BASIC_INFORMATION pbi;
709. ULONG returnLength;
710.  
711. typedef NTSTATUS(NTAPI* pNtQueryInformationProcess)(
712. IN HANDLE ProcessHandle,
713. IN PROCESSINFOCLASS ProcessInformationClass,
714. OUT PVOID ProcessInformation,
715. IN ULONG ProcessInformationLength,
716. OUT PULONG ReturnLength OPTIONAL
717. );
718.  
719. pNtQueryInformationProcess NtQueryInformationProcess = (pNtQueryInformationProcess)
720. GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
721.  
722. if (NtQueryInformationProcess &&
723. NT_SUCCESS(NtQueryInformationProcess(
724. hProcess,
725. ProcessBasicInformation,
726. &pbi,
727. sizeof(PROCESS_BASIC_INFORMATION),
728. &returnLength))) {
729.  
730. // Get PEB address
731. PEB peb;
732. SIZE_T bytesRead;
733.  
734. if (ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(PEB), &bytesRead)) {
735. // Check BeingDebugged flag
736. if (peb.BeingDebugged) {
737. return true;
738. }
739.  
740. // Check NtGlobalFlag (0x70 is the debug flag combination)
741. DWORD ntGlobalFlag = 0;
742. if (ReadProcessMemory(hProcess,
743. (PVOID)((PBYTE)pbi.PebBaseAddress + offsetof(PEB, NtGlobalFlag)),
744. &ntGlobalFlag, sizeof(DWORD), &bytesRead)) {
745. if (ntGlobalFlag & 0x70) {
746. return true;
747. }
748. }
749. }
750. }
751.  
752. return false;
753. }
754.  
755. // Check for common anti-cheat processes
756. bool DetectAntiCheat() {
757. const wchar_t* antiCheatProcesses[] = {
758. L"BEService.exe", // BattlEye
759. L"EasyAntiCheat.exe", // EAC
760. L"vanguard.exe", // Riot Vanguard
761. L"faceit-ac-client.exe", // FACEIT
762. L"mhyprot2.sys", // miHoYo
763. L"xigncode3.exe", // XIGNCODE3
764. L"GameGuard.des", // NProtect GameGuard
765. NULL
766. };
767.  
768. HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
769. if (snapshot == INVALID_HANDLE_VALUE) {
770. return false;
771. }
772.  
773. PROCESSENTRY32W entry;
774. entry.dwSize = sizeof(PROCESSENTRY32W);
775.  
776. bool found = false;
777. if (Process32FirstW(snapshot, &entry)) {
778. do {
779. // Check against our list of known anti-cheat processes
780. for (int i = 0; antiCheatProcesses[i] != NULL; i++) {
781. if (_wcsicmp(entry.szExeFile, antiCheatProcesses[i]) == 0) {
782. printf("Detected anti-cheat: %ws\n", entry.szExeFile);
783. found = true;
784. break;
785. }
786. }
787. if (found) break;
788. } while (Process32NextW(snapshot, &entry));
789. }
790.  
791. CloseHandle(snapshot);
792. return found;
793. }
794.  
795. // Enhanced injection function with anti-cheat detection and safety features
796. bool EnhancedInjectDLL(DWORD processId, const wchar_t* dllPath) {
797. if (!InitializeSyscalls()) {
798. printf("Failed to initialize syscalls\n");
799. return false;
800. }
801.  
802. // Check for anti-cheat systems
803. if (DetectAntiCheat()) {
804. printf("WARNING: Anti-cheat software detected! Injection may be detected.\nContinue? (y/n): ");
805. char response;
806. scanf_s(" %c", &response, 1);
807. if (response != 'y' && response != 'Y') {
808. printf("Injection aborted by user.\n");
809. return false;
810. }
811. }
812.  
813. HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
814. if (!hProcess) {
815. printf("Failed to open process: %d\n", GetLastError());
816. return false;
817. }
818.  
819. // Check if process is being debugged
820. if (IsBeingDebugged(hProcess)) {
821. printf("WARNING: Target process appears to be debugged! This may affect injection.\n");
822. printf("Continue? (y/n): ");
823. char response;
824. scanf_s(" %c", &response, 1);
825. if (response != 'y' && response != 'Y') {
826. CloseHandle(hProcess);
827. printf("Injection aborted by user.\n");
828. return false;
829. }
830. }
831.  
832. // Set up injection data
833. INJECTION_DATA data = { 0 };
834. data.hProcess = hProcess;
835. wcscpy_s(data.dllPath, dllPath);
836. data.completed = false;
837.  
838. // Create thread pool work
839. PTP_WORK work = CreateThreadpoolWork(EnhancedInjectionCallback, &data, NULL);
840. if (!work) {
841. CloseHandle(hProcess);
842. printf("Failed to create thread pool work: %d\n", GetLastError());
843. return false;
844. }
845.  
846. printf("Submitting injection task to thread pool...\n");
847. SubmitThreadpoolWork(work);
848.  
849. // Wait for injection to complete with progress indicator
850. int dots = 0;
851. while (!data.completed) {
852. printf("\rWaiting for injection completion%.*s ", dots, "...");
853. dots = (dots + 1) % 4;
854. Sleep(250);
855. }
856. printf("\rInjection process completed \n");
857.  
858. CloseThreadpoolWork(work);
859. CloseHandle(hProcess);
860. return true;
861. }
862.  
863. // File system validation
864. bool ValidateDllFile(const wchar_t* dllPath) {
865. // Check if file exists
866. if (GetFileAttributesW(dllPath) == INVALID_FILE_ATTRIBUTES) {
867. printf("Error: DLL file does not exist.\n");
868. return false;
869. }
870.  
871. // Verify it's a DLL file (check PE header)
872. HANDLE hFile = CreateFileW(dllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
873. if (hFile == INVALID_HANDLE_VALUE) {
874. printf("Error: Could not open DLL file.\n");
875. return false;
876. }
877.  
878. bool valid = false;
879.  
880. // Read DOS header
881. IMAGE_DOS_HEADER dosHeader = { 0 };
882. DWORD bytesRead = 0;
883. if (ReadFile(hFile, &dosHeader, sizeof(IMAGE_DOS_HEADER), &bytesRead, NULL) &&
884. bytesRead == sizeof(IMAGE_DOS_HEADER)) {
885.  
886. // Check DOS signature
887. if (dosHeader.e_magic == IMAGE_DOS_SIGNATURE) {
888. // Seek to PE header
889. SetFilePointer(hFile, dosHeader.e_lfanew, NULL, FILE_BEGIN);
890.  
891. // Read NT header signature
892. DWORD ntSignature = 0;
893. if (ReadFile(hFile, &ntSignature, sizeof(DWORD), &bytesRead, NULL) &&
894. bytesRead == sizeof(DWORD)) {
895.  
896. // Check NT signature
897. if (ntSignature == IMAGE_NT_SIGNATURE) {
898. valid = true;
899. }
900. else {
901. printf("Error: Not a valid PE file (invalid NT signature).\n");
902. }
903. }
904. }
905. else {
906. printf("Error: Not a valid PE file (invalid DOS signature).\n");
907. }
908. }
909.  
910. CloseHandle(hFile);
911. return valid;
912. }
913.  
914. // Main function with improved UI
915. int main() {
916. SetConsoleTitle(L"Advanced DLL Injector");
917.  
918. // Console UI enhancements
919. HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
920. CONSOLE_SCREEN_BUFFER_INFO csbi;
921. GetConsoleScreenBufferInfo(hConsole, &csbi);
922.  
923. // Set console text colors
924. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE | FOREGROUND_INTENSITY);
925.  
926. printf("===========================================\n");
927. printf(" ADVANCED DLL INJECTOR v1.0 \n");
928. printf("===========================================\n\n");
929.  
930. // Reset colors
931. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
932.  
933. // Process selection
934. DWORD processId = 0;
935. int choice = 0;
936.  
937. printf("Select target process:\n");
938. printf("1. Automatic (Roblox)\n");
939. printf("2. Manual (Enter PID)\n");
940. printf("Choice: ");
941. scanf_s("%d", &choice);
942.  
943. // Clear input buffer
944. while (getchar() != '\n');
945.  
946. if (choice == 1) {
947. // Automatic (Roblox)
948. processId = GetRobloxProcessId();
949. if (processId == 0) {
950. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
951. printf("\nRoblox process not found! Please make sure Roblox is running.\n");
952. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
953. printf("\nPress Enter to exit...");
954. getchar();
955. return 1;
956. }
957.  
958. SetConsoleTextAttribute(hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
959. printf("\nFound Roblox process with ID: %d\n", processId);
960. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
961. }
962. else if (choice == 2) {
963. // Manual (Enter PID)
964. printf("\nEnter process ID (PID): ");
965. scanf_s("%d", &processId);
966.  
967. // Clear input buffer
968. while (getchar() != '\n');
969.  
970. // Verify the process exists
971. HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processId);
972. if (!hProcess) {
973. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
974. printf("\nError: Process with ID %d not found or access denied.\n", processId);
975. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
976. printf("\nPress Enter to exit...");
977. getchar();
978. return 1;
979. }
980. CloseHandle(hProcess);
981. }
982. else {
983. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
984. printf("\nInvalid choice!\n");
985. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
986. printf("\nPress Enter to exit...");
987. getchar();
988. return 1;
989. }
990.  
991. // DLL selection
992. wchar_t dllPath[MAX_PATH] = L"";
993. printf("\nEnter path to DLL (or press Enter for default path): ");
994.  
995. // Get input (support spaces in path)
996. char tempPath[MAX_PATH] = "";
997. fgets(tempPath, MAX_PATH, stdin);
998.  
999. // Remove newline character
1000. tempPath[strcspn(tempPath, "\n")] = 0;
1001.  
1002. if (strlen(tempPath) > 0) {
1003. // Convert to wide string
1004. MultiByteToWideChar(CP_ACP, 0, tempPath, -1, dllPath, MAX_PATH);
1005. }
1006. else {
1007. // Use default path
1008. wcscpy_s(dllPath, L"C:\\path\\to\\your\\dll.dll");
1009. }
1010.  
1011. // Validate DLL file
1012. if (!ValidateDllFile(dllPath)) {
1013. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1014. printf("\nPress Enter to exit...");
1015. getchar();
1016. return 1;
1017. }
1018.  
1019. // Start injection process
1020. SetConsoleTextAttribute(hConsole, FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
1021. printf("\nStarting injection process...\n");
1022. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1023.  
1024. if (EnhancedInjectDLL(processId, dllPath)) {
1025. SetConsoleTextAttribute(hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
1026. printf("\nInjection successful!\n");
1027. }
1028. else {
1029. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
1030. printf("\nInjection failed!\n");
1031. }
1032.  
1033. // Reset colors
1034. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1035. printf("\nPress Enter to exit...");
1036. getchar();
1037.  
1038. return 0;
1039. }
1040.  
1041. // Add definition for PEB structure
1042. typedef struct _PEB {
1043. BYTE Reserved1[2];
1044. BYTE BeingDebugged;
1045. BYTE Reserved2[1];
1046. PVOID Reserved3[2];
1047. PVOID Ldr;
1048. PVOID ProcessParameters;
1049. PVOID Reserved4[3];
1050. PVOID AtlThunkSListPtr;
1051. PVOID Reserved5;
1052. ULONG Reserved6;
1053. PVOID Reserved7;
1054. ULONG Reserved8;
1055. ULONG AtlThunkSListPtr32;
1056. PVOID Reserved9[45];
1057. BYTE Reserved10[96];
1058. PVOID PostProcessInitRoutine;
1059. BYTE Reserved11[128];
1060. PVOID Reserved12[1];
1061. ULONG SessionId;
1062. } PEB, * PPEB;
1063.  
1064. // Define ProcessInformationClass enum
1065. typedef enum _PROCESSINFOCLASS {
1066. ProcessBasicInformation = 0,
1067. // Other values omitted for brevity
1068. } PROCESSINFOCLASS;
1069.  
1070. // Define PROCESS_BASIC_INFORMATION structure
1071. typedef struct _PROCESS_BASIC_INFORMATION {
1072. PVOID Reserved1;
1073. PPEB PebBaseAddress;
1074. PVOID Reserved2[2];
1075. ULONG_PTR UniqueProcessId;
1076. PVOID Reserved3;
1077. } PROCESS_BASIC_INFORMATION;
1078.  
1079. // Define NT_SUCCESS macro
1080. #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
1081. // Advanced feature: Handling TLS callbacks
1082. bool ProcessTlsCallbacks(HANDLE hProcess, LPVOID remoteBase, LPVOID fileBuffer) {
1083. PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileBuffer;
1084. PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((BYTE*)fileBuffer + dosHeader->e_lfanew);
1085.  
1086. // Get the TLS directory
1087. PIMAGE_DATA_DIRECTORY tlsDir = &ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS];
1088. if (tlsDir->Size == 0) {
1089. // No TLS callbacks
1090. return true;
1091. }
1092.  
1093. // Get the TLS directory
1094. PIMAGE_TLS_DIRECTORY tlsDirectory = (PIMAGE_TLS_DIRECTORY)((BYTE*)fileBuffer + tlsDir->VirtualAddress);
1095.  
1096. // Check if there are callbacks
1097. if (tlsDirectory->AddressOfCallBacks == 0) {
1098. return true;
1099. }
1100.  
1101. // Calculate the remote address of the TLS callbacks
1102. DWORD_PTR localCallbacksAddr = tlsDirectory->AddressOfCallBacks;
1103. DWORD_PTR remoteCallbacksAddr = (DWORD_PTR)remoteBase +
1104. (localCallbacksAddr - (DWORD_PTR)fileBuffer);
1105.  
1106. // Execute each TLS callback
1107. PIMAGE_TLS_CALLBACK* callbacks = (PIMAGE_TLS_CALLBACK*)localCallbacksAddr;
1108. for (int i = 0; callbacks[i] != NULL; i++) {
1109. DWORD_PTR callbackRVA = (DWORD_PTR)callbacks[i] - (DWORD_PTR)fileBuffer;
1110. LPVOID remoteCallback = (LPVOID)((BYTE*)remoteBase + callbackRVA);
1111.  
1112. // Create a thread to execute the TLS callback
1113. HANDLE hThread = CreateRemoteThreadEx(
1114. hProcess,
1115. remoteCallback,
1116. remoteBase
1117. );
1118.  
1119. if (hThread) {
1120. WaitForSingleObject(hThread, INFINITE);
1121. CloseHandle(hThread);
1122. }
1123. else {
1124. printf("Warning: Failed to execute TLS callback at 0x%p\n", remoteCallback);
1125. }
1126. }
1127.  
1128. return true;
1129. }
1130.  
1131. // Add memory protection features
1132. bool SetProperMemoryProtections(HANDLE hProcess, LPVOID remoteBase, LPVOID fileBuffer) {
1133. PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileBuffer;
1134. PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((BYTE*)fileBuffer + dosHeader->e_lfanew);
1135.  
1136. // Set proper memory protection for each section
1137. PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(ntHeader);
1138.  
1139. for (int i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) {
1140. DWORD protection = PAGE_NOACCESS; // Default
1141. DWORD characteristics = sectionHeader[i].Characteristics;
1142.  
1143. // Determine protection based on section characteristics
1144. if (characteristics & IMAGE_SCN_MEM_EXECUTE) {
1145. if (characteristics & IMAGE_SCN_MEM_WRITE) {
1146. protection = PAGE_EXECUTE_READWRITE;
1147. }
1148. else if (characteristics & IMAGE_SCN_MEM_READ) {
1149. protection = PAGE_EXECUTE_READ;
1150. }
1151. else {
1152. protection = PAGE_EXECUTE;
1153. }
1154. }
1155. else if (characteristics & IMAGE_SCN_MEM_WRITE) {
1156. protection = PAGE_READWRITE;
1157. }
1158. else if (characteristics & IMAGE_SCN_MEM_READ) {
1159. protection = PAGE_READONLY;
1160. }
1161.  
1162. // Apply memory protection
1163. LPVOID sectionAddress = (LPVOID)((BYTE*)remoteBase + sectionHeader[i].VirtualAddress);
1164. DWORD oldProtection;
1165.  
1166. if (!VirtualProtectEx(
1167. hProcess,
1168. sectionAddress,
1169. sectionHeader[i].Misc.VirtualSize,
1170. protection,
1171. &oldProtection)) {
1172. printf("Warning: Failed to set proper memory protection for section %d\n", i);
1173. }
1174. }
1175.  
1176. return true;
1177. }
1178.  
1179. // Complete enhanced manual mapping process
1180. LPVOID CompleteManualMap(HANDLE hProcess, const wchar_t* dllPath) {
1181. // Read DLL file
1182. HANDLE hFile = CreateFileW(dllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
1183. if (hFile == INVALID_HANDLE_VALUE) {
1184. printf("Failed to open DLL file: %d\n", GetLastError());
1185. return NULL;
1186. }
1187.  
1188. DWORD fileSize = GetFileSize(hFile, NULL);
1189. if (fileSize == INVALID_FILE_SIZE) {
1190. CloseHandle(hFile);
1191. printf("Failed to get file size: %d\n", GetLastError());
1192. return NULL;
1193. }
1194.  
1195. LPVOID fileBuffer = VirtualAlloc(NULL, fileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
1196. if (!fileBuffer) {
1197. CloseHandle(hFile);
1198. printf("Failed to allocate memory for DLL: %d\n", GetLastError());
1199. return NULL;
1200. }
1201.  
1202. DWORD bytesRead;
1203. if (!ReadFile(hFile, fileBuffer, fileSize, &bytesRead, NULL) || bytesRead != fileSize) {
1204. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1205. CloseHandle(hFile);
1206. printf("Failed to read DLL file: %d\n", GetLastError());
1207. return NULL;
1208. }
1209. CloseHandle(hFile);
1210.  
1211. // Parse PE headers
1212. PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileBuffer;
1213. if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
1214. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1215. printf("Invalid DOS signature\n");
1216. return NULL;
1217. }
1218.  
1219. PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((BYTE*)fileBuffer + dosHeader->e_lfanew);
1220. if (ntHeader->Signature != IMAGE_NT_SIGNATURE) {
1221. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1222. printf("Invalid NT signature\n");
1223. return NULL;
1224. }
1225.  
1226. // Check architecture compatibility
1227. if (ntHeader->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64 &&
1228. ntHeader->FileHeader.Machine != IMAGE_FILE_MACHINE_I386) {
1229. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1230. printf("Unsupported architecture: 0x%04X\n", ntHeader->FileHeader.Machine);
1231. return NULL;
1232. }
1233.  
1234. printf("DLL architecture: %s\n",
1235. ntHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? "x64" : "x86");
1236.  
1237. // Create local image
1238. LPVOID localImage = VirtualAlloc(NULL, ntHeader->OptionalHeader.SizeOfImage,
1239. MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
1240. if (!localImage) {
1241. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1242. printf("Failed to allocate memory for local image\n");
1243. return NULL;
1244. }
1245.  
1246. // Copy headers to local image
1247. memcpy(localImage, fileBuffer, ntHeader->OptionalHeader.SizeOfHeaders);
1248.  
1249. // Copy sections to local image
1250. PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(ntHeader);
1251. for (int i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) {
1252. if (sectionHeader[i].SizeOfRawData > 0) {
1253. memcpy(
1254. (BYTE*)localImage + sectionHeader[i].VirtualAddress,
1255. (BYTE*)fileBuffer + sectionHeader[i].PointerToRawData,
1256. sectionHeader[i].SizeOfRawData
1257. );
1258. }
1259. }
1260.  
1261. // Allocate memory in target process
1262. LPVOID remoteImage = VirtualAllocEx(
1263. hProcess,
1264. NULL,
1265. ntHeader->OptionalHeader.SizeOfImage,
1266. MEM_COMMIT | MEM_RESERVE,
1267. PAGE_EXECUTE_READWRITE
1268. );
1269.  
1270. if (!remoteImage) {
1271. VirtualFree(localImage, 0, MEM_RELEASE);
1272. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1273. printf("Failed to allocate memory in target process: %d\n", GetLastError());
1274. return NULL;
1275. }
1276.  
1277. printf("Remote image allocated at 0x%p\n", remoteImage);
1278.  
1279. // Process relocations
1280. if (!ProcessRelocations(hProcess, remoteImage, localImage)) {
1281. VirtualFreeEx(hProcess, remoteImage, 0, MEM_RELEASE);
1282. VirtualFree(localImage, 0, MEM_RELEASE);
1283. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1284. printf("Failed to process relocations\n");
1285. return NULL;
1286. }
1287.  
1288. // Process imports
1289. if (!ProcessImports(hProcess, remoteImage, localImage)) {
1290. VirtualFreeEx(hProcess, remoteImage, 0, MEM_RELEASE);
1291. VirtualFree(localImage, 0, MEM_RELEASE);
1292. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1293. printf("Failed to process imports\n");
1294. return NULL;
1295. }
1296.  
1297. // Write the processed image to the target process
1298. SIZE_T bytesWritten;
1299. if (!WriteProcessMemory(
1300. hProcess,
1301. remoteImage,
1302. localImage,
1303. ntHeader->OptionalHeader.SizeOfImage,
1304. &bytesWritten)) {
1305.  
1306. VirtualFreeEx(hProcess, remoteImage, 0, MEM_RELEASE);
1307. VirtualFree(localImage, 0, MEM_RELEASE);
1308. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1309. printf("Failed to write image to remote process: %d\n", GetLastError());
1310. return NULL;
1311. }
1312.  
1313. // Process TLS callbacks
1314. ProcessTlsCallbacks(hProcess, remoteImage, localImage);
1315.  
1316. // Set proper memory protections
1317. SetProperMemoryProtections(hProcess, remoteImage, localImage);
1318.  
1319. // Calculate entry point address
1320. LPVOID remoteEntryPoint = (LPVOID)((BYTE*)remoteImage + ntHeader->OptionalHeader.AddressOfEntryPoint);
1321. printf("DLL entry point at 0x%p\n", remoteEntryPoint);
1322.  
1323. // Clean up local memory
1324. VirtualFree(localImage, 0, MEM_RELEASE);
1325. VirtualFree(fileBuffer, 0, MEM_RELEASE);
1326.  
1327. return remoteImage;
1328. }
1329.  
1330. // Complete injection callback
1331. VOID CALLBACK CompleteInjectionCallback(PTP_CALLBACK_INSTANCE Instance, PVOID Parameter, PTP_WORK Work) {
1332. INJECTION_DATA* data = (INJECTION_DATA*)Parameter;
1333.  
1334. printf("Starting enhanced injection process...\n");
1335.  
1336. // Apply anti-detection measures
1337. printf("Applying anti-detection measures...\n");
1338. SpoofNtDll(data->hProcess);
1339. SuspendAndSpoofThreads(data->hProcess);
1340.  
1341. printf("Performing complete manual mapping...\n");
1342. LPVOID remoteBase = CompleteManualMap(data->hProcess, data->dllPath);
1343.  
1344. if (remoteBase) {
1345. // Calculate DllMain offset and address
1346. HMODULE hLocalModule = LoadLibraryW(data->dllPath);
1347. if (hLocalModule) {
1348. FARPROC localDllMain = GetProcAddress(hLocalModule, "DllMain");
1349. if (localDllMain) {
1350. DWORD dllMainOffset = (DWORD)((BYTE*)localDllMain - (BYTE*)hLocalModule);
1351. LPVOID remoteDllMain = (LPVOID)((BYTE*)remoteBase + dllMainOffset);
1352.  
1353. printf("Executing DllMain at 0x%p...\n", remoteDllMain);
1354.  
1355. // Create remote thread to execute DllMain with proper parameters (DLL_PROCESS_ATTACH)
1356. HANDLE hThread = CreateRemoteThreadEx(
1357. data->hProcess,
1358. remoteDllMain,
1359. (LPVOID)((DWORD_PTR)remoteBase | 1) // DLL_PROCESS_ATTACH = 1
1360. );
1361.  
1362. if (hThread) {
1363. printf("Waiting for DllMain execution...\n");
1364. WaitForSingleObject(hThread, INFINITE);
1365.  
1366. DWORD exitCode = 0;
1367. GetExitCodeThread(hThread, &exitCode);
1368. printf("DllMain execution completed with exit code: %d\n", exitCode);
1369.  
1370. CloseHandle(hThread);
1371. }
1372. else {
1373. printf("Failed to create remote thread: %d\n", GetLastError());
1374. }
1375. }
1376. else {
1377. printf("Warning: DllMain not found in the DLL\n");
1378. }
1379. FreeLibrary(hLocalModule);
1380. }
1381. else {
1382. printf("Failed to load local DLL: %d\n", GetLastError());
1383. }
1384. }
1385. else {
1386. printf("Complete manual mapping failed\n");
1387. }
1388.  
1389. data->completed = true;
1390. }
1391.  
1392. // Final injection function that uses the most complete implementation
1393. bool FinalInjectDLL(DWORD processId, const wchar_t* dllPath) {
1394. if (!InitializeSyscalls()) {
1395. printf("Failed to initialize syscalls\n");
1396. return false;
1397. }
1398.  
1399. // Check for anti-cheat systems
1400. if (DetectAntiCheat()) {
1401. printf("WARNING: Anti-cheat software detected! Injection may be detected.\nContinue? (y/n): ");
1402. char response;
1403. scanf_s(" %c", &response, 1);
1404. if (response != 'y' && response != 'Y') {
1405. printf("Injection aborted by user.\n");
1406. return false;
1407. }
1408. }
1409.  
1410. HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
1411. if (!hProcess) {
1412. printf("Failed to open process: %d\n", GetLastError());
1413. return false;
1414. }
1415.  
1416. // Check if process is being debugged
1417. if (IsBeingDebugged(hProcess)) {
1418. printf("WARNING: Target process appears to be debugged! This may affect injection.\n");
1419. printf("Continue? (y/n): ");
1420. char response;
1421. scanf_s(" %c", &response, 1);
1422. if (response != 'y' && response != 'Y') {
1423. CloseHandle(hProcess);
1424. printf("Injection aborted by user.\n");
1425. return false;
1426. }
1427. }
1428.  
1429. // Set up injection data
1430. INJECTION_DATA data = { 0 };
1431. data.hProcess = hProcess;
1432. wcscpy_s(data.dllPath, dllPath);
1433. data.completed = false;
1434.  
1435. // Create thread pool work
1436. PTP_WORK work = CreateThreadpoolWork(CompleteInjectionCallback, &data, NULL);
1437. if (!work) {
1438. CloseHandle(hProcess);
1439. printf("Failed to create thread pool work: %d\n", GetLastError());
1440. return false;
1441. }
1442. // idk if the code below is looping or not but i tried to get claude in another conversation to
1443. // finish it
1444. printf("Submitting final injection task to thread pool...\n");
1445. SubmitThreadpoolWork(work);
1446.  
1447. // Wait for injection to complete with animated progress indicator
1448. int dots = 0;
1449. const char* spinner = "|/-\\";
1450. int spinnerPos = 0;
1451.  
1452. while (!data.completed) {
1453. printf("\rInjection in progress %c %.*s ",
1454. spinner[spinnerPos], dots, "...");
1455. spinnerPos = (spinnerPos + 1) % 4;
1456. dots = (dots + 1) % 4;
1457. Sleep(100);
1458. }
1459. printf("\rInjection process completed \n");
1460.  
1461. CloseThreadpoolWork(work);
1462. CloseHandle(hProcess);
1463. return true;
1464. }
1465.  
1466. // Updated main function with the most robust injection method
1467. int main() {
1468. SetConsoleTitle(L"Ultimate DLL Injector");
1469.  
1470. // Console UI enhancements
1471. HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
1472. CONSOLE_SCREEN_BUFFER_INFO csbi;
1473. GetConsoleScreenBufferInfo(hConsole, &csbi);
1474.  
1475. // Set console text colors - heading
1476. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE | FOREGROUND_INTENSITY);
1477.  
1478. printf("===========================================\n");
1479. printf(" ULTIMATE DLL INJECTOR v2.0 \n");
1480. printf("===========================================\n\n");
1481.  
1482. // Reset colors
1483. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1484.  
1485. // Process selection
1486. DWORD processId = 0;
1487. int choice = 0;
1488.  
1489. printf("Select target process:\n");
1490. printf("1. Automatic (Roblox)\n");
1491. printf("2. Manual (Enter PID)\n");
1492. printf("3. Select from process list\n");
1493. printf("Choice: ");
1494. scanf_s("%d", &choice);
1495.  
1496. // Clear input buffer
1497. while (getchar() != '\n');
1498.  
1499. if (choice == 1) {
1500. // Automatic (Roblox)
1501. processId = GetRobloxProcessId();
1502. if (processId == 0) {
1503. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
1504. printf("\nRoblox process not found! Please make sure Roblox is running.\n");
1505. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1506. printf("\nPress Enter to exit...");
1507. getchar();
1508. return 1;
1509. }
1510.  
1511. SetConsoleTextAttribute(hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
1512. printf("\nFound Roblox process with ID: %d\n", processId);
1513. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1514. }
1515. else if (choice == 2) {
1516. // Manual (Enter PID)
1517. printf("\nEnter process ID (PID): ");
1518. scanf_s("%d", &processId);
1519.  
1520. // Clear input buffer
1521. while (getchar() != '\n');
1522.  
1523. // Verify the process exists
1524. HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processId);
1525. if (!hProcess) {
1526. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
1527. printf("\nError: Process with ID %d not found or access denied.\n", processId);
1528. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1529. printf("\nPress Enter to exit...");
1530. getchar();
1531. return 1;
1532. }
1533.  
1534. // Get process name
1535. wchar_t processName[MAX_PATH] = L"<unknown>";
1536. DWORD size = MAX_PATH;
1537. QueryFullProcessImageNameW(hProcess, 0, processName, &size);
1538.  
1539. CloseHandle(hProcess);
1540.  
1541. printf("Selected process: %ls\n", processName);
1542. }
1543. else if (choice == 3) {
1544. // Show process list
1545. printf("\nAvailable processes:\n");
1546. printf("--------------------\n");
1547.  
1548. HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
1549. if (snapshot == INVALID_HANDLE_VALUE) {
1550. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
1551. printf("Error: Failed to get process list.\n");
1552. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1553. printf("\nPress Enter to exit...");
1554. getchar();
1555. return 1;
1556. }
1557.  
1558. PROCESSENTRY32W entry;
1559. entry.dwSize = sizeof(PROCESSENTRY32W);
1560.  
1561. int count = 0;
1562. const int MAX_DISPLAY = 20;
1563.  
1564. std::vector<DWORD> processIds;
1565. std::vector<std::wstring> processNames;
1566.  
1567. if (Process32FirstW(snapshot, &entry)) {
1568. do {
1569. // Skip system processes
1570. HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, entry.th32ProcessID);
1571. if (hProcess) {
1572. // Store process info
1573. processIds.push_back(entry.th32ProcessID);
1574. processNames.push_back(entry.szExeFile);
1575.  
1576. printf("%d. %ls (PID: %d)\n", ++count, entry.szExeFile, entry.th32ProcessID);
1577.  
1578. CloseHandle(hProcess);
1579.  
1580. if (count >= MAX_DISPLAY) {
1581. printf("... (More processes not shown)\n");
1582. break;
1583. }
1584. }
1585. } while (Process32NextW(snapshot, &entry));
1586. }
1587.  
1588. CloseHandle(snapshot);
1589.  
1590. int processChoice = 0;
1591. printf("\nSelect process number (1-%d): ", count);
1592. scanf_s("%d", &processChoice);
1593.  
1594. // Clear input buffer
1595. while (getchar() != '\n');
1596.  
1597. if (processChoice < 1 || processChoice > count) {
1598. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
1599. printf("Invalid selection!\n");
1600. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1601. printf("\nPress Enter to exit...");
1602. getchar();
1603. return 1;
1604. }
1605.  
1606. processId = processIds[processChoice - 1];
1607. printf("Selected process: %ls (PID: %d)\n", processNames[processChoice - 1].c_str(), processId);
1608. }
1609. else {
1610. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
1611. printf("\nInvalid choice!\n");
1612. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1613. printf("\nPress Enter to exit...");
1614. getchar();
1615. return 1;
1616. }
1617.  
1618. // DLL selection
1619. wchar_t dllPath[MAX_PATH] = L"";
1620. printf("\nEnter path to DLL (or press Enter for file browser): ");
1621.  
1622. // Get input (support spaces in path)
1623. char tempPath[MAX_PATH] = "";
1624. fgets(tempPath, MAX_PATH, stdin);
1625.  
1626. // Remove newline character
1627. tempPath[strcspn(tempPath, "\n")] = 0;
1628.  
1629. if (strlen(tempPath) > 0) {
1630. // Convert to wide string
1631. MultiByteToWideChar(CP_ACP, 0, tempPath, -1, dllPath, MAX_PATH);
1632. }
1633. else {
1634. // Use file browser dialog
1635. OPENFILENAMEW ofn = { 0 };
1636. ofn.lStructSize = sizeof(ofn);
1637. ofn.hwndOwner = NULL;
1638. ofn.lpstrFilter = L"DLL Files (*.dll)\0*.dll\0All Files (*.*)\0*.*\0";
1639. ofn.lpstrFile = dllPath;
1640. ofn.nMaxFile = MAX_PATH;
1641. ofn.Flags = OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
1642. ofn.lpstrDefExt = L"dll";
1643.  
1644. if (!GetOpenFileNameW(&ofn)) {
1645. // User canceled file dialog
1646. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
1647. printf("\nNo DLL selected. Operation canceled.\n");
1648. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1649. printf("\nPress Enter to exit...");
1650. getchar();
1651. return 1;
1652. }
1653. }
1654.  
1655. printf("Selected DLL: %ls\n", dllPath);
1656.  
1657. // Validate DLL file
1658. if (!ValidateDllFile(dllPath)) {
1659. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1660. printf("\nPress Enter to exit...");
1661. getchar();
1662. return 1;
1663. }
1664.  
1665. // Injection method selection
1666. int injectionMethod = 0;
1667. printf("\nSelect injection method:\n");
1668. printf("1. Standard (Faster, less stealthy)\n");
1669. printf("2. Enhanced (Balanced approach)\n");
1670. printf("3. Complete (Most stealthy, more reliable)\n");
1671. printf("Choice: ");
1672. scanf_s("%d", &injectionMethod);
1673.  
1674. // Clear input buffer
1675. while (getchar() != '\n');
1676.  
1677. // Start injection process
1678. SetConsoleTextAttribute(hConsole, FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
1679. printf("\nStarting injection process...\n");
1680. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1681.  
1682. bool success = false;
1683.  
1684. switch (injectionMethod) {
1685. case 1:
1686. success = InjectDLL(processId, dllPath);
1687. break;
1688. case 2:
1689. success = EnhancedInjectDLL(processId, dllPath);
1690. break;
1691. case 3:
1692. success = FinalInjectDLL(processId, dllPath);
1693. break;
1694. default:
1695. // Default to most reliable method
1696. printf("Invalid choice, using Complete injection method...\n");
1697. success = FinalInjectDLL(processId, dllPath);
1698. break;
1699. }
1700.  
1701. if (success) {
1702. SetConsoleTextAttribute(hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
1703. printf("\nInjection successful!\n");
1704. }
1705. else {
1706. SetConsoleTextAttribute(hConsole, FOREGROUND_RED | FOREGROUND_INTENSITY);
1707. printf("\nInjection failed!\n");
1708. }
1709.  
1710. // Reset colors
1711. SetConsoleTextAttribute(hConsole, csbi.wAttributes);
1712. printf("\nPress Enter to exit...");
1713. getchar();
1714.  
1715. return 0;
1716. }