x/gtav-src
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a6770644bb24d2fc66a35fb9db6d70df5d108b1c
gtav-src/tools_ng/script/coding/mod/binStar/dumpIt/VictimProcess.h
T
x a6770644bb init gta
2025-09-29 00:52:08 +02:00

276 lines
8.6 KiB
C++
Executable File
Raw Blame History

#ifdef _MSC_VER
#define _CRT_SECURE_NO_WARNINGS
#endif
#include <Windows.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include <iostream>
#include <stdlib.h>
#define DUMP "C:\\temp\\dump.bin"
class VictimProcess
{
public:
PROCESSENTRY32 __gameProcess;
DWORD64 __dwordProcess;
HANDLE __HandleProcess;
HWND __HWNDCsgo;
HMODULE __HModuleTarget;
LPVOID __dwordTarget;
LPSTR __sBinary;
LPSTR __sCmdLine;
LPSTR __sProcess;
LPSTR __sDumpPath;
LPSTR __sDumpFile;
void RunProcess()
{
PROCESS_INFORMATION lpi;
STARTUPINFO si;
memset(&lpi,0,sizeof(PROCESS_INFORMATION));
memset(&si,0,sizeof(STARTUPINFO));
std::cout<<"Running target binary"<<std::endl;
if(!CreateProcess(NULL,__sCmdLine,NULL,NULL,FALSE,(CREATE_NO_WINDOW),NULL,NULL,&si,&lpi)) //Runs victim process
{
quit("Couldn't start process, press something to quit");
}
__HandleProcess = lpi.hProcess; //Handle to victim process
runSetDebugPrivs(); //Sets debug privs on victim process, allows for dumping of memory
}
void dumpModule(LPSTR sTarget)
{
while(__dwordTarget == 0x0) __dwordTarget = GetModuleNamePointer(sTarget, __gameProcess.th32ProcessID); //Walks through processes modules until name match
memset(&__HModuleTarget,0,sizeof(HMODULE));
__HModuleTarget = (HMODULE)__dwordTarget;
MODULEINFO modInfo = getModInfo(__HModuleTarget); //Grabs module info for target module
printf("Address of %s: %X \n",sTarget,__dwordTarget);
printf("Size of %s: %d \n",sTarget,modInfo.SizeOfImage);
initDump(sTarget); //Sets up dump file
walkMod(modInfo.lpBaseOfDll,modInfo.SizeOfImage); //Walks and dumps module to disk
}
void findProcess(LPCSTR sTarget)
{
while(!FindProcessName(sTarget,&__gameProcess)) Sleep(10); //Finds process by name
while(!getThreadByProcess(__gameProcess.th32ProcessID)) Sleep(10); //Grabs main threadId
__HandleProcess = OpenProcess(PROCESS_ALL_ACCESS, false, __gameProcess.th32ProcessID); //Grabs handle to process
}
void killPProcess() //Kills handle of parent calling process
{
if(__HandleProcess == NULL)
{
quit("Can't get process name, exiting...");
}
if(!TerminateProcess(__HandleProcess,0))
quit("Unable to terminate process");
quit("Things seem to have gone smoothly...");
}
VictimProcess(LPSTR sBinary, LPSTR sCmd, LPSTR sDumpPath)
{
__sBinary = sBinary;
char buff[_MAX_PATH+100];
memset(buff,0,_MAX_PATH+100);
strcpy_s(buff,_MAX_PATH+100,sBinary); //Copies binary path, and cmd args to the same buffer
strcat_s(buff,_MAX_PATH+100," ");
strcat_s(buff,_MAX_PATH+100,sCmd);
size_t len = strlen(buff)+1;
__sCmdLine = new char[len];
memset(__sCmdLine, 0, len);
strcpy_s(__sCmdLine,len, buff); //Copies cmd line call to __sCmdLine
char drive[_MAX_DRIVE];
char dir[_MAX_DIR];
char fname[_MAX_FNAME];
char ext[_MAX_EXT];
_splitpath_s(sBinary,drive,_MAX_DRIVE,dir,_MAX_DIR,fname,_MAX_FNAME,ext,_MAX_EXT); //Splits the file path into different portions
memset(buff,0,_MAX_PATH+100);
strcpy_s(buff,_MAX_PATH+100,fname);
strcat_s(buff,_MAX_PATH+100,ext);
len = strlen(buff)+1;
__sProcess = new char[len]; //Gets filename of binary, which is name of process
memset(__sProcess, 0, len);
strcpy_s(__sProcess,len, buff);
len = strlen(sDumpPath)+2;
__sDumpPath = new char[len]; //Sets dump path
memset(__sDumpPath,0,len);
strcpy_s(__sDumpPath,len,sDumpPath);
CreateDirectory(sDumpPath,NULL);
}
private:
MODULEINFO getModInfo(HMODULE hModule)
{
MODULEINFO modInfo;
memset(&modInfo,0,sizeof(MODULEINFO));
if(!GetModuleInformation(__HandleProcess,hModule,&modInfo,sizeof(MODULEINFO))) //Grabs module info
{
DWORD x = GetLastError();
char msg[50];
sprintf(msg,"GetModuleInformation failed.... Error: %X\n",x);
quit(msg);
}
return modInfo;
}
LPVOID GetModuleNamePointer(LPSTR LPSTRModuleName, DWORD __DwordProcessId)
{
MODULEENTRY32 lpModuleEntry = {0};
HANDLE hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, __DwordProcessId);
if(!hSnapShot)
return NULL;
lpModuleEntry.dwSize = sizeof(lpModuleEntry);
BOOL __RunModule = Module32First( hSnapShot, &lpModuleEntry ); //Grabs first module in process list
do{if(!_strcmpi(lpModuleEntry.szModule, LPSTRModuleName ) ) //Checks if module name matches target
{
CloseHandle( hSnapShot );
return (LPVOID)lpModuleEntry.modBaseAddr; //Returns base address of module
}
}while(Module32Next( hSnapShot, &lpModuleEntry )); //Grabs the next module on the list
CloseHandle( hSnapShot );
return NULL;
}
DWORD FindProcessName(const char *__ProcessName, PROCESSENTRY32 *pEntry)
{
PROCESSENTRY32 __ProcessEntry;
__ProcessEntry.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
if (!Process32First(hSnapshot, &__ProcessEntry)) //Grabs first process in OS list
{
CloseHandle(hSnapshot);
return 0;
}
do{if (!_strcmpi(__ProcessEntry.szExeFile, __ProcessName)) //Checks if process name matches target
{
memcpy((void *)pEntry, (void *)&__ProcessEntry, sizeof(PROCESSENTRY32)); //Stores process entry
CloseHandle(hSnapshot);
return __ProcessEntry.th32ProcessID; //Returns target PID
}} while (Process32Next(hSnapshot, &__ProcessEntry)); //Grabs next process in list
CloseHandle(hSnapshot);
return 0;
}
DWORD getThreadByProcess(DWORD __DwordProcess)
{
THREADENTRY32 __ThreadEntry;
__ThreadEntry.dwSize = sizeof(THREADENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
if (!Thread32First(hSnapshot, &__ThreadEntry)) {CloseHandle(hSnapshot); return 0; } //Grabs first threadEntry
do {if (__ThreadEntry.th32OwnerProcessID == __DwordProcess) //Does threadID match PID
{
CloseHandle(hSnapshot);
return __ThreadEntry.th32ThreadID; //Returns Thread ID of process
}} while (Thread32Next(hSnapshot, &__ThreadEntry)); //Grabs next ThreadEntry off list
CloseHandle(hSnapshot);
return 0;
}
//Sets up Debug Privileges for Current Process Token
void runSetDebugPrivs()
{
HANDLE HandleProcess=GetCurrentProcess(), __HandleToken;
TOKEN_PRIVILEGES priv;
LUID __LUID;
OpenProcessToken(HandleProcess, TOKEN_ADJUST_PRIVILEGES, &__HandleToken); //Opens accessor for current process
LookupPrivilegeValue(0, "seDebugPrivilege", &__LUID); //Gets value for Debug Privs
priv.PrivilegeCount = 1;
priv.Privileges[0].Luid = __LUID; //Sets token values for debug privs
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(__HandleToken, false, &priv, 0, 0, 0); //Applies debug token to current process
CloseHandle(__HandleToken);
CloseHandle(HandleProcess);
}
//Walks pages of process space and dumps memory
DWORD64 walkMod(LPVOID baseAddr,DWORD modSz)
{
DWORD64 memoryCount = 0;
BYTE* p = new BYTE[modSz];
SIZE_T read;
ReadProcessMemory(__HandleProcess,(LPCVOID)__dwordTarget,p,(SIZE_T)modSz,&read); //Grabs chunk of memory from module address space
printf_s("Read %X bytes of %X reported\n",read,modSz);
if(!writeDump(p,modSz)) //Write module chunk to disk
{
std::cout<<"Write to disk failed"<<std::endl;
return -1;
}
return read;
}
//Initiates file to be dumped to
DWORD64 initDump(LPSTR sTarget)
{
if(__sDumpFile != NULL)
remove(__sDumpFile);
size_t len = strlen(sTarget)+strlen(__sDumpPath) + 10;
__sDumpFile = new char[len];
strcpy_s(__sDumpFile,len,__sDumpPath); //Builds dump file path
strcat_s(__sDumpFile,len,sTarget);
strcat_s(__sDumpFile,len,".bin");
FILE* fPtr = fopen(__sDumpFile, "wb");
rewind(fPtr);
fclose(fPtr);
return 0;
}
//Appends memory chunk to file
bool writeDump(BYTE* p,SIZE_T sz)
{
FILE* fPtr = fopen(__sDumpFile, "ab");
DWORD64 ret = fwrite(p,sz,1,fPtr);
fclose(fPtr);
if(ret < 1)
return false;
else
return true;
}
void quit(LPSTR s)
{
std::cout<<s<<std::endl;
exit(0);
}
};
extern VictimProcess fProcess;
Reference in New Issue View Git Blame Copy Permalink