nukedbart/EFTCheatPVE
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

injector refactoring

Browse source
This commit is contained in:
NukedBart 2025-12-10 23:07:02 +08:00
parent b8971674ed
commit 444ccad844
14 changed files with 845 additions and 514 deletions
Download patch file Download diff file Expand all files Collapse all files

94
operator/system/DllInjector.h Normal file
View file

@ -0,0 +1,94 @@
// system/DllInjector.h
#pragma once
#ifdef CURRENT_MODULE
#undef CURRENT_MODULE
#endif
#define CURRENT_MODULE "DllInjector"
#include "core/FilePath.h"
#include "core/Logger.h"
#include <windows.h>
#include <string>
#include <iostream>
namespace DllInjector
{
struct HandleCloser { void operator()(HANDLE h) const noexcept { if (h && h != INVALID_HANDLE_VALUE) CloseHandle(h); } };
using UniqueHandle = std::unique_ptr<void, HandleCloser>;
/// @brief Inject a specific DLL to a given process identified by PID using LoadLibraryA
/// @param processId Target process PID
/// @param dllPath Full DLL path in ANSI
/// @return true = Injected successfully with a non-zero handle
inline bool Inject(DWORD processId, const std::string& dllPath)
{
UniqueHandle hProcess{ OpenProcess(
PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
FALSE, processId) };
if (!hProcess)
{
LOG_E("OpenProcess failed, PID=" + std::to_string(processId) + ", Error=" + std::to_string(GetLastError()));
return false;
}
SIZE_T pathBytes = dllPath.size() + 1;
LPVOID remoteMem = VirtualAllocEx(hProcess.get(), nullptr, pathBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!remoteMem)
{
LOG_E("VirtualAllocEx failed, Error=" + std::to_string(GetLastError()));
return false;
}
if (!WriteProcessMemory(hProcess.get(), remoteMem, dllPath.c_str(), pathBytes, nullptr))
{
LOG_E("WriteProcessMemory failed, Error=" + std::to_string(GetLastError()));
VirtualFreeEx(hProcess.get(), remoteMem, 0, MEM_RELEASE);
return false;
}
HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
if (!hKernel32)
{
VirtualFreeEx(hProcess.get(), remoteMem, 0, MEM_RELEASE);
LOG_E("GetModuleHandleW(kernel32.dll) failed");
return false;
}
auto pLoadLibraryA = reinterpret_cast<LPTHREAD_START_ROUTINE>(GetProcAddress(hKernel32, "LoadLibraryA"));
UniqueHandle hThread{ CreateRemoteThread(hProcess.get(), nullptr, 0, pLoadLibraryA, remoteMem, 0, nullptr) };
if (!hThread)
{
LOG_E("CreateRemoteThread failed, Error=" + std::to_string(GetLastError()));
VirtualFreeEx(hProcess.get(), remoteMem, 0, MEM_RELEASE);
return false;
}
WaitForSingleObject(hThread.get(), 8000);
DWORD exitCode = 0;
GetExitCodeThread(hThread.get(), &exitCode);
VirtualFreeEx(hProcess.get(), remoteMem, 0, MEM_RELEASE);
if (exitCode == 0)
{
LOG_E("LoadLibraryA returned NULL in target process");
return false;
}
LOG_I("Injected successfully! hModule=0x" + std::to_string(exitCode));
return true;
}
/// @brief Injects a DLL next to the current process's executable into a given process identified by PID
/// @param processId Target process PID
/// @param dllFileName Just the file name e.g. "iOperator.dll"
inline bool InjectLocalDll(DWORD processId, const std::string& dllFileName)
{
std::string fullPath = FilePath::GetExecutableDirectory() + dllFileName;
return Inject(processId, fullPath);
}
}

51
operator/system/PrivilegeManager.h Normal file
View file

@ -0,0 +1,51 @@
// system/PrivilegeMgr.h
#pragma once
#include <windows.h>
#include <shellapi.h>
namespace PrivilegeManager
{
inline bool IsRunAsAdministrator()
{
BOOL isAdmin = FALSE;
PSID adminGroup = nullptr;
SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
BOOL success = AllocateAndInitializeSid(
&ntAuthority, 2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&adminGroup);
if (success)
{
if (!CheckTokenMembership(nullptr, adminGroup, &isAdmin))
isAdmin = FALSE;
FreeSid(adminGroup);
}
return isAdmin == TRUE;
}
inline bool ElevateNow()
{
if (IsRunAsAdministrator())
return true;
wchar_t exePath[MAX_PATH] = { 0 };
if (!GetModuleFileNameW(nullptr, exePath, MAX_PATH))
return false;
SHELLEXECUTEINFOW sei{ sizeof(sei) };
sei.lpVerb = L"runas";
sei.lpFile = exePath;
sei.nShow = SW_NORMAL;
sei.fMask = SEE_MASK_NOCLOSEPROCESS;
if (ShellExecuteExW(&sei))
exit(0);
return false;
}
}

119
operator/system/ProcessHandler.h Normal file
View file

@ -0,0 +1,119 @@
// system/ProcessHandler.h
#pragma once
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#ifndef NOMINMAX
#define NOMINMAX
#endif
#include "core/Types.h"
#include <windows.h>
#include <tlhelp32.h>
#include <string>
#include <memory>
#include <vector>
#include <iostream>
template<typename F>
struct scope_exit
{
F f;
explicit scope_exit(F&& func) : f(std::forward<F>(func)) {}
~scope_exit() { f(); }
};
namespace ProcessHandler
{
// RAII Handles
struct HandleCloser
{
void operator()(HANDLE h) const noexcept
{
if (h && h != INVALID_HANDLE_VALUE)
CloseHandle(h);
}
};
using UniqueHandle = std::unique_ptr<void, HandleCloser>;
// Process detail structures
namespace detail
{
inline std::wstring GetCommandLineFromPid(DWORD pid)
{
std::wstring result;
HANDLE hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (!hProc) return result;
auto closeProc = scope_exit([&] { CloseHandle(hProc); });
HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
if (!ntdll) return result;
// 修复:使用我们自己定义的类型
NtQueryInformationProcess_t NtQuery =
(NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
if (!NtQuery) return result;
PROCESS_BASIC_INFORMATION pbi{};
if (NtQuery(hProc, ProcessBasicInformation, &pbi, sizeof(pbi), nullptr) != 0)
return result;
PEB peb{};
if (!ReadProcessMemory(hProc, pbi.PebBaseAddress, &peb, sizeof(peb), nullptr))
return result;
RTL_USER_PROCESS_PARAMETERS upp{};
if (!ReadProcessMemory(hProc, peb.ProcessParameters, &upp, sizeof(upp), nullptr))
return result;
if (upp.CommandLine.Length == 0 || !upp.CommandLine.Buffer)
return result;
std::unique_ptr<wchar_t[]> buffer(new wchar_t[upp.CommandLine.Length / 2 + 1]);
if (!ReadProcessMemory(hProc, upp.CommandLine.Buffer, buffer.get(), upp.CommandLine.Length, nullptr))
return result;
result.assign(buffer.get(), upp.CommandLine.Length / 2);
return result;
}
}
/// @brief Find all pids with given process name and return them in a list.
inline std::vector<DWORD> FindProcessesByName(const std::wstring& exeName)
{
std::vector<DWORD> pids;
UniqueHandle hSnap{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) };
if (!hSnap || hSnap.get() == INVALID_HANDLE_VALUE)
return pids;
PROCESSENTRY32W pe{ sizeof(pe) };
if (!Process32FirstW(hSnap.get(), &pe))
return pids;
do {
if (_wcsicmp(pe.szExeFile, exeName.c_str()) == 0)
pids.push_back(pe.th32ProcessID);
} while (Process32NextW(hSnap.get(), &pe));
return pids;
}
/// @brief Kill specific process by its PID
inline bool TerminateProcessByPid(DWORD pid)
{
UniqueHandle hProc{ OpenProcess(PROCESS_TERMINATE, FALSE, pid) };
if (!hProc)
return false;
bool ok = ::TerminateProcess(hProc.get(), 0) == TRUE;
return ok;
}
/// @brief Check if a process with the given executable name is running
inline bool IsProcessRunning(const std::string& exeName)
{
return !FindProcessesByName(FilePath::Utf8ToWide(exeName)).empty();
}
}

174
operator/system/ServiceManager.h Normal file
View file

@ -0,0 +1,174 @@
// system/ServiceManager.h
#pragma once
#ifdef CURRENT_MODULE
#undef CURRENT_MODULE
#endif
#define CURRENT_MODULE "ServiceManager"
#include "core/Logger.h"
#include <windows.h>
#include <string>
namespace ServiceManager
{
struct ServiceHandleCloser { void operator()(SC_HANDLE h) const noexcept { if (h) CloseServiceHandle(h); } };
using UniqueServiceHandle = std::unique_ptr<std::remove_pointer<SC_HANDLE>::type, ServiceHandleCloser>;
inline bool WaitUntilGone(SC_HANDLE scm, const std::wstring& name, DWORD timeoutMs = 30000)
{
const DWORD step = 2000;
DWORD elapsed = 0;
LOG_I("Waiting for service deletion: " + std::string(name.begin(), name.end()));
while (elapsed < timeoutMs)
{
elapsed += step;
Sleep(step);
system("sc query BEService >nul 2>&1");
UniqueServiceHandle hSvc{ OpenServiceW(scm, name.c_str(), SERVICE_QUERY_STATUS) };
if (hSvc)
{
CloseServiceHandle(hSvc.get());
continue;
}
if (GetLastError() == ERROR_SERVICE_DOES_NOT_EXIST)
{
CloseServiceHandle(hSvc.get());
LOG_I("Service fully deleted from SCM");
return true;
}
}
LOG_W("Timeout waiting for service deletion (ERROR 1072 may occur)");
return false;
}
inline bool StopService(SC_HANDLE hSvc)
{
SERVICE_STATUS status{};
if (!ControlService(hSvc, SERVICE_CONTROL_STOP, &status))
return false;
LOG_I("Sent stop command to service");
for (int i = 0; i < 40; ++i)
{
Sleep(300);
if (!QueryServiceStatus(hSvc, &status))
return false;
if (status.dwCurrentState == SERVICE_STOPPED)
return true;
}
LOG_W("Service did not stop in time");
return false;
}
inline bool Remove(const std::wstring& serviceName)
{
UniqueServiceHandle scm{ OpenSCManagerW(nullptr, nullptr, SC_MANAGER_CONNECT) };
if (!scm)
{
LOG_E("OpenSCManager failed: " + std::to_string(GetLastError()));
return false;
}
UniqueServiceHandle hSvc{ OpenServiceW(scm.get(), serviceName.c_str(),
SERVICE_STOP | SERVICE_QUERY_STATUS | DELETE) };
if (!hSvc)
{
if (GetLastError() == ERROR_SERVICE_DOES_NOT_EXIST)
{
LOG_I("Service does not exist, nothing to delete");
return true;
}
LOG_E("OpenService failed: " + std::to_string(GetLastError()));
return false;
}
system("taskkill /f /im service.exe >nul 2>&1");
StopService(hSvc.get());
if (DeleteService(hSvc.get()))
{
LOG_I("DeleteService command sent");
CloseServiceHandle(hSvc.get());
return WaitUntilGone(scm.get(), serviceName);
}
DWORD err = GetLastError();
if (err != ERROR_SERVICE_MARKED_FOR_DELETE)
{
LOG_E("DeleteService failed: " + std::to_string(err));
return false;
}
LOG_I("Service already marked for delete");
}
inline bool DeployFakeBEService(const std::wstring& fakeExePath)
{
UniqueServiceHandle scm{ OpenSCManagerW(nullptr, nullptr, SC_MANAGER_CREATE_SERVICE) };
if (!scm)
{
LOG_E("OpenSCManager(create) failed: " + std::to_string(GetLastError()));
return false;
}
// Just create and start the service
UniqueServiceHandle hSvc{ CreateServiceW(
scm.get(), L"BEService", L"BattlEye Service",
SERVICE_START | SERVICE_QUERY_STATUS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_NORMAL,
fakeExePath.c_str(),
nullptr, nullptr, nullptr, nullptr, nullptr) };
if (hSvc)
return StartServiceW(hSvc.get(), 0, nullptr) ||
GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
// if failed to create the service, delete the service by force and then create
DWORD err = GetLastError();
if (err != ERROR_SERVICE_EXISTS && err != ERROR_SERVICE_MARKED_FOR_DELETE)
{
LOG_E("CreateService failed: " + std::to_string(err));
return false;
}
LOG_W("Service conflict detected, forcing cleanup...");
if (!Remove(L"BEService"))
return false;
// retry
hSvc.reset(CreateServiceW(scm.get(), L"BEService", L"BattlEye Service",
SERVICE_START | SERVICE_QUERY_STATUS,
SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START,
SERVICE_ERROR_NORMAL, fakeExePath.c_str(),
nullptr, nullptr, nullptr, nullptr, nullptr));
if (!hSvc)
{
LOG_E("Retry CreateService failed: " + std::to_string(GetLastError()));
return false;
}
bool started = StartServiceW(hSvc.get(), 0, nullptr);
if (!started && GetLastError() != ERROR_SERVICE_ALREADY_RUNNING)
{
LOG_W("StartService failed: " + std::to_string(GetLastError()));
return false;
}
LOG_I("Fake BEService is running");
return true;
}
}