Last active
September 27, 2025 02:16
Revisions
khang06 revised this gist
Nov 24, 2021. 1 changed file with 5 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,10 +1,13 @@ #include <Windows.h> #include <stdio.h> #define GAME_DIR L"D:\\Games\\Genshin Impact\\Genshin Impact game" #define DLL_PATH "C:\\Users\\Khang\\source\\repos\\mhynot2-rewritten\\x64\\Debug\\mhynot2-rewritten.dll" int main() { printf("hi\n"); SetCurrentDirectoryW(GAME_DIR); SetEnvironmentVariableW(L"__COMPAT_LAYER", L"RunAsInvoker"); // forcefully run as not admin STARTUPINFOW startup_info = {}; @@ -34,7 +37,7 @@ int main() { } auto loadlibrary = LoadLibraryA; // i actually had no idea that the address of kernel32 is the same between all processes const char* dll = DLL_PATH; auto mem = VirtualAllocEx(process_info.hProcess, NULL, strlen(dll) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); printf("LoadLibraryA %p\n", loadlibrary); printf("allocated path addr %p\n", mem); -
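Review bot: `SetCurrentDirectoryW(GAME_DIR)` in the first hunk is still unchecked, and because `CreateProcessW` is given the bare relative name `L"GenshinImpact.exe"` (which the CreateProcessW contract resolves against the current directory, not PATH), a wrong or missing GAME_DIR only surfaces later as an unrelated-looking CreateProcessW failure. Matching the file's existing error-handling style: `if (!SetCurrentDirectoryW(GAME_DIR)) { printf("SetCurrentDirectoryW epic fail GLE: 0x%x\n", GetLastError()); return 1; }`. In the second hunk the comment on `auto loadlibrary = LoadLibraryA;` overstates the guarantee it relies on: kernel32's base is shared across processes only within one boot session (system DLLs are re-randomized at boot) and only between processes of the same bitness as the injector, so something like `// kernel32 is mapped at the same base in every process of this bitness for the current boot session` would be more accurate. `main()` continues past both hunks.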
khang06 created this gist
Nov 24, 2021.
@@ -0,0 +1,78 @@ #include <Windows.h> #include <stdio.h> int main() { printf("hi\n"); SetCurrentDirectoryW(L"D:\\Games\\Genshin Impact\\Genshin Impact game"); SetEnvironmentVariableW(L"__COMPAT_LAYER", L"RunAsInvoker"); // forcefully run as not admin STARTUPINFOW startup_info = {}; startup_info.cb = sizeof(startup_info); PROCESS_INFORMATION process_info = {}; SECURITY_ATTRIBUTES attrib = {}; attrib.nLength = sizeof(attrib); SECURITY_DESCRIPTOR desc = {}; auto shit = CreateProcessW( L"GenshinImpact.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &startup_info, &process_info ); if (shit == FALSE) { printf("CreateProcessW epic fail GLE 0x%x\n", GetLastError()); return 1; } auto loadlibrary = LoadLibraryA; // i actually had no idea that the address of kernel32 is the same between all processes const char* dll = "C:\\Users\\Khang\\source\\repos\\mhynot2-rewritten\\x64\\Debug\\mhynot2-rewritten.dll"; auto mem = VirtualAllocEx(process_info.hProcess, NULL, strlen(dll) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); printf("LoadLibraryA %p\n", loadlibrary); printf("allocated path addr %p\n", mem); if (!mem) { printf("VirtualAllocEx epic fail GLE: 0x%x\n", GetLastError()); return 1; } WriteProcessMemory(process_info.hProcess, mem, dll, strlen(dll) + 1, NULL); auto new_thread = CreateRemoteThread( process_info.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)loadlibrary, mem, NULL, NULL ); if (new_thread == NULL) { printf("CreateRemoteThread epic fail GLE: 0x%x\n", GetLastError()); return 1; } printf("waiting for the dll loading thread to exit\n"); WaitForSingleObject(new_thread, INFINITE); printf("looks like the dll injected properly, time to start the process\n"); if (ResumeThread(process_info.hThread) == -1) { printf("ResumeThread epic fail GLE: 0x%x\n", GetLastError()); return 1; } printf("everything seems to be good, cleaning up!\n"); VirtualFreeEx(process_info.hProcess, mem, 0, MEM_RELEASE); CloseHandle(new_thread); CloseHandle(process_info.hProcess); 
CloseHandle(process_info.hThread); return 0; }
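Review bot: The "looks like the dll injected properly" message after `WaitForSingleObject(new_thread, INFINITE)` is printed unconditionally and the suspended process is resumed whether or not `LoadLibraryA` succeeded; the remote thread's exit code is the value LoadLibraryA returned (truncated to a DWORD on x64), so a zero exit code is the only signal that the load failed, and it is never read via `GetExitCodeThread`. One step earlier the `WriteProcessMemory` return value is also ignored, so if the write fails the remote thread calls LoadLibraryA on the zero-filled page, i.e. tries to load "" and fails silently. On every early `return 1` taken after `CreateProcessW` the suspended GenshinImpact.exe is left alive (its handles are never closed either), so terminating it on those failure paths avoids leaving a half-injected, suspended process behind. `attrib` and `desc` are declared but never passed to any call and can be dropped.
```c
    if (!WriteProcessMemory(process_info.hProcess, mem, dll, strlen(dll) + 1, NULL)) {
        printf("WriteProcessMemory epic fail GLE: 0x%x\n", GetLastError());
        TerminateProcess(process_info.hProcess, 1);
        return 1;
    }
    // … unchanged: CreateRemoteThread and its error check …
    printf("waiting for the dll loading thread to exit\n");
    WaitForSingleObject(new_thread, INFINITE);
    // The thread's exit code is (DWORD)LoadLibraryA(path); 0 means the load failed.
    DWORD load_result = 0;
    if (!GetExitCodeThread(new_thread, &load_result) || load_result == 0) {
        printf("LoadLibraryA failed inside the target, not resuming it\n");
        TerminateProcess(process_info.hProcess, 1);
        return 1;
    }
    printf("looks like the dll injected properly, time to start the process\n");
    // … unchanged: ResumeThread, cleanup …
```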