
Thread: V2 Stealth Code for LCC-Win32 (finally!)

  1. #16
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    Thank you for putting a ver free compilers.

    Should questions about this go in the HELP forum? Not knowing, I put it here, but if I am wrong let me know and I will post all other questions in the help forum.

    I downloaded the Lcc-win32 and followed all the directions to change names to less obvious names with the exception of the file name lccsniffer211.def. I did not see any directions to make this file less noticeable. Did I miss something obvious or is it OK to leave this one as is?

    I sorta thought ANY file with "sniffer" in it ought to get renamed.


    EDIT: I found it in the setting!!! DUH. But please comment on WHERE sniffer questions should go please.
    Last edited by Kimbler; 11-28-2002 at 07:34 AM.

  2. #17
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    Well, I changed the sniffer.def file name to something less obvious and changed the "Additional arguments to be passed to linker" to the full path name of my new sniffer.def and I get a crash to desktop on any key entry. I read through Maggots posts and saw references to the crash but nothing seems to apply.

    Also after I changed the linker path I did recompile. Suggestions?

  3. #18
    Registered User
    Join Date
    Dec 2001
    Posts
    144
    You're calling the correct entry point when using rundll32, right?

    There are 3 exports by default --

    InstallHook
    ReleaseHook
    HookProc

    Make sure you call InstallHook and not HookProc.

    Are you using the latest lcc code?

  4. #19
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    Lcc information:

    Wedit Win32 Version 3.3 from Nov 7 2002 so I bet it is not current!!! I will look for most current version.

    In my .C file I have

    #define EQHOOKPROC Htrigger
    #define INSTALLHOOK Itrigger
    #define RELEASEHOOK Rtrigger

    My DEF file

    LIBRARY alcatell
    SECTION
    .shared READ WRITE SHARED
    EXPORTS
    Itrigger
    Rtrigger
    Htrigger

    My compiler conf “linker setting” “additional arguments to be passed to the linker” is:

    D:\lcc\projects\alcatell\alcatell.def

    I am not too good at this stuff (obvious) but once I followed all the instructions the last thing I did (it was not explicitly stated in the instructions) was:

    From the wedit-alcatell MAIN window I selected ->Compiler -> compile alcatell

    My run line from Start->RUN

    RUNDLL32.EXE D:\lcc\projects\alcatell\lcc\alcatell.dll,Itrigger 192.168.0.7 10000 EQGAME.EXE 0x0078AAD0

    Now once I run it everything seems fine except EQ crashes and other Windows programs give me “illegal errors”. I have to reboot to clear everything.
    Last edited by Kimbler; 11-28-2002 at 09:23 AM.

  5. #20
    Registered User
    Join Date
    Dec 2001
    Posts
    144
    Select REBUILD ALL from the compiler menu and try again.

    Compile doesn't do the linking process. Make and rebuild do.

  6. #21
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    Well thanks for trying to help but after 8 hours I have gotten nowhere.

    I will list what I have done with hopes it might help someone not repeat what I have done.

    1. Using Explorer I created a folder D:\lcc\projects\fresh. I do this so I have the files in one spot to work with later.
    2. Downloaded the lccsniffer211.zip to D:\lcc\projects\fresh
    3. unzipped them to D:\lcc\projects\fresh
    4. started lcc and followed the directions for creating a new project named “fresh” using lccsniffer211.c as file added to project.
    5. Since I was having so many problems I left all names “as is”, not changing the hook names and such (I just wanted to see if I could get it to run)
    6. In LCC main window with lccsniffer211.c open I select rebuild all. At the bottom I get a successful build message (no errors)
    7. I close LCC
    8. Go to START->RUN enter RUNDLL32.EXE D:\lcc\projects\fresh\lcc\fresh.dll,InstallHook 192.168.0.7 10000 EQGAME.EXE 0x0078AAD0
    9. hourglass comes up a few seconds (like 10)
    10. open eq hit a key …..crash
    11. open WORD hit a key…..illegal operation error
    12. Have to reboot to get back to normal.


    MisterSpock, Thanks for the great work others are getting to run but there really are people too stupid to figure out something that should be simple… I am one. Thanks for trying to help me. I will keep reading with hopes the light will come on :)

  7. #22
    Registered User
    Join Date
    Jun 2002
    Posts
    41

    Project name changes

    Kimbler,

    left all names “as is”
    a new project named “fresh” using lccsniffer211.c as file added to project
    Try making the .c and .def files the same name as the project

    /shrug
    Last edited by Bob the builder; 11-28-2002 at 06:19 PM.

  8. #23
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    Well I gave it another shot this morning, very meticulously matching project names and file names. I left the hook names untouched within the code and def files. The only thing I altered in the files was in the def file ->LIBRARY <namethatmatched_DLL,project,defname..all the same>. To be more clear: the project name was lex, dll was lex.dll, def file lex.def. In the lex.def I altered only the first line to read:

    LIBRARY lex
    SECTION
    .shared READ WRITE SHARED
    EXPORTS
    InstallHook
    ReleaseHook
    HookProc

    In LCC I have carefully followed each instruction. After I finish the last Finish (the project setup) on the debugger screen. I am looking at the lex.c raw code still open. I hit Compiler->Rebuild All and get no errors. I close LCC and START->RUN
    RUNDLL32.EXE D:\lcc\projects\lex\lcc\lex.dll,InstallHook 192.168.0.7 10000 EQGAME.EXE 0x0078AAD0.

    Still same crash on first keystroke. Since other folks are getting this to run I am beginning to think it is something about my system. I am running 98SE 4.10.2222 A. LCC is Version 3.3.


    EDIT: Something I have discovered I do not understand. Even though I UNCHECK "Debugging Support level:Generate debug info", when I go back to settings it is always rechecked. I can uncheck it, close the setting tab and immediately reenter and it is rechecked. Still looking.....

    Last edited by Kimbler; 11-29-2002 at 05:18 AM.

  9. #24
    Registered User
    Join Date
    Dec 2001
    Posts
    144
    Kimbler,

    That 'check & uncheck' problem is yet another lcc idiosyncrasy. You're not doing anything wrong.

    I've not tested the lcc code on Win98SE, so that might very well have something to do with it.

    From experience, this code under lcc is *very* touchy. Even small additions and changes can cause it to crash bigtime. If I can get my hands on a win98SE machine, I'll see if I can get the code to work.

  10. #25
    Registered User
    Join Date
    Jun 2002
    Posts
    41
    How bout the .c ??

    /shrug

    should be lex.c and lex.def and then choose Compiler/Make (F9)

  11. #26
    Registered User
    Join Date
    Nov 2002
    Posts
    8
    I get the following error when trying to compile with lcc under winxp:

    Line 5: Keyword expected
    Missing exports. Aborting

    I did just as the instructions said. And for the .c file, I used the .zip file supplied in this thread. Any tips?

  12. #27
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    MisterSpock, Thank you! Sorry to cause all the grief.


    Bob, Not sure what you are asking. My raw code file is lex.c and I use the REBUILD ALL which I thought did everything to make the dll run. If there is some order/combinations like:

    Make
    compile
    rebuild all

    I don't know what they should be.

    As of right now the only thing I do is Rebuild ALL after I have created the project and adjusted the raw files as the instructions say to do.

  13. #28
    Registered User
    Join Date
    Dec 2001
    Posts
    144
    dpaschal,

    That error looks like either the .def file is incorrect, or you have included it the wrong way.

    It should not appear on the list of files in the project list. You need to specify the full path and name of the .def file in the linker settings. (Settings, Linker, additional parameters).


    Kimbler:

    I'm sorry this thing isn't running for you. When you get a crash message, is there any info you can find regarding the crash conditions?

    For example:

    Exception: C0000005
    Location: 0x0002601e

    etc...

  14. #29
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    MisterSpock don't be sorry for it not working. It's the other way around I am grateful someone with your talent took the time to help so many of us.

    As far as error: the crash to desktop from EQ produces no error messages but here is what is generated when I open Word and hit a key:

    WINWORD caused an invalid page fault in
    module OFFICEAV.DLL at 018f:100037bf.
    Registers:
    EAX=810100f8 CS=018f EIP=100037bf EFLGS=00010246
    EBX=81bb966c SS=0197 ESP=0062f87c EBP=0062f8a8
    ECX=10005060 DS=0197 ESI=025d0000 FS=4827
    EDX=0000005c ES=0197 EDI=1000131f GS=0000
    Bytes at CS:EIP:
    66 89 17 8b 44 24 08 5f c3 88 17 8b 44 24 08 5f
    Stack dump:
    00000000 10001327 1000131c 1000505c 025d116e 025d0000 00000001 00000000 00000000 025d0000 81bb966c 0062fa70 bff7ddd6 025d0000 00000001 00000000


    Hope that helps.
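
Added example, not part of the original thread: a small triage helper that parses a Windows 9x fault dialog like the one quoted in post #29 and decodes the faulting instruction when it is a simple register-indirect store. The function names and the decision to handle only opcode 89 with ModRM mod=00 are assumptions of this example.

```python
import re

# Fault text as quoted in post #29 (stack dump omitted).
FAULT_TEXT = """\
WINWORD caused an invalid page fault in
module OFFICEAV.DLL at 018f:100037bf.
Registers:
EAX=810100f8 CS=018f EIP=100037bf EFLGS=00010246
EBX=81bb966c SS=0197 ESP=0062f87c EBP=0062f8a8
ECX=10005060 DS=0197 ESI=025d0000 FS=4827
EDX=0000005c ES=0197 EDI=1000131f GS=0000
Bytes at CS:EIP:
66 89 17 8b 44 24 08 5f c3 88 17 8b 44 24 08 5f
"""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

def parse_fault(text):
    """Extract process, fault type, module, EIP, registers and code bytes."""
    head = re.search(r"(\S+) caused an? (.+?) in\s+module (\S+) at "
                     r"[0-9a-f]{4}:([0-9a-f]{8})", text, re.I | re.S)
    if not head:
        raise ValueError("not a Win9x fault dialog")
    regs = {k.upper(): int(v, 16)
            for k, v in re.findall(r"\b([A-Z]{2,5})=([0-9a-f]+)", text, re.I)}
    code = re.search(r"Bytes at CS:EIP:\s*((?:[0-9a-f]{2}\s*)+)", text, re.I)
    raw = bytes.fromhex("".join(code.group(1).split())) if code else b""
    return {"process": head.group(1), "fault": head.group(2),
            "module": head.group(3), "eip": int(head.group(4), 16),
            "regs": regs, "code": raw}

def decode_store(code, regs):
    """Decode 'MOV [reg32], reg' (opcode 89, ModRM mod=00) at the fault.
    Returns (width_bits, target_address, value), or None for other forms."""
    prefixed = code[:1] == b"\x66"        # operand-size prefix: 16-bit store
    i = 1 if prefixed else 0
    if len(code) < i + 2 or code[i] != 0x89:
        return None
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0 or rm in (4, 5):          # SIB and disp32 forms not handled
        return None
    width = 16 if prefixed else 32
    return width, regs[REG32[rm]], regs[REG32[reg]] & ((1 << width) - 1)

if __name__ == "__main__":
    info = parse_fault(FAULT_TEXT)
    print(info["process"], info["module"], hex(info["eip"]))
    print(decode_store(info["code"], info["regs"]))
```

For the quoted dump, the bytes `66 89 17` decode to a 16-bit store of DX through EDI, so the address being written when the page fault occurred is the EDI value shown in the register list.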

  15. #30
    Registered User
    Join Date
    Dec 2001
    Posts
    144
    Kimbler,

    Did you point your DLL toward MSWORD, or did it crash Word even when directed at eqgame.exe?

    One thing you can try that will help isolate whether the crash happens because of the injected code or due to the hooking procedure is to comment out the following line:

    ((LPINJECTSTRUCT)pvCode)->hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)((LPBYTE)pvCode + dwOffset + dwFuncOffset), NULL, GetCurrentThreadId());

    With this line commented out, the DLL should start, wait for whatever executable you pointed to, and then exit once a key is pressed. However, it will not actually start the injected code and thus won't send a key.

    If this eliminates the crashes, then we've effectively isolated it down to the injected code stub.
