Thread: A little keyreader example code

    Post A little keyreader example (updated example)

    Pretty much all the issues of the original version with permissions are solved now. The following example can definitely be built with MSVC 6, and should work with most other compilers as well. This version writes the key to keyfile.dat in the directory it's run in, as well as printing the key to the console each time it changes. It can be started at any time, and should work without having to restart it between EQ sessions. The key is scanned once per second, and eqgame is scanned for once per 10 seconds while it has not yet been found and validated. It can be started with the offset of the key as a command line argument for when it changes, but runs with the current value by default.

    edit again: fixed for lcc too, now
    .. and again fixed maybe

    Code:
    /*
     * kscan.c - version 2
     *
     * if you get an error about a missing symbol PlaySound, be sure to link with winmm.lib
     * if your missing Process32First, link with th32.lib
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <windows.h>
    #include <Mmsystem.h>
    #include <tlhelp32.h>
    
    FILE *keydat;                    /* keyfile.dat stream; opened and closed inside readkey() */
    unsigned long addr = 0x773b90;   /* address of the 8-byte key in the target process; argv[1] overrides it */
    
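    /*
     * Enable SeDebugPrivilege on the current process token.
     *
     * Returns TRUE on success, or when the token API reports itself as not
     * implemented (no security subsystem to adjust).  Returns FALSE when the
     * token cannot be opened, the privilege cannot be looked up, or the
     * adjustment call fails; the reason is printed to stdout.  If the account
     * simply does not hold the privilege, a warning is printed and TRUE is
     * still returned, since reading a process owned by the same user does not
     * need it.  The token handle is closed on every path.
     */
    BOOL enable_debug_privs()
    {
    	HANDLE      hToken = NULL;      /* process token */
    	TOKEN_PRIVILEGES tp;            /* token privileges */
    	TOKEN_PRIVILEGES oldtp;         /* old token privileges */
    	DWORD    dwSize = sizeof (TOKEN_PRIVILEGES);
    	LUID     luid;
    	BOOL     ok = FALSE;
    
    	if (!OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    	{
    		/* nothing to adjust on a platform without process tokens */
    		if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
    			return TRUE;
    		printf ("OpenProcessToken() failed: %lu\n", (unsigned long)GetLastError());
    		return FALSE;
    	}
    
    	if (!LookupPrivilegeValue (NULL, SE_DEBUG_NAME, &luid))
    	{
    		printf ("LookupPrivilege() failed: %lu\n", (unsigned long)GetLastError());
    		goto out;
    	}
    
    	ZeroMemory (&tp, sizeof (tp));
    	tp.PrivilegeCount = 1;
    	tp.Privileges[0].Luid = luid;
    	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    
    	/* Adjust Token privileges */
    	if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &oldtp, &dwSize))
    	{
    		printf ("AdjustTokenPrivileges() failed: %lu\n", (unsigned long)GetLastError());
    		goto out;
    	}
    	/* AdjustTokenPrivileges returns success even when the privilege is not
    	 * held by the token; that case is only visible through GetLastError(). */
    	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    		printf ("warning: SeDebugPrivilege is not held by this account; only processes of the same user can be read\n");
    	ok = TRUE;
    
    out:
    	CloseHandle (hToken);   /* original leaked the token on the success path */
    	return ok;
    }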
    
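    /*
     * Poll the 8-byte value at the global `addr` in hProcess once per second.
     * Each time the value changes it is printed, written as raw bytes to
     * keyfile.dat in the current directory (overwriting the previous contents,
     * no protection applied), and a notification sound is played.
     *
     * Returns when ReadProcessMemory fails (e.g. the target exited); the
     * process handle is closed before returning on every path.  Exits the
     * program if keyfile.dat cannot be opened or fully written.
     */
    void readkey (HANDLE hProcess)
    {
    	ULONGLONG oldkey = 0;
    	for (;;)
    	{
    		ULONGLONG key;
    		size_t written;
    
    		if (ReadProcessMemory (hProcess, (void *)addr, &key, sizeof key, NULL) == 0)
    		{
    			printf ("ReadProcessMemory on %u bytes at 0x%08lx failed: %lu\n",
    				(unsigned)sizeof key, addr, (unsigned long)GetLastError());
    			break;
    		}
    		if (key == oldkey)
    		{
    			Sleep (1000);
    			continue;
    		}
    #if defined(__CYGWIN__) || defined(__LCC__)
    		printf ("new key:\t0x%016llx\n", key);
    #else
    		printf ("new key:\t0x%016I64x\n", key);
    #endif
    		oldkey = key;
    		if ( (keydat = fopen ("keyfile.dat", "wb")) == NULL)
    		{
    			printf ("error opening keyfile.dat for writing\n");
    			CloseHandle (hProcess);
    			exit (-1);
    		}
    		/* a short write or a failed close would leave a truncated key on disk */
    		written = fwrite (&key, sizeof key, 1, keydat);
    		if (fclose (keydat) != 0 || written != 1)
    		{
    			keydat = NULL;
    			printf ("error writing keyfile.dat\n");
    			CloseHandle (hProcess);
    			exit (-1);
    		}
    		keydat = NULL;
    		/* try to play the default exclamation sound, if that fails, use beep */
    		if (!PlaySound ("Exclamation", NULL, SND_ASYNC))
    			Beep (500, 500);
    	}
    	CloseHandle (hProcess);
    }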
    
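    /*
     * Walk the process list once via a Toolhelp snapshot.  For every process
     * whose executable name (path stripped, lower-cased) starts with "eqgame"
     * or "testeqgame", open it with PROCESS_VM_READ and hand the handle to
     * readkey(), which owns and closes it.  readkey() only returns when its
     * read fails, so one call here can block for a whole game session.
     *
     * Returns silently if the snapshot cannot be taken.  An OpenProcess
     * failure is printed and ends this scan.  The snapshot handle is closed
     * on every path.
     */
    void scanproclist ()
    {
    	HANDLE         hProcessSnap = NULL;
    	PROCESSENTRY32 pe32      = {0};
    
    	/*  Take a snapshot of all processes in the system. */
    	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    
    	if (hProcessSnap == INVALID_HANDLE_VALUE)
    		return;
    
    	/*  Fill in the size of the structure before using it. */
    	pe32.dwSize = sizeof(PROCESSENTRY32);
    
    	if (Process32First(hProcessSnap, &pe32))
    	{
    		do
    		{
    			HANDLE hProcess;
    			const char *base;
    			char pName[sizeof pe32.szExeFile];   /* same size as the source, so strcpy cannot overflow */
    
    			/* strip path and leave exe filename; the entry may already be a bare name */
    			base = strrchr (pe32.szExeFile, '\\');
    			base = (base != NULL) ? base + 1 : pe32.szExeFile;
    			strcpy (pName, base);
    			strlwr (pName);
    
    			if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
    			{
    				printf ("found eqgame - pid = %lu\n\n", (unsigned long)pe32.th32ProcessID);
    				hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
    				if (hProcess == NULL)
    				{
    					printf ("OpenProcess failed, error: %lu\n", (unsigned long)GetLastError());
    					break;   /* leave the loop so the snapshot is still closed below */
    				}
    				readkey (hProcess);   /* blocks until the read fails; closes hProcess */
    			}
    		}
    		while (Process32Next(hProcessSnap, &pe32));
    	}
    
    	CloseHandle (hProcessSnap);
    }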
    
    
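    /*
     * Entry point.  Optional argv[1] is the key address in hex and replaces the
     * built-in default; anything that does not parse completely as hex is
     * rejected rather than silently becoming address 0.  Enables the debug
     * privilege, then rescans the process list every 10 seconds forever.
     * Returns 1 on a bad argument or when the privilege step fails.
     */
    int main(int argc, char *argv[])
    {
    	if (argc == 2)
    	{
    		char *end = NULL;
    		unsigned long v = strtoul (argv[1], &end, 16);
    		/* strtoul returns 0 for junk; only accept input consumed to the end */
    		if (end == argv[1] || *end != '\0')
    		{
    			printf ("bad offset '%s' (expected a hex address)\n", argv[1]);
    			return 1;
    		}
    		addr = v;
    		printf ("set offset to 0x%08lx\n", addr);
    	} else {
    		printf ("using default offset 0x%08lx (usage is: %s [offset], to use a different one)\n", addr, argv[0]);
    	}
    	printf ("enabling debug privs\n");
    	if (enable_debug_privs() == FALSE)
    	{
    		printf ("error enabling privs\n");
    		return 1;
    	}
    	printf ("scanning for eqgame\n");
    
    	for (;;)
    	{
    		scanproclist ();
    		Sleep (10000); /* pause 10 seconds between checks */
    	}
    
    	return 0;   /* not reached; kept for compilers that want a return */
    }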
    Last edited by mvern; 11-03-2002 at 10:45 PM.
