stable injection!

Author: Thorioum

.github/workflows/cmake-single-platform.yml

@@ -0,0 +1,44 @@
+# This starter workflow is for a CMake project running on a single platform. There is a different starter workflow if you need cross-platform coverage.
+# See: https://github.com/actions/starter-workflows/blob/main/ci/cmake-multi-platform.yml
+name: CMake on a single platform
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+
+env:
+  # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
+  BUILD_TYPE: Release
+
+jobs:
+  build:
+    # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac.
+    # You can convert this to a matrix build if you need cross-platform coverage.
+    # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Configure CMake
+      # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
+      # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type
+      run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
+
+    - name: Build
+      # Build your program with the given configuration
+      run: cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}}
+
+    - name: Test
+      working-directory: ${{github.workspace}}/build
+      # Execute tests defined by the CMake configuration.
+      # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
+      run: ctest -C ${{env.BUILD_TYPE}}
+      
+    - name: Upload build
+      uses: actions/upload-artifact@v4
+      with:
+        name: Charon-dev
+        path: build/Charon/Release/Charon.exe

Charon/CMakeLists.txt

@@ -19,3 +19,11 @@ FetchContent_Declare (
 )
 FetchContent_MakeAvailable (spdlog)
 target_link_libraries(Charon PRIVATE spdlog::spdlog)	
+
+FetchContent_Declare (
+	argparse 
+	URL https://github.com/p-ranav/argparse/archive/refs/tags/v3.1.zip
+	DOWNLOAD_EXTRACT_TIMESTAMP TRUE
+)
+FetchContent_MakeAvailable (argparse)
+target_link_libraries(Charon PRIVATE argparse)

Charon/include/globals.hpp

@@ -1,15 +1,9 @@
 #pragma once
 #include <string>
 
-const std::string robloxVersion = "version-3c1b78b767674c66";
-using Stk_t = void**;
+#define END_MARKER goto __scf_skip_end;__debugbreak();__debugbreak();__scf_skip_end:{};
+constexpr ULONG END_MARKER_SIG = 0x02EB04EB; //jmprel+4,jmprel+2 //^^ the above instructions translate to this
+constexpr ULONGLONG STACK_PLACEHOLDER = 0x1493028DEAD;
 
-#define SCF_WRAP_START _Pragma("optimize(\"\", off)")
-#define SCF_WRAP_END _Pragma("optimize(\"\", on)")
-
-#define SCF_END goto __scf_skip_end;__debugbreak();__debugbreak();__scf_skip_end:{};
-constexpr ULONG SCF_END_MARKER = 0x02EB04EB; //^^ the above instructions translate to this
-constexpr ULONGLONG SCF_STACK_PLACEHOLDER = 0x1493028DEAD;
-
-#define SCF_STACK *const_cast<Stk_t*>(&__scf_ptr_stk);
-#define SCF_START const Stk_t __scf_ptr_stk = reinterpret_cast<const Stk_t>(SCF_STACK_PLACEHOLDER); Stk_t Stack = SCF_STACK;
+#define SCF_STACK *const_cast<void***>(&__scf_ptr_stk);
+#define DEFINE_STACK const void** __scf_ptr_stk = reinterpret_cast<const void**>(STACK_PLACEHOLDER); void** Stack = SCF_STACK;

Charon/include/manualmapper.hpp

@@ -2,14 +2,23 @@
 #include <spdlog/spdlog.h>
 #include "memory.hpp"
 #include "globals.hpp"
+
 namespace ManualMapper {
 	struct Detour {
-		ULONGLONG stubAddr;
-		ULONGLONG stubSize;
-		ULONGLONG targetAddr;
+		ULONGLONG allocAddr;
+		ULONGLONG size;
+		ULONGLONG originalJmp;
+	};
+	struct Allocation {
+		ULONGLONG base;
+		ULONGLONG size;
+	};
+	struct FunctionResult {
+		std::vector<UCHAR> funcBytes;
+		ULONGLONG base;
 	};
 	enum Status {
-		STATUS_BUSY,
+		STATUS_UNSET,
 		STATUS_1,
 		STATUS_2,
 		STATUS_3,
@@ -18,156 +27,27 @@ namespace ManualMapper {
 	};
 
 	//allocates and writes the dll to the target process
-	HMODULE _allocDll(HANDLE handle, const std::string& dllPath);
-
+	Allocation _allocDll(HANDLE handle, const std::string& dllPath);
 	//alloctes a piece of memory to hold the status of the hook, for communication internal and external
 	LPVOID _createStatus(HANDLE handle);
 
 	//this detour will be jmped to by our hooked function which will then jmp to our dll :D
 	//this function writes the function bytes of the detour and allocates valuable data with it
 	//return statement exclusive
+	FunctionResult _parseFunction(ULONGLONG funcBase, ULONGLONG size);
 	ULONGLONG _calculateLocalFuncSize(ULONGLONG funcBase);
 
-	template<typename RetType, typename ...Args>
-	ULONGLONG _createDetour(HANDLE handle, RetType(*targetFunction)(Args...), ULONGLONG dllAddr, ULONGLONG stub, ULONGLONG f) {
-
-		MemExternal::suspendByfronThreads(handle);
-		ULONGLONG targetFuncSize = _calculateLocalFuncSize((ULONGLONG)targetFunction);
-		ULONGLONG statusAddr = (ULONGLONG)_createStatus(handle);
-		ULONGLONG originalJmp = MemExternal::readJmpAbs(handle, stub);
-
-		//get func bytes
-		UCHAR* funcBytes = new UCHAR[targetFuncSize+200];
-		//restore the original jump
-		//mov rax, stub
-		*(UCHAR*)funcBytes = 0x48;
-		*(UCHAR*)(funcBytes + 1) = 0xB8;
-		*(ULONGLONG*)(funcBytes + 2) = stub + 6;
-
-		//mov rcx, original
-		*(UCHAR*)(funcBytes + 10) = 0x48;
-		*(UCHAR*)(funcBytes + 11) = 0xB9;
-		*(ULONGLONG*)(funcBytes + 12) = originalJmp;
-
-		//mov [rax], rcx
-		*(UCHAR*)(funcBytes + 20) = 0x48;
-		*(UCHAR*)(funcBytes + 21) = 0x89;
-		*(UCHAR*)(funcBytes + 22) = 0x08;
-
-		UCHAR* targetFunctionBytes = funcBytes + 23;
-
-		//set the status to the hook was ran
-		*(UCHAR*)targetFunctionBytes = 0x48;
-		*(UCHAR*)(targetFunctionBytes + 1) = 0xB8;
-		*(ULONGLONG*)(targetFunctionBytes + 2) = statusAddr;
-		*(UCHAR*)(targetFunctionBytes + 10) = 0xC7;
-		*(UCHAR*)(targetFunctionBytes + 11) = 0x00;
-		*(ULONG*)(targetFunctionBytes + 12) = Status::STATUS_1;
-
-		targetFunctionBytes += 16;
-		//copy the detour function bytes
-		memcpy(targetFunctionBytes, (LPVOID)((ULONGLONG)targetFunction), targetFuncSize);
-
-		//allocate memory for entire detour
-		LPVOID detourFunctionAlloc = VirtualAllocEx(handle, nullptr, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-
-		//replace its stack placeholders with the real addr were going to use
-		//stack is located in the allocation right after the function
-
-		ULONGLONG stackAddr = (ULONGLONG)detourFunctionAlloc + targetFuncSize+200;
-
-		for (ULONGLONG offset = 0; offset < targetFuncSize; offset++) {
-			UCHAR* currentBytes = targetFunctionBytes + offset;
-			if (*(ULONGLONG*)(currentBytes) == SCF_STACK_PLACEHOLDER) {
-				*(ULONGLONG*)(currentBytes) = stackAddr;
-				offset += sizeof(ULONGLONG);
-				continue;
-			}
-		}
-
-
-		{
-			//right at the end
-			UCHAR* currentBytes = targetFunctionBytes + targetFuncSize;
-
-			//set the status
-			*(UCHAR*)currentBytes = 0x48;
-			*(UCHAR*)(currentBytes + 1) = 0xB8;
-			*(ULONGLONG*)(currentBytes + 2) = statusAddr;
-			*(UCHAR*)(currentBytes + 10) = 0xC7;
-			*(UCHAR*)(currentBytes + 11) = 0x00;
-			*(ULONG*)(currentBytes + 12) = Status::STATUS_SUCCESS;
-
-			UCHAR* currentBytes1 = currentBytes + 16;
-
-			//redirect control flow back to where it was supposed to go
-			*(UCHAR*)(currentBytes1) = 0xFF;
-			*(UCHAR*)(currentBytes1 + 1) = 0x25;
-			*(ULONG*)(currentBytes1 + 2) = 0x00000000;
-			*(ULONGLONG*)(currentBytes1 + 6) = ((ULONGLONG)originalJmp);
-
-		}
-
-
-		//fill the stack with actual data
-		std::vector<ULONGLONG> stack = {};
-		stack.push_back(dllAddr);
-		stack.push_back(statusAddr);
-
-		HMODULE kernelBase = MemExternal::getLoadedModule(handle,"KERNELBASE.dll");
-		ULONGLONG pLoadLibraryA = (ULONGLONG)GetProcAddress(kernelBase, "LoadLibraryA");
-		stack.push_back(pLoadLibraryA);
-		ULONGLONG pGetProcAddress = (ULONGLONG)GetProcAddress(kernelBase, "GetProcAddress");
-		stack.push_back(pGetProcAddress);
-		ULONGLONG pGetModuleHandleA = (ULONGLONG)GetProcAddress(kernelBase, "GetModuleHandleA");
-		stack.push_back(pGetModuleHandleA);
-
-		//write the stack
-		ULONGLONG stackAddrEnum = stackAddr;
-		for (ULONGLONG each : stack) {
-			if (!WriteProcessMemory(handle, (LPVOID)stackAddrEnum, &each, sizeof(ULONGLONG), 0)) {
-				spdlog::error("Failed to write stack data! Err: {}", GetLastError());
-				break;
-			}
-			stackAddrEnum += sizeof(ULONGLONG);
-		}
-
-		if (!WriteProcessMemory(handle, detourFunctionAlloc, funcBytes, targetFuncSize + 200, 0)) {
-			spdlog::error("Failed to write target func byte data! Err: {}", GetLastError());
-		}
-
-		MemExternal::writeJmpAbs(handle, stub, (ULONGLONG)detourFunctionAlloc);
-		FlushInstructionCache(handle, (LPVOID)stub, 12);
-
-		//we have to make the piece of memory that had our original jump writable so that our detour code and restore it
-		ULONG oldProt;
-		VirtualProtectEx(handle, (LPVOID)(stub + 6), sizeof(ULONGLONG), PAGE_EXECUTE_READWRITE, &oldProt);
-
-		ULONG lastStatus = -1;
-		while (true) {
-			ULONG status = 0;
-			if (!ReadProcessMemory(handle, (LPVOID)statusAddr, &status, sizeof(status), 0)) {
-				spdlog::error("Failed to read status! Err: {}", GetLastError());
-				break;
-			}
-			if (lastStatus != status) {
-				spdlog::info("Status: {}", status);
-			}
-			if (status == Status::STATUS_SUCCESS) {
-				spdlog::info("successfully reached the end of the hook");
-				MemExternal::resumeByfronThreads(handle);
-
-				//VirtualFreeEx(handle, detourFunctionAlloc, targetFuncSize + 200, MEM_RELEASE);
-				//VirtualProtectEx(handle, (LPVOID)(stub + 6), sizeof(ULONGLONG), PAGE_EXECUTE, &oldProt);
-
-				break;
-			}
-			lastStatus = status;
-		}
-
-		delete[] funcBytes;
-		return (ULONGLONG)detourFunctionAlloc;
-	}
+	Detour _createDetour(
+		Allocation optPreAllocatedData, //if you already allocated memory in the target process you can pass it in here
+		HANDLE handle, 
+		LPVOID detourLocal, //the base address of the local detour function
+		ULONGLONG stub, //the place where the absolute jmp were overriding is
+		std::vector<ULONGLONG> stack, //the variables that the detour can use
+		ULONGLONG statusAddr = 0 //during the hook, will move numbers into this address to signal the step in the hook its in
+		//if status addr is set, it will also automatically restore the hook when its run once
+	);
+
+	Detour _createDllDetour(HANDLE handle, LPVOID detourLocal, ULONGLONG stub, ULONGLONG dllAddr);
 
 	//the main function, does all the shit
 	void inject(HANDLE handle, const std::string& dllPath);

Charon/include/memory.hpp

@@ -19,7 +19,6 @@ namespace MemExternal {
 	HMODULE getLoadedModule(HANDLE handle, const char* modName);
 	ULONG getModuleSize(HANDLE handle, HMODULE module);
 
-	//for testing
 	void suspendAllThreads(HANDLE handle);
 	void resumeAllThreads(HANDLE handle);
 	void suspendByfronThreads(HANDLE handle);
@@ -64,11 +63,10 @@ namespace MemInternal {
 	void __forceinline fixImports(ULONGLONG dll, 
 		decltype(&LoadLibraryA) &pLoadLibraryA, 
 		decltype(&GetModuleHandleA) &pGetModuleHandleA, 
-		decltype(&GetProcAddress) &pGetProcAddress ) {
+		decltype(&GetProcAddress) &pGetProcAddress, ULONGLONG* status) {
         auto* dosHeader = (IMAGE_DOS_HEADER*)(dll);
         auto* ntHeaders = (IMAGE_NT_HEADERS*)(dll + dosHeader->e_lfanew);
         auto* optionalHeader = &ntHeaders->OptionalHeader;
-        auto size = optionalHeader->SizeOfImage;
 
         auto& importDir = optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
         if (importDir.Size) {
@@ -101,6 +99,7 @@ namespace MemInternal {
                     thunk++;
                     func++;
                 }
+                
                 importDesc++;
             }
         }

Charon/include/offsets.hpp

@@ -1,6 +1,8 @@
 
 #include <iostream>
 #include <spdlog/spdlog.h>
+#include <argparse/argparse.hpp>
+
 #include "../include/manualmapper.hpp"
 #include "../include/util.hpp"
 int main(int argc, char* argv[]) {
@@ -18,11 +20,34 @@ int main(int argc, char* argv[]) {
 		"`\"Y8888Y\"\'     88       88  `\"8bbdP\"Y8  88           `\"YbbdP\"\'   88       88    \n";
 	Util::resetTextColor();
 
+
+	argparse::ArgumentParser parser("Charon");
+
+	parser.add_description(
+		"A Manual Map DLL Injector for Roblox. Most probably detected. Features absolutely no smart bypasses and your dll threads will probably cease to function after 30 seconds or so");
+	parser.add_epilog("https://thorioum.net");
+	parser.add_argument("-d", "--dll").required().help("the path to the dll to inject");
+	try
+	{
+		parser.parse_args(argc, argv);
+	}
+	catch (const std::exception& ex)
+	{
+		spdlog::error("Error Parsing Args: {}", ex.what());
+		return 1;
+	}
+
+	std::string dllPath = parser.get< std::string >("dll");
 	spdlog::info("Waiting for RobloxPlayerBeta.exe. . .");
+	while (FindWindowW(nullptr, L"Roblox") == NULL)
+	{
+		Sleep(200);
+	}
 	HANDLE robloxHandle = MemExternal::WaitForProcess(PROCESS_ALL_ACCESS, FALSE, "RobloxPlayerBeta.exe").first;
+
 	spdlog::info("Succesfully opened handle to Roblox!");
 
-	ManualMapper::inject(robloxHandle, "testing.dll");
+	ManualMapper::inject(robloxHandle, dllPath);
 
 	CloseHandle(robloxHandle);
 }