Hello fellow skids. This will be a post regarding an available injection method which Roblox was supposed to patch, but unfortunately it is still working since then and now. The method is called "SetWindowsHookEx", which most of you may have noticed already if you have tried to figure out how it works using open-source injectors that support this kind of injection.
I will be giving you an example of it with code below.
(Another note: it may inject itself into the injector process to create the hook with RobloxPlayerBeta.exe afterwards.)
bool SetWindowsHookEx(DWORD processId, LPCSTR dllPath) {
    HMODULE hModDll = LoadLibrary(dllPath);
    HOOKPROC procAddress = (HOOKPROC)GetProcAddress(hModDll, "HookProcedure");
    HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
    THREADENTRY32 te32;
    // Take snapshot of all running threads
    hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    // Set structure size
    te32.dwSize = sizeof(THREADENTRY32);
    DWORD threadId = 0;
    do {
        if (te32.th32OwnerProcessID == processId) {
            threadId = te32.th32ThreadID;
            HANDLE hThread = OpenThread(READ_CONTROL, FALSE, te32.th32ThreadID);
            if (hThread) {
                HHOOK hookHandle = SetWindowsHookExA(WH_KEYBOARD, procAddress, hModDll, (DWORD)threadId);
            }
        }
    } while (Thread32Next(hThreadSnap, &te32));
}
As you can see, we use the WH_KEYBOARD hook type at this point, which works by calling the function whenever you press a key or interact with the DLL's window that you hooked to the process.
You can modify the code I've given to whatever you want and try it out, but be sure that the DLL you inject into RobloxPlayerBeta.exe is x64 and creates a window upon injection (I recommend using CMake to create a form).
You can take a look at the POC (proof of working concept) below.
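From the other side of the fence: a DLL brought in through SetWindowsHookEx still shows up as an ordinary image load in the hooked process, so the simplest way to spot this class of injection is to watch which modules land inside RobloxPlayerBeta.exe and from where. The script below is an added example (not code from the original post or from any injector project): it parses constructed log records whose field names follow Sysmon Event ID 7 (ImageLoad) naming, flattened to key=value lines, and flags DLLs that are unsigned or loaded from a user-writable location. Treating the game's own install directory and C:\Windows as expected locations is an assumption made for the example, since Roblox installs under the user profile; the paths in the sample records are invented.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: Sysmon-style ImageLoad (Event ID 7) records flattened
# to one "key=value ..." line each. All paths here are invented.
ROBLOX_EXE = "C:\\Users\\alice\\AppData\\Local\\Roblox\\Versions\\version-x\\RobloxPlayerBeta.exe"
SAMPLE_EVENTS = [
    # normal system DLL
    f"EventID=7 Image={ROBLOX_EXE} ImageLoaded=C:\\Windows\\System32\\user32.dll Signed=true SignatureStatus=Valid",
    # unsigned DLL from the desktop: classic hook/injection payload location
    f"EventID=7 Image={ROBLOX_EXE} ImageLoaded=C:\\Users\\alice\\Desktop\\hook.dll Signed=false SignatureStatus=Unavailable",
    # unrelated process, must be ignored
    "EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll Signed=true SignatureStatus=Valid",
    # DLL shipped next to the game binary: allowed by the same-directory rule
    f"EventID=7 Image={ROBLOX_EXE} ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Roblox\\Versions\\version-x\\somelib.dll Signed=false SignatureStatus=Unavailable",
    # signed, but loaded from %TEMP%: still worth a look
    f"EventID=7 Image={ROBLOX_EXE} ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\inj.dll Signed=true SignatureStatus=Valid",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
WINDOWS_ROOT = "C:\\Windows\\"
USER_ROOT = "C:\\Users\\"


def parse_event(line):
    """Turn one flattened record into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def _under(path, prefix):
    """Case-insensitive prefix test, since NTFS paths are case-insensitive."""
    return path.lower().startswith(prefix.lower())


def classify_load(event):
    """Return None when the load looks expected, otherwise a reason string."""
    host = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if _under(loaded, WINDOWS_ROOT):
        return None
    # Assumption for this example: modules beside the game binary are its own.
    host_dir = str(PureWindowsPath(host).parent) + "\\"
    if _under(loaded, host_dir):
        return None
    reasons = []
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned")
    if _under(loaded, USER_ROOT):
        reasons.append("user-writable location")
    return "; ".join(reasons) or None


def find_suspicious_loads(lines, process_name="RobloxPlayerBeta.exe"):
    """Scan ImageLoad records for the named process and return (dll, reason) hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "7":
            continue
        if PureWindowsPath(event.get("Image", "")).name.lower() != process_name.lower():
            continue
        reason = classify_load(event)
        if reason:
            hits.append((event["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for dll, reason in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"suspicious load: {dll} ({reason})")
```

On a real host the records would come from the Sysmon operational log rather than an inline list; the same classification applies, and tuning the allowlist to the actual install directory is the part that needs care so that a cheat dropped next to the game binary does not hide behind it.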
Resource Leak: The code loads the DLL with LoadLibrary but does not free it with FreeLibrary after setting the hook. After setting the hook, you should free the library using FreeLibrary:
FreeLibrary(hModDll);
Error Handling: It's good practice to check for errors and handle them appropriately. For example, you should check if LoadLibrary and GetProcAddress return NULL, and if CreateToolhelp32Snapshot and OpenThread return INVALID_HANDLE_VALUE.
Here’s an updated version of your code with these changes:
Remember to add appropriate error handling based on your specific requirements. Also, note that setting a global hook might have security implications, so use it responsibly and be aware of the potential impact on system performance and behavior.
I haven't looked too much into it, but Rune CE (Rune Cheat Engine) possibly could have used this method, as a tiny part of the community knows. It is definitely something exploitable, but I also believe this is detected after some time.
Also, anything I'm saying could be incorrect; I have a very small amount of knowledge about Rune's injection method, so don't quote me!