Question about ShellCode inject menu

  #1 yezack (Member)

    Question about ShellCode inject

    Code:
    import ctypes
    import pymem
    from keystone import *


    def assemble_asm(asm_code):
        # Keystone, x86-64 mode; asm() returns (encoding, count), keep the bytes.
        ks = Ks(KS_ARCH_X86, KS_MODE_64)
        return ks.asm(asm_code, as_bytes=True)[0]


    if __name__ == '__main__':
        game_pm = pymem.Pymem("wowclassic.exe")
        fun_addr = 0x15B2BD0  # logout (address as posted)
        # Win64 calling convention: the first three integer arguments travel in
        # rcx, rdx and r8 (edi/esi/edx is the SysV convention and is wrong here).
        # The callee also expects 32 bytes of shadow space on a 16-byte aligned
        # stack, and the thread start routine must `ret` so the thread exits cleanly.
        shell_code = assemble_asm(f'''
            sub     rsp, 0x28
            mov     ecx, 1
            mov     edx, 1
            xor     r8d, r8d
            mov     rax, {fun_addr:#x}
            call    rax
            add     rsp, 0x28
            ret
        ''')

        remote_shell_code_addr = game_pm.allocate(len(shell_code))
        game_pm.write_bytes(remote_shell_code_addr, shell_code, len(shell_code))
        shell_thread_handle = game_pm.start_thread(remote_shell_code_addr)
        # Wait for the thread to finish before freeing the buffer it executes from.
        ctypes.windll.kernel32.WaitForSingleObject(shell_thread_handle, 0xFFFFFFFF)
        game_pm.free(remote_shell_code_addr)

        game_pm.inject_python_interpreter()
        # Prototype with three c_int parameters to match the (1, 1, 0) call.
        game_pm.inject_python_shellcode(f'''
    import ctypes
    ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, ctypes.c_int, ctypes.c_int)({fun_addr})(1, 1, 0)
    ''')
    I call "logout" in two ways: remote shellcode and an injected python.dll.
    The shellcode doesn't work, and after it runs the shellcode's first byte changes to 0x3C; the injected python.dll works well.
    Is my asm code not right?

  #2 Hazzbazzy (wannabe hackerlol)
    Originally Posted by yezack:
    I call "logout" in two ways: remote shellcode and an injected python.dll. The shellcode doesn't work, and after it runs the shellcode's first byte changes to 0x3C; the injected python.dll works well. Is my asm code not right?
    There's a lot of missing context here, so it's difficult to help you, but I can tell you that 0x3C on its own is typically the byte for return, which means your function would instantly return on call.

  #3 yezack (Member)
    That's the full code.
    game_pm.start_thread(remote_shell_code_addr) is pymem's function; it creates a remote thread in the game process.
    game_pm.inject_python_shellcode runs Python code via the remote python.dll (another way to make a remote call).

  #4 yezack (Member)
    Code:
    import pymem

    game_pm = pymem.Pymem("wowclassic.exe")
    game_pm.inject_python_interpreter()
    # Runs inside the game process via the injected interpreter; the prototype
    # declares three c_int parameters to match the (1, 1, 0) call.
    game_pm.inject_python_shellcode(f'''
    import ctypes
    ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, ctypes.c_int, ctypes.c_int)(0x15B2BD0)(1, 1, 0)
    ''')
    Minimalist code to call a function (logout) from Python.

  #5 scizzydo (Active Member)
    Originally Posted by yezack:
    I call "logout" in two ways: remote shellcode and an injected python.dll. The shellcode doesn't work, and after it runs the shellcode's first byte changes to 0x3C; the injected python.dll works well. Is my asm code not right?
    When a thread is created and executed and doesn't have a backing module, the first byte is replaced with 0x3C. That's why it worked from the python.dll, as it is a mapped-in module that exists in the address space. You can create a proxy to call from: somewhere in another module, pointing to the outside, which you then put your shellcode in to execute. That, or create the thread with the shellcode accounting for the first byte being 0x3C, and then modify rcx to be +1 in the context.

  #6 darheroc (Member)
    It's the TLS callback that is checking the start address of your thread and instantly setting it to ret when you are not starting it within the .text section of the game. If you want to execute your JIT-assembled shellcode, you either have to hook something, hijack a thread, or start the thread at some jump instruction in the .text section and change the thread context to jump to your shellcode.

  #7 scizzydo (Active Member)
    Originally Posted by darheroc:
    It's the TLS callback that is checking the start address of your thread and instantly setting it to ret when you are not starting it within the .text section of the game. If you want to execute your JIT-assembled shellcode, you either have to hook something, hijack a thread, or start the thread at some jump instruction in the .text section and change the thread context to jump to your shellcode.
    Not necessarily true that those are the only options, for I did state two other methods too.

    It's also about more than just the game's .text, as you can successfully call LoadLibrary, for example, and that's not in the game's .text.
    Last edited by scizzydo; 01-31-2024 at 05:43 PM.

  #8 darheroc (Member)
    Originally Posted by scizzydo:
    Not necessarily true that those are the only options, for I did state two other methods too.

    It's also about more than just the game's .text, as you can successfully call LoadLibrary, for example, and that's not in the game's .text.
    Your first method is to inject a DLL to call your injected shellcode. Yeah, or you just run the code within the DLL when you are already injecting a DLL? I don't see the point of this method; why would you even compile assembly at runtime then?
    I haven't tried your second method; the only thing I tried is having a nop at the start of the shellcode and starting the thread at +1. This resulted in WoW crashing. Have you actually tried this method, or is it just theory? Because I would assume that the TLS callback kills the thread before you can suspend it.

  #9 scizzydo (Active Member)
    Originally Posted by darheroc:
    Your first method is to inject a DLL to call your injected shellcode. Yeah, or you just run the code within the DLL when you are already injecting a DLL? I don't see the point of this method; why would you even compile assembly at runtime then?
    I haven't tried your second method; the only thing I tried is having a nop at the start of the shellcode and starting the thread at +1. This resulted in WoW crashing. Have you actually tried this method, or is it just theory? Because I would assume that the TLS callback kills the thread before you can suspend it.
    I'm going to take part of your response as a lack of understanding being why you're narrow-minded on it. However, I never once said anything about injecting a DLL. I will quote it again; maybe this time read it fully:
    You can create a proxy to call from: somewhere in another module, pointing to the outside, which you then put your shellcode in to execute.
    I'm not here to feed answers, but to inspire ideas to get people thinking outside the box. In regards to the second method listed... if only there was a flag or something for creating a thread that would create it suspended... hmmmmmmm...

    Both methods do work. There are others I have in theory, which I can test and hint at; however, I personally do method #1 with a proxy, as after injection I reuse it for many other things too. These are less invasive methods also, and don't require hooking things or modifying the binary outside of a memory allocation for the code to be written.

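The two routes sketched in posts #5, #6 and #9 above (start the thread suspended and move the start routine past the patched byte; or start it at a "proxy" inside a mapped module that jumps to the buffer) can be made concrete. The block below is an added example written for this page, not code from any of the posters. It hand-assembles the Win64 call stub without keystone, leaves a two-byte nop pad so the byte the protection overwrites is never executed, creates the remote thread with CREATE_SUSPENDED, reads its initial CONTEXT, moves Rcx (which on x64 holds the start routine until RtlUserThreadStart calls it) past the pad, resumes, and waits. It also scans a module image for `jmp rcx` gadgets for the proxy variant: a thread started at such a gadget has a module-backed start address, and on entry rcx equals lpParameter, so passing the shellcode address as the thread parameter lands in it. Assumptions, stated here and in the comments: the overwrite lands on the thread's recorded Win32 start address before the start routine runs, as the posts describe (if the check re-reads the current Rcx instead, this fails the way darheroc's +1 experiment did, and the initial-Rcx check is the only layout check the code can make from outside); the target takes three 32-bit integer arguments, as in the (1, 1, 0) call of the original post; `h_process` is a process handle with thread-creation rights, for instance pymem's `Pymem.process_handle`; the `jmp rcx` image and the addresses in the test are constructed sample input. Byte 0x3C is the opcode of `cmp al, imm8`, so a pad of `90 90` turned into `3C 90` still decodes as one harmless instruction should the stub ever be entered at byte 0. `run_past_patched_entry` only works on Windows; the builder, the offsets and the gadget scan run anywhere.

```python
import ctypes
import struct

PAD = 2  # leading nops; byte 0 is the one the protection overwrites (posts #5/#6)

CREATE_SUSPENDED = 0x00000004
CONTEXT_AMD64 = 0x00100000
CONTEXT_CONTROL = CONTEXT_AMD64 | 0x01
CONTEXT_INTEGER = CONTEXT_AMD64 | 0x02


def build_call_shellcode(fun_addr, a, b, c):
    """Hand-assembled Win64 stub: fun(a, b, c); ret.
    Assumption: fun takes three 32-bit integer args (the (1,1,0) call in the OP)."""
    code = b"\x90" * PAD                                     # nop pad; 3C 90 = cmp al, 0x90
    code += b"\x48\x83\xEC\x28"                              # sub rsp, 0x28 (shadow space + align)
    code += b"\xB9" + struct.pack("<I", a & 0xFFFFFFFF)      # mov ecx, a
    code += b"\xBA" + struct.pack("<I", b & 0xFFFFFFFF)      # mov edx, b
    code += b"\x41\xB8" + struct.pack("<I", c & 0xFFFFFFFF)  # mov r8d, c
    code += b"\x48\xB8" + struct.pack("<Q", fun_addr)        # mov rax, fun_addr
    code += b"\xFF\xD0"                                      # call rax
    code += b"\x48\x83\xC4\x28"                              # add rsp, 0x28
    code += b"\xC3"                                          # ret -> RtlUserThreadStart exits
    return code


def resume_address(remote_code):
    """Start routine to install in Rcx once byte 0 of remote_code has been patched."""
    return remote_code + PAD


def find_jmp_rcx_gadgets(image, base):
    """Absolute addresses of `jmp rcx` (FF E1) in a module image.  Proxy variant:
    CreateRemoteThread(start=gadget, param=shellcode) records a module-backed start
    address, and on entry rcx == lpParameter, so the gadget jumps into the buffer."""
    hits, i = [], image.find(b"\xFF\xE1")
    while i != -1:
        hits.append(base + i)
        i = image.find(b"\xFF\xE1", i + 1)
    return hits


class M128A(ctypes.Structure):
    _fields_ = [("Low", ctypes.c_uint64), ("High", ctypes.c_int64)]


class CONTEXT64(ctypes.Structure):
    """winnt.h CONTEXT for AMD64: 1232 bytes, Rcx at 0x80, Rip at 0xF8."""
    _fields_ = (
        [("P%dHome" % i, ctypes.c_uint64) for i in range(1, 7)]
        + [("ContextFlags", ctypes.c_uint32), ("MxCsr", ctypes.c_uint32)]
        + [(s, ctypes.c_uint16) for s in ("SegCs", "SegDs", "SegEs", "SegFs", "SegGs", "SegSs")]
        + [("EFlags", ctypes.c_uint32)]
        + [("Dr%d" % i, ctypes.c_uint64) for i in (0, 1, 2, 3, 6, 7)]
        + [(r, ctypes.c_uint64) for r in ("Rax", "Rcx", "Rdx", "Rbx", "Rsp", "Rbp", "Rsi", "Rdi",
                                          "R8", "R9", "R10", "R11", "R12", "R13", "R14", "R15", "Rip")]
        + [("FltSave", ctypes.c_ubyte * 512), ("VectorRegister", M128A * 26),
           ("VectorControl", ctypes.c_uint64)]
        + [(n, ctypes.c_uint64) for n in ("DebugControl", "LastBranchToRip", "LastBranchFromRip",
                                          "LastExceptionToRip", "LastExceptionFromRip")]
    )


def context_size():
    return ctypes.sizeof(CONTEXT64)


def aligned_context():
    """GetThreadContext demands a 16-byte aligned CONTEXT; ctypes only aligns to 8."""
    buf = ctypes.create_string_buffer(context_size() + 16)
    addr = (ctypes.addressof(buf) + 15) & ~15
    return buf, CONTEXT64.from_address(addr)  # caller keeps buf alive beside the view


def run_past_patched_entry(h_process, remote_code):
    """Windows only.  Create the thread suspended at remote_code (the address the
    protection records and patches), point Rcx PAD bytes past the patched byte,
    resume, and wait, so the caller may free remote_code afterwards.
    Assumption: the initial Rcx is the start routine (verified before resuming)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateRemoteThread.restype = ctypes.c_void_p
    k32.CreateRemoteThread.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
                                       ctypes.c_void_p, ctypes.c_void_p, ctypes.c_uint32,
                                       ctypes.POINTER(ctypes.c_uint32)]
    k32.GetThreadContext.argtypes = k32.SetThreadContext.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.ResumeThread.argtypes = k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]

    tid = ctypes.c_uint32()
    h_thread = k32.CreateRemoteThread(h_process, None, 0, remote_code, None,
                                      CREATE_SUSPENDED, ctypes.byref(tid))
    if not h_thread:
        raise ctypes.WinError(ctypes.get_last_error())
    buf, ctx = aligned_context()
    ctx.ContextFlags = CONTEXT_CONTROL | CONTEXT_INTEGER
    if not k32.GetThreadContext(h_thread, ctypes.addressof(ctx)):
        raise ctypes.WinError(ctypes.get_last_error())
    if ctx.Rcx != remote_code:  # layout assumption broken: do not resume blind
        k32.CloseHandle(h_thread)
        raise RuntimeError("initial Rcx %#x is not the start routine" % ctx.Rcx)
    ctx.Rcx = resume_address(remote_code)
    if not k32.SetThreadContext(h_thread, ctypes.addressof(ctx)):
        raise ctypes.WinError(ctypes.get_last_error())
    k32.ResumeThread(h_thread)
    k32.WaitForSingleObject(h_thread, 0xFFFFFFFF)
    k32.CloseHandle(h_thread)
    return tid.value
```

Usage with the pymem objects from the original post: allocate as there, write `build_call_shellcode(fun_addr, 1, 1, 0)`, call `run_past_patched_entry(game_pm.process_handle, remote_shell_code_addr)`, and only then `free` the buffer, since the call returns after the thread has exited. For the proxy variant, read a mapped module's bytes, pick an address from `find_jmp_rcx_gadgets`, and start the thread there with the shellcode address as the parameter.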
  #10 darheroc (Member)
    Originally Posted by scizzydo:
    I'm going to take part of your response as a lack of understanding being why you're narrow-minded on it. However, I never once said anything about injecting a DLL. I will quote it again; maybe this time read it fully:
    I'm not here to feed answers, but to inspire ideas to get people thinking outside the box. In regards to the second method listed... if only there was a flag or something for creating a thread that would create it suspended... hmmmmmmm...
    Both methods do work. There are others I have in theory, which I can test and hint at; however, I personally do method #1 with a proxy, as after injection I reuse it for many other things too. These are less invasive methods also, and don't require hooking things or modifying the binary outside of a memory allocation for the code to be written.
    Your response could be more precise, as it currently leaves room for multiple interpretations, including my own, which I believe is also valid based on your quote.
    I'm aware that a thread can be created in a suspended state, but my assumption was that the TLS callback terminates it, hence why I asked if you had tried it.
    However, I think we should conclude this discussion here. It seems challenging to engage in a constructive conversation with you, as it feels like the focus shifts towards proving superiority rather than exchanging ideas.
