out-of-process targeting help needed

  #1 rafalsk (Active Member)

    Hi,

    I've been searching a lot for information about how to resolve this problem;
    this is the code I use for targeting:
    Code:
    Threads.suspendMainThread(id);
    uint codeCave = Memory.AllocateMemory(0x108);
    Memory.WriteUInt64(codeCave + 0x100, Guid);   // the target GUID is stored at the end of the cave, past the stub
    Memory.Asm.Clear();
    Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x4).ToString("X"));   // high dword of the GUID
    Memory.Asm.AddLine("PUSH EAX");
    Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x0).ToString("X"));   // low dword of the GUID
    Memory.Asm.AddLine("PUSH EAX");
    Memory.Asm.AddLine("CALL 0x004C4940");   // the original also passed mem_target, but the format string has no {0}, so it was never used
    Memory.Asm.AddLine("ADD ESP, 0x8");
    Memory.Asm.AddLine("RETN");
    Memory.Asm.InjectAndExecute(codeCave);
    Memory.FreeMemory(codeCave);
    Threads.resumeMainThread(id);
    It works, but after a couple (10-100) of tries it kills WoW. Any ideas? It's the only place in my code where I inject anything.
    I know it has been mentioned before, and I've seen all the other posts, but the thread is suspended and resumed; there are no sleeps inside.

  #2 DamonT (Member)
    Originally Posted by rafalsk: [post #1 quoted in full]
    That's definitely not out-of-process, as cypher will confirm.

  #3 nitrogrlie (Member)
    From memory, I believe the SelectUnit function (0x004C4940) does its own internal stack clean-up, in that it terminates with a "retn 8", so your "add esp, 0x8" is redundant and is screwing up the stack. But check this by looking at the function you call in IDA and make sure I remember correctly and that it is the callee that performs the stack clean-up and not the caller.

    Secondly, depending on what compiler you use, the above code should fail on Visual Studio, mainly because of a bug they have with dereferencing memory addresses. To clarify, MS VS has a bug where:
    Code:
    mov eax, [0x12345678]
    does not actually put the dereferenced value of whatever is at 0x12345678 into eax, but rather puts 0x12345678 into eax, completely dropping the [ ] as if they were never there. The workaround for that is to use two asm lines:
    Code:
    mov eax, 0x12345678
    mov eax, [eax]
    That works.

    Either way, one of those hopefully solves your problem.
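To see why the callee/caller clean-up mismatch described above matters, here is a small stack model (an added example, not code from the thread) that replays the stub's two pushes, the CALL, the callee's RETN and the stub's final RETN. It assumes, as the reply does, that the callee ends with "retn 8"; every address in it is a constructed value.

```python
# Minimal model of the 32-bit stack: enough to replay the targeting stub's
# push/call/retn sequence and see where ESP ends up. Addresses are constructed.
STUB_RETURN = 0x7C001234   # constructed: return address the injector's CALL left for the stub
GARBAGE = 0xBAADF00D       # marker for a stack slot the stub never wrote

class StackModel:
    def __init__(self, esp=0x0012FF80):
        self.esp = esp
        self.mem = {}              # dword address -> value

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem.get(self.esp, GARBAGE)
        self.esp += 4
        return value

    def call(self, return_addr):
        self.push(return_addr)     # CALL pushes the return address and jumps

    def retn(self, n=0):
        ret = self.pop()           # RETN pops the return address ...
        self.esp += n              # ... and RETN n then discards n bytes of arguments
        return ret

def run_stub(stack, callee_cleans, caller_adds):
    """Replay the stub: PUSH, PUSH, CALL SelectUnit, the callee's RETN, optional ADD ESP,8, RETN.
    callee_cleans: the callee ends with 'retn 8' (stdcall-style, as the reply suggests)
    caller_adds:   the stub keeps its own 'ADD ESP, 0x8' after the CALL
    Returns (address the final RETN pops, net change in ESP); a clean run gives (STUB_RETURN, 0).
    """
    start = stack.esp
    stack.push(STUB_RETURN)        # left on the stack by the injector's CALL into the code cave
    stack.push(0x00000001)         # PUSH EAX (high dword of the GUID; constructed value)
    stack.push(0x00000002)         # PUSH EAX (low dword)
    stack.call(0x00400123)         # CALL 0x004C4940 pushes the stub's own return address
    stack.retn(8 if callee_cleans else 0)   # the callee returns
    if caller_adds:
        stack.esp += 8             # ADD ESP, 0x8
    return stack.retn(), stack.esp - start  # final RETN

if __name__ == "__main__":
    for callee, caller in ((True, True), (True, False), (False, True)):
        ret, delta = run_stub(StackModel(), callee, caller)
        print(f"retn 8={callee!s:5} add esp,8={caller!s:5} -> RETN to {ret:#010x}, ESP off by {delta:+d}")
```

With both clean-ups in place the final RETN pops a slot the stub never wrote and ESP is left 8 bytes too high, which is the kind of corruption that only shows up after a few dozen runs.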

  #4 Nesox (Elder)
    Originally Posted by DamonT View Post
    That's definitely not out-of-process as cypher will confirm

    I disagree, I still think that's out of process;
    when you can use delegates,
    typedefs for function pointers or easily hook functions without a lot of shizzle then I will consider it as being in-process, but otherwise I still think you're out of process;

    you could label it as passively out of process or active imo.
    Last edited by Nesox; 12-02-2009 at 08:56 AM.

  #5 naa (Contributor)
    The problem you got is probably related to you just resuming the thread when you think the code has been executed - not when you know it has been executed.

    A solution would be sending a message to the bot and then resume the thread when you receive it.
    Code:
    /// <summary>
    /// Send a message to the bot to know when to resume the thread
    /// </summary>
    private void SendResumeMessage()
    {
        // Assumes User32.dll is mapped at the same base in both processes, so the address
        // resolved here is also valid inside the injected stub
        var sendmessage = (uint) GetProcAddress(LoadLibrary("User32.dll"), "SendMessageA");
        var hwnd = (uint) AppHelper.BotHandle;

        // stdcall: push the arguments right to left (lParam, wParam, Msg, hWnd), then call
        Memory.Asm.AddLine("push eax");
        Memory.Asm.AddLine("push {0}", 0x10);     // lParam
        Memory.Asm.AddLine("push {0}", 0x10);     // wParam
        Memory.Asm.AddLine("push {0}", 0xADDF);   // Msg: the private message id the bot listens for
        Memory.Asm.AddLine("push {0}", hwnd);     // hWnd of the bot window (the original pushed mainForm.Handle and left hwnd unused)
        Memory.Asm.AddLine("mov eax, {0}", sendmessage);
        Memory.Asm.AddLine("call eax");
        Memory.Asm.AddLine("pop eax");
    }
    So something like:

    Code:
    Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x4).ToString("X"));
    Memory.Asm.AddLine("PUSH EAX");
    Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x0).ToString("X"));
    Memory.Asm.AddLine("PUSH EAX");
    Memory.Asm.AddLine("CALL 0x004C4940");
    Memory.Asm.AddLine("ADD ESP, 0x8");
    SendResumeMessage();   // appends the SendMessageA call to the same asm buffer, before the RETN
    Memory.Asm.AddLine("RETN");
    Then you just have to "listen" for the message in your main form (the window that the handle belongs to) and resume the WoW thread when you get the message.

    Code:
    protected override void WndProc(ref Message message)
    {
        if (message.Msg == 0xADDF)
        {
            Log("Resuming WoW thread!");
            ResumeMainWowThread();
        }
        base.WndProc(ref message);
    }
    Last edited by naa; 12-02-2009 at 08:46 AM.

  #6 nitrogrlie (Member)
    Originally Posted by DamonT View Post
    That's definitely not out-of-process as cypher will confirm
    Of course it isn't, he suspends the main thread and then sends execution control to his own codecave calling WoW API functions which means he is inside the process-space of WoW.

    So yeah, you are not out-of-process, and in reality, no one is. At most people can claim they are outside-the-process-space when they do modifications to a process from an externally attached debugger, but even that is a stretch because you are inserting breakpoints which modify at minimum at least one byte in the process space of that process. Of course you can claim you don't use software breakpoints but rather hardware, but then you are modifying registers in that process's space. So yeah, out-of-process is a stupid misnomer.

  #7 rafalsk (Active Member)
    Thank you all for the responses; they helped me a lot. I'll let you know how it works.
    Last edited by rafalsk; 12-02-2009 at 04:49 PM.

  #8 Robske (Contributor)
    Originally Posted by rafalsk View Post
    Thank you all for response.
    I wonder one thing, now I only inject the targeting codecave into WoW, other than that I'm out. How do I put the private void SendResumeMessage() into WoW and make it execute this function? If I were in WoW's process it wouldn't be a problem, I guess I'm missing something
    SendResumeMessage just adds more asm to blackmagic's buffer. Read the code first >.>

    Also, as soon as you injected that codestub and changed the flow of the process you are as detectable as any other in-process bot.

  #9 lanman92 (Active Member)
    Actually, registers aren't in the process. And isn't Warden scanning for externally allocated memory regions now?

  #10 rafalsk (Active Member)
    Everything was going fine; I made it in C#. The thing is, the msg is not received by my Form's WndProc.

    Here's how I find the HWND for my main form:
    Code:
    MyGlobalStuff.botwindow = (uint)this.Handle;
    Here's the Form's WndProc (it seems to receive all other Msgs all right):
    Code:
    [System.Security.Permissions.PermissionSet(System.Security.Permissions.SecurityAction.Demand, Name = "FullTrust")]
    protected override void WndProc(ref Message m)
    {
        int i = 0;
        if (m.Msg == 0xADDF)
            i = 1; // here I put a break-point just for testing
        else
            base.WndProc(ref m);
    }
    Target's asm:
    Code:
    Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x4).ToString("X"));
    Memory.Asm.AddLine("PUSH EAX");
    Memory.Asm.AddLine("MOV EAX,[0x{0}]", (codeCave + 0x100 + 0x0).ToString("X"));
    Memory.Asm.AddLine("PUSH EAX");
    Memory.Asm.AddLine("CALL 0x004C4940");   // the original passed an unused mem_target argument; the format string has no {0}
    Memory.Asm.AddLine("ADD ESP, 0x8");
    SendResumeMessage();
    Memory.Asm.AddLine("RETN");
    SendMsg:
    Code:
    private void SendResumeMessage()
    {
        Memory.Asm.AddLine("push eax");
        Memory.Asm.AddLine("push {0}", 0x10);
        Memory.Asm.AddLine("push {0}", 0x10);
        Memory.Asm.AddLine("push {0}", 0xADDF);
        Memory.Asm.AddLine("push {0}", MyGlobalStuff.botwindow);
        Memory.Asm.AddLine("mov eax, {0}", sendmessage);
        Memory.Asm.AddLine("call eax");
        Memory.Asm.AddLine("pop eax");
    }

  #11 naa (Contributor)
    Where did
    Code:
    var sendmessage = (uint) GetProcAddress(LoadLibrary("User32.dll"), "SendMessageA");
    go to?

  #12 rafalsk (Active Member)
    I've put
    Code:
    var sendmessage = (uint)GetProcAddress(LoadLibrary("User32.dll"), "SendMessageA");
    back to SendResumeMessage().

    This is how I load the DLLs, right at the beginning of my class:
    Code:
    [DllImport("kernel32")]
    public extern static int GetProcAddress(int hModule, string procedureName);
    [DllImport("kernel32")]
    public extern static int LoadLibrary(string libraryName);
    Info on the variables while debugging:
    var sendmessageA:1984080605
    MyGlobalStuff.botwindow: 592836

    I still can't pick up the msg at the bot's side; digging deep in my mind for what might be the cause.
    Last edited by rafalsk; 12-03-2009 at 06:20 AM.

  #13 garkeinplan (Member)
    I have the same problem with receiving the right Msg with WndProc on Windows7... Vista and XP works fine a long time...

  #14 rafalsk (Active Member)
    Ok, I think I've found the reason:

    I don't know if you have, but I've never heard about 'Integrity Levels'; they seem to exist in Windows Vista and later.

    You can download this little program to check the integrity level of each process
    http://technet.microsoft.com/en-us/s.../bb896653.aspx

    You need to run this program as Admin to be able to see the integrity level of processes higher than your own.

    So it seems that as my bot has to and needs to run as Administrator for obvious reasons it gets integrity level HIGH, while WoW's process has integrity only of value MEDIUM, and according to this:

    Microsoft Windows Vista and later. Message sending is subject to User Interface Privilege Isolation (UIPI). The thread of a process can send messages only to message queues of threads in processes of lesser or equal integrity level.
    Msg cannot be sent, woah
    EDIT: Confirmed that was the reason; when running WoW as Admin the Msg is delivered just fine. Such a stupid thing took me so much time
    Last edited by rafalsk; 12-04-2009 at 07:32 AM.
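The integrity-level check that the linked tool performs, written out as an added example (not the poster's code): it reads a process token's mandatory label with GetTokenInformation and applies the UIPI rule quoted above. The live query needs Windows and the right to open the target process; the two helper functions are plain Python.

```python
import ctypes
import sys
# Mandatory-label RIDs from winnt.h (SECURITY_MANDATORY_*_RID).
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
TOKEN_QUERY = 0x0008
TOKEN_INTEGRITY_LEVEL = 25   # TOKEN_INFORMATION_CLASS.TokenIntegrityLevel

def integrity_name(rid):
    """Level name for a mandatory-label RID; in-between values (Medium Plus, 0x2100) report the level below them."""
    return INTEGRITY_LEVELS.get(rid & 0xF000, "Unknown(0x%X)" % rid)

def uipi_allows(sender_rid, receiver_rid):
    """The UIPI rule quoted above: messages only reach windows of lesser or equal integrity."""
    return sender_rid >= receiver_rid

def process_integrity_rid(pid):
    """Read a running process's integrity RID from its token (Windows only)."""
    if sys.platform != "win32":
        raise OSError("process_integrity_rid needs Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    adv.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_void_p)]
    adv.GetTokenInformation.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                        ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    adv.GetSidSubAuthorityCount.restype = ctypes.POINTER(ctypes.c_ubyte)
    adv.GetSidSubAuthorityCount.argtypes = [ctypes.c_void_p]
    adv.GetSidSubAuthority.restype = ctypes.POINTER(ctypes.c_ulong)
    adv.GetSidSubAuthority.argtypes = [ctypes.c_void_p, ctypes.c_ulong]
    hproc = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
    if not hproc:
        raise ctypes.WinError(ctypes.get_last_error())
    htok = ctypes.c_void_p()
    try:
        if not adv.OpenProcessToken(hproc, TOKEN_QUERY, ctypes.byref(htok)):
            raise ctypes.WinError(ctypes.get_last_error())
        size = ctypes.c_ulong(0)
        adv.GetTokenInformation(htok, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(size))
        buf = ctypes.create_string_buffer(size.value)   # receives a TOKEN_MANDATORY_LABEL
        if not adv.GetTokenInformation(htok, TOKEN_INTEGRITY_LEVEL, buf, size, ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        psid = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]   # Label.Sid is the first field
        count = adv.GetSidSubAuthorityCount(psid)[0]
        return adv.GetSidSubAuthority(psid, count - 1)[0]   # the last sub-authority is the level RID
    finally:
        if htok:
            k32.CloseHandle(htok)
        k32.CloseHandle(hproc)
```

Comparing `process_integrity_rid()` of the two processes with `uipi_allows()` reproduces the observation in the post: a Medium sender and a High receiver fail, and they pass once both run at the same level.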

  #15 rafalsk (Active Member)
    Ok, I've learned something, but it didn't help much, as it seems that the asm targeting code crashes WoW by itself from time to time and the SendMsg function is not executed as WoW is already down. Any ideas?
