[Help me]Problem with using function pointer in Debug builds

  1. #1 wanyancan (Member)

    [Help me]Problem with using function pointer in Debug builds

    I've got a weird problem using CreateRemoteThread... When built in "Release", the dummy code is copied correctly to the remote process and invoked properly; however, for the "Debug" build, some nonsense bytes are copied from a wrong function address, not the actual "mySnubber" address.. Are there any options that should be changed when building debug binaries? I think this is caused by the compiler to help with debugging. Any solutions? I still need to debug it anyway.

    Code as below
    Code:
    #define INJECTSIZE 4096
    // Stub copied into the target process; it calls the game's TraceLine at a
    // hard-coded address with pointers into the argument block `c`.
    DWORD __stdcall mySnubber( DWORD c )
    {
    		/*
    		0   float float float 
    		0xC float float float 
    		0x18 float float float
    		0x24 float
    		0x28 float (flag)
    		0x2C float float float
    		*/
    	typedef bool (__cdecl *tTraceLine)(int*, int*, int*, int*, int*, int*);
    	tTraceLine pTraceLine = (tTraceLine)0x506060;
    	return pTraceLine((int*)c, (int*)(c+0xC), (int*)(c+0x18), (int*)(c+0x24) ,(int*)(c+0x28) , (int*)0);	
    }
    // wowprohnd (target process handle) and ReadStr (ReadProcessMemory wrapper)
    // are the poster's own globals/helpers, defined elsewhere.
    void testRemoteCall(){
    	DWORD RmThdId;
    	LPVOID procAdd = NULL, paraAdd = NULL;   // initialised so cleanup can test them safely
    	HANDLE hRmThd = NULL;                    // declared up front: goto may not skip an initialised local in C++
    	procAdd = VirtualAllocEx(wowprohnd,NULL, INJECTSIZE,  MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    	if(!procAdd){
    		printf("can't allocate proc Memory\n");
    		goto cleanup;
    	}
    	paraAdd = VirtualAllocEx(wowprohnd,NULL, INJECTSIZE,  MEM_COMMIT, PAGE_READWRITE );
    	if(!paraAdd){
    		printf("can't allocate parameters Memory\n");
    		goto cleanup;
    	}
    	DWORD szWritten;
    	// Copies INJECTSIZE bytes starting at the symbol address of mySnubber.
    	if(!WriteProcessMemory(wowprohnd, procAdd, &mySnubber, INJECTSIZE, &szWritten)){
    		printf("can't write procedure into proc memory\n");
    		goto cleanup;
    	}
    	char testbuff[INJECTSIZE+4];
    	ReadStr(procAdd, testbuff, INJECTSIZE); // for test
    
    	// Setting [in]paraAddress as well , omitted
    
    	hRmThd = CreateRemoteThread(wowprohnd, NULL, 0, (LPTHREAD_START_ROUTINE)procAdd, paraAdd, 0, &RmThdId);
    	if(!hRmThd){
    		printf("can't create thread \n");
    		goto cleanup;
    	}
    	RmThdId = WaitForSingleObject(hRmThd, 3000);   // reused to hold the wait result
    	CloseHandle(hRmThd);
    cleanup:
    	
    	if(procAdd)
    		if(!VirtualFreeEx(wowprohnd, procAdd, 0, MEM_RELEASE))
    			printf("Can't free allocated proc memory\n");
    	if(paraAdd)
    		if(!VirtualFreeEx(wowprohnd, paraAdd, 0, MEM_RELEASE))
    			printf("Can't free allocated parameters memory\n");
    }
    This line
    Code:
    WriteProcessMemory(wowprohnd, procAdd, &mySnubber, INJECTSIZE, &szWritten)
    works correctly for the "Release" build, but not in the "Debug" build. The address for "mySnubber" is wrong...

    Another thing I'm concerned about is WriteProcessMemory.. Is it currently being checked/detected by Warden when reading/writing the newly allocated memory space (I'm avoiding the word 'safe')?
    Last edited by wanyancan; 01-05-2010 at 07:24 PM.

  2. #2 kynox (Account not activated by Email)
    Debug builds generally have incremental linking enabled by default. Turn that off.
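    Why incremental linking produces those "nonsense bytes": with MSVC's /INCREMENTAL the address of a function symbol is an ILT thunk, a 5-byte `jmp rel32` into the real body, so copying from `&mySnubber` copies the thunk table instead of the function. The following C model is an added example, not code from this thread or from any project it mentions; the image base, RVAs and bytes are all constructed, and no real image or process is involved. It is the same check an analyst performs when a symbol address turns out to be a trampoline rather than the function it names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Self-contained model of an incrementally linked image: an E9 (jmp rel32)
 * thunk at ILT_RVA that transfers to a tiny function body at BODY_RVA, with
 * 0xCC (int3) padding as the MSVC linker emits. All values are constructed.
 */
#define IMAGE_BASE 0x00400000u      /* constructed: pretend load address */
#define IMAGE_SIZE 0x3000u
#define ILT_RVA    0x1000u          /* constructed: where the thunk lives */
#define BODY_RVA   0x2010u          /* constructed: where the body lives */

static uint8_t image[IMAGE_SIZE];

/* Map a virtual address inside the constructed image to its bytes, or NULL. */
const uint8_t *image_ptr(uintptr_t addr) {
    if (addr < IMAGE_BASE || addr >= IMAGE_BASE + IMAGE_SIZE) return NULL;
    return &image[addr - IMAGE_BASE];
}

/* Lay out the image and return the thunk address, i.e. what `&mySnubber`
 * evaluates to in an incrementally linked build. */
uintptr_t build_constructed_image(void) {
    /* push ebp; mov ebp,esp; pop ebp; ret */
    static const uint8_t body[] = { 0x55, 0x8B, 0xEC, 0x5D, 0xC3 };
    uintptr_t thunk  = IMAGE_BASE + ILT_RVA;
    uintptr_t target = IMAGE_BASE + BODY_RVA;
    int32_t rel = (int32_t)(target - (thunk + 5));   /* rel32 is relative to the next instruction */

    memset(image, 0xCC, sizeof image);
    image[ILT_RVA] = 0xE9;
    memcpy(&image[ILT_RVA + 1], &rel, sizeof rel);
    memcpy(&image[BODY_RVA], body, sizeof body);
    return thunk;
}

/* Decode a `jmp rel32` at `addr`; on success store where it lands. */
bool is_jmp_rel32(uintptr_t addr, uintptr_t *target) {
    const uint8_t *p = image_ptr(addr);
    if (!p || addr + 5 > IMAGE_BASE + IMAGE_SIZE || p[0] != 0xE9) return false;
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);
    *target = addr + 5 + (uintptr_t)(intptr_t)rel;
    return true;
}

/* Follow thunks (bounded, so a jump loop cannot spin forever) until a
 * non-jump byte is reached: that is the real function start. Returns 0 if
 * the chain leaves the image or never settles. */
uintptr_t resolve_function_start(uintptr_t addr) {
    for (int hop = 0; hop < 8; hop++) {
        uintptr_t next;
        if (!image_ptr(addr)) return 0;
        if (!is_jmp_rel32(addr, &next)) return addr;
        addr = next;
    }
    return 0;
}

int main(void) {
    uintptr_t sym  = build_constructed_image();
    uintptr_t body = resolve_function_start(sym);
    printf("symbol address 0x%08lx, first byte 0x%02X (jmp thunk)\n",
           (unsigned long)sym, image_ptr(sym)[0]);
    printf("resolved body  0x%08lx, first byte 0x%02X (push ebp)\n",
           (unsigned long)body, image_ptr(body)[0]);
    return 0;
}
```

    The symbol address starts with 0xE9, so a byte-for-byte copy from it yields a jump into the original image's address space, which is meaningless inside another process; the resolved address starts with the prologue the poster expected. Disabling incremental linking, as the reply says, makes the symbol and the body the same address in the first place.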

  3. #3 wanyancan (Member)
    Aha, it works!
    The traceline is indeed amazing! When it hits an obstacle, it returns the hit point! Thank you kynox for your information!

    Here's my code. I used a big memory size, as in the debug build there's additional code after mySnubber returns... very annoying.
    Code:
    #define INJECTSIZE 65536
    // Stub copied into the target process. TraceLine's bool result is written
    // back over the flag slot at +0x28 so the caller can read it with the block.
    DWORD __stdcall mySnubber( DWORD c )
    {
    		/*
    		0   float float float 
    		0xC float float float 
    		0x18 float float float
    		0x24 float
    		0x28 int (flag)
    		0x2C int
    		*/
    	typedef bool (__cdecl *tTraceLine)(int*, int*, int*, int*, int, int*);
    	tTraceLine pTraceLine = (tTraceLine)0x506060;  // changed to your version
    	*(int*)(c+0x28) =  pTraceLine((int*)c, (int*)(c+0xC), (int*)(c+0x18), (int*)(c+0x24) ,*(int*)(c+0x28) , (int*)0);	// use flag as return value
    	return 1;
    }
    // Argument block; the field offsets must match the comment in mySnubber.
    typedef struct TraceArg{
    	float startY;   // 0x00
    	float startX;
    	float startZ;
    	float endY;     // 0x0C
    	float endX;
    	float endZ;
    	float outY;     // 0x18
    	float outX;
    	float outZ;
    	float distance; // 0x24
    	DWORD flag;     // 0x28, overwritten with TraceLine's result
    	DWORD option;   // 0x2C
    }TRACEARG, *PTRACEARG;
    // wowprohnd (target process handle), ReadStr (ReadProcessMemory wrapper)
    // and player are the poster's own globals/helpers, defined elsewhere.
    void testRemoteCall(){
    	DWORD RmThdId;
    	LPVOID procAdd = NULL, paraAdd = NULL;   // initialised so cleanup can test them safely
    	HANDLE hRmThd = NULL;                    // declared up front: goto may not skip an initialised local in C++
    	TRACEARG localarg = {player.y,player.x,player.z+1.0f,player.y+cosf(player.facing)*1.0f,player.x+sinf(player.facing)*1.0f, player.z+1.0f, 0.0f,0.0f,0.0f,1.0f, 0x1000124, 0}; // I use flag value 0x1000124, not sure about other possible values like 0x20000, 0x120171
    	procAdd = VirtualAllocEx(wowprohnd,NULL, INJECTSIZE,  MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    	if(!procAdd){
    		printf("can't allocate proc Memory\n");
    		goto cleanup;
    	}
    	paraAdd = VirtualAllocEx(wowprohnd,NULL, INJECTSIZE,  MEM_COMMIT, PAGE_READWRITE );
    	if(!paraAdd){
    		printf("can't allocate parameters Memory\n");
    		goto cleanup;
    	}
    	DWORD szWritten;
    	if(!WriteProcessMemory(wowprohnd, procAdd, mySnubber, INJECTSIZE, &szWritten)){
    		printf("can't write procedure into proc memory\n");
    		goto cleanup;
    	}
    	if(!WriteProcessMemory(wowprohnd, paraAdd, &localarg, sizeof(TRACEARG), &szWritten)){
    		printf("can't write parameters into proc memory\n");
    		goto cleanup;
    	}
    
    	char testbuff[INJECTSIZE+4];
    	ReadStr(procAdd, testbuff, INJECTSIZE);
    
    	hRmThd = CreateRemoteThread(wowprohnd, NULL, 0, (LPTHREAD_START_ROUTINE)procAdd, paraAdd, 0, &RmThdId);
    	if(!hRmThd){
    		printf("can't create thread \n");
    		goto cleanup;
    	}
    	RmThdId = WaitForSingleObject(hRmThd, 3000);   // reused to hold the wait result
    	CloseHandle(hRmThd);
    	ReadStr(paraAdd, &localarg, sizeof(TRACEARG));  // read the block back; flag now holds TraceLine's result
    	printf("traceline returned: %08X %.2f %.2f %.2f\n", localarg.flag, localarg.outY, localarg.outX, localarg.outZ);
    	//POINT pt;
    	//if(localarg.flag){
    	//	scrPos(localarg.outX, localarg.outY, localarg.outZ, &pt);
    	//	MouseClick(wowhwnd, pt.x,pt.y, FALSE);
    	//}
    	
    cleanup:
    	
    	if(procAdd)
    		if(!VirtualFreeEx(wowprohnd, procAdd, 0, MEM_RELEASE))
    			printf("Can't free allocated proc memory\n");
    	if(paraAdd)
    		if(!VirtualFreeEx(wowprohnd, paraAdd, 0, MEM_RELEASE))
    			printf("Can't free allocated parameters memory\n");
    }
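    The argument-block pattern above (one base address, fixed offsets, the flag slot doubling as the return channel) only works if the struct written into the block matches the offsets the stub dereferences. The following is an added C model of that pattern and is not code from this thread: `fake_traceline` is a constructed stand-in whose only "obstacle" is the plane X == 5, `stub_local` mirrors mySnubber's offset arithmetic against a local buffer instead of a remote one, and the `offsetof` check catches layout drift at compile time. It runs entirely in-process on the host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Argument block from the post above, with the offsets the stub hard-codes.
 * The stub only sees a base address and reads fixed offsets from it, so a
 * mismatch between struct and comment silently hands garbage to the callee. */
typedef struct TraceArg {
    float startY, startX, startZ;   /* 0x00 */
    float endY,   endX,   endZ;     /* 0x0C */
    float outY,   outX,   outZ;     /* 0x18 */
    float distance;                 /* 0x24 */
    uint32_t flag;                  /* 0x28, also carries the return value */
    uint32_t option;                /* 0x2C */
} TRACEARG;

/* Compile-time layout check: the build fails if any offset drifts. */
typedef char traceArgLayoutCheck[
    (offsetof(TRACEARG, endY)     == 0x0C &&
     offsetof(TRACEARG, outY)     == 0x18 &&
     offsetof(TRACEARG, distance) == 0x24 &&
     offsetof(TRACEARG, flag)     == 0x28 &&
     offsetof(TRACEARG, option)   == 0x2C &&
     sizeof(TRACEARG)             == 0x30) ? 1 : -1];

/* Same shape as the post's tTraceLine: start, end, out, distance, flag, unused. */
typedef bool (*tTraceLine)(float *, float *, float *, float *, int, int *);

/* Constructed stand-in for the game's TraceLine (not the real function):
 * a ray crossing the plane X == 5 gets the hit point in `out`, the fraction
 * along the ray in `*distance`, and true; otherwise false and no writes. */
bool fake_traceline(float *start, float *end, float *out, float *distance,
                    int flag, int *unused) {
    (void)flag; (void)unused;
    float sx = start[1], ex = end[1];               /* field order is Y, X, Z, as in the post */
    if ((sx < 5.0f) == (ex < 5.0f)) return false;   /* both endpoints on one side: no hit */
    float t = (5.0f - sx) / (ex - sx);
    out[0] = start[0] + t * (end[0] - start[0]);
    out[1] = 5.0f;
    out[2] = start[2] + t * (end[2] - start[2]);
    *distance = t;
    return true;
}

/* Mirror of the injected mySnubber: it receives only a base address `c`,
 * dereferences the fixed offsets, and writes the bool result over the flag. */
uint32_t stub_local(uintptr_t c, tTraceLine fn) {
    uint32_t *flag = (uint32_t *)(c + 0x28);
    *flag = fn((float *)c, (float *)(c + 0x0C), (float *)(c + 0x18),
               (float *)(c + 0x24), (int)*flag, NULL) ? 1u : 0u;
    return 1;
}

/* Round trip as the post does it: copy the block out (WriteProcessMemory),
 * run the stub on it, copy it back (ReadStr). Returns the flag the stub left. */
uint32_t run_trace(TRACEARG *arg) {
    TRACEARG block = *arg;                          /* stand-in for the remote buffer */
    stub_local((uintptr_t)&block, fake_traceline);
    *arg = block;
    return arg->flag;
}

int main(void) {
    /* constructed input: from the origin, 10 units along X, flag as in the post */
    TRACEARG a = { 0, 0, 0,  0, 10, 0,  0, 0, 0,  0,  0x1000124u, 0 };
    uint32_t hit = run_trace(&a);
    printf("hit=%u out=(%.2f, %.2f, %.2f) distance=%.2f\n",
           hit, a.outY, a.outX, a.outZ, a.distance);
    return 0;
}
```

    The input flag value (0x1000124 here, as in the post) is consumed as the fifth argument and then overwritten with the result, which is why the poster can read the hit state from the same slot after the remote thread finishes.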

  4. #4 lanman92 (Active Member)
    That's quite an interesting method to call a function in another process

  5. #5 wanyancan (Member)
    Theoretically it can call any thread safe function with any arguments in another process.
    Enjoy!

  6. #6 Cypher (Kynox's Sister's Pimp)
    Personally I'd suggest using AsmJit if you're going to be doing shit like this.

    Actually, personally I'd just inject a DLL, but if you're set on remote threads and injecting code stubs, use AsmJit. Seriously, it's awesome.

    asmjit - Project Hosting on Google Code

  7. #7 wanyancan (Member)
    There's an interesting problem when calling TraceLine in another thread.
    Normally, I pass 0x1000124 or 0x120171 as the fifth argument (flag value), and it can run for about 5 minutes, then suddenly I can walk through certain walls or into a tree (in only, can't get out)... Even after I quit the bot, it's still the same.
    Cypher, do you have any more details about this TraceLine function?
