-
Corporal
[PoC] Execute code in the main thread without hook/detour using WndProc callback
Hello,
Here is a little proof of concept of how to execute code in the main thread without any hook/detour/whatever, copy-pasted from my GitHub:
Code:
This class allows you to run code in a remote process using SendMessage and a WndProc override.
It uses the MyMemory library and only supports x86 (though x64 is almost the same).
Feel free to copy-paste.
Here is how it works, step by step:
1. It generates a custom message number to handle future requests.
2. A code cave is written in the remote process as a WndProc callback.
3. When we want to execute code, we call SendMessage from our application with our custom message.
4. The remote process should then call our callback.
5. The callback detects our custom message.
6. The callback then calls the function passed in wParam.
7. It then stores the result of the call (EAX) at the pointer passed in lParam.
8. The program reads the value stored at the lParam pointer.
Done, profit!
GitHub - JuJuBoSc/RemoteWndProc: Example to execute code in a remote process using wndproc trick
Only supports x86 because I'm lazy and did this just to test the idea; thought it might be useful to some of you.
-
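An added example, written for this thread and not taken from the post above or from the RemoteWndProc repository: the same dispatch mechanism run in-process in C#, so it can be tried without a target. A worker thread owns a message-only window and stands in for the target's main thread; the main thread registers a private message number, installs a replacement WndProc through SetWindowLongPtr(GWLP_WNDPROC) in place of the PoC's x86 code cave, and uses SendMessage to make the window thread call a native function (kernel32!GetCurrentThreadId, located with GetProcAddress) and write its return value to the slot passed in lParam. The managed WndProc, the class name and message name "WndProcExecutorDemo", and the 64-bit build are assumptions of this example, not details of the original tool.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;

// Added example (not from the post or the RemoteWndProc repo). Assumes a 64-bit build:
// SetWindowLongPtrW is only exported by 64-bit user32.dll.
static class WndProcExecutorDemo
{
    const int GWLP_WNDPROC = -4;
    const uint WM_DESTROY = 0x0002, WM_CLOSE = 0x0010;
    static readonly IntPtr HWND_MESSAGE = new IntPtr(-3);

    delegate IntPtr WndProc(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);
    [UnmanagedFunctionPointer(CallingConvention.StdCall)] delegate uint NoArgFunc();

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WNDCLASS { public uint style; public IntPtr lpfnWndProc; public int cbClsExtra, cbWndExtra; public IntPtr hInstance, hIcon, hCursor, hbrBackground; public string lpszMenuName, lpszClassName; }
    [StructLayout(LayoutKind.Sequential)]
    struct MSG { public IntPtr hwnd; public uint message; public IntPtr wParam, lParam; public uint time; public int ptX, ptY; }

    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern ushort RegisterClassW(ref WNDCLASS wc);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern IntPtr CreateWindowExW(uint exStyle, string cls, string title, uint style, int x, int y, int w, int h, IntPtr parent, IntPtr menu, IntPtr inst, IntPtr param);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern uint RegisterWindowMessageW(string name);
    [DllImport("user32.dll")] static extern IntPtr SetWindowLongPtrW(IntPtr hWnd, int index, IntPtr value);
    [DllImport("user32.dll")] static extern IntPtr CallWindowProcW(IntPtr prev, IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);
    [DllImport("user32.dll")] static extern IntPtr DefWindowProcW(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);
    [DllImport("user32.dll")] static extern IntPtr SendMessageW(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);
    [DllImport("user32.dll")] static extern int GetMessageW(out MSG msg, IntPtr hWnd, uint min, uint max);
    [DllImport("user32.dll")] static extern IntPtr DispatchMessageW(ref MSG msg);
    [DllImport("user32.dll")] static extern void PostQuitMessage(int code);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)] static extern IntPtr GetModuleHandleW(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi)] static extern IntPtr GetProcAddress(IntPtr module, string name);
    [DllImport("kernel32.dll")] static extern uint GetCurrentThreadId();

    static uint ExecMsg;                  // step 1: our private message number
    static IntPtr OriginalWndProc;        // the window procedure in place before we subclassed
    static readonly WndProc ClassProc = (h, m, w, l) => DefWindowProcW(h, m, w, l);
    static readonly WndProc CaveProc = Cave;   // kept in a static so the GC never frees the thunk

    // Step 2: the replacement WndProc. Only our message is handled here; everything else
    // is forwarded to the original procedure so the window keeps behaving normally.
    static IntPtr Cave(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam)
    {
        if (msg == ExecMsg)
        {
            var fn = Marshal.GetDelegateForFunctionPointer<NoArgFunc>(wParam); // wParam = function address
            Marshal.WriteInt32(lParam, (int)fn());                               // lParam = where the return value goes
            return IntPtr.Zero;
        }
        if (msg == WM_DESTROY) PostQuitMessage(0);
        return CallWindowProcW(OriginalWndProc, hWnd, msg, wParam, lParam);
    }

    static void Main()
    {
        ExecMsg = RegisterWindowMessageW("WndProcExecutorDemo");
        IntPtr hwnd = IntPtr.Zero;
        uint windowThread = 0;
        var ready = new ManualResetEvent(false);

        // Stand-in for the target's main thread: owns a message-only window and pumps messages.
        var pump = new Thread(() =>
        {
            windowThread = GetCurrentThreadId();
            IntPtr hInst = GetModuleHandleW(null);
            var wc = new WNDCLASS { lpfnWndProc = Marshal.GetFunctionPointerForDelegate(ClassProc), hInstance = hInst, lpszClassName = "WndProcExecutorDemo" };
            RegisterClassW(ref wc);
            hwnd = CreateWindowExW(0, wc.lpszClassName, "", 0, 0, 0, 0, 0, HWND_MESSAGE, IntPtr.Zero, hInst, IntPtr.Zero);
            OriginalWndProc = SetWindowLongPtrW(hwnd, GWLP_WNDPROC, Marshal.GetFunctionPointerForDelegate(CaveProc));
            ready.Set();
            while (GetMessageW(out MSG m, IntPtr.Zero, 0, 0) > 0) DispatchMessageW(ref m);
        });
        pump.Start();
        ready.WaitOne();

        // Steps 3 to 8: have the window thread call kernel32!GetCurrentThreadId and hand back the result.
        IntPtr target = GetProcAddress(GetModuleHandleW("kernel32.dll"), "GetCurrentThreadId");
        IntPtr resultSlot = Marshal.AllocHGlobal(sizeof(int));
        SendMessageW(hwnd, ExecMsg, target, resultSlot);        // blocks until Cave has run on the window thread
        uint result = (uint)Marshal.ReadInt32(resultSlot);
        Marshal.FreeHGlobal(resultSlot);

        Console.WriteLine($"caller thread {GetCurrentThreadId()}, window thread {windowThread}, call ran on thread {result}");
        SendMessageW(hwnd, WM_CLOSE, IntPtr.Zero, IntPtr.Zero);  // DefWindowProc destroys the window, Cave posts WM_QUIT
        pump.Join();
    }
}
```

Build it as a 64-bit console application. The printed line shows the call ran on the window thread rather than the caller's, which is the whole point of the trick. Two things to keep in mind when using the real cave: SendMessage blocks the caller until the window thread has processed the message, so a hung target hangs the controller too, and once the cave is installed any process that can find the window and the registered message number has a call-any-address primitive inside the target, because the cave trusts wParam blindly. From inside the target, GetWindowLongPtr(GWLP_WNDPROC) returning an address outside every loaded module is the obvious tell.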
-
Jadd wrote a tutorial about this before: ntoskrnl | Hooking Threads Without Detours or Patches
Nonetheless, thanks for posting!
Check my blog: https://zzuks.blogspot.com
-
-
Banned
Glad you made a sample app, helped a lot to understand Jadd's post, wish more devs realised learning from simple sample code is the best.
@NotJuJuBoSc
One question, I am not familiar with your library for memory, how will I get the below to return a value from executed Lua?
Code:
```csharp
static string GetLocalizedText(RemoteProcess process, WndProcExecutor executor, string luaValue)
{
    // Client functions, as offsets from the main module base
    var ClntObjMgrGetActivePlayerObj = process.ModulesManager.MainModule.BaseAddress + 0x8DD5A;
    var FrameScript__GetLocalizedText = process.ModulesManager.MainModule.BaseAddress + 0x32A5C0;
    var Lua_GetLocalizedText_Space = Encoding.UTF8.GetBytes(luaValue);
    using (var RemoteBuffer = process.MemoryManager.AllocateMemory((uint)luaValue.Length + 1))
    {
        RemoteBuffer.WriteBytes(Lua_GetLocalizedText_Space);
        var asm = new[]
        {
            "call " + ClntObjMgrGetActivePlayerObj,
            "mov ecx, eax",
            "push -1",
            "mov edx, " + Lua_GetLocalizedText_Space + "",
            "push edx",
            "call " + FrameScript__GetLocalizedText,
            "retn"
        };
        executor.Call(asm);
        return ?
    }
}
```
Last edited by WiNiFiX; 04-03-2017 at 07:45 AM.
-
Member
thanks for the example code
Last edited by infotech1; 04-03-2017 at 09:22 AM.
-
Corporal
Originally Posted by WiNiFiX
One question, I am not familiar with your library for memory, how will I get the below to return a value from executed Lua? (quoted code snipped, see the post above)
Code:
```csharp
IntPtr result = executor.Call(asm);
```
Simple as that.
Also, you could push it directly instead of moving it into edx first; that's kind of unnecessary here.
Last edited by NotJuJuBoSc; 04-03-2017 at 10:30 AM.
-
Banned
Figured it out, it was a silly mistake on my side.
Code:
```csharp
using System.Text;

static string GetLocalizedText(RemoteProcess process, WndProcExecutor executor, string luaValue)
{
    // Client functions, as offsets from the main module base
    var ClntObjMgrGetActivePlayerObj = process.ModulesManager.MainModule.BaseAddress + 0x8DD5A;
    var FrameScript__GetLocalizedText = process.ModulesManager.MainModule.BaseAddress + 0x32A5C0;
    var Lua_GetLocalizedText_Space = Encoding.UTF8.GetBytes(luaValue);
    // Size the remote buffer by encoded byte count, not character count, plus the NUL terminator
    using (var RemoteBuffer = process.MemoryManager.AllocateMemory((uint)Lua_GetLocalizedText_Space.Length + 1))
    {
        RemoteBuffer.WriteBytes(Lua_GetLocalizedText_Space);
        var asm = new[]
        {
            "call " + ClntObjMgrGetActivePlayerObj,   // eax = active player object
            "mov ecx, eax",                           // pass the player object in ecx
            "push -1",
            "mov edx, " + RemoteBuffer.Pointer + "",  // address of the Lua variable name inside the target
            "push edx",
            "call " + FrameScript__GetLocalizedText,
            "retn"
        };
        // Call() returns the EAX captured by the WndProc cave: a pointer to the string in the target
        var res = executor.Call(asm);
        return process.MemoryManager.ReadString(res);
    }
}
```
Code:
```csharp
DoString(remoteProcess, executor, "zoneData = GetZoneText()");
string result = GetLocalizedText(remoteProcess, executor, "zoneData");
```
-
Member
So this is the same as just manually mapping a DLL with a WndProc handler but without proper inter-process communication, gotcha. (And it's still a hook, because you're messing with GWL_WNDPROC.)
Last edited by zakkord; 04-09-2017 at 09:21 PM.