[2.4.3] TLS Memory Reading Framework in C#

  1. #1 hypnodok (Member)

    With the 3.0 patch around the corner I might as well just release this. It's probably inferior to wowbasic, but maybe someone can still put this code to some use.

    For the most part I used flobot and this forum for reference; kudos to you guys.

    The code is open source and GPLed, because I can.

    RapidShare: Easy Filehosting

    Example usage (untested):
    Code:
        using System;
        using System.Collections;

        static void Main(string[] args)
        {
            // the reader wraps the process handle and the offsets resolved by GetBaseOffset()
            WowMemoryReader memReader = new WowMemoryReader();
            memReader.GetBaseOffset();
            // get current map id
            uint currentMapID = memReader.GetMapID();
            // get player object
            WowStructs.WowUnitObject playerunitobject = memReader.GetPlayerUnitObject();
            WowStructs.WowUnitObjectData playerunitobjectdata = memReader.GetUnitObjectData(playerunitobject);
            Console.WriteLine("Player GUID: " + playerunitobject.GUID + " X: " + playerunitobject.X + " Y: " + playerunitobject.Y + " Z: " + playerunitobject.Z);
            Console.WriteLine("Faction: " + WowEnum.FactionToString(playerunitobjectdata.Faction) + " Level: " + playerunitobjectdata.Level + " MapID: " + currentMapID);
            // etc etc
            // if you zone, call GetBaseOffset() again

            // get all objects (key = object address, value = object type)
            Hashtable allobjects = memReader.GetAllWowObjects();
            foreach (IntPtr key in allobjects.Keys)
            {
                uint objecttype = (uint)allobjects[key];
                switch (objecttype)
                {
                    case (uint)WowEnum.ObjectType.NPC:
                    case (uint)WowEnum.ObjectType.Player:
                        WowStructs.WowUnitObject wowUnitObject = memReader.GetWowUnitObject(key);
                        Console.WriteLine("Player or NPC: " + wowUnitObject.GUID);
                        break;
                    case (uint)WowEnum.ObjectType.GameObject:
                        WowStructs.WowObject wowGameObject = memReader.GetWowObject(key);
                        WowStructs.WowGameObjectData gameObjectData = memReader.GetGameObjectData(wowGameObject);
                        Console.WriteLine("GameObject: " + wowGameObject.GUID + " X: " + gameObjectData.X); // etc etc
                        break;
                }
            }
            Console.ReadKey();
        }

  2. #2 kynox
    Hi, I noticed you used thread enumeration to get to the TLS. An alternative, and IMO superior, solution is to use the g_clientConnection pointer. [[0x00D43318 + 0x2218]

  3. #3 dalgreens (Member)
    Thanks for the framework, Hypno. I was able to understand it except for one part.

    For the code block:

    Code:
        public void GetBaseOffset()
        {
            Program.Log("GetBaseOffset()");
            IntPtr threadHandle, TEBHandle;
            ThreadEntry32 threadStruct = Kernel32.CreateThreadEntry32();
            ThreadBasicInformation threadbasicinfo = new ThreadBasicInformation();

            // number of the TLS slot to read (usually 0, meaning the first TLS entry points to the struct)
            UInt32 TLSSlotNumber = Kernel32.ReadUInt32(WowProcessHandle, TLSIndex, true);
            // snapshot of all threads on the system; filtered to the game's process below
            IntPtr threadSnapshotHandle = Kernel32.CreateToolhelp32Snapshot(Kernel32.SnapshotFlags.Thread, 0);
            Kernel32.Thread32First(threadSnapshotHandle, ref threadStruct); // now holds the first thread in the snapshot
            do
            {
                if (threadStruct.th32OwnerProcessID == processID) // thread belongs to wow
                {
                    threadHandle = Kernel32.OpenThread(Kernel32.ThreadAccess.QUERY_INFORMATION, false, threadStruct.th32ThreadID);
                    // ThreadBasicInformation (class 0) gives us the address of the thread's TEB
                    UInt32 threadQueryResult = ntdlll.NtQueryInformationThread(threadHandle, 0, ref threadbasicinfo, (uint)Marshal.SizeOf(threadbasicinfo), IntPtr.Zero);
                    if (threadQueryResult == 0) // STATUS_SUCCESS
                    {
                        TEBHandle = threadbasicinfo.TebBaseAdress; // Thread Environment Block
                        // TEB + 0x2C holds the pointer to this thread's TLS slot array
                        UInt32 TLSOffset = Kernel32.ReadUInt32(WowProcessHandle, (IntPtr)((UInt32)TEBHandle + 0x2c), true);
                        if (TLSOffset != 0)
                        {
                            // each TLS slot is 4 bytes long, hence slot number * 4
                            IntPtr TLSSlot = (IntPtr)Kernel32.ReadInt32(WowProcessHandle, (IntPtr)(TLSOffset + TLSSlotNumber * 4), true);
                            // add 8 (decimal, not hex) to the slot contents to get the wow object pointer
                            IntPtr WowObjectPointer = (IntPtr)Kernel32.ReadInt32(WowProcessHandle, (IntPtr)((Int32)TLSSlot + 8), true);
                            Program.Log("Wowobject Pointer: " + WowObjectPointer);
                            if (WowObjectPointer != IntPtr.Zero) // discard null pointers
                            {
                                WowFirstObjectPointer = (IntPtr)Kernel32.ReadInt32(WowProcessHandle, (IntPtr)((Int32)WowObjectPointer + 0xC), true);
                                Program.Log("First Object Pointer: " + WowFirstObjectPointer);
                                WowPlayerGUID = Kernel32.ReadUInt64(WowProcessHandle, (IntPtr)((Int32)TLSSlot + 16), true);
                                Program.Log("Player GUID: " + WowPlayerGUID);
                                WowFirstUnitPointer = GetFirstUnitPointer();
                                WowPlayerPointer = GetPlayerPointer();

                                if (!Kernel32.CloseHandle(threadHandle))
                                    Program.Log("Failed to close thread handle. " + threadHandle);
                                break; // found a usable thread; stop walking the snapshot
                            }
                        }
                        else
                            Program.Log("TLS Offset was null");
                    }
                    // close the thread handle on every path, not only on success, so handles do not leak
                    if (!Kernel32.CloseHandle(threadHandle))
                        Program.Log("Failed to close thread handle. " + threadHandle);
                }
            } while (Kernel32.Thread32Next(threadSnapshotHandle, ref threadStruct)); // loop tail was not quoted in the post; reconstructed
            if (!Kernel32.CloseHandle(threadSnapshotHandle))
                Program.Log("Failed to close thread snapshot handle. " + threadSnapshotHandle);
        }
    Specifically this line:

    Code:
                                    WowFirstObjectPointer = (IntPtr)Kernel32.ReadInt32(WowProcessHandle, (IntPtr)((Int32)WowObjectPointer + 0xC), true);
    Where / how did you figure out the 0xC offset?
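To make the pointer chain in GetBaseOffset() (TEB + 0x2C, slot * 4, +8, +0xC, +16) and its null-pointer checks easy to follow without a live process, here is an added Python walk of that chain over a constructed 32-bit memory image; it is not part of hypnodok's framework, and the TEB addresses, slot layout and GUID value are invented for the demo.

```python
import struct
class FakeMemory:
    """Constructed little-endian 32-bit image; a read outside any written region raises, like a failed ReadProcessMemory."""
    def __init__(self):
        self.regions = {}
    def write(self, addr, data):
        self.regions[addr] = bytes(data)
    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unreadable address {addr:#x}")
    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]
    def read_u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

TEB_TLS_ARRAY = 0x2C  # TEB+0x2C: pointer to the thread's TLS slot array (x86), as in the posted code

def walk_tls_chain(mem, teb, tls_index):
    """TEB -> TLS array -> slot[tls_index] -> +8 object manager -> +0xC first object; None when a link is null."""
    tls_array = mem.read_u32(teb + TEB_TLS_ARRAY)
    if tls_array == 0:          # thread has no TLS array yet ("TLS Offset was null")
        return None
    tls_slot = mem.read_u32(tls_array + tls_index * 4)   # slots are 4 bytes each
    obj_mgr = mem.read_u32(tls_slot + 8)
    if obj_mgr == 0:            # slot exists but the object pointer is not populated yet
        return None
    return mem.read_u32(obj_mgr + 0xC), mem.read_u64(tls_slot + 16)   # (first object, player GUID)

def find_base(mem, teb_addresses, tls_index=0):
    """Try every thread's TEB, as the enumeration loop does, and stop at the first usable one."""
    for teb in teb_addresses:
        try:
            result = walk_tls_chain(mem, teb, tls_index)
        except ValueError:
            continue            # unreadable TEB: skip this thread
        if result is not None:
            return result
    return None

def build_image():
    """Constructed image: one thread whose TEB is still empty, and the main thread with the full chain."""
    mem = FakeMemory()
    mem.write(0x7FFDF000, bytes(0x30))                                  # TEB A: TLS pointer still 0
    mem.write(0x7FFDE000, bytes(0x2C) + struct.pack("<I", 0x00300000))  # TEB B: TLS array at 0x300000
    mem.write(0x00300000, struct.pack("<I", 0x00400000))                # slot 0 -> 0x400000
    mem.write(0x00400000, bytes(8) + struct.pack("<I", 0x00500000) + bytes(4) + struct.pack("<Q", 0x1122334455667788))
    mem.write(0x00500000, bytes(0xC) + struct.pack("<I", 0x00600010))   # object manager: +0xC first object
    return mem
```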

  4. #4 hypnodok (Member)
    Originally Posted by kynox
    Hi, I noticed you used thread enumeration to get to the TLS. An alternative, and IMO superior, solution is to use the g_clientConnection pointer. [[0x00D43318 + 0x2218]
    I believe you're right about this; thread enumeration has led to some problems if it gets called too early or at the wrong time. Maybe I'll update this for WotLK (if the TLS method still works for the addon, that is); for now I don't feel like touching the code again.
    Originally Posted by dalgreens
    Where / how did you figure out the 0xC offset?
    Honestly I don't know, it's not like I invented this. I merely looked at the various sources that were available and ported the code to C#.

  5. #5 Xarg0 (Member)
    Nice work hypnodok and it's in a C style language, may the source be with you young padawan.

  6. #6 Nesox (Elder)
    Nicely done.

  7. #7 hypnodok (Member)
    I don't know if I'm allowed to say this, but I would appreciate some rep to get rid of that silly leecher title.
    Edit: Thanks
    Last edited by hypnodok; 10-07-2008 at 01:12 AM.
