Thanks for the framework Hypno, I was able to understand it except for one part.
For the code block:
Code:
// Walks the threads of the target process, reads each thread's TEB to find its TLS array,
// and derives the object-manager pointers from the selected TLS slot. On the success path it
// writes WowFirstObjectPointer, WowPlayerGUID, WowFirstUnitPointer and WowPlayerPointer.
// Several Win32/NT return values are discarded along the way (see the line comments), so a
// failed snapshot, a failed OpenThread, or a bad read is only detected indirectly.
// NOTE(review): this listing is truncated after the TLS-offset check; the loop's
// Thread32Next call / while condition and the closing braces are not shown.
public void GetBaseOffset()
{
Program.Log("GetBaseOffset()");
IntPtr threadHandle, TEBHandle;
ThreadEntry32 threadStruct = Kernel32.CreateThreadEntry32();
ThreadBasicInformation threadbasicinfo = new ThreadBasicInformation();
UInt32 TLSSlotNumer = Kernel32.ReadUInt32(WowProcessHandle, TLSIndex,true);// TLS slot index read from the target at TLSIndex (usually 0); 0 means the first TLS entry points to the struct
IntPtr threadSnapshotHandle = Kernel32.CreateToolhelp32Snapshot(Kernel32.SnapshotFlags.Thread, 0); // snapshot of ALL threads on the system, not only this process's; the handle is never compared against an invalid value
Kernel32.Thread32First(threadSnapshotHandle, ref threadStruct);// positions on the first thread of the snapshot; the BOOL result is discarded, so a failed snapshot is not detected here
do
{
if (threadStruct.the32OwnerProcessID == processID)// keep only threads owned by the target process
{
threadHandle = Kernel32.OpenThread(Kernel32.ThreadAccess.QUERY_INFORMATION, false, threadStruct.th32ThreadID);// non-inheritable handle with query-only access; a zero (failed) handle is not checked before it is used below
UInt32 threadQueryResult = ntdlll.NtQueryInformationThread(threadHandle , 0, ref threadbasicinfo, (uint)Marshal.SizeOf(threadbasicinfo), IntPtr.Zero);// info class 0 = ThreadBasicInformation; result is an NTSTATUS
if (threadQueryResult == 0)//STATUS_SUCCESS
{
TEBHandle = threadbasicinfo.TebBaseAdress;// base address of the Thread Environment Block inside the target process
UInt32 TLSOffset = Kernel32.ReadUInt32(WowProcessHandle, (IntPtr)((UInt32)TEBHandle + 0x2c),true);// pointer to the thread's TLS array, read from TEB+0x2C; the UInt32 cast assumes a 32-bit target and a 32-bit TEB layout
if (TLSOffset != 0)
{
IntPtr TLSSlot = (IntPtr)Kernel32.ReadInt32(WowProcessHandle, (IntPtr)(TLSOffset + TLSSlotNumer * 4), true); // value of the selected slot; index * 4 because each slot is 4 bytes wide in this 32-bit layout
IntPtr WowObjectPointer = (IntPtr)Kernel32.ReadInt32(WowProcessHandle, (IntPtr)((Int32)TLSSlot + 8), true); // pointer stored 8 bytes (decimal 8, i.e. 0x8) into the structure the slot points at
Program.Log("Wowobject Pointer: " + WowObjectPointer);
if (WowObjectPointer != IntPtr.Zero)// skip null pointers; note that a failed read also yields 0 here and is indistinguishable from a genuine null
{
WowFirstObjectPointer = (IntPtr)Kernel32.ReadInt32(WowProcessHandle, (IntPtr)((Int32)WowObjectPointer + 0xC), true);// pointer field at +0xC of the object WowObjectPointer refers to
Program.Log("First Object Pointer: " + WowFirstObjectPointer);
WowPlayerGUID = Kernel32.ReadUInt64(WowProcessHandle, (IntPtr)((Int32)TLSSlot + 16), true);// 8-byte GUID stored 16 bytes into the same TLS structure (slot + 0x10)
Program.Log("Player GUID: " + WowPlayerGUID);
WowFirstUnitPointer = GetFirstUnitPointer();
WowPlayerPointer = GetPlayerPointer();
// The thread handle opened above is closed only on this path; within this listing no
// CloseHandle is visible for the other branches (failed query, zero TLS offset, null
// object pointer), so those iterations leak the handle.
if (!Kernel32.CloseHandle(threadHandle))
Program.Log("Failed to close thread handle. " + threadHandle);
// NOTE(review): the snapshot handle is closed inside the loop body; if the loop continues
// with Thread32Next on threadSnapshotHandle (not shown), later iterations would use a
// closed handle — confirm against the rest of the method.
if (!Kernel32.CloseHandle(threadSnapshotHandle))
Program.Log("Failed to close thread snapshop handle. " + threadSnapshotHandle);
}
}
else
Program.Log("TLS Offset was null");// TEB+0x2C read back as 0: either no TLS array for this thread or the read failed
Specifically this line:
Code:
WowFirstObjectPointer = (IntPtr)Kernel32.ReadInt32(WowProcessHandle, (IntPtr)((Int32)WowObjectPointer + 0xC), true);
Where / how did you find the 0xC offset?