Hi All,
This is my first time working with a game that has anti-cheat protection, so I've set up my own Retail Private Server (Draconic-WoW) as a learning environment to avoid any ban risks while I learn the fundamentals. Doing everything in C++.
I'm running into an issue where I can't successfully inject even a very basic DLL. The injection methods I've used successfully with other games aren't working here. Also, I've noticed that attempting to attach Visual Studio's debugger to WoW crashes the game, which I suspect is related to the game's anti-debugging measures.
I've verified that the process name is "Wow.exe" in Task Manager and searched through the forums but haven't found specific guidance for my situation.
I'm not looking for someone to solve this for me. I genuinely want to understand the underlying concepts. Any pointers on what direction to look in or explanations about why WoW might behave differently from other games would be incredibly helpful. I'm eager to learn and understand the mechanics involved rather than just getting quick fixes.
Thanks in advance for any guidance! Here is the basic code I'm working with (I have also verified the DllPath, and the files are in the correct directory):
DLL:
Code:
#include "pch.h"
#include <iostream>
#include <Windows.h>
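// Thread entry point started by DllMain after the DLL has been loaded.
//
// Opens a console, points stdout at it, prints the base address of the
// "Wow.exe" module when that module is present in the current process, then
// idles until the Delete key is pressed. After that it closes the console
// and unloads this DLL.
//
// hModule: handle of this DLL as forwarded by DllMain; needed to unload it.
// Returns: does not return normally; FreeLibraryAndExitThread ends the thread
//          with exit code 0.
//
// NOTE(review): the signature takes HMODULE rather than LPVOID, so the caller
// has to cast it to LPTHREAD_START_ROUTINE. That cast is kept as the file has it.
DWORD WINAPI WoWHack(HMODULE hModule) {
    // AllocConsole fails if the process already owns a console; continuing is
    // still fine because CONOUT$ then refers to the existing one.
    AllocConsole();

    FILE* consoleStream = nullptr;
    const bool stdoutRedirected =
        freopen_s(&consoleStream, "CONOUT$", "w", stdout) == 0;
    std::cout << "Console Loaded\n";

    // Use the explicit wide-character API so the wide literal compiles whether
    // or not UNICODE is defined for the project.
    const HMODULE wowModule = GetModuleHandleW(L"Wow.exe");
    const DWORD lookupError = wowModule ? 0 : GetLastError();
    const uintptr_t moduleBase = reinterpret_cast<uintptr_t>(wowModule);
    if (moduleBase) {
        std::cout << "WoW Found at " << std::hex << moduleBase << std::endl;
    } else {
        // Previously this case printed nothing, which made a failed lookup
        // indistinguishable from a console that never appeared.
        std::cout << "Wow.exe module not found, error " << std::dec
                  << lookupError << std::endl;
    }

    // Bit 0 of GetAsyncKeyState reports "pressed since the previous call".
    // Sleeping between polls keeps this thread from pinning a CPU core, which
    // the original tight loop did.
    while (!(GetAsyncKeyState(VK_DELETE) & 1)) {
        Sleep(10);
    }

    // Only close stdout if the redirect succeeded; after a failed freopen_s
    // the stream is not in a state that should be closed again.
    if (stdoutRedirected) {
        fclose(stdout);
    }
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0;  // not reached; keeps the function well-formed for all compilers
}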
// DLL entry point called by the Windows loader.
//
// On process attach it starts WoWHack on a new thread, passing this module's
// handle, and immediately closes the local thread handle (the thread itself
// keeps running). Thread attach/detach and process detach do nothing.
// Starting a thread keeps the console and polling work out of DllMain, which
// Windows runs while holding the loader lock.
//
// hModule:            handle of this DLL.
// ul_reason_for_call: notification code supplied by the loader.
// lpReserved:         unused here.
// Returns: always TRUE.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        const auto entryPoint = (LPTHREAD_START_ROUTINE)WoWHack;
        HANDLE workerThread =
            CreateThread(nullptr, 0, entryPoint, hModule, 0, nullptr);
        if (workerThread != nullptr)
        {
            // The handle is not needed afterwards; closing it does not stop
            // the thread.
            CloseHandle(workerThread);
        }
    }
    // DLL_THREAD_ATTACH, DLL_THREAD_DETACH and DLL_PROCESS_DETACH: no action.
    return TRUE;
}
Injection Code:
Code:
#include <iostream>
#include <Windows.H>
#include <TlHelp32.h>
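// Looks up a running process by executable name.
//
// Takes a snapshot of all processes and returns the id of the first entry
// whose executable file name equals procName, compared case-insensitively.
// If several processes share the name, only the first one in snapshot order
// is reported.
//
// procName: executable name to look for, e.g. L"Wow.exe"; may be null.
// Returns: the process id, or 0 when procName is null, the snapshot could not
//          be created, or no process matched.
DWORD GetProcId(const wchar_t* procName)
{
    if (procName == nullptr)
    {
        return 0;
    }

    const HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        // Return before CloseHandle: the original passed the invalid handle
        // value to CloseHandle on this path.
        return 0;
    }

    // The explicit W variants keep szExeFile a wchar_t array regardless of the
    // UNICODE setting, which _wcsicmp requires.
    PROCESSENTRY32W entry{};
    entry.dwSize = sizeof(entry);  // must be set before Process32FirstW

    DWORD procId = 0;
    for (BOOL more = Process32FirstW(snapshot, &entry); more;
         more = Process32NextW(snapshot, &entry))
    {
        if (_wcsicmp(entry.szExeFile, procName) == 0)
        {
            procId = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(snapshot);
    return procId;
}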
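// Waits for the target process to appear, then asks it to load a DLL by
// starting a remote thread on LoadLibraryW with the DLL path as its argument.
//
// Every step is checked and reports its Win32 error code, because the
// original ignored all failures and exited silently with 0. This
// OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
// sequence is the textbook remote-thread loading pattern, which endpoint
// protection and anti-tamper components commonly monitor or deny. On a
// protected process a failure at any step is therefore an expected outcome,
// and the reported error code shows which step was refused.
//
// Returns: 0 when the remote LoadLibraryW call returned a non-zero value,
//          1 on any failure.
int main()
{
    const wchar_t* dllPath = L"C:\\Users\\name\\Desktop\\dll.dll";
    const wchar_t* procName = L"Wow.exe";

    // Poll until a process with the requested name exists.
    DWORD procId = 0;
    while (!procId)
    {
        procId = GetProcId(procName);
        Sleep(50);
    }

    // OpenProcess returns NULL (not INVALID_HANDLE_VALUE) on failure.
    const HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId);
    if (!hProc)
    {
        std::cerr << "OpenProcess failed, error " << GetLastError() << '\n';
        return 1;
    }

    // Size the remote buffer from the actual path. The original reserved
    // MAX_PATH *bytes* but wrote wide characters, so a path longer than
    // MAX_PATH / 2 characters relied on page rounding to fit.
    const SIZE_T pathBytes = (wcslen(dllPath) + 1) * sizeof(wchar_t);

    int result = 1;
    void* loc = VirtualAllocEx(hProc, nullptr, pathBytes,
                               MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!loc)
    {
        std::cerr << "VirtualAllocEx failed, error " << GetLastError() << '\n';
        CloseHandle(hProc);
        return 1;
    }

    // Tracks whether the remote thread might still be reading the buffer, in
    // which case the buffer must not be freed from here.
    bool threadMayStillRun = false;

    SIZE_T written = 0;
    if (!WriteProcessMemory(hProc, loc, dllPath, pathBytes, &written) ||
        written != pathBytes)
    {
        std::cerr << "WriteProcessMemory failed, error " << GetLastError()
                  << '\n';
    }
    else
    {
        // NOTE(review): passing this process's LoadLibraryW address assumes
        // kernel32 is mapped at the same address in the target, which in turn
        // assumes both processes have the same bitness. Confirm for the build.
        const HANDLE hThread = CreateRemoteThread(
            hProc, nullptr, 0, (LPTHREAD_START_ROUTINE)LoadLibraryW, loc, 0,
            nullptr);
        if (!hThread)
        {
            std::cerr << "CreateRemoteThread failed, error " << GetLastError()
                      << '\n';
        }
        else
        {
            // Bounded wait so a stalled target cannot hang this tool forever.
            const DWORD waitResult = WaitForSingleObject(hThread, 5000);
            DWORD loadResult = 0;
            if (waitResult != WAIT_OBJECT_0)
            {
                threadMayStillRun = true;
                std::cerr << "Remote thread did not finish in time\n";
            }
            else if (!GetExitCodeThread(hThread, &loadResult))
            {
                std::cerr << "GetExitCodeThread failed, error "
                          << GetLastError() << '\n';
            }
            else if (loadResult == 0)
            {
                // The thread's exit code is LoadLibraryW's return value
                // (truncated to 32 bits); zero means the load itself failed.
                std::cerr << "LoadLibraryW returned NULL in the target\n";
            }
            else
            {
                result = 0;
            }
            CloseHandle(hThread);
        }
    }

    // Release the path buffer; the original left it allocated in the target.
    if (!threadMayStillRun)
    {
        VirtualFreeEx(hProc, loc, 0, MEM_RELEASE);
    }

    CloseHandle(hProc);
    return result;
}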