New Injection Method 11.2.0

[Van152]

So, till the new patch i could not inject into wow.exe process.
I use a kernel mode manual map injector with new thread creation. I also tried thread hijacking in usermode but somehow the new thread got suspended (on the kernel injector) or the dll just didnt run.
does someone have similiar problems and found a fix for it? or can give me some hints to fix that problem?
I usually hide the created thread directly using VAD from the kernel.

[Sdelp]

Eidolon is hooking NtCreateThread

[Van152]

Eidolon is hooking NtCreateThread

yeah well, this does not explain why even the thread hijack does not work

[numerbo]

yeah well, this does not explain why even the thread hijack does not work

it does.

even load library injector works.

[Van152]

I tried SetWindowHookEx, LoadLib, Kernel ManualMap with threadhijacking, and it doesnt worked, i saw in a different thread here, that i t xould be the dependemcies probably of the DLL i want to inject, these have to be preloaded from the targetproc/Wow.exe 🤔

Could this be a thing? If so, I probably have to recode my whole unlocker i guess 😭

[Van152]

finally i got it working!
thanks for your help guys!

[DELETED]

[luzifix.]

By proxying DLLs that are loaded before wow_loader.dll, such as version.dll, you can create a thread which wait until the game is fully loaded.

POC:

Code:

#pragma once
#pragma comment(linker,"/export:GetFileVersionInfoA=C:\\Windows\\System32\\version.GetFileVersionInfoA,@1")
#pragma comment(linker,"/export:GetFileVersionInfoByHandle=C:\\Windows\\System32\\version.GetFileVersionInfoByHandle,@2")
#pragma comment(linker,"/export:GetFileVersionInfoExA=C:\\Windows\\System32\\version.GetFileVersionInfoExA,@3")
#pragma comment(linker,"/export:GetFileVersionInfoExW=C:\\Windows\\System32\\version.GetFileVersionInfoExW,@4")
#pragma comment(linker,"/export:GetFileVersionInfoSizeA=C:\\Windows\\System32\\version.GetFileVersionInfoSizeA,@5")
#pragma comment(linker,"/export:GetFileVersionInfoSizeExA=C:\\Windows\\System32\\version.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker,"/export:GetFileVersionInfoSizeExW=C:\\Windows\\System32\\version.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker,"/export:GetFileVersionInfoSizeW=C:\\Windows\\System32\\version.GetFileVersionInfoSizeW,@8")
#pragma comment(linker,"/export:GetFileVersionInfoW=C:\\Windows\\System32\\version.GetFileVersionInfoW,@9")
#pragma comment(linker,"/export:VerFindFileA=C:\\Windows\\System32\\version.VerFindFileA,@10")
#pragma comment(linker,"/export:VerFindFileW=C:\\Windows\\System32\\version.VerFindFileW,@11")
#pragma comment(linker,"/export:VerInstallFileA=C:\\Windows\\System32\\version.VerInstallFileA,@12")
#pragma comment(linker,"/export:VerInstallFileW=C:\\Windows\\System32\\version.VerInstallFileW,@13")
#pragma comment(linker,"/export:VerLanguageNameA=C:\\Windows\\System32\\version.VerLanguageNameA,@14")
#pragma comment(linker,"/export:VerLanguageNameW=C:\\Windows\\System32\\version.VerLanguageNameW,@15")
#pragma comment(linker,"/export:VerQueryValueA=C:\\Windows\\System32\\version.VerQueryValueA,@16")
#pragma comment(linker,"/export:VerQueryValueW=C:\\Windows\\System32\\version.VerQueryValueW,@17")

#include "windows.h"
#include <cstdio>
HMODULE hModule = LoadLibrary(L"C:\\Windows\\System32\\version.dll");

DWORD WINAPI WaitForProcessInit(LPVOID lpParam)
{
    int i = 1;
    while (true)
    {
        printf("Wait%i\n", i++);
        Sleep(1000);
    }

    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        AllocConsole();
#pragma warning(push)
#pragma warning(disable:4996)
        freopen("CONIN$", "r", stdin);
        freopen("CONOUT$", "w", stdout);
#pragma warning(pop)
        SetConsoleTitleW(L"[Version] Console");
        SetConsoleOutputCP(65001);


        printf("Create Attach!\n");
        CreateThread(NULL, 0, WaitForProcessInit, NULL, 0, NULL);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        printf("Process Detach!\n");
        break;
    }
    return TRUE;
}

[imnothonorbuddy]

Why dont you just manual map without thread creation ? You can just hook something

[luzifix.]

Why dont you just manual map without thread creation ? You can just hook something

If you want to remap the memory and suspend all Wow threads beforehand, it is useful to create a new thread.