DirectX/CEGUI hooking?

  1. #16
    Xarg0
    Originally Posted by lanman92
    Writing the ASM for the codecave will be just as difficult =/ I'll just work on my C++, and look into what you suggested. I think I ran my eyes over a post about the WoW console on gamedeception.net... I'll go look for that again. Thanks again Shynd.
    I've seen a very interesting method of writing ASM code into a code cave: you declare a naked function and put your code as inline ASM in there, and after these lines of code you add another function to calculate the length of your naked function. Then you allocate enough memory to store your function, change the page protection stuff for your function so you can read its memory, and write the whole function into the code cave with WriteProcessMemory (or what it's named, didn't use it for ages, inprocess ftw :>). If you want to call WoW functions you should add the update current manager function if you don't want to hijack a WoW thread.

    Credits for this idea go to a guy named Yesar from ***********.de GuildWars section ^^
    I hacked 127.0.0.1

  2. #17
    Cypher
    Even with that naked function you'd still need to call CreateRemoteThread or something on it to get it to execute, unless you inject it over top of something that pulses regularly in a loop.
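From the defender's side, the write-then-start-a-thread pattern discussed in the two posts above shows up in Sysmon telemetry as a ProcessAccess event (ID 10) followed by a CreateRemoteThread event (ID 8). The Python below is an added example, not code from any poster in this thread; the sample events, paths and PIDs are constructed, and treating a `StartModule` of `-` as a start address outside any loaded module is an assumption about how that field is rendered.

```python
from datetime import datetime, timedelta

# Process access rights from winnt.h that a write-then-run injector needs together.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events (not real telemetry), keyed by Sysmon field names.
EVENTS = [
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:00.100", "SourceProcessId": 4120,
     "SourceImage": r"C:\Tools\loader.exe", "TargetProcessId": 7788,
     "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:00.450", "SourceProcessId": 4120,
     "SourceImage": r"C:\Tools\loader.exe", "TargetProcessId": 7788,
     "TargetImage": r"C:\Games\game.exe", "StartModule": "-"},
    # Read-only handle (query + VM read): lacks the write and thread rights.
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:05.000", "SourceProcessId": 900,
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetProcessId": 7788,
     "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1410"},
    # Remote thread with no preceding write-capable handle from that source.
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:06.000", "SourceProcessId": 900,
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetProcessId": 7788,
     "TargetImage": r"C:\Games\game.exe", "StartModule": r"C:\Windows\System32\ntdll.dll"},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_injections(events, window=timedelta(seconds=30)):
    """Pair a write+thread-capable handle open with a later remote thread start."""
    opened, findings = {}, []
    for ev in sorted(events, key=_ts):
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            if (int(ev["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK:
                opened[key] = _ts(ev)
        elif ev["EventID"] == 8 and key in opened and _ts(ev) - opened[key] <= window:
            findings.append({
                "source": ev["SourceImage"],
                "target": ev["TargetImage"],
                # Thread start outside any loaded module, e.g. freshly written memory.
                "unbacked_start": ev.get("StartModule") in (None, "", "-"),
            })
    return findings

if __name__ == "__main__":
    for hit in find_injections(EVENTS):
        print(hit)
```
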

  3. #18
    Xarg0
    Yeah, didn't mention that cause I thought it was common knowledge
    I hacked 127.0.0.1

  4. #19
    lanman92
    Yeah, that's what I was planning to do... Lol. I thought that's how everyone did it.

  5. #20
    Cypher
    Originally Posted by lanman92
    Yeah, that's what I was planning to do... Lol. I thought that's how everyone did it.

    With WriteProcessMemory?? Hell no. Memcpy or direct access via casting ftw.

  6. #21
    lanman92
    Well, I was planning on using pointers to the mem locations inside my DLL. I think I misunderstood or something lol. I'm going to just write a DLL, no matter how bad my C++ is... I thought he meant using WriteProcessMemory() to insert the codecave and CreateRemoteThread() it. Oh well.

  7. #22
    Xarg0
    Well I misunderstood what you said ^^, didn't realize you want to do a DLL :>
    So I posted a way to copy functions from your program to code caves via WriteProcessMemory() :>
    But if you do a DLL and inject it, it's way easier to do your stuff *fg, you can directly access everything with pointers and memcpy (for opcode changes), and you can create your own threads with the CreateThread API and do all you want to do in there, no need to code cave from an injected DLL :>
    I hacked 127.0.0.1

  8. #23
    lanman92
    What's the best, least detectable injection method for DLLs? Or I could just remove it from the PEB list, that's an option I guess.

  9. #24
    Greyman
    The "least detectable" way would probably involve ring0 or hypervisor privileges. However, if you want to stick to user mode then Darawk's manualmap is quite decent: Evading Hack Detection Mechanisms In Online Games

  10. #25
    Cypher
    Originally Posted by Greyman
    The "least detectable" way would probably involve ring0 or hypervisor privileges. However, if you want to stick to user mode then Darawk's manualmap is quite decent: Evading Hack Detection Mechanisms In Online Games

    Hypervisor ftw!

  11. #26
    lanman92
    Okay, I've made a few test DLLs... They seem to work on all processes except for WoW. It's just a blank DLL that opens up a msgbox. If I try to inject into WoW, it fails miserably. What method can I use to inject DLLs into WoW?

  12. #27
    Shynd
    You must grant your process access by changing your SE_DEBUG privilege token. Look in Kynox's out of process object dumper for an example of doing so in C, or in C#/.NET you can just call System.Diagnostics.Process.EnterDebugMode();

  13. #28
    lanman92
    That privilege is for injecting to WoW only? That's a bit of a hassle... It injected into any other process just fine.

  14. #29
    Cypher
    Originally Posted by Shynd
    You must grant your process access by changing your SE_DEBUG privilege token. Look in Kynox's out of process object dumper for an example of doing so in C, or in C#/.NET you can just call System.Diagnostics.Process.EnterDebugMode();

    An easier way is to spawn the process yourself and give yourself the required security token at that point.

  15. #30
    lanman92
    I'm gonna have to say that Cypher's method is a lot easier. I'll go that way...
