DirectX/CEGUI hooking?

[Cypher]

Thank you so much shynd. This is just what I needed, some spoon feeding :P

The reason i needed help was there's not very much documentation on this library.

Its pretty easy to work out if you look at the header files. And theres heaps of information if you just google it.

[lanman92]

What method do i have to use to inject a dll in to a running WoW window? It looks like the WPM+LoadLibrary() is hooked... so i need help. I've tried using the setwindowshookex() method, but it doesnt seem to work.

[galpha]

What method do i have to use to inject a dll in to a running WoW window? It looks like the WPM+LoadLibrary() is hooked... so i need help. I've tried using the setwindowshookex() method, but it doesnt seem to work.

Lanman, I think people did give you great hints on how to get started, but after seing this reply, I don't think you have the knowledge to do this kind of work. I'm not flamming you or anything, just that it takes a lot of coding experience before humping straight into dll injection.

However, if I'm mistaken, please forget about my comment. Either way, here's 3 methods for doing it:

Dll Injection

[lanman92]

I have read that many times... I have the knowledge, just curious if there was a way to do it in an easier manner. I guess I'll just use the codecave method.

[Cypher]

Here's a source code version of Forcelib (thank you Google Code for caching this <3) preconfigured for VS2008 and modified to work as a static library.

http://dl-client.getdropbox.com/u/74..._Preconfig.zip

From one of my internal projects, should hopefully work for you but if I left out a dependency let me know and I'll upload it or modify the original project.

Just #include the header(s) you need and add add the lib to your link list.

[lanman92]

What?!?! Forcelib has a funtion that works on WoW? Ugh, I'm retarded. Time to go through that beautiful header file and find these amazing functions...

[Cypher]

What?!?! Forcelib has a funtion that works on WoW? Ugh, I'm retarded. Time to go through that beautiful header file and find these amazing functions...

Huh? It can inject a DLL into pretty much any process.

Some code for you:

Code:

    // Try and create the process from the current directory
    if (!CreateProcess(NULL,const_cast<char*>(WoWCurrentDir.c_str()),NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&WoWSi,&WoWPi))
    {
        // Try and create the process from the install directory
        if (!CreateProcess(NULL,const_cast<char*>(WoWPath.c_str()),NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&WoWSi,&WoWPi))
        {
            // Process creation failed, notify the user and return
            SendMessage(hStatusText,WM_SETTEXT,0,reinterpret_cast<LPARAM>(TEXT("Process creation failed!")));
            return;
        }
    }

    // Setup Forcelib for use
    InitForceLib();

    // Attempt injection
    if (!ForceLibrary(_tfullpath(NULL, DllName.c_str(), MAX_PATH),&WoWPi))
    {
        // Injection failed so notify the user and terminate the process
        SendMessage(hStatusText,WM_SETTEXT,0,reinterpret_cast<LPARAM>(TEXT("Injection failed!")));
        TerminateProcess(WoWPi.hProcess,0);
        return;
    }

Also, you don't want to do what I'm doing and const_cast a string. You're better off using a char* that you manually allocated. The only reason I'm const_casting it is because I know that for the particular character set I'm compiling with CreateProcess doesn't modify the char* it's passed, although on Unicode I think it does. So yea, don't do what I'm doing, I just got lazy when I was testing. Speaking of which I'll fix that now.

EDIT: Forgot to mention originally, because ForceLib was originally designed as a DLL and it had its initialization in DLL_PROCESS_ATTACH I had to move that into its own function which you MUST CALL BEFORE USING ANY OTHER FUNCTIONS. Do what I did in the snippet above and be sure to call that before using ForceLib for the first time (you only need to call it once, from that point on it's fine, although it will work if you recall it without any adverse effect - or at least it should).

EDIT2: Forgot the accompanying else for the injection.

Code:

    else
    {
        // Injection succeeded (hopefully)! Resume WoW's primary thread and notify the user 
        ResumeThread(WoWPi.hThread);
        SendMessage(hStatusText,WM_SETTEXT,0,reinterpret_cast<LPARAM>(TEXT("Injection succeeded!")));

        // Clean up the handles we used
        CloseHandle(WoWPi.hProcess);
        CloseHandle(WoWPi.hThread);
    }

[lanman92]

Can ForceLib inject into a running WoW though? I've never been able to, and the method that is left is a pain in the ass. I mean inject into a non-suspended window.

EDIT: Heh, why not mod the ForceLib.cpp file to automatically call Init....() when you try to inject?

[Xarg0]

I inject a LoadLibary Struct into some allocated memory of WoW with all the data it needs to load my dll, then I just create a Remote Thread starting at the BaseAdress of the allocated memory, It works pretty good with WoW I'm injecting my nofalldmg patch dll at runtime, I'm even able to register my own console functions by patching the IsFunctionPointerInRange function (just 2bytes), You don't need to start WoW with your Launcher unless you want to install certain D3DHooks that need WoW to load a Wrapper D3D9.dll or some other stuff that needs to be done before WoW starts.

[kynox]

Why don't you just write your string to a new section, CreateRemoteThread on load library, with the parameter of your allocated string? Simpler imo.

[lanman92]

I've never been able to inject a DLL using the standard WPM, Createremotethread() method. I guess I'm doing something wrong, time to write a new injector and make sure everything is correct.

[Shynd]

The following was written, from memory, in this browser, so I apologize for errors. Also, please add some sort of error-checking, if you're going to employ this method.

Code:

DWORD InjectDll(DWORD dwProcessId, char *szDllPath)
{
	HANDLE hProcess, hThread;
	LPVOID lpLoadLibraryA, lpDllPath;
	DWORD dwBaseAddress;
	
	//open process for read/write
	hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessId);
	
	//allocate memory to which we'll write the full path to our dll
	lpDllPath = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
	
	//write the dll path to memory
	WriteProcessMemory(hProcess, lpDllPath, szDllPath, strlen(szDllPath), NULL);
	
	//find out the address of LoadLibraryA in our context, knowing that it is mapped into the same address in all processes
	lpLoadLibraryA = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
	
	//create a thread on the LoadLibraryA, passing the dll path we wrote to memory as the parameter
	hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpLoadLibraryA, lpDllPath, NULL, 0);
	
	//wait for the remote thread to exit
	WaitForSingleObject(hThread, INFINITE);
	//the exit code will be the return value of LoadLibraryA, or the base address of the dll that was injected
	//we use this base address to uninject the dll, if we ever want to
	GetExitCodeThread(hThread, &dwBaseAddress);
	
	//clean up the mess we've made
	CloseHandle(hThread);
	CloseHandle(hProcess);
	
	//return the base address to whomever needs it
	return dwBaseAddress;
}

[lanman92]

I thought WoW hooked VirtualAllocEx() and CreateRemoteThread() or something...?

[kynox]

Uh.. WoW hooks nothing.

[Cypher]

Can ForceLib inject into a running WoW though? I've never been able to, and the method that is left is a pain in the ass. I mean inject into a non-suspended window.

EDIT: Heh, why not mod the ForceLib.cpp file to automatically call Init....() when you try to inject?

Yes yes and for the last time yes. >_>

Stop asking the same damn question.

And re: your edit. Because I'm lazy and it really doesn't bother me.

I thought WoW hooked VirtualAllocEx() and CreateRemoteThread() or something...?

Lolno.

Uh.. WoW hooks nothing.

Made me lol, dunno why.