DirectX/CEGUI hooking?

[Cypher]

I use that method because it allows me to hook the functions I need to before WoW launches. (Which is needed to pull off certain functionality, namely hooking certain LUA functions that are registered when WoW first launches)

Heres a code snippet for ya.

Code:

// Launch button handler
std::string DoLaunch(const char*, CButton*)
{
    SetStatus(RGB(0,0,255), "Attempting injection.");

    // Make sure the DLL exists
    TCHAR tszHookPath[MAX_PATH] = {0};
    if(GetFileAttributes(_tfullpath(tszHookPath, DllName.c_str(), MAX_PATH)) == 0xFFFFFFFF)
    {
        SetStatus(RGB(255,0,0), "Couldn't find DLL!");
        return std::string();
    }

    STARTUPINFO WoWSi;
    PROCESS_INFORMATION WoWPi;
    ZeroMemory(&WoWSi, sizeof(WoWSi));
    WoWSi.cb = sizeof(WoWSi);
    ZeroMemory(&WoWPi, sizeof(WoWPi));

    TCHAR Path[MAX_PATH] = {0};
    DWORD BuffSize = MAX_PATH;
    HKEY WoWKey;
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\Blizzard Entertainment\World of Warcraft\",0,KEY_READ,&WoWKey);
    RegQueryValueEx(WoWKey,"InstallPath",NULL,NULL,(LPBYTE)Path,&BuffSize);

    std::string WoWPath = Path;
    WoWPath.append("WoW.exe -console");

    std::string WoWCurrentDir = "WoW.exe -console";

    if (!CreateProcess(NULL,(LPSTR)WoWCurrentDir.c_str(),NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&WoWSi,&WoWPi))
    {
        if (!CreateProcess(NULL,(LPSTR)WoWPath.c_str(),NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&WoWSi,&WoWPi))
        {
            SetStatus(RGB(255,0,0), "Process creation failed!");
            return std::string();
        }
    }

    // Inject the dll
    DWORD ForceLibrary(CHAR* szLibraryPath,PROCESS_INFORMATION* pProcInfo);
    DWORD ForceLibRet = ForceLibrary(_tfullpath(NULL, DllName.c_str(), MAX_PATH),&WoWPi);
    if (!ForceLibRet)
    {
        SetStatus(RGB(255,0,0), "Injection failed!");
        TerminateProcess(WoWPi.hProcess,0);
        return std::string();
    }
    else
    {
        ResumeThread(WoWPi.hThread);
    }
    
    // Injection succeeded (hopefully) if we get here
    SetStatus(RGB(0,255,0),"Injection succeeded!");
    return std::string();
}

Code is pretty disgusting at the moment. My apologies. Only because its something I hacked together quickly without care because I'm rewriting the loader from scratch in a few days.

Its a good starting point though and works perfectly for me.

[lanman92]

Hm, is forcelib good? ive never tried it.

P.S.: i broke my thumb at football and typing is quite difficult...

ARGH! Where can i get forcelib??? I can't download from y0da's site, he stopped paying for his domain... Mind linking it?

[Cypher]

http://dl.getdropbox.com/u/74751/forcelib.zip

[lanman92]

Thanks, although I'm thinking about using SetWindowsHookEx(). It looks quite easy and safe to implement.

[Cypher]

Thats unnecessary, caus you're gonna inject yourself into all running processes which is silly. Warden doesn't check for 'extranous' DLL's in the module list, namely because there are many legitimate reasons to inject a DLL into a 3rd party program. IM clients do it for example to monitor the users 'idle' status.

SetWindowsHookEx won't stop Warden from enumerating the module list anyway so its pointless (and besides, its not looking for you in this list so its not a concern to begin with).

[Shynd]

For the record, setting the privilege token necessary to access the WoW process is far easier than creating the process. Copy+paste a function from Kynox's object dumper named GrantAccess() or GrantPermission() or something like that, then call that function. Requires no trouble-shooting or debugging or anything.

But, I certainly agree that creating the process is the better way of doing it. It's how I've been doing it, lately, so I can unload my module before WoW.exe has any time to do anything at all--whereas I know they're not hooking LoadLibrary and keeping track of what modules are loaded now, they may in the future, so why not just get it over and done with and play it safe to begin with.

[lanman92]

What is wrong with this code? My program hangs whenever it gets to this line, I don't even get the message on cout.

Code:

 
if(!CreateProcess(NULL,(LPWSTR)"C:\Users\Public\Documents\World of Warcraft\Wow.exe",NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&WoWSi,&WoWPi))

[Cypher]

For the record, setting the privilege token necessary to access the WoW process is far easier than creating the process. Copy+paste a function from Kynox's object dumper named GrantAccess() or GrantPermission() or something like that, then call that function. Requires no trouble-shooting or debugging or anything.

But, I certainly agree that creating the process is the better way of doing it. It's how I've been doing it, lately, so I can unload my module before WoW.exe has any time to do anything at all--whereas I know they're not hooking LoadLibrary and keeping track of what modules are loaded now, they may in the future, so why not just get it over and done with and play it safe to begin with.

I have to create the process so I can hook the LUA functions and apply a model edit fix. Also, the worse that would happen in the future if they wanted to stop arbitrary DLL injection is they'd stop the CreateRemoteThread call, theres no way they could ban for it, if they did all the XFire users would be banned because I'm sure it would use injection for its ingame UI.

[Cypher]

What is wrong with this code? My program hangs whenever it gets to this line, I don't even get the message on cout.

Code:

 
if(!CreateProcess(NULL,(LPWSTR)"C:UsersPublicDocumentsWorld of WarcraftWow.exe",NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&WoWSi,&WoWPi))

Maybe you've got your program set to ANSI? You're casting a string to a wide string. If you've messed up the encoding that could be the problem. I use Multi-byte encoding for all my code which isn't the default for 99% of compilers.

PS. I'm using the word 'string' to refer to a char/wchar_t array, not the STL string class.

[arigity]

BOOL WINAPI CreateProcess(
__in_opt LPCTSTR lpApplicationName,
__inout_opt LPTSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCTSTR lpCurrentDirectory,
__in LPSTARTUPINFO lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation
);

there is no need to not use lpApplicationName if your not going to add -console

[lanman92]

Okay, I tried both CreateProcessA() and CreateProcessW(), both to no avail. I don't see the issue, I'm casting with the proper type, LPSTR and LPWSTR.

EDIT: If it helps, my GetLastError() returns 87, invalidparam.
EDIT2: Nvm, I got it right now. Now all I need to do is work on my DLL and hiding from warden/bypassing warden...

[Xarg0]

You don't need to bypass warden unless you want to edit stuff that warden is watching ^^

[kynox]

You don't need to bypass warden unless you want to edit stuff that warden is watching ^^

Well, if you release something public you have another story. But yes, you're exactly right.

[lanman92]

You don't need to bypass warden unless you want to edit stuff that warden is watching ^^

lol, what DOESNT warden watch? I'm gonna do a basic wallhack and maybe movementstate hack... kynox posted some very friendly info about it so this shouldnt be too difficult.

[arigity]

two things.

1. your injecting a DLL just for a basic wallhack/movement state hack?

2. warden watches read only memory (mostly) as stated in the wiki which means it's rather useless for very basic memory editing, (*note: wallhack = watched, but their are other ways then the static address) and shouldn't bother you with movement state (now the server, on the other hand. will depending on what you do )