Thread Synchronization

[qwjqwj]

I have also found CastSpellById and DoLuaString unstable while using Injection method to create new thread. WOW will crash randomly at random address when executing new thread, or crash at main thread after executing new thread.
After heavy debugging, I found a good way to keep thread synchronization. I want to share my method here.

[0x12ea330] - Addon Name String (if null, it is running in blizzard protected mode)
[0x12ea334] - Addon Lock
[0x12ea338] - Unknown

The injection is executed as follows:

1. suspend the main thread
2. check [0x12ea334], if nonzero, resume main thread, sleep a while, and suspend again
3. until [0x12ea334] == 0
4. do the injection
5. resume the main thread

With this method, I can do castspellbyid 100 times per second and don't crash wow for a long time. Still, there is small possibility to crash WOW. I haven't find a better way to do synchronization now. Maybe the best way is to execute the injection wholly on main thread.

Only the injection interfering with UI need this method to synchronize. Some other methods are completely safe, and don't need synchronization.

If there is a better way, please tell me. Thanks

[Nesox]

how would you go about suspending wow's main thread?

[lanman92]

Uhm, SuspendThread()...?

[Nesox]

ok <3
<fillah />

[testout]

Instead of creating a new thread could you do the following:

Find a function thats called on the main thread (maybe like presenting the render for example)
When you want to inject, patch this to make it jump to your injected code
(which will run your code, undo the patch and jump back)

You might have some problems with DEP or something, and I guess warden could detect it easy (but if you arent making your code public thats not a problem)

[Cypher]

Just use DirectX hooks, the game is rendered in the main thread.

You have two advantages then:
1. No need to create new threads.
2. No need to fear Warden, because legitimate tools already hook DirectX so they can't ban you just based off a DirectX.
3. Warden currently doesn't check for any API hooks anyway.

[qwjqwj]

Thank you very much for your advice. CreateRemoteThread is implemented in many bots but is really unreliable when interacting with UI. Is there any successful implementation with DirectX hooks already?

[hypnodok]

You could take a look at the WowX Basehack over at the GD forums (WoW Hack(base) - Game Deception - Forums).

[qwjqwj]

hi, hypnodok, I have seen this source already, but can't download. Anonymous user don't have the right. I registered an account, but also don't have right to download. Can anybody here do me a favor to share that source for me? Thank you very much

[qwjqwj]

I have been debugging in Ollydbg for a couple of weeks for this thread issue. Everytime I logged on gamedeception, it says:

"You have been banned for the following reason:
No reason was specified.

Date the ban will be lifted: Never
"

[Nesox]

I tried to suspend wow's main thread but it was a little bitchy and still is here's how i enumerate the threads ripped some of it from wowdev.dk

Code:

[DllImport("kernel32.dll", SetLastError = true)]
        static extern uint SuspendThread(IntPtr hThread);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern uint ResumeThread(IntPtr hThread);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID);

        [DllImport("kernel32.dll")]
        private static extern bool Thread32First(IntPtr hSnapshot, ref THREADENTRY32 lppe);

        [DllImport("kernel32.dll")]
        private static extern bool Thread32Next(IntPtr hSnapshot, ref THREADENTRY32 lppe);

        [DllImport("kernel32.dll")]
        private static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);

        [DllImport("ntdll.dll")]
        private static extern uint NtQueryInformationThread(IntPtr handle, uint infclass, ref THREAD_BASIC_INFORMATION info, uint length, IntPtr bytesread);

        [DllImport("kernel32.dll")]
        private static extern bool CloseHandle(IntPtr handle);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern uint GetSecurityInfo(
        IntPtr handle,
        _SE_OBJECT_TYPE ObjectType,
        SECURITY_INFORMATION SecurityInfo,
        out IntPtr pSidOwner,
        out IntPtr pSidGroup,
        out IntPtr pDacl,
        out IntPtr pSacl,
        out IntPtr pSecurityDescriptor);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern uint SetSecurityInfo(
        IntPtr handle,
        _SE_OBJECT_TYPE ObjectType,
        SECURITY_INFORMATION SecurityInfo,
        out IntPtr pSidOwner,
        out IntPtr pSidGroup,
        out IntPtr pDacl,
        out IntPtr pSacl,
        out IntPtr pSecurityDescriptor);

        enum SECURITY_INFORMATION
        {
            DACL_SECURITY_INFORMATION,
            LABEL_SECURITY_INFORMATION,
            GROUP_SECURITY_INFORMATION,
            OWNER_SECURITY_INFORMATION,
            PROTECTED_DACL_SECURITY_INFORMATION,
            PROTECTED_SACL_SECURITY_INFORMATION,
            SACL_SECURITY_INFORMATION,
            UNPROTECTED_DACL_SECURITY_INFORMATION,
            UNPROTECTED_SACL_SECURITY_INFORMATION
        };

        enum _SE_OBJECT_TYPE 
        {
              SE_UNKNOWN_OBJECT_TYPE = 0,
              SE_FILE_OBJECT,
              SE_SERVICE,
              SE_PRINTER,
              SE_REGISTRY_KEY,
              SE_LMSHARE,
              SE_KERNEL_OBJECT,
              SE_WINDOW_OBJECT,
              SE_DS_OBJECT,
              SE_DS_OBJECT_ALL,
              SE_PROVIDER_DEFINED_OBJECT,
              SE_WMIGUID_OBJECT,
              SE_REGISTRY_WOW64_32KEY ,
              SE_OBJECT_TYPE,
        };

        [StructLayout(LayoutKind.Sequential)]
        private struct THREADENTRY32
        {
            public UInt32 dwSize;
            public UInt32 cntUsage;
            public UInt32 th32ThreadID;
            public UInt32 th32OwnerProcessID;
            public Int32 tpBasePri;
            public Int32 tpDeltaPri;
            public UInt32 dwFlags;
        }

        [StructLayout(LayoutKind.Sequential)]
        private struct THREAD_BASIC_INFORMATION
        {
            public bool ExitStatus;
            public IntPtr TebBaseAddress;
            public uint processid;
            public uint threadid;
            public uint AffinityMask;
            public uint Priority;
            public uint BasePriority;
        }

        private const uint TH32CS_SNAPTHREAD = 0x00000004;
        private const uint THREAD_SUSPEND_RESUME = 0x0002;

        private IntPtr GetWowsMainThread(Process process)
        {
            uint THREAD_QUERY_INFORMATION = 0x40;
            IntPtr snaphandle = IntPtr.Zero;
            IntPtr threadhandle = IntPtr.Zero;

            snaphandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
            if (snaphandle != null)
            {
                THREADENTRY32 info = new THREADENTRY32();
                info.dwSize = (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(THREADENTRY32));
                bool morethreads = true;
                bool found = false;
                if (Thread32First(snaphandle, ref info))
                {
                    while (morethreads && !found)
                    {
                        if (info.th32OwnerProcessID == process.Id)
                        {
                            threadhandle = OpenThread(THREAD_QUERY_INFORMATION, false, info.th32ThreadID);
                            if (threadhandle != null)
                            {
                                THREAD_BASIC_INFORMATION tbi = new THREAD_BASIC_INFORMATION();
                                NtQueryInformationThread(threadhandle, 0, ref tbi, (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(THREAD_BASIC_INFORMATION)), IntPtr.Zero);

                                if (tbi.processid == process.Id)
                                {
                                    SetSecurityInfo(
                                        threadhandle,


                                    Console.WriteLine("TBI");
                                    Console.WriteLine("0x{0:X08}", tbi.threadid);
                                    Console.WriteLine("hThread:0x{0:X04}", threadhandle);
                                    Console.WriteLine("Trying to suspend");

                                    Console.WriteLine("Result:0x{0:X08}", SuspendThread(threadhandle) );
                                    CloseHandle(threadhandle);
                                    break;
                                }
                            }
                        }

                        info.dwSize = (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(THREADENTRY32));
                        morethreads = Thread32Next(snaphandle, ref info);
                    }
                }

                CloseHandle(snaphandle);
            }

            return threadhandle;
        }

I figured you need to set the Security Information on wow's main thread to

Code:

private const uint THREAD_SUSPEND_RESUME = 0x0002;

but i cant figure out how to use SetSecurityInfo, anyone of you ever used it for something cunny?

[testout]

Sign up again?

[qwjqwj]

I have signed many accounts there. All been banned immediately after registered.

[qwjqwj]

Yes, first use GetSecurityInfo,
then SetSecurityInfo, and OpenThread with the arg 0x1F03FF
After that, you can SuspendThread or ResumeThread easily.
There is no need to enum all threads in WOW. Just main thread is ok

I tried to suspend wow's main thread but it was a little bitchy and still is here's how i enumerate the threads ripped some of it from wowdev.dk

Code:

[DllImport("kernel32.dll", SetLastError = true)]
        static extern uint SuspendThread(IntPtr hThread);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern uint ResumeThread(IntPtr hThread);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID);

        [DllImport("kernel32.dll")]
        private static extern bool Thread32First(IntPtr hSnapshot, ref THREADENTRY32 lppe);

        [DllImport("kernel32.dll")]
        private static extern bool Thread32Next(IntPtr hSnapshot, ref THREADENTRY32 lppe);

        [DllImport("kernel32.dll")]
        private static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);

        [DllImport("ntdll.dll")]
        private static extern uint NtQueryInformationThread(IntPtr handle, uint infclass, ref THREAD_BASIC_INFORMATION info, uint length, IntPtr bytesread);

        [DllImport("kernel32.dll")]
        private static extern bool CloseHandle(IntPtr handle);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern uint GetSecurityInfo(
        IntPtr handle,
        _SE_OBJECT_TYPE ObjectType,
        SECURITY_INFORMATION SecurityInfo,
        out IntPtr pSidOwner,
        out IntPtr pSidGroup,
        out IntPtr pDacl,
        out IntPtr pSacl,
        out IntPtr pSecurityDescriptor);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern uint SetSecurityInfo(
        IntPtr handle,
        _SE_OBJECT_TYPE ObjectType,
        SECURITY_INFORMATION SecurityInfo,
        out IntPtr pSidOwner,
        out IntPtr pSidGroup,
        out IntPtr pDacl,
        out IntPtr pSacl,
        out IntPtr pSecurityDescriptor);

        enum SECURITY_INFORMATION
        {
            DACL_SECURITY_INFORMATION,
            LABEL_SECURITY_INFORMATION,
            GROUP_SECURITY_INFORMATION,
            OWNER_SECURITY_INFORMATION,
            PROTECTED_DACL_SECURITY_INFORMATION,
            PROTECTED_SACL_SECURITY_INFORMATION,
            SACL_SECURITY_INFORMATION,
            UNPROTECTED_DACL_SECURITY_INFORMATION,
            UNPROTECTED_SACL_SECURITY_INFORMATION
        };

        enum _SE_OBJECT_TYPE 
        {
              SE_UNKNOWN_OBJECT_TYPE = 0,
              SE_FILE_OBJECT,
              SE_SERVICE,
              SE_PRINTER,
              SE_REGISTRY_KEY,
              SE_LMSHARE,
              SE_KERNEL_OBJECT,
              SE_WINDOW_OBJECT,
              SE_DS_OBJECT,
              SE_DS_OBJECT_ALL,
              SE_PROVIDER_DEFINED_OBJECT,
              SE_WMIGUID_OBJECT,
              SE_REGISTRY_WOW64_32KEY ,
              SE_OBJECT_TYPE,
        };

        [StructLayout(LayoutKind.Sequential)]
        private struct THREADENTRY32
        {
            public UInt32 dwSize;
            public UInt32 cntUsage;
            public UInt32 th32ThreadID;
            public UInt32 th32OwnerProcessID;
            public Int32 tpBasePri;
            public Int32 tpDeltaPri;
            public UInt32 dwFlags;
        }

        [StructLayout(LayoutKind.Sequential)]
        private struct THREAD_BASIC_INFORMATION
        {
            public bool ExitStatus;
            public IntPtr TebBaseAddress;
            public uint processid;
            public uint threadid;
            public uint AffinityMask;
            public uint Priority;
            public uint BasePriority;
        }

        private const uint TH32CS_SNAPTHREAD = 0x00000004;
        private const uint THREAD_SUSPEND_RESUME = 0x0002;

        private IntPtr GetWowsMainThread(Process process)
        {
            uint THREAD_QUERY_INFORMATION = 0x40;
            IntPtr snaphandle = IntPtr.Zero;
            IntPtr threadhandle = IntPtr.Zero;

            snaphandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
            if (snaphandle != null)
            {
                THREADENTRY32 info = new THREADENTRY32();
                info.dwSize = (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(THREADENTRY32));
                bool morethreads = true;
                bool found = false;
                if (Thread32First(snaphandle, ref info))
                {
                    while (morethreads && !found)
                    {
                        if (info.th32OwnerProcessID == process.Id)
                        {
                            threadhandle = OpenThread(THREAD_QUERY_INFORMATION, false, info.th32ThreadID);
                            if (threadhandle != null)
                            {
                                THREAD_BASIC_INFORMATION tbi = new THREAD_BASIC_INFORMATION();
                                NtQueryInformationThread(threadhandle, 0, ref tbi, (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(THREAD_BASIC_INFORMATION)), IntPtr.Zero);

                                if (tbi.processid == process.Id)
                                {
                                    SetSecurityInfo(
                                        threadhandle,


                                    Console.WriteLine("TBI");
                                    Console.WriteLine("0x{0:X08}", tbi.threadid);
                                    Console.WriteLine("hThread:0x{0:X04}", threadhandle);
                                    Console.WriteLine("Trying to suspend");

                                    Console.WriteLine("Result:0x{0:X08}", SuspendThread(threadhandle) );
                                    CloseHandle(threadhandle);
                                    break;
                                }
                            }
                        }

                        info.dwSize = (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(THREADENTRY32));
                        morethreads = Thread32Next(snaphandle, ref info);
                    }
                }

                CloseHandle(snaphandle);
            }

            return threadhandle;
        }

I figured you need to set the Security Information on wow's main thread to

Code:

private const uint THREAD_SUSPEND_RESUME = 0x0002;

but i cant figure out how to use SetSecurityInfo, anyone of you ever used it for something cunny?

[Nesox]

Ah ok, cheers
EDIT: Works like a charm