[C# DLL] aHook, use ASM through EndScene hook

[JuJuBoSc]

Hello,


Here is a little dll based on BlackMagic for hooking the EndScene using static address.

It allow to run asm code through the EndScene, have fun with it.

I'll post the source once the last "problem" is fixed, under Win 7 / Vista WoW need to be run as admin, i assume cause of some win API used, i need to do something for grant WoW privilege.

Of course it's easier using injected dll with MS Detours, but anyway i'll post it i'm sure it can be usefull for someone.

Here is sample code to use Lua_DoString :

Code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using aHook;

namespace TestaHook
{
    class Program
    {
        static void Main(string[] args)
        {

            Hook EndScene = new Hook(aProcess.GetProcessIdByName("Wow"));

            UInt32 pDevicePtr = EndScene.BlackMagic.ReadUInt(0x00C76668);
            pDevicePtr = EndScene.BlackMagic.ReadUInt(pDevicePtr + 0x397C);

            UInt32 EndSceneAddr = EndScene.BlackMagic.ReadUInt(pDevicePtr);
            EndSceneAddr = EndScene.BlackMagic.ReadUInt(EndSceneAddr + 0xA8);

            Console.WriteLine(EndScene.Hook_Install(EndSceneAddr).ToString());


                // Command to send using LUA
                String Command = "print(\"EndScene hooked!\");";

                // Allocate memory for command
                uint DoString_space = EndScene.BlackMagic.AllocateMemory(Encoding.UTF8.GetBytes(Command).Length + 1);

                // Write command in the allocated memory
                EndScene.BlackMagic.WriteBytes(DoString_space, Encoding.UTF8.GetBytes(Command));

                // Write the asm stuff for Lua_DoString
                EndScene.Hook_AsmAddLine("mov eax, " + DoString_space);
                EndScene.Hook_AsmAddLine("push 0");
                EndScene.Hook_AsmAddLine("push eax");
                EndScene.Hook_AsmAddLine("push eax");
                EndScene.Hook_AsmAddLine("mov eax, 0x007F1F40"); // Lua_DoString
                EndScene.Hook_AsmAddLine("call eax");
                EndScene.Hook_AsmAddLine("add esp, 0xC");
                EndScene.Hook_AsmAddLine("retn");

                // Inject the shit
                EndScene.Hook_AsmInject();

                // Free memory allocated for command
                EndScene.BlackMagic.FreeMemory(DoString_space);

                // Uninstall the hook
                EndScene.Hook_Remove();

            Console.ReadLine();

        }
    }
}

It's based on ASM detour by Shynd, so credit to Shynd

[Rival-Fr]

Thank you good job as always. I'll try that.

[bolototo]

Code:

0x007F1F40"); // Lua_DoString

is not 0x007F1A50 ?

[JuJuBoSc]

Hmm no from lua_RunScript I got :

Code:

.text:00483BCC                 push    0
.text:00483BCE                 push    eax
.text:00483BCF                 push    eax
.text:00483BD0                 call    sub_7F1F40

[Ellesar1]

You should explain how you get your offset since your code will not be usable anymore when the next patch arrives.

Regarding EndScene hooking, there's a question on stackoverflow, listing several method which are mentioned on this and other sites, so maybe you could take it as some conclusion about what methods are there to achieve an EndScene hook.

[Grape]

Thanks for the tutorial! I'm wondering how you would go about returns such as.

if i used GetPlayerMapPosition("player") is there a way i can get the return from this hook.

[JuJuBoSc]

Use GetLocalizedText, you can use it using Asm as for DoString in the hook.

[Cypher]

Use GetLocalizedText, you can use it using Asm as for DoString in the hook.

GetLocalText pollutes the global lua scope and causes taint (and may well also interfere with any addons the user has installed).

A much better way is to wrap Lua calls in a custom callback and use Lua's 'tostring' function to get all the args.

The best way however is simply to reimplement FrameScript__Execute manually so that you never call Lua's 'settop' function to clear the arguments until you've already pulled them out.

[Nesox]

btw.. can you hook a function with his?

[JuJuBoSc]

GetLocalText pollutes the global lua scope and causes taint (and may well also interfere with any addons the user has installed).

A much better way is to wrap Lua calls in a custom callback and use Lua's 'tostring' function to get all the args.

The best way however is simply to reimplement FrameScript__Execute manually so that you never call Lua's 'settop' function to clear the arguments until you've already pulled them out.

I think it's really hard to implement it using only Asm with BlackMagic.

Btw will test it using MS Detours and LUA lib directly thanks for the hint.

[Nesox]

can you hook a function with this eg. check what the arguments passed to it are each time it's being called?

[JuJuBoSc]

No it only execute Asm code in main thread when function is called using global event.

[Cypher]

I think it's really hard to implement it using only Asm with BlackMagic.

Btw will test it using MS Detours and LUA lib directly thanks for the hint.

Huh?

First off, you don't need detours, you need to write a REPLACEMENT of FrameScript__Execute. Not hook it.

Second, the Lua lib is useless to you. Blizzard use a modified Lua struct, you need to reverse engineer FrameScript__Execute, and find their implementations of the Lua API in the game, then use those.

At any rate, a wrapper shouldn't be too hard to do, yes it's a pain in the ass to do in ASM, but it's not as difficult as you're implying (assuming you have a decent grasp of it).

[-Ryuk-]

Im gonna sound like a total noob, But how easy would this be for warden to detect?

[lanman92]

Didn't someone say that they're scanning for random RWX memory in their process now? Maybe I'm imagining things... You can fix it with a hook on NtQueryVirtualMemory anyways, so it's irrelevant.