Manual Mapping and SEH Handler Validation (aka SafeSEH)

  1. #1 Cypher

    Note: Cross-post from here.

    I'm currently in the process of writing a manual mapper and have hit an interesting problem... I noticed that when trying to use exception handling in my manually mapped module the handler would never get called and the process would be terminated. After a bit of scanning through the PE file format I noticed the section on load configuration data and then it became clear the problem was SafeSEH.

    For anyone who does not know what SafeSEH is:
    /SAFESEH (Image has Safe Exception Handlers)
    Uninformed - vol 9 article 4

    Please note that this is different to SEHOP, described here:
    Security Research & Defense : Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP

    The problem is that SEH does not work in my manually mapped modules because it fails the checks performed by the exception dispatcher (see Ntdll.RtlIsValidHandler for more information).

    To give you an idea of what's happening, here's the pseudocode from the Blackhat 2008 paper 'How to Impress Girls with Browser Memory Protection Bypasses':
    Code:
    BOOL RtlIsValidHandler(handler) 
    { 
        if (handler is in an image) { 
            if (image has the IMAGE_DLLCHARACTERISTICS_NO_SEH flag set) 
                return FALSE; 
     
            if (image has a SafeSEH table) 
                if (handler found in the table) 
                    return TRUE; 
                else 
                    return FALSE; 
     
            if (image is a .NET assembly with the ILonly flag set) 
                return FALSE; 
     
            // fall through 
        } 
     
        if (handler is on a non-executable page) { 
            if (ExecuteDispatchEnable bit set in the process flags) 
                return TRUE; 
            else 
                raise ACCESS_VIOLATION; // enforce DEP even if we have no hardware NX 
        } 
     
        if (handler is not in an image) { 
            if (ImageDispatchEnable bit set in the process flags) 
                return TRUE; 
            else 
                return FALSE;           // don't allow handlers outside of images 
        } 
     
        // everything else is allowed 
     
        return TRUE; 
    }
    Obviously manually mapped modules will fail the first check, as the handler is not inside an 'image' as far as Windows is concerned (from memory it checks to see if the region the handler resides in is marked as MEM_IMAGE), and even if it was, we still wouldn't be in the relevant list (ntdll.LdrpInvertedFunctionTable) so it doesn't matter anyway.

    The second check fails because the manually mapped module's code is marked as executable (obviously). Besides, even if that first check did succeed, the second would fail and an access violation would be raised because ExecuteDispatchEnable is disabled.

    The third check succeeds at first (because the handler is not in an image), but then fails because the ImageDispatchEnable flag is not set.

    So, whilst brainstorming for solutions to this problem with a friend (thanks Greyman!) we came up with a few solutions:
    1. Try to enable the ImageDispatchEnable flag. This failed however as every time I tried to set it I got a STATUS_INVALID_PARAMETER error. I dove into the implementation of ntoskrnl.NtSetInformationProcess and found that the responsible function seems to be ntoskrnl.MmSetExecuteOptions. At first glance it seems that you cannot enable or disable that particular flag from usermode. Unless of course I just plain ****ed something up when calling it, which is also possible, but unlikely.
    2. Hook NtQueryInformationSystem and 'lie' to ntdll.RtlIsValidHandler by simply returning the ImageDispatchEnable flag as always set. I have not yet tested this solution but I assume it should work, however I want to avoid it as it's quite invasive and defeats the purpose of manually mapping to begin with.
    3. Implement your own exception dispatcher via VEH. Vectored exception handlers are called before structured exception handlers, so it should/would be possible to register a VEH and perform the necessary dispatching for the manually mapped module. This solution is imo the best one I know of so far, however from both a reliability and performance standpoint I can see it being a potential issue. Plus, it would be an ******* to do the initial implementation (very tedious).


    Does anyone know of any better solutions? So far number 3 seems to be the best, but I'm still hanging out for a better solution...

    Any ideas/suggestions/etc would be appreciated. Thanks.

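As an added example (not code from the thread or from Windows), here is a C model of the RtlIsValidHandler decision quoted above, driven by a constructed address space: one loader-registered DLL with a SafeSEH table, one manually mapped module sitting in private executable memory, and one non-executable private region. The region layout, the base addresses and the region_t/verdict_t/demo_* names are assumptions made for the example. The constants are the public Windows values (MEM_IMAGE 0x1000000, the PAGE_EXECUTE* protections 0x10-0x80, the execute-option bits 0x10 ExecuteDispatchEnable and 0x20 ImageDispatchEnable), and 0x4d is the flags value visible as the second argument in the WinDbg trace later in this thread (the `and eax,30h` and `shr al,5 / and al,1` sequences there test exactly those two bits). The .NET ILonly check is left out, and an unmapped handler address is simply rejected; both are modelling choices, not verified ntdll behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Public Windows constants used by the real check. */
#define MEM_PRIVATE                                0x00020000u
#define MEM_IMAGE                                  0x01000000u
#define PAGE_EXECUTE_ANY                           0xF0u   /* any PAGE_EXECUTE* protection */
#define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10u
#define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE   0x20u
#define IMAGE_DLLCHARACTERISTICS_NO_SEH            0x0400u

/* Constructed description of one mapped region: what VirtualQuery and the
 * loader's inverted function table would report. Hypothetical layout. */
typedef struct {
    uint32_t        base, size;
    uint32_t        type;            /* MEM_IMAGE or MEM_PRIVATE */
    uint32_t        protect;         /* PAGE_* value */
    bool            loader_known;    /* registered in LdrpInvertedFunctionTable */
    uint32_t        dll_characteristics;
    const uint32_t *safeseh_rvas;    /* SEHandlerTable entries, NULL = no table */
    size_t          safeseh_count;
} region_t;

typedef enum { HANDLER_INVALID, HANDLER_VALID, HANDLER_ACCESS_VIOLATION } verdict_t;

static const region_t *find_region(const region_t *regions, size_t n, uint32_t va)
{
    for (size_t i = 0; i < n; i++)
        if (va >= regions[i].base && va - regions[i].base < regions[i].size)
            return &regions[i];
    return NULL;
}

/* Model of RtlIsValidHandler, following the pseudocode quoted in the thread. */
verdict_t model_is_valid_handler(uint32_t handler, const region_t *regions,
                                 size_t nregions, uint32_t execute_options)
{
    const region_t *r = find_region(regions, nregions, handler);
    if (!r)
        return HANDLER_INVALID;   /* modelling choice: unmapped handler is rejected */

    /* 1. Handler inside a loader-registered image: NO_SEH flag, then SafeSEH table. */
    if (r->loader_known) {
        if (r->dll_characteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH)
            return HANDLER_INVALID;
        if (r->safeseh_rvas) {
            uint32_t rva = handler - r->base;
            for (size_t i = 0; i < r->safeseh_count; i++)
                if (r->safeseh_rvas[i] == rva)
                    return HANDLER_VALID;
            return HANDLER_INVALID;   /* image has a table and we are not in it */
        }
        /* (.NET ILonly check omitted: no managed images in this model.) */
    }

    /* 2. Handler on a non-executable page: DEP enforced unless ExecuteDispatchEnable. */
    if (!(r->protect & PAGE_EXECUTE_ANY))
        return (execute_options & MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE)
               ? HANDLER_VALID : HANDLER_ACCESS_VIOLATION;

    /* 3. Handler outside MEM_IMAGE memory: only allowed with ImageDispatchEnable.
     * This is the branch a manually mapped module ends up in. */
    if (r->type != MEM_IMAGE)
        return (execute_options & MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE)
               ? HANDLER_VALID : HANDLER_INVALID;

    return HANDLER_VALID;   /* everything else is allowed */
}

/* Constructed address space: a SafeSEH-linked DLL loaded by the loader, a manually
 * mapped module copied into private PAGE_EXECUTE_READ memory, and a private
 * PAGE_READWRITE region. Addresses are made up for the example. */
static const uint32_t dll_handlers[] = { 0x1230u, 0x4560u };
static const region_t demo_regions[] = {
    { 0x10000000u, 0x69000u, MEM_IMAGE,   0x20u, true,  0, dll_handlers, 2 },
    { 0x065c0000u, 0x10000u, MEM_PRIVATE, 0x20u, false, 0, NULL, 0 },
    { 0x11e10000u, 0x10000u, MEM_PRIVATE, 0x04u, false, 0, NULL, 0 },
};
#define DEMO_REGIONS (sizeof demo_regions / sizeof demo_regions[0])

/* Process execute flags as seen in the trace: 0x4d, neither dispatch bit set. */
#define DEMO_EXECUTE_OPTIONS 0x4Du

verdict_t demo_handler(uint32_t handler)
{
    return model_is_valid_handler(handler, demo_regions, DEMO_REGIONS, DEMO_EXECUTE_OPTIONS);
}

int main(void)
{
    static const char *names[] = { "invalid", "valid", "access violation" };
    uint32_t probes[] = { 0x10001230u, 0x10001234u, 0x065c0cc3u, 0x11e1e8b8u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%08x -> %s\n", (unsigned)probes[i], names[demo_handler(probes[i])]);
    return 0;
}
```

Running it shows the four outcomes the post describes: a handler at a registered SafeSEH RVA is accepted, one at a different RVA in the same DLL is rejected, the handler inside the manually mapped module is rejected only because ImageDispatchEnable is clear (OR 0x20 into the flags and it passes, which is what hooking the flag query would achieve), and a handler on a non-executable page raises the access violation instead of returning FALSE.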
  2. #2 amadmonk
    With the VEH solution, wouldn't you also have to protect VEH to make sure your VEH stayed "on top?"

    I'm not sure if you're trying to avoid all API hooking with your manual map solution, or just the (extremely invasive) NtQIP.

    Edit: NM, forgot that VEH's are called in order of add, so you'd just have to be sure to be the first VEH in the chain, or custom manipulate the VEH chain.

    Hmm. I guess you could unregister the handler after the map, so it might not be as invasive as I thought.

    I don't have any real insights into this, unfortunately, since the SafeSEH stuff was implemented a fair amount of time after I left the picture, sadly.
    Don't believe everything you think.

  3. #3 Cypher
    Originally Posted by amadmonk
    With the VEH solution, wouldn't you also have to protect VEH to make sure your VEH stayed "on top?"

    I'm not sure if you're trying to avoid all API hooking with your manual map solution, or just the (extremely invasive) NtQIP.

    Edit: NM, forgot that VEH's are called in order of add, so you'd just have to be sure to be the first VEH in the chain, or custom manipulate the VEH chain.

    Hmm. I guess you could unregister the handler after the map, so it might not be as invasive as I thought.

    I don't have any real insights into this, unfortunately, since the SafeSEH stuff was implemented a fair amount of time after I left the picture, sadly.
    Why do I need to ensure I'm at the top of the VEH list? All well written VEH's should pass exceptions they don't know how to handle down the chain.

    If you mean I need to do it for detection reasons, then yes, eventually that will be a concern. But without a better alternative, there's not much I can do to fix that. I guess that can be one of the reasons I need to find a better method.

    Also, the handler needs to be present for as long as the module is mapped and executing code, because obviously it needs to handle all exceptions that are raised inside that module's memory region (otherwise they will never be correctly dispatched due to SafeSEH).

  4. #4 Cypher
    In case it helps anyone, here's a trace of ntdll.RtlIsValidHandler when my handler is hit.

    Code:
    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    *** wait with pending attach
    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path.           *
    * Use .symfix to have the debugger choose a symbol path.                   *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is: 
    ModLoad: 00400000 00e24000   C:\Users\Public\Games\World of Warcraft\WoW.exe
    ModLoad: 770a0000 77220000   C:\Windows\SysWOW64\ntdll.dll
    ModLoad: 76480000 76580000   C:\Windows\syswow64\kernel32.dll
    ModLoad: 752e0000 75326000   C:\Windows\syswow64\KERNELBASE.dll
    ModLoad: 73970000 73a38000   C:\Windows\system32\OPENGL32.dll
    ModLoad: 76b50000 76bfc000   C:\Windows\syswow64\msvcrt.dll
    ModLoad: 76950000 769f0000   C:\Windows\syswow64\ADVAPI32.dll
    ModLoad: 76460000 76479000   C:\Windows\SysWOW64\sechost.dll
    ModLoad: 76720000 76810000   C:\Windows\syswow64\RPCRT4.dll
    ModLoad: 74c10000 74c70000   C:\Windows\syswow64\SspiCli.dll
    ModLoad: 74c00000 74c0c000   C:\Windows\syswow64\CRYPTBASE.dll
    ModLoad: 75150000 751e0000   C:\Windows\syswow64\GDI32.dll
    ModLoad: 751e0000 752e0000   C:\Windows\syswow64\USER32.dll
    ModLoad: 761c0000 761ca000   C:\Windows\syswow64\LPK.dll
    ModLoad: 76c00000 76c9d000   C:\Windows\syswow64\USP10.dll
    ModLoad: 73b10000 73b32000   C:\Windows\system32\GLU32.dll
    ModLoad: 73880000 73967000   C:\Windows\system32\DDRAW.dll
    ModLoad: 73b00000 73b06000   C:\Windows\system32\DCIMAN32.dll
    ModLoad: 76580000 7671d000   C:\Windows\syswow64\SETUPAPI.dll
    ModLoad: 74ee0000 74f07000   C:\Windows\syswow64\CFGMGR32.dll
    ModLoad: 74e50000 74edf000   C:\Windows\syswow64\OLEAUT32.dll
    ModLoad: 75fe0000 7613c000   C:\Windows\syswow64\ole32.dll
    ModLoad: 76140000 76152000   C:\Windows\syswow64\DEVOBJ.dll
    ModLoad: 71fa0000 71fb3000   C:\Windows\system32\dwmapi.dll
    ModLoad: 72af0000 72af9000   C:\Windows\system32\VERSION.dll
    ModLoad: 76160000 761c0000   C:\Windows\syswow64\IMM32.dll
    ModLoad: 769f0000 76abc000   C:\Windows\syswow64\MSCTF.dll
    ModLoad: 74f10000 75004000   C:\Windows\syswow64\WININET.dll
    ModLoad: 76400000 76457000   C:\Windows\syswow64\SHLWAPI.dll
    ModLoad: 77070000 77073000   C:\Windows\syswow64\Normaliz.dll
    ModLoad: 76810000 76945000   C:\Windows\syswow64\urlmon.dll
    ModLoad: 74c70000 74d8c000   C:\Windows\syswow64\CRYPT32.dll
    ModLoad: 75140000 7514c000   C:\Windows\syswow64\MSASN1.dll
    ModLoad: 761d0000 763c9000   C:\Windows\syswow64\iertutil.dll
    ModLoad: 74d90000 74dc5000   C:\Windows\syswow64\WS2_32.dll
    ModLoad: 75130000 75136000   C:\Windows\syswow64\NSI.dll
    ModLoad: 5c3b0000 5c3e0000   C:\Windows\system32\DINPUT8.dll
    ModLoad: 75390000 75fd9000   C:\Windows\syswow64\SHELL32.dll
    ModLoad: 10000000 10069000   C:\Users\Public\Games\World of Warcraft\DivxDecoder.dll
    ModLoad: 72ba0000 72bd2000   C:\Windows\system32\WINMM.dll
    ModLoad: 73d30000 73d44000   C:\Windows\system32\MSACM32.dll
    ModLoad: 5c400000 5c409000   C:\Windows\system32\HID.DLL
    ModLoad: 74320000 7436b000   C:\Windows\system32\apphelp.dll
    ModLoad: 5bba0000 5bc1b000   C:\Windows\AppPatch\AcSpecfc.DLL
    ModLoad: 76ac0000 76b44000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16385_none_ebf82fc36c758ad5\COMCTL32.dll
    ModLoad: 735d0000 73649000   C:\Windows\system32\mscms.dll
    ModLoad: 72b60000 72b77000   C:\Windows\system32\USERENV.dll
    ModLoad: 72fd0000 72fdb000   C:\Windows\system32\profapi.dll
    ModLoad: 72b80000 72b92000   C:\Windows\system32\MPR.dll
    ModLoad: 74dd0000 74e4b000   C:\Windows\syswow64\COMDLG32.dll
    ModLoad: 5b960000 5bba0000   C:\Windows\system32\msi.dll
    ModLoad: 73700000 7378c000   C:\Windows\AppPatch\AcLayers.DLL
    ModLoad: 72b00000 72b51000   C:\Windows\system32\WINSPOOL.DRV
    ModLoad: 72cd0000 72cf1000   C:\Windows\system32\ntmarta.dll
    ModLoad: 75330000 75375000   C:\Windows\syswow64\WLDAP32.dll
    ModLoad: 72160000 721e0000   C:\Windows\system32\uxtheme.dll
    ModLoad: 66700000 668c3000   C:\Windows\system32\d3d9.dll
    ModLoad: 71390000 71396000   C:\Windows\system32\d3d8thk.dll
    ModLoad: 65df0000 666f3000   C:\Windows\system32\nvd3dum.dll
    ModLoad: 03920000 03a62000   C:\Windows\system32\nvapi.dll
    ModLoad: 73c70000 73c95000   C:\Windows\system32\powrprof.dll
    ModLoad: 75010000 75093000   C:\Windows\syswow64\CLBCatQ.DLL
    ModLoad: 73ef0000 73f29000   C:\Windows\System32\MMDevApi.dll
    ModLoad: 73df0000 73ee5000   C:\Windows\System32\PROPSYS.dll
    ModLoad: 73d60000 73d96000   C:\Windows\system32\AUDIOSES.DLL
    ModLoad: 71fc0000 7215e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
    ModLoad: 72c80000 72cc4000   C:\Windows\system32\dnsapi.DLL
    ModLoad: 730b0000 730cc000   C:\Windows\system32\iphlpapi.DLL
    ModLoad: 730a0000 730a7000   C:\Windows\system32\WINNSI.DLL
    ModLoad: 632c0000 632e5000   C:\Windows\system32\peerdist.dll
    ModLoad: 634b0000 634cb000   C:\Windows\system32\AUTHZ.dll
    ModLoad: 730e0000 7311c000   C:\Windows\system32\mswsock.dll
    ModLoad: 730d0000 730d5000   C:\Windows\System32\wshtcpip.dll
    ModLoad: 635a0000 635f2000   C:\Windows\system32\RASAPI32.dll
    ModLoad: 63580000 63595000   C:\Windows\system32\rasman.dll
    ModLoad: 63570000 6357d000   C:\Windows\system32\rtutils.dll
    ModLoad: 72fe0000 72fe6000   C:\Windows\system32\sensapi.dll
    ModLoad: 748f0000 74900000   C:\Windows\system32\NLAapi.dll
    ModLoad: 74290000 74296000   C:\Windows\system32\rasadhlp.dll
    ModLoad: 748e0000 748e8000   C:\Windows\System32\winrnr.dll
    ModLoad: 748d0000 748e0000   C:\Windows\system32\napinsp.dll
    ModLoad: 748b0000 748c2000   C:\Windows\system32\pnrpnsp.dll
    ModLoad: 743f0000 743f6000   C:\Windows\System32\wship6.dll
    ModLoad: 742b0000 742e8000   C:\Windows\System32\fwpuclnt.dll
    ModLoad: 73dc0000 73df0000   C:\Windows\system32\wdmaud.drv
    ModLoad: 73db0000 73db4000   C:\Windows\system32\ksuser.dll
    ModLoad: 73da0000 73da7000   C:\Windows\system32\AVRT.dll
    ModLoad: 73d50000 73d58000   C:\Windows\system32\msacm32.drv
    ModLoad: 73d20000 73d27000   C:\Windows\system32\midimap.dll
    (12b4.d2c): Break instruction exception - code 80000003 (first chance)
    eax=7eef2000 ebx=00000000 ecx=00000000 edx=7713f50a esi=00000000 edi=00000000
    eip=770b000c esp=15b5ff5c ebp=15b5ff88 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll - 
    ntdll!DbgBreakPoint:
    770b000c cc              int     3
    0:034> x ntdll!*ValidHandler
    0:034> .symfix
    0:034> .reload
    Reloading current modules
    ................................................................
    .........................
    0:034> x ntdll!*ValidHandler
    770f852a ntdll!RtlIsValidHandler = <no type information>
    0:034> bp ntdll!RtlIsValidHandler
    0:034> bbl
    0:034> bl
     0 e 770f852a     0001 (0001)  0:**** ntdll!RtlIsValidHandler
     1 e 770b000c     0001 (0001)  0:**** ntdll!DbgBreakPoint
    0:034> g
    ModLoad: 5b170000 5b227000   C:\Windows\SysWOW64\MSVCP100D.dll
    ModLoad: 5aff0000 5b162000   C:\Windows\SysWOW64\MSVCR100D.dll
    (12b4.fa8): Break instruction exception - code 80000003 (first chance)
    eax=00000001 ebx=08200000 ecx=00000000 edx=065b10e6 esi=11f8ff44 edi=00000000
    eip=752f22a1 esp=11f8ff40 ebp=11f8ff88 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    KERNELBASE!DebugBreak+0x2:
    752f22a1 cc              int     3
    0:033> g
    (12b4.fa8): C++ EH exception - code e06d7363 (first chance)
    Breakpoint 0 hit
    eax=065c0cc3 ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f852a esp=11f8fad8 ebp=11f8fb54 iopl=0         nv up ei ng nz na pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
    ntdll!RtlIsValidHandler:
    770f852a 8bff            mov     edi,edi
    0:033> p
    eax=065c0cc3 ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f852c esp=11f8fad8 ebp=11f8fb54 iopl=0         nv up ei ng nz na pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
    ntdll!RtlIsValidHandler+0x2:
    770f852c 55              push    ebp
    0:033> p
    eax=065c0cc3 ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f852d esp=11f8fad4 ebp=11f8fb54 iopl=0         nv up ei ng nz na pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
    ntdll!RtlIsValidHandler+0x3:
    770f852d 8bec            mov     ebp,esp
    0:033> p
    eax=065c0cc3 ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f852f esp=11f8fad4 ebp=11f8fad4 iopl=0         nv up ei ng nz na pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
    ntdll!RtlIsValidHandler+0x5:
    770f852f 83ec30          sub     esp,30h
    0:033> p
    eax=065c0cc3 ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8532 esp=11f8faa4 ebp=11f8fad4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!RtlIsValidHandler+0x8:
    770f8532 a188201a77      mov     eax,dword ptr [ntdll!__security_cookie (771a2088)] ds:002b:771a2088=77afec4b
    0:033> p
    eax=77afec4b ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8537 esp=11f8faa4 ebp=11f8fad4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!RtlIsValidHandler+0xd:
    770f8537 33c5            xor     eax,ebp
    0:033> p
    eax=6657169f ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8539 esp=11f8faa4 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0xf:
    770f8539 8945fc          mov     dword ptr [ebp-4],eax ss:002b:11f8fad0=ffffffff
    0:033> p
    eax=6657169f ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f853c esp=11f8faa4 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x12:
    770f853c 53              push    ebx
    0:033> p
    eax=6657169f ebx=11f8ff7c ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f853d esp=11f8faa0 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x13:
    770f853d 8b5d08          mov     ebx,dword ptr [ebp+8] ss:002b:11f8fadc=065c0cc3
    0:033> p
    eax=6657169f ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8540 esp=11f8faa0 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x16:
    770f8540 56              push    esi
    0:033> p
    eax=6657169f ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8541 esp=11f8fa9c ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x17:
    770f8541 57              push    edi
    0:033> p
    eax=6657169f ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8542 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x18:
    770f8542 8d45f8          lea     eax,[ebp-8]
    0:033> p
    eax=11f8facc ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8545 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x1b:
    770f8545 50              push    eax
    0:033> p
    eax=11f8facc ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8546 esp=11f8fa94 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x1c:
    770f8546 8d45f0          lea     eax,[ebp-10h]
    0:033> p
    eax=11f8fac4 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8549 esp=11f8fa94 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x1f:
    770f8549 50              push    eax
    0:033> p
    eax=11f8fac4 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f854a esp=11f8fa90 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x20:
    770f854a 53              push    ebx
    0:033> p
    eax=11f8fac4 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f854b esp=11f8fa8c ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x21:
    770f854b e85c000000      call    ntdll!RtlLookupFunctionTable (770f85ac)
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=770f8550 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0x26:
    770f8550 33ff            xor     edi,edi
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=770f8552 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0x28:
    770f8552 8945f4          mov     dword ptr [ebp-0Ch],eax ss:002b:11f8fac8=770bfa8a
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=770f8555 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0x2b:
    770f8555 3bc7            cmp     eax,edi
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=770f8557 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0x2d:
    770f8557 0f84a5130200    je      ntdll!RtlIsValidHandler+0x82 (77119902) [br=1]
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=77119902 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0x82:
    77119902 397d0c          cmp     dword ptr [ebp+0Ch],edi ss:002b:11f8fae0=0000004d
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=77119905 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x85:
    77119905 7442            je      ntdll!RtlIsValidHandler+0x87 (77119949) [br=0]
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=77119907 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0x9e:
    77119907 8b450c          mov     eax,dword ptr [ebp+0Ch] ss:002b:11f8fae0=0000004d
    0:033> p
    eax=0000004d ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=7711990a esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0xa1:
    7711990a 83e030          and     eax,30h
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=7711990d esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xa4:
    7711990d 3c30            cmp     al,30h
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=7711990f esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xa6:
    7711990f 0f847fecfdff    je      ntdll!RtlIsValidHandler+0xec (770f8594) [br=0]
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=77119915 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xac:
    77119915 e99e6a0100      jmp     ntdll!RtlIsValidHandler+0xa8 (771303b8)
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303b8 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xa8:
    771303b8 8d45ec          lea     eax,[ebp-14h]
    0:033> p
    eax=11f8fac0 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303bb esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xab:
    771303bb 50              push    eax
    0:033> p
    eax=11f8fac0 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303bc esp=11f8fa94 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xac:
    771303bc 6a1c            push    1Ch
    0:033> p
    eax=11f8fac0 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303be esp=11f8fa90 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xae:
    771303be 8d45d0          lea     eax,[ebp-30h]
    0:033> p
    eax=11f8faa4 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303c1 esp=11f8fa90 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xb1:
    771303c1 50              push    eax
    0:033> p
    eax=11f8faa4 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303c2 esp=11f8fa8c ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xb2:
    771303c2 57              push    edi
    0:033> p
    eax=11f8faa4 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303c3 esp=11f8fa88 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xb3:
    771303c3 53              push    ebx
    0:033> p
    eax=11f8faa4 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303c4 esp=11f8fa84 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xb4:
    771303c4 6aff            push    0FFFFFFFFh
    0:033> p
    eax=11f8faa4 ebx=065c0cc3 ecx=770f8653 edx=771a2070 esi=11f8fb6c edi=00000000
    eip=771303c6 esp=11f8fa80 ebp=11f8fad4 iopl=0         nv up ei ng nz na po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
    ntdll!RtlIsValidHandler+0xb6:
    771303c6 e8adf7f8ff      call    ntdll!ZwQueryVirtualMemory (770bfb78)
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=771303cb esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!RtlIsValidHandler+0xbb:
    771303cb 85c0            test    eax,eax
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=771303cd esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xbd:
    771303cd 0f8cc181fcff    jl      ntdll!RtlIsValidHandler+0xec (770f8594) [br=0]
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=771303d3 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xbf:
    771303d3 f645e4f0        test    byte ptr [ebp-1Ch],0F0h    ss:002b:11f8fab8=20
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=771303d7 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!RtlIsValidHandler+0xc3:
    771303d7 743a            je      ntdll!RtlIsValidHandler+0x109 (77130413) [br=0]
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=771303d9 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!RtlIsValidHandler+0xc5:
    771303d9 817de800000001  cmp     dword ptr [ebp-18h],1000000h ss:002b:11f8fabc=00020000
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=771303e0 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei ng nz na pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
    ntdll!RtlIsValidHandler+0xcc:
    771303e0 7524            jne     ntdll!RtlIsValidHandler+0xff (77130406) [br=1]
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=77130406 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei ng nz na pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
    ntdll!RtlIsValidHandler+0xff:
    77130406 8a450c          mov     al,byte ptr [ebp+0Ch]      ss:002b:11f8fae0=4d
    0:033> p
    eax=0000004d ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=77130409 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei ng nz na pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
    ntdll!RtlIsValidHandler+0x102:
    77130409 c0e805          shr     al,5
    0:033> p
    eax=00000002 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=7713040c esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    ntdll!RtlIsValidHandler+0x105:
    7713040c 2401            and     al,1
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=7713040e esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0x107:
    7713040e e98381fcff      jmp     ntdll!RtlIsValidHandler+0xee (770f8596)
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=5dc30000 edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8596 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xee:
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\nvd3dum.dll - 
    770f8596 8b4dfc          mov     ecx,dword ptr [ebp-4] ss:002b:11f8fad0=6657169f
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=6657169f edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8599 esp=11f8fa98 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xf1:
    770f8599 5f              pop     edi
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=6657169f edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f859a esp=11f8fa9c ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xf2:
    770f859a 5e              pop     esi
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=6657169f edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f859b esp=11f8faa0 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xf3:
    770f859b 33cd            xor     ecx,ebp
    0:033> p
    eax=00000000 ebx=065c0cc3 ecx=77afec4b edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f859d esp=11f8faa0 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0xf5:
    770f859d 5b              pop     ebx
    0:033> p
    eax=00000000 ebx=11f8ff7c ecx=77afec4b edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f859e esp=11f8faa4 ebp=11f8fad4 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!RtlIsValidHandler+0xf6:
    770f859e e8115afdff      call    ntdll!__security_check_cookie (770cdfb4)
    0:033> p
    eax=00000000 ebx=11f8ff7c ecx=77afec4b edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f85a3 esp=11f8faa4 ebp=11f8fad4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xfb:
    770f85a3 c9              leave
    0:033> p
    eax=00000000 ebx=11f8ff7c ecx=77afec4b edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f85a4 esp=11f8fad8 ebp=11f8fb54 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlIsValidHandler+0xfc:
    770f85a4 c20800          ret     8
    0:033> p
    eax=00000000 ebx=11f8ff7c ecx=77afec4b edx=11e1e8b8 esi=11f8fb6c edi=00000000
    eip=770f8715 esp=11f8fae4 ebp=11f8fb54 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlDispatchException+0x10e:
    770f8715 84c0            test    al,al
    Last edited by Cypher; 03-03-2010 at 11:02 PM.

  5. #5
    Cypher's Avatar Kynox's Sister's Pimp
    Some more information has come to light regarding the default state of the ImageDispatchEnable flag.

    From the Blackhat 2008 paper "Impressing Girls With Browser Memory Protection Bypasses":
    The ExecuteDispatchEnable and ImageDispatchEnable bits are part of the process execution flags in the kernel KPROCESS structure. These two bits control whether the exception dispatcher will call handlers located in non-executable memory or outside of an image. The two bits can be changed at runtime, but by default they are both set for processes with DEP disabled and cleared for processes with DEP enabled.
    By "changed at runtime", I'm not sure whether they mean only from kernelmode, or from both kernelmode and usermode. If it includes usermode, then maybe I was right originally and I just ****ed up the NtSetInformationProcess call. However, I can't see where I went wrong, so if someone else wants to try it and let me know whether it works, that would be awesome.

  6. #6
    amadmonk's Avatar Active Member
    I replied over at G-D. I'm guessing that the DEP Permanent flag is set, which means you can't modify it at runtime.
    Don't believe everything you think.
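The decision the WinDbg trace above steps through, which the paper quote in post #5 and the DEP Permanent guess in post #6 both bear on, as an added Python model that is neither ntdll's code nor the project's code: it follows the RtlIsValidHandler pseudocode quoted at the top of the thread plus the paper's statement that ExecuteDispatchEnable and ImageDispatchEnable govern handlers in non-executable memory and handlers outside an image. The MEM_EXECUTE_OPTION_* values are taken from public NT headers (ReactOS/phnt), not from this thread; the process layout, module names and addresses are constructed; and reading the trace's `shr al,5` / `and al,1` as the ImageDispatchEnable test is this model's interpretation, not something the thread states.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Process execute-option bits as exposed through the ProcessExecuteFlags
# information class. Values come from public NT headers (ReactOS/phnt), not
# from this thread; treat them as an assumption of this model.
MEM_EXECUTE_OPTION_DISABLE = 0x01
MEM_EXECUTE_OPTION_ENABLE = 0x02
MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION = 0x04
MEM_EXECUTE_OPTION_PERMANENT = 0x08
MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE = 0x10
MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE = 0x20
MEM_EXECUTE_OPTION_DISABLE_EXCEPTION_CHAIN_VALIDATION = 0x40

_FLAG_NAMES = {
    MEM_EXECUTE_OPTION_DISABLE: "DISABLE",
    MEM_EXECUTE_OPTION_ENABLE: "ENABLE",
    MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION: "DISABLE_THUNK_EMULATION",
    MEM_EXECUTE_OPTION_PERMANENT: "PERMANENT",
    MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE: "EXECUTE_DISPATCH_ENABLE",
    MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE: "IMAGE_DISPATCH_ENABLE",
    MEM_EXECUTE_OPTION_DISABLE_EXCEPTION_CHAIN_VALIDATION: "DISABLE_EXCEPTION_CHAIN_VALIDATION",
}


def decode_execute_flags(flags: int) -> List[str]:
    """Name every set bit of an execute-flags byte, lowest bit first."""
    return [name for bit, name in sorted(_FLAG_NAMES.items()) if flags & bit]


def image_dispatch_enabled(flags: int) -> bool:
    """The bit test the trace performs on the flags byte: shr al,5 / and al,1."""
    return bool((flags >> 5) & 1)


@dataclass
class Image:
    """A module the loader knows about, i.e. one the dispatcher treats as an image."""
    name: str
    base: int
    size: int
    no_seh: bool = False                       # IMAGE_DLLCHARACTERISTICS_NO_SEH set
    safeseh_table: Optional[List[int]] = None  # load-config handler table; None = absent
    il_only: bool = False                      # .NET assembly with the ILonly flag

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Process:
    images: List[Image]                        # modules registered with the loader
    executable_ranges: List[Tuple[int, int]]   # (start, size) pairs with PAGE_EXECUTE*
    execute_flags: int                         # byte returned for ProcessExecuteFlags

    def image_for(self, addr: int) -> Optional[Image]:
        return next((img for img in self.images if img.contains(addr)), None)

    def is_executable(self, addr: int) -> bool:
        return any(start <= addr < start + size for start, size in self.executable_ranges)


def is_valid_handler(proc: Process, handler: int) -> bool:
    """Model of ntdll!RtlIsValidHandler following the pseudocode quoted in this thread."""
    image = proc.image_for(handler)
    if image is not None:
        if image.no_seh:
            return False
        if image.safeseh_table is not None:
            return handler in image.safeseh_table   # SafeSEH: table membership decides
        if image.il_only:
            return False
        # fall through: a native image without a SafeSEH table
    if not proc.is_executable(handler):
        # Handler on a non-executable page: only ExecuteDispatchEnable allows it
        # (ntdll raises an access violation otherwise; modelled here as rejection).
        return bool(proc.execute_flags & MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE)
    if image is None:
        # Handler outside every loader-registered image, which is exactly where a
        # manually mapped module lives: only ImageDispatchEnable allows it.
        return image_dispatch_enabled(proc.execute_flags)
    return True


def sample_process(execute_flags: int = 0x4D) -> Process:
    """Constructed layout (hypothetical modules and addresses); the default flags
    byte is the 0x4d value loaded from [ebp+0Ch] in the trace."""
    ntdll = Image("ntdll.dll", 0x77000000, 0x100000, safeseh_table=[0x77012340])
    game = Image("game.exe", 0x00400000, 0x800000)  # no SafeSEH table, no NO_SEH
    noseh = Image("noseh.dll", 0x60000000, 0x10000, no_seh=True)
    return Process(
        images=[ntdll, game, noseh],
        executable_ranges=[(0x77000000, 0x100000), (0x00400000, 0x800000),
                           (0x60000000, 0x10000), (0x10000000, 0x10000)],
        execute_flags=execute_flags,
    )


MAPPED_HANDLER = 0x10001000  # executable, but inside a manually mapped (unregistered) module
```

With the 0x4d byte from the trace, `decode_execute_flags` reports DISABLE, DISABLE_THUNK_EMULATION, PERMANENT and DISABLE_EXCEPTION_CHAIN_VALIDATION, so both dispatch bits are clear and `is_valid_handler` rejects `MAPPED_HANDLER` even though its page is executable, while a handler in `game.exe` (no SafeSEH table) falls through and is accepted. The model takes the flags byte as given and does not try to change it; whether that byte can be altered from usermode is the open question in post #5.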

  7. #7
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by amadmonk
    I replied over at G-D. I'm guessing that the DEP Permanent flag is set, which means you can't modify it at runtime.
    I replied to your reply over at GD.

  8. #8
    wraithZX's Avatar Active Member
    Just a note for Memory.h, if I'm reading things correctly, in your __thiscall handler for x86 (lines 278-281 on googlecode), you're still mucking around with eax instead of shoving the first arg into ecx.

  9. #9
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by wraithZX
    Just a note for Memory.h, if I'm reading things correctly, in your __thiscall handler for x86 (lines 278-281 on googlecode), you're still mucking around with eax instead of shoving the first arg into ecx.
    Nice catch. Fixed.
