[Question] API Protection 3.3.2

  1. #16 noctural
    Actually, damn. I don't think I can use VEH to bypass code, only hook, which doesn't help me. Back to the drawing board.

  2. #17 JuJuBoSc
    Why not just register your own Lua function, which calls Lua_Execute, and call it from the game?

  3. #18 noctural
    That's what Cypher suggested, but I wasn't sure how to do that :/

  4. #19 lanman92
    It's super simple. Look at the xrefs to the start of the array of Lua functions (there are multiple arrays; any will do). Register your function and have it just pop your string off the Lua stack and feed it into FrameScript_Execute. Ignore the actual LuaState parameter, pass zero. If you want to get return values, use lua_pcall/call and grab them after you call it. Look at how Lua works somewhere.

  5. #20 noctural
    Thanks for the replies guys. I know it must get tiresome with the questions from new guys, but I really do appreciate the help. I've been scouring the forum off and on for the past 10 hours, but with no prior ASM, it's challenging to say the least. I'm sure I'll have my 'a ha' moment.
    Last edited by noctural; 04-03-2010 at 11:34 PM. Reason: typo

  6. #21 Xarg0
    pro tip:
    don't pass the actual address of your Lua callback; find something that'll cause an exception when executed in the wow.exe module and pass that address, install a VEH to catch the exception and redirect the execution to your callback. That way you can trick the IsFunctionPtrInRange check without any further hooks.

    I won't explain in detail how a vectored handler needs to look to deal with this task; this is something you should be able to find out yourself easily. You'd even find some copy-pasta code with Google, but I'd suggest you write it on your own using MSDN, so you actually understand what you're doing.

    And about your asm knowledge: you can learn the basics of asm rather quickly; there are dozens of tutorials on this subject. You'll have to search for x86 assembler, and I'd suggest you use a tutorial with Intel-style syntax, because that's what most disassemblers use. Reading some tutorials on debugging won't hurt, btw.

  7. #22 noctural
    Thanks Xarg0. I have been debugging; I've even written my own apps and debugged them to understand what was going on in asm.

    I've been able to set up a VEH to fire on a function of mine, by setting the memory of the function to PAGE_NOACCESS. When my func runs, the exception is thrown and my handler is called. My handler returns EXCEPTION_CONTINUE_EXECUTION, which appears to continue execution of the function. Is it possible to make my VEH change the EIP or something to skip over my function entirely?

  8. #23 Xarg0
    Guess what's in the context structure that the pcontext pointer in the exception structure points to
    Last edited by Xarg0; 04-04-2010 at 02:25 PM.

  9. #24 noctural
    Originally Posted by Xarg0:
    Guess what's in the context structure that the pcontext pointer in the exception structure points to
    Thanks! So, would this change the EFlags for the next executed instruction after the handler returns to continue execution?

    Code:
    #include <windows.h>

    /* A vectored handler must be LONG CALLBACK (stdcall) to match
       PVECTORED_EXCEPTION_HANDLER; register it with
       AddVectoredExceptionHandler(1, VEHandler); */
    LONG CALLBACK VEHandler(PEXCEPTION_POINTERS exc)
    {
         DWORD code = exc->ExceptionRecord->ExceptionCode;

         if (code != STATUS_ACCESS_VIOLATION && code != STATUS_SINGLE_STEP)
         {
             return EXCEPTION_CONTINUE_SEARCH;   /* not ours; let the next handler look */
         }
         else if (code == STATUS_SINGLE_STEP)
         {
             /* 0x40 is bit 6 of EFLAGS, the zero flag (ZF). The edited CONTEXT is
                what the thread resumes with once the handler returns
                EXCEPTION_CONTINUE_EXECUTION. */
             exc->ContextRecord->EFlags |= 0x40;
         }

         return EXCEPTION_CONTINUE_EXECUTION;
    }

  10. #25 lanman92
    You might want to change the EIP value so that your code is executed

  11. #26 noctural
    Originally Posted by lanman92:
    You might want to change the EIP value so that your code is executed
    I thought that my code is executing in the VEH. Or are you saying the exception handler modifies a different CONTEXT than that of the main thread?

  12. #27 lanman92
    Yes, set the EIP in the PCONTEXT structure and then return EXCEPTION_CONTINUE_EXECUTION and it will jump to your Eip value. You can do your magic there. Make sure to be careful with stack corruption though, make a stub __declspec(naked) function to call your actual code.

  13. #28 noctural
    Originally Posted by lanman92:
    Yes, set the EIP in the PCONTEXT structure and then return EXCEPTION_CONTINUE_EXECUTION and it will jump to your Eip value. You can do your magic there. Make sure to be careful with stack corruption though, make a stub __declspec(naked) function to call your actual code.
    My exception handler seems to be in an infinite loop. I set the breakpoint on the function address correctly, the exception handler fires, then continues execution, but the breakpoint is hit again, firing the exception handler again, to infinity.

    I thought that if I set the RF (bit 16) in EFLAGS, it would cause the breakpoint to be disabled for one instruction. Here's my exception handler code. Does anyone know what I might be doing wrong here? Thanks again!

    Code:
    #include <windows.h>

    /* stdcall handler, as AddVectoredExceptionHandler expects */
    LONG CALLBACK HookHandler(PEXCEPTION_POINTERS exc)
    {
        if (exc->ExceptionRecord->ExceptionCode != STATUS_SINGLE_STEP)
        {
            MessageBoxA(NULL, "Handler was not single step, continuing.", "NOT STATUS_SINGLE_STEP", MB_OK);
            return EXCEPTION_CONTINUE_SEARCH;
        }

        /* Debugging aid only: MessageBoxA pumps a message loop from inside the
           exception dispatch of the faulting thread, and any other thread that
           hits the breakpoint meanwhile re-enters this handler. Remove it once
           the handler works. */
        MessageBoxA(NULL, "Hit the BP!", "STATUS_SINGLE_STEP", MB_OK);

        /* 0x10000 is bit 16 of EFLAGS, the resume flag (RF). Note that nothing
           here checks Dr6 to confirm the step came from the armed breakpoint. */
        exc->ContextRecord->EFlags |= (DWORD)0x10000;
        return EXCEPTION_CONTINUE_EXECUTION;
    }

  14. #29 noctural
    Hmm. It seems I have to clear the debug register when the VEH is called the first time and set the TF. Then continue execution, and the next time the VEH is called, restore the debug register. Does this RF flag not do what I think it does? Which is to say this:

    "Controls the processor's response to instruction-breakpoint conditions. When set, this flag temporarily disables debug exceptions (#DB) from being generated for instruction breakpoints (although other exception conditions can cause an exception to be generated). When clear, instruction breakpoints will generate debug exceptions."
    Last edited by noctural; 04-06-2010 at 08:21 AM. Reason: typo
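Editor's added example (not code from the thread or from any of its posters): a vectored-exception-handler core that does what the last three posts converge on. It combines the disarm / TF single-step / re-arm sequence noctural describes in #29 (which does not depend on the kernel honouring RF), the EIP redirect lanman92 describes in #25 and #27, and Xarg0's #21 trick of handing the game an in-module address that faults and diverting from the handler. It goes a little beyond the thread in that one handler serves both an armed DR0 execute breakpoint (observe-only, letting the original instruction run) and a plain faulting trap address with a callback. The register logic is kept in a portable function over a small struct so it can be read and tested on its own; the guarded Windows section at the bottom is the 32-bit x86 glue that copies those fields in and out of the real CONTEXT. The addresses 0x00401000, 0x00402000 and 0x10001000 used in the test are made-up placeholders for "an address in wow.exe" and "my callback", not values from the game.

```c
/*
 * Added example (not from the thread). Hardware-breakpoint / trap-address
 * VEH core for 32-bit x86. Portable logic first, Windows glue at the end.
 */
#include <stdint.h>
#include <string.h>

#define EFLAGS_TF        0x100u        /* bit 8: trap flag, single-step after the next instruction */
#define DR6_B0           0x1u          /* DR6 bit 0: breakpoint 0 fired */
#define DR7_L0           0x1u          /* DR7 bit 0: local enable for DR0 */
#define DR7_RWLEN0_MASK  (0xFu << 16)  /* DR7 bits 16..19: RW0/LEN0, 00/00 = 1-byte execute */

#define X86_STATUS_SINGLE_STEP 0x80000004u  /* ExceptionCode raised for #DB */

typedef struct {
    uint32_t eip, eflags;
    uint32_t dr0, dr6, dr7;
} x86_regs;

typedef struct {
    uint32_t trap_addr;      /* DR0 target, or a faulting in-module address handed to the game */
    uint32_t callback;       /* where to divert EIP; 0 = observe only, let the original instruction run */
    int      rearm_pending;  /* DR0 disabled, waiting for the TF step to turn it back on */
} veh_state;

enum { VEH_SEARCH = 0, VEH_CONTINUE = 1 };

/* Arm DR0 as a 1-byte execute breakpoint at addr. */
void hwbp_arm(x86_regs *r, uint32_t addr)
{
    r->dr0 = addr;
    r->dr7 &= ~DR7_RWLEN0_MASK;
    r->dr7 |= DR7_L0;
}

/* Decide what the handler does; returns VEH_SEARCH or VEH_CONTINUE and edits *r. */
int veh_handle(veh_state *st, uint32_t code, x86_regs *r)
{
    if (st->rearm_pending) {               /* phase 2: the single-step after a disarmed hit */
        if (code != X86_STATUS_SINGLE_STEP)
            return VEH_SEARCH;
        r->dr7 |= DR7_L0;
        r->dr6 = 0;
        r->eflags &= ~EFLAGS_TF;
        st->rearm_pending = 0;
        return VEH_CONTINUE;
    }
    if (r->eip != st->trap_addr)
        return VEH_SEARCH;                 /* not our address */

    int from_dr0 = (code == X86_STATUS_SINGLE_STEP) && (r->dr6 & DR6_B0);
    if (code == X86_STATUS_SINGLE_STEP && !from_dr0)
        return VEH_SEARCH;                 /* somebody else's TF step landing here */

    if (st->callback) {                    /* divert; the callback needs a naked stub */
        r->dr6 = 0;
        r->eip = st->callback;
        return VEH_CONTINUE;
    }
    if (!from_dr0)
        return VEH_SEARCH;                 /* a real fault: continuing in place would just re-fault */

    /* An execute breakpoint is a fault: resuming at the same EIP re-raises it.
       Disarm DR0 for exactly one instruction using TF, then re-arm in phase 2. */
    r->dr6 = 0;
    r->dr7 &= ~DR7_L0;
    r->eflags |= EFLAGS_TF;
    st->rearm_pending = 1;
    return VEH_CONTINUE;
}

#if defined(_WIN32) && (defined(_M_IX86) || defined(__i386__))
#include <windows.h>
static veh_state g_state;                  /* fill trap_addr/callback before veh_install */

static LONG CALLBACK veh_entry(PEXCEPTION_POINTERS ep)
{
    CONTEXT *c = ep->ContextRecord;
    x86_regs r = { c->Eip, c->EFlags, c->Dr0, c->Dr6, c->Dr7 };
    if (veh_handle(&g_state, ep->ExceptionRecord->ExceptionCode, &r) == VEH_SEARCH)
        return EXCEPTION_CONTINUE_SEARCH;
    c->Eip = r.eip; c->EFlags = r.eflags;
    c->Dr0 = r.dr0; c->Dr6 = r.dr6; c->Dr7 = r.dr7;
    return EXCEPTION_CONTINUE_EXECUTION;   /* thread resumes with the edited CONTEXT */
}

/* Install first, then arm DR0 on a suspended thread. Debug registers are
   per-thread, so repeat for every thread that may execute trap_addr. */
int veh_install(HANDLE thread)
{
    if (!AddVectoredExceptionHandler(1, veh_entry)) return 0;
    CONTEXT c; memset(&c, 0, sizeof c);
    c.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &c)) return 0;
    x86_regs r = { 0, 0, c.Dr0, c.Dr6, c.Dr7 };
    hwbp_arm(&r, g_state.trap_addr);
    c.Dr0 = r.dr0; c.Dr7 = r.dr7;
    return SetThreadContext(thread, &c) != 0;
}
#endif
```

Two design points. First, the handler only claims an exception when EIP is the trap address and, for a single-step, when DR6 says breakpoint 0 fired; everything else is passed on with EXCEPTION_CONTINUE_SEARCH, so the game's own handlers and any other breakpoints keep working. Second, the observe-only path never relies on RF: DR0 is disabled, the original instruction runs under TF, and the following single-step re-enables DR0, which is exactly the two-visit pattern in #29 and does not loop.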

