From .exe to .dll

  1. #1 2Old4this (Private)

    From .exe to .dll

    Hello, today I have a small bot that uses CTM and follows a simple waypoint path. I do this by using read/write memory from an .exe file. I'm curious to take the next step and make a .dll with an EndScene hook. What is the biggest difference when you are in WoW's process space? What I'm looking for is some tips/keywords. I know how to implement the DLL and the hook, but I feel like a noob when it comes to WoW-specific stuff. Humbly grateful for some advice so I start in the right direction.

    ..:: 2Old4This

  2. #2 streppel (Active Member)

    The biggest difference: you can use Lua functions and create a much better bot this way.

    If I were you I'd begin writing the hook and the Lua handler (along with getting return values); then you have the most important stuff done and you can focus on more important things like good logic and navigation.

  3. #3 2Old4this (Private)

    Thanks for the reply Streppel, tonight it will be time to start testing some lua_dostring things.

    ..:: 2Old4This

  4. #4 flo8464 (Active Member)

    The biggest difference is that you are not running in your own context, which is highly dangerous in terms of safe programming.
    You have to deal with threads you can't control and maybe don't even know about, functions you don't know exactly, etc.

    To write something safe and stable in the context of a foreign process is a hell of a lot of work; most people fail at it.
    Hey, it compiles! Ship it!

  5. #5 streppel (Active Member)

    idk how it is for WoW exactly, but for the game I'm developing a bot for, it is more or less the same whether you are IP or OOP (using ASM injection and CreateRemoteThread). In both cases it fails miserably when doing something bad (aka calling engine functions without making sure it's thread-safe by hooking something).

  6. #6 Thongs (Member)

    Originally Posted by streppel:
    idk how it is for WoW exactly, but for the game I'm developing a bot for, it is more or less the same whether you are IP or OOP (using ASM injection and CreateRemoteThread). In both cases it fails miserably when doing something bad (aka calling engine functions without making sure it's thread-safe by hooking something).
    If you're using ASM injection and CreateRemoteThread you're not out of process.

  7. #7 Bananenbrot (Contributor)

    I would call that kind of out of process "observing" as opposed to a "passive" bot.
    We really shouldn't start that debate again in this thread...

  8. #8 flo8464 (Active Member)

    Originally Posted by Bananenbrot:
    I would call that kind of out of process "observing" as opposed to a "passive" bot.
    We really shouldn't start that debate again in this thread...
    There is nothing to debate.
    Why should there be a difference between injecting executable code directly and making the dynamic loader load some code from a library?
    Is library injection without LoadLibrary/dlopen ("manual mapping") also observing?
    Hey, it compiles! Ship it!

  9. #9 Bananenbrot (Contributor)

    I only introduced these terms to differentiate between meanings of "out of process".
    Note that I do not see any advantage to be observing over to be truly injected into the process.
    It's only about terms: how else would you describe those hackish runtime-compiled ASM-injecting beasts?
    The main logic is certainly not executed inside the process.
    Therefore, I propose to use those 3 different terms, they are just un-misunderstandable: "passive", "observing" (ok, beat me on this one) and "injected"/"in process".

    Based on my understanding, manual mapping is being injected, because your main logic really runs inside the process.

  10. #10 2Old4this (Private)

    Do not fight now guys, I appreciate your help so far. I know that in/out of process is a sacred issue.

    ..:: 2Old4This

  11. #11 Cypher (Kynox's Sister's Pimp)

    Originally Posted by flo8464:
    There is nothing to debate.
    Why should there be a difference between injecting executable code directly and making the dynamic loader load some code from a library?
    Is library injection without LoadLibrary/dlopen ("manual mapping") also observing?
    ^ This.

    Code injection is code injection. The only time it makes a difference is when your bot is public, and you're comparing DLL injection to manual mapping (or ASM injection). In this one case, the DLL is slightly more detectable because DLLs loaded by the Windows PE loader are backed by a kernel section object, which can be detected (yes, even if you unlink yourself from the PEB loader list... nowadays everyone knows about the section object detection trick, so PEB unlinking is pointless). However, you're already detectable either way via memory hashing etc., so if you're public you'd need to hook the same APIs regardless (section objects that back memory regions are queried via NtQueryVirtualMemory, which is the same API you'd need to hook to hide your memory block anyway -- among others).

    Tl;dr: In a public bot, manually mapping a DLL is slightly better than regular injection, but it doesn't matter anyway, as there are a thousand other ways to detect your code. (e.g. I'm in ur stack, tracin ur function callz.)
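
Cypher's section-object point seen from the scanner's side, as an added example that is not code from the thread: it classifies committed executable regions the way an anti-cheat or EDR memory scan would, from the State/Protect/Type fields VirtualQueryEx returns plus a loader-list lookup (GetModuleHandleEx with GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS). The classifier and the constructed sample build anywhere; the live walk over the current process is compiled only on Windows.

```c
/* Added example, not from the thread: Cypher's section-object check from the scanner's side. */
#ifdef _WIN32
#include <windows.h>
#else /* real Win32 values, defined so the classifier also builds off Windows */
#define MEM_COMMIT  0x1000
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED  0x40000
#define MEM_IMAGE   0x1000000
#define PAGE_GUARD  0x100
#endif
#define EXEC_MASK 0xF0 /* PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY */
enum verdict { REGION_IGNORE, REGION_IMAGE, REGION_HIDDEN_IMAGE, REGION_PRIVATE_EXEC, REGION_MAPPED_EXEC };
struct region { unsigned long state, protect, type; int in_loader_list; }; /* MEMORY_BASIC_INFORMATION subset + loader-list flag */

enum verdict classify(const struct region *r)
{
    if (r->state != MEM_COMMIT || (r->protect & PAGE_GUARD) || !(r->protect & EXEC_MASK))
        return REGION_IGNORE;      /* only committed, executable pages matter */
    if (r->type == MEM_IMAGE)      /* backed by the section object of a PE file */
        return r->in_loader_list ? REGION_IMAGE : REGION_HIDDEN_IMAGE; /* PEB-unlinked DLL */
    if (r->type == MEM_PRIVATE)    /* nothing on disk behind it: manual map, codecave, JIT */
        return REGION_PRIVATE_EXEC;
    return REGION_MAPPED_EXEC;     /* executable view of a data file: rare, inspect */
}
int count_flagged(const struct region *rs, int n)  /* hidden images + private exec */
{   int hits = 0;
    for (int i = 0; i < n; i++) { enum verdict v = classify(&rs[i]);
        if (v == REGION_HIDDEN_IMAGE || v == REGION_PRIVATE_EXEC) hits++; }
    return hits;
}
static const struct region sample[] = { /* constructed stand-in for one address-space walk */
    { MEM_COMMIT, 0x20, MEM_IMAGE,   1 },   /* normal DLL .text, PAGE_EXECUTE_READ */
    { MEM_COMMIT, 0x20, MEM_IMAGE,   0 },   /* section-backed but unlinked from the PEB */
    { MEM_COMMIT, 0x40, MEM_PRIVATE, 0 },   /* RWX private memory: manually mapped code */
    { MEM_COMMIT, 0x04, MEM_PRIVATE, 0 },   /* ordinary heap, PAGE_READWRITE */
    { 0x2000,     0x01, MEM_PRIVATE, 0 },   /* MEM_RESERVE: nothing committed yet */
};
int run_sample(void) { return count_flagged(sample, sizeof sample / sizeof sample[0]); }
#ifdef _WIN32 /* the same check against the live address space of the current process */
int scan_self(void)
{
    MEMORY_BASIC_INFORMATION mbi; unsigned char *p = 0; HMODULE m; int hits = 0;
    while (VirtualQueryEx(GetCurrentProcess(), p, &mbi, sizeof mbi) == sizeof mbi) {
        struct region r = { mbi.State, mbi.Protect, mbi.Type, GetModuleHandleExA(
            GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
            (LPCSTR)p, &m) };   /* loader-list lookup: is this address inside a listed module? */
        hits += count_flagged(&r, 1);
        p = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    return hits;
}
#endif
```

Private executable regions also include legitimate JIT code, so a hit is a lead to hash or inspect (the "memory hashing" Cypher mentions), not a verdict on its own.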

  12. #12 Bananenbrot (Contributor)

    I think we are talking at cross-purposes... You are right of course, but what I meant is more pragmatic.
    Think of Thongs:
    Originally Posted by Thongs:
    If you're using ASM injection and CreateRemoteThread you're not out of process.
    But is this real injection from a pragmatic point of view? Sure, it injects some dirty codecaves to call engine functions, but is the devil really "inside" the process?
    What about an out of process bot that only writes to the global CTM struct? There is not much injection going on (despite those memory writes).
    The main logic is executed in a separate process. Codecaves are dumb, as are simple memory writes. It's more like a doctor who is modifying his patient's internals while he's narcotized (SuspendThread). The doctor is "observing", but not passive.

    Nothing from the "all or nothing" point of view regarding security while injecting here, just some more vocabulary to avoid misunderstandings. Maybe call it "ASM injection" to make it clearer, but "observing" was only one adjective that fit a DLL name better for me :P
    Last edited by Bananenbrot; 06-30-2011 at 03:44 AM.

  13. #13 streppel (Active Member)

    I would rep you Bananenbrot but I can't again yet.
    Injection is good for private things, so let's get back to topic now.

    2old4this, how is it going?

  14. #14 Thongs (Member)

    Keep in mind what my initial post was responding to; streppel claimed that whether you're in or out of process, if you make a mistake you're basically going to crash WoW. If you were truly out of process, a mistake in your code wouldn't do this at all, though.

    Like flo said, there isn't any debate as to whether or not injecting ASM, or even writing values to memory, is in process. It absolutely is. I understand that you can separate OOP, 'observing', and in-process, but that doesn't change the fact that 'observing' still IS in-process. 'Observing' would be a category within in-process, but you can't be 'observing' without being in-process. I know that you understand this, though, Bananenbrot.

    I come to this forum to learn - everything I've ever done regarding programming and computer science in general has stemmed from this forum, as my bots were my first and only application I've written. As long as people continue to be told that they're safe as long as they don't inject a DLL, the longer it will take for them to truly understand what they're doing.

  15. #15 2Old4this (Private)

    The only problem with this site is that when you are looking for one thing you'll find 10 new things you want to look at. Perhaps a luxury problem: I searched for information about lua_dostring but found myself sitting in IDA and OllyDbg trying to understand how certain functions work. But this has to be clearly the most fun way to learn things about programming. Perhaps the best thing is to write down a list of things to do, so you do not drift off with the lots of other interesting things you find along the way.

    ..:: 2Old4This
