[Linux][wine] Reading memory - ptrace

  1. #1 klipeto (Private)

    [Linux][wine] Reading memory - ptrace

    I was thinking about learning some WoW memory stuff, and I would like to create a class for WoW memory reading, and possibly tweaking, which could be used later in other projects.
    There are some already, but my approach is memory tweaking from outside the wine environment in Linux, i.e. without injecting or DLL replacing.

    I'll probably write more stuff here if I find something interesting. In the meantime this is my first chapter of my adventure in the land of WoW memory...

    For reading the memory of WoW running through wine I use the ptrace system call, which is able to read/write the memory of a process if you are root. I've found a nice ptrace library for Python.
    If you are interested, python-ptrace is just a ptrace wrapper; or you can try to find a library for your favourite language, or just use C/C++.
    Just man ptrace and search for PEEK and POKE. Actually scanmem uses ptrace as well.

    The base memory address seems to always be 0x00400000, as usual. I think that you can get the actual address by reading /proc/pid/maps, which lists all memory ranges of the process, i.e. in a shell you can get the base this way:
    Code:
    $ grep Wow.exe /proc/`pidof Wow.exe`/maps
    00400000-00401000 r-xp 00000000 08:01 1337759                            /path/to/Wow.exe
    Here is a small Python script just to show you how you can read the memory:
    Code:
    #!/usr/bin/env python

    from ptrace.debugger.debugger import PtraceDebugger
    from ptrace.debugger.process import PtraceProcess
    from struct import unpack
    from subprocess import check_output

    # read a word, or a byte array if size is provided
    def read(address, size=None):
        global tracer

        if not size:
            return tracer.readWord(address)
        return tracer.readBytes(address, size)

    # read a 4-byte unsigned int; "<I" is explicitly little-endian and 4 bytes,
    # so the result does not depend on the host's native int size
    def readInt4(address):
        return unpack("<I", read(address, 4))[0]

    # get the pid (first one if pidof prints several) and instantiate the
    # ptrace wrapper; is_attached=False makes PtraceProcess attach to the pid
    pid = int(check_output(["pidof", "Wow.exe"]).split()[0])
    tracer = PtraceProcess(PtraceDebugger(), pid, False)

    # read a 4-byte unsigned integer
    data = readInt4(yourFavouriteOffset) # instead of yourFavouriteOffset provide your favourite offset, ie. 0x12345

    # let the process run again when done (the kernel also detaches when the tracer exits)
    tracer.detach()
    If you need to read something other than a word, uInt or byte array, check the unpack method and the provided readInt4 function, which you can copy, change the number of bytes you need, and change unpack's format character.
    Here are unpack's format characters: Python 2.7.2 documentation, section 7.3 "struct — Interpret strings as packed binary data"
    Also PtraceProcess has some other readSomething functions which might be worth checking: https://bitbucket.org/haypo/python-p...cess.py#cl-100

    PS: Don't forget that you need root access to ptrace a process. Just sudo or log in as root.

  2. #2 flo8464 (Active Member)
    It's better to attach via ptrace and use /proc/[pid]/mem to read/write process memory.
    Hey, it compiles! Ship it!
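    To tie post #1's /proc/pid/maps lookup together with post #2's advice to read through /proc/[pid]/mem, here is an added example in plain Python 3 with ctypes. It is not klipeto's script and not python-ptrace code: the maps sample text is constructed from the grep line in post #1 (the second Wow.exe mapping and the heap line are made up), and the Attached helper, region_for and self_check are this example's own assumptions. It parses the maps text, finds the image base, attaches with PTRACE_ATTACH, reads a dword through /proc/<pid>/mem and detaches.

```python
#!/usr/bin/env python3
"""Added example, not the thread's code: find an image base in /proc/<pid>/maps
(post #1) and read memory through /proc/<pid>/mem while PTRACE_ATTACHed (post #2).
The raw ptrace(2) call is made with ctypes instead of the python-ptrace wrapper."""
import ctypes
import ctypes.util
import os
import struct
import sys

PTRACE_ATTACH = 16  # request numbers from <sys/ptrace.h> on Linux
PTRACE_DETACH = 17

# Constructed sample of /proc/<pid>/maps output, modelled on the grep line in
# post #1; the second Wow.exe mapping and the heap line are made up.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1337759                            /path/to/Wow.exe
00401000-00500000 r--p 00001000 08:01 1337759                            /path/to/Wow.exe
00500000-00600000 rw-p 00000000 00:00 0                                  [heap]
"""


def parse_maps(text):
    """Parse maps lines into dicts with start, end, perms and path."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)  # at most 5 splits: a path may contain spaces
        if len(fields) < 5:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) == 6 else ""
        regions.append({"start": start, "end": end, "perms": fields[1], "path": path})
    return regions


def module_base(regions, name):
    """Lowest mapping whose path ends with `name`: the image base (0x00400000
    for Wow.exe in the thread), or None if that file is not mapped."""
    starts = [r["start"] for r in regions if r["path"].endswith(name)]
    return min(starts) if starts else None


def region_for(regions, address):
    """Region containing `address`, so a caller can refuse a read on an
    unmapped page instead of getting EIO back from /proc/<pid>/mem."""
    for r in regions:
        if r["start"] <= address < r["end"]:
            return r
    return None


def read_mem(pid, address, size):
    """Read `size` bytes at `address` from /proc/<pid>/mem.  Another process
    needs ptrace permission (being attached satisfies it); your own pid needs none."""
    with open("/proc/%d/mem" % pid, "rb", 0) as mem:
        mem.seek(address)
        data = mem.read(size)
    if len(data) != size:
        raise IOError("short read at 0x%x" % address)
    return data


def read_u32(pid, address):
    """Little-endian 4-byte unsigned int, the readInt4 of post #1."""
    return struct.unpack("<I", read_mem(pid, address, 4))[0]


class Attached(object):
    """Context manager: PTRACE_ATTACH on enter, PTRACE_DETACH on exit."""

    def __init__(self, pid):
        self.pid = pid
        self.libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
        self.libc.ptrace.restype = ctypes.c_long
        self.libc.ptrace.argtypes = [ctypes.c_long, ctypes.c_long, ctypes.c_void_p, ctypes.c_void_p]

    def __enter__(self):
        if self.libc.ptrace(PTRACE_ATTACH, self.pid, None, None) == -1:
            err = ctypes.get_errno()  # EPERM: not root, or Yama ptrace_scope forbids it
            raise OSError(err, os.strerror(err))
        os.waitpid(self.pid, 0)  # the target is stopped once this returns
        return self

    def __exit__(self, *exc):
        self.libc.ptrace(PTRACE_DETACH, self.pid, None, None)  # lets the target run again
        return False


def self_check():
    """Read a known buffer out of our own address space via /proc/self/mem;
    returns 0x12345678 when the mem path works."""
    buf = ctypes.create_string_buffer(b"\x78\x56\x34\x12")
    return read_u32(os.getpid(), ctypes.addressof(buf))


if __name__ == "__main__":
    # usage: script.py <pid> <image>   e.g.  sudo script.py "$(pidof Wow.exe)" Wow.exe
    target, image = int(sys.argv[1]), sys.argv[2]
    with open("/proc/%d/maps" % target) as f:
        regions = parse_maps(f.read())
    base = module_base(regions, image)
    with Attached(target):
        print("%s base 0x%08x, first dword 0x%08x" % (image, base, read_u32(target, base)))
```

    Two things worth knowing when running it. Attaching to a process you do not own, or to any process that is not your descendant when kernel.yama.ptrace_scope is 1, needs CAP_SYS_PTRACE, which is the "you need root" of post #1; the EPERM from PTRACE_ATTACH is that check failing. And the attach is visible from the target's side: while attached, /proc/<pid>/status of the target reports the reader's pid in its TracerPid field, which is the usual way a process or a monitoring tool notices a tracer.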

  3. #3 klipeto (Private)
    @flo8464 Ah, that works well. Thank you. I didn't know that /proc/pid/mem becomes available when I attach to it with ptrace.

  4. #4 kouteiheika (Private)
    Generally there isn't really much of a point in doing this as it's usually easier to just use the LD_PRELOAD trick, though it can be a bit challenging to make an LD_PRELOAD hack in a scripting language; I've made one in Ruby and it required some creative stack pointer manipulation and jumping around to get it to work properly. The only other advantage I can think of that this method has is that you can restart your hack/bot/whatever while WoW is running, but that also can be easily achieved with LD_PRELOAD by using a 2-stage loading process.

  5. #5 flo8464 (Active Member)
    Originally Posted by kouteiheika:
        Generally there isn't really much of a point in doing this as it's usually easier to just use the LD_PRELOAD trick, though it can be a bit challenging to make an LD_PRELOAD hack in a scripting language; I've made one in Ruby and it required some creative stack pointer manipulation and jumping around to get it to work properly. The only other advantage I can think of that this method has is that you can restart your hack/bot/whatever while WoW is running, but that also can be easily achieved with LD_PRELOAD by using a 2-stage loading process.
    On Windows injection is also easier and people are still writing out-of-process bots. So I guess it's ok to work out-of-process on Linux, especially as it is extremely safe. (Without massive hacking there's no chance to detect a passive Linux bot)


    @klipeto: You might want to take a look at my library, it's written in C++ and does many things you like to do:
    http://www.mmowned.com/forums/world-...g-library.html

  6. #6 kouteiheika (Private)
    Originally Posted by flo8464:
        On Windows injection is also easier and people are still writing out-of-process bots. So I guess it's ok to work out-of-process on Linux, especially as it is extremely safe. (Without massive hacking there's no chance to detect a passive Linux bot)
    Well, on Windows people write out-of-process bots as it's supposedly safer, right? On Linux, on the other hand, an LD_PRELOAD hack is just as safe as such an out-of-process hack.

  7. #7 namreeb (Legendary)
    People write out-of-process bots because they have fallen for the fallacy that it is supposedly safer. It is not inherently safer. I think most people stay out of process because they don't know how to inject.

  8. #8 Cypher (Kynox's Sister's Pimp)
    Originally Posted by namreeb:
        People write out-of-process bots because they have fallen for the fallacy that it is supposedly safer. It is not inherently safer. I think most people stay out of process because they don't know how to inject.
    Injection is scary and dangerous.

  9. #9 klipeto (Private)
    Thank you, guys.

    I'm just a noob learning some memory stuff first. Later I might try some injection.

    @kouteiheika: I know about the LD_PRELOAD thread. Good info there.

    @flo8464: great lib, thank you. Even though I'm not going to use C and I don't need so many features like scanning yet, I might get some inspiration.

  10. #10 MaiN (Elite User)
    Originally Posted by Cypher:
        Injection is scary and dangerous.
    It's only dangerous if you don't have your ring 0 proxies running.

  11. #11 suicidity (Contributor)
    Originally Posted by MaiN:
        It's only dangerous if you don't have your ring 0 proxies running.
    or when you accidentally destroy the PEB and kernel ring 3 can't find it. This problem is put best in peterslone's words..

    ..or this image.


  12. #12 Cypher (Kynox's Sister's Pimp)
    Hahahahaha. Epic.
