[C++] VEH Breakpoints Not Working

#1 adapa (Sergeant, joined Jul 2011)

    Hello all, let me start first by saying that with the VEH code, I just copy/pasted and modified it. And I know that my injector is probably really messy, but I only need to test what registers hold and then I don't really use it anymore. I will include both however. My problem is that the location of the VEH is not breaking. I think there is a problem with my injector... but maybe not. I have no idea.

    This is also not working with the example program the person uploaded it with, which should work with the program he provided. I am using Vista x32 (I know... don't laugh). Any help would be appreciated.

    DLL Injector (pretty crappy... sorry for bad code, I hate it too!)
    Code:
    #include <windows.h>
    #include <stdio.h>
    #include <iostream>
    using namespace std;
    
    int main()
    {
    	HWND		hWndProcess;
    	DWORD		dwThreadId;
    	HMODULE		hInjected;
    	HOOKPROC	hDummieProc;
    
    	hWndProcess = FindWindow(NULL, TEXT("World of Warcraft"));
    
    	dwThreadId = GetWindowThreadProcessId(hWndProcess, NULL);
    
    	if (hWndProcess == 0 || dwThreadId == 0)
    	{
    		MessageBox(NULL, TEXT("Unable to gain thread id!"), TEXT("ERROR"), MB_OK);
    		return 0;
    	}
    
    	hInjected = LoadLibrary(TEXT("VEHBP.DLL"));
    	hDummieProc = (HOOKPROC)GetProcAddress(hInjected, "_DummieCallback@12");
    
    	if (hInjected == NULL || hDummieProc == NULL)
    	{
    		MessageBox(NULL, TEXT("Unable to inject DLL!"), TEXT("ERROR"), MB_OK);
    		FreeLibrary(hInjected);
    		return 0;
    	}
    
    	SetWindowsHookEx(WH_CALLWNDPROC, hDummieProc, (HINSTANCE)hInjected, dwThreadId);
    
    	std::cout << "\n\n";
    	std::cout << "Waiting for you to exit...";
    	while(true)
    	{
    		std::cout << " ...";
    		Sleep(1000);
    	}
    	return 0;
    
    }
    VEHBP.DLL (VEH code), source/credit: Hardware Breakpoints and Structured/Vectored Exception Handling | RCE Endeavors
    Code:
    #include <Windows.h>
    #include <TlHelp32.h>
    #include <stdio.h>
    #include <string.h>   // strlen, memcpy
    #include <limits.h>   // INT_MAX
    
    extern "C" __declspec(dllexport) LRESULT CALLBACK DummieCallback(int nCode, WPARAM wParam, LPARAM lParam);
    
    const DWORD func_addr = 0xXXXXXXXX;                  //Input your addr
    const DWORD func_addr_offset = func_addr + 0x1;
    
    void print_parameters(PCONTEXT debug_context) {
        printf("EAX: %X EBX: %X ECX: %X EDX: %X\n",
            debug_context->Eax, debug_context->Ebx, debug_context->Ecx, debug_context->Edx);
        printf("ESP: %X EBP: %X\n",
            debug_context->Esp, debug_context->Ebp);
        printf("ESI: %X EDI: %X\n",
            debug_context->Esi, debug_context->Edi);
        printf("Parameters\n"
            "HWND: %X\n"
            "text: %s\n"
            "length: %i\n",
            (HWND)(*(DWORD*)(debug_context->Esp + 0x4)),
            (char*)(*(DWORD*)(debug_context->Esp + 0x8)),
            (int)(*(DWORD*)(debug_context->Esp + 0xC)));
        
    }
    
    void modify_text(PCONTEXT debug_context) {
        char* text = (char*)(*(DWORD*)(debug_context->Esp + 0x8));
        int length = strlen(text);
        _snprintf(text, length, "REPLACED");
    }
    
    // Landing pad used after the breakpoint fires: it replays the instruction that sits at
    // func_addr (assumed to be the 1-byte push ebp) and jumps to func_addr + 1, so the thread
    // resumes past the breakpoint address and the execution breakpoint does not fire again.
    void __declspec(naked) change_text_stub(void) {
        __asm {
            push ebp
            jmp [func_addr_offset]
        }
    }
    
    LONG WINAPI ExceptionFilter(PEXCEPTION_POINTERS ExceptionInfo) {
        if(ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) {
            if((DWORD)ExceptionInfo->ExceptionRecord->ExceptionAddress == func_addr) {
                PCONTEXT debug_context = ExceptionInfo->ContextRecord;
                printf("Breakpoint hit!\n");
                print_parameters(debug_context);
                modify_text(debug_context);
                debug_context->Eip = (DWORD)&change_text_stub;
                return EXCEPTION_CONTINUE_EXECUTION;
            }
        }
        return EXCEPTION_CONTINUE_SEARCH;
    }
    
    void set_breakpoints(void) {
        HANDLE hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if(hTool32 != INVALID_HANDLE_VALUE) {
            THREADENTRY32 thread_entry32;
            thread_entry32.dwSize = sizeof(THREADENTRY32);
            FILETIME exit_time, kernel_time, user_time;
            FILETIME creation_time;
            FILETIME prev_creation_time;
            prev_creation_time.dwLowDateTime = 0xFFFFFFFF;
            prev_creation_time.dwHighDateTime = INT_MAX;
            HANDLE hMainThread = NULL;
            if(Thread32First(hTool32, &thread_entry32)) {
                do {
                    if(thread_entry32.dwSize >= FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(thread_entry32.th32OwnerProcessID)
                        && thread_entry32.th32OwnerProcessID == GetCurrentProcessId()
                        && thread_entry32.th32ThreadID != GetCurrentThreadId()) {
                            HANDLE hThread = OpenThread(THREAD_SET_CONTEXT | THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME,
                                FALSE, thread_entry32.th32ThreadID);
                            // OpenThread or GetThreadTimes can fail (thread already gone, access denied);
                            // skip such a thread instead of comparing an uninitialised creation_time.
                            if(hThread != NULL
                                && GetThreadTimes(hThread, &creation_time, &exit_time, &kernel_time, &user_time)
                                && CompareFileTime(&creation_time, &prev_creation_time) == -1) {
                                // Oldest thread seen so far: treat it as the main thread.
                                memcpy(&prev_creation_time, &creation_time, sizeof(FILETIME));
                                if(hMainThread != NULL)
                                    CloseHandle(hMainThread);
                                hMainThread = hThread;
                            }
                            else if(hThread != NULL)
                                CloseHandle(hThread);
                    }
                    thread_entry32.dwSize = sizeof(THREADENTRY32);
                } while(Thread32Next(hTool32, &thread_entry32));
                AddVectoredExceptionHandler(1, ExceptionFilter);
                if(hMainThread != NULL) {
                    // Dr0 holds the address; Dr7 bit 0 is the local enable for slot 0 with
                    // RW0 = LEN0 = 0, i.e. a 1-byte execution breakpoint that raises
                    // EXCEPTION_SINGLE_STEP when the thread reaches func_addr.
                    CONTEXT thread_context = {CONTEXT_DEBUG_REGISTERS};
                    thread_context.Dr0 = func_addr;
                    thread_context.Dr7 = (1 << 0);
                    // MSDN: do not set the context of a running thread; suspend it first.
                    SuspendThread(hMainThread);
                    SetThreadContext(hMainThread, &thread_context);
                    ResumeThread(hMainThread);
                    CloseHandle(hMainThread);
                }
            }
            CloseHandle(hTool32);
        }
    }
    
    int APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID reserved) {
        if(reason == DLL_PROCESS_ATTACH) {
            DisableThreadLibraryCalls(hModule);
            if(AllocConsole()) {
                freopen("CONOUT$", "w", stdout);
                SetConsoleTitle(L"Console");
                SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
                printf("DLL loaded.\n");
            }
            set_breakpoints();
    
            printf("waiting for offset to be called...");
        }
        return TRUE;
    }
    
    extern "C" __declspec(dllexport) LRESULT CALLBACK DummieCallback(int nCode, WPARAM wParam, LPARAM lParam)
    {
    
    	///////////
    	// This function is used for SetWindowsHookEx.
    	// We don't really care what it returns, but it's needed for the
    	// way I'm trying to do this.
    	//////////
    	return CallNextHookEx(NULL, nCode, wParam, lParam);
    
    }
    Last edited by adapa; 08-17-2011 at 09:26 PM.

#2 sitnspinlock (Elite User, joined Sep 2010)
    I don't think you should be using someone else's code without really knowing what is going on ;p You should take the formal approach.

    Before you even move on to the address space of another program, you should really run a few tests in your own program's address space to understand what a VEH is and how it works.

    Firstly, read here: AddVectoredExceptionHandler Function (Windows)

    Secondly, for how the actual callback function should look, take a look here: VectoredHandler

    That code you posted is really messy and I really didn't want to look at it.. my eyes hurt already, but I see you are using SetWindowsHookEx to inject a DLL into a single target app, which is quite unfeasible. Save that route for a user-mode rootkit or something.. but actually please don't.

    You should look into the use of CreateRemoteThread.
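    The reply above suggests understanding the VEH mechanics before touching another process. The following is an added example, not code from this thread or from the RCE Endeavors article the DLL was taken from: a portable model of the two pieces the posted DLL relies on, the DR7 bit layout behind `thread_context.Dr7 = (1 << 0)` and the accept/decline decision the vectored handler makes. It builds without `<Windows.h>`, so `EXCEPTION_SINGLE_STEP` and the two return codes are stand-ins with their documented numeric values, and `debug_regs` is a constructed stand-in for the Dr0..Dr7 members of a 32-bit CONTEXT. It goes beyond the thread's single execution breakpoint and covers all four slots plus write and read/write watchpoints. The same Dr0..Dr7 layout is what anti-debug and anti-cheat checks read back with GetThreadContext, so being able to decode a DR7 value is equally useful when triaging why a process behaves differently under a hardware breakpoint.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the Windows values the thread's DLL uses, so this file
 * builds without <Windows.h>. The numeric codes are the documented ones. */
#define EXCEPTION_SINGLE_STEP        0x80000004u
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#define EXCEPTION_CONTINUE_SEARCH    0

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"), for slot n in 0..3:
 *   bit 2n          Ln   local enable
 *   bit 2n+1        Gn   global enable
 *   bits 16+4n,+1   RWn  00 = execute, 01 = write, 11 = read or write
 *   bits 18+4n,+1   LENn 00 = 1 byte, 01 = 2 bytes, 11 = 4 bytes
 * So Dr7 = (1 << 0) in the DLL means: slot 0 locally enabled, RW0 = execute,
 * LEN0 = 1 byte, i.e. an execution breakpoint at the address in Dr0.
 * DR6 reports which slot fired in bits B0..B3 (bits 0..3). */
enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_READWRITE = 3 };

/* Constructed stand-in for the Dr0..Dr7 members of a 32-bit CONTEXT. */
typedef struct {
    uint32_t dr[4];
    uint32_t dr6;
    uint32_t dr7;
} debug_regs;

/* Program `slot` with an address, access kind and length in bytes (1, 2 or 4).
 * Execution breakpoints must use length 1. Returns 0 on success, -1 on bad input. */
int dr_set_breakpoint(debug_regs *r, int slot, uint32_t addr, enum bp_kind kind, int len)
{
    uint32_t len_bits;
    if (slot < 0 || slot > 3) return -1;
    if (kind == BP_EXEC && len != 1) return -1;
    switch (len) {
    case 1: len_bits = 0; break;
    case 2: len_bits = 1; break;
    case 4: len_bits = 3; break;
    default: return -1;
    }
    /* Clear the slot's enable and condition bits before re-programming it. */
    r->dr7 &= ~((3u << (2 * slot)) | (0xFu << (16 + 4 * slot)));
    r->dr[slot] = addr;
    r->dr7 |= 1u << (2 * slot);                    /* Ln: local enable */
    r->dr7 |= (uint32_t)kind << (16 + 4 * slot);   /* RWn */
    r->dr7 |= len_bits << (18 + 4 * slot);         /* LENn */
    return 0;
}

/* Disarm `slot` again: clears its enable and condition bits and the address. */
int dr_clear_breakpoint(debug_regs *r, int slot)
{
    if (slot < 0 || slot > 3) return -1;
    r->dr7 &= ~((3u << (2 * slot)) | (0xFu << (16 + 4 * slot)));
    r->dr[slot] = 0;
    return 0;
}

/* Which slot does a DR6 value say fired? Returns 0..3, or -1 if none of B0..B3 is set. */
int dr_fired_slot(uint32_t dr6)
{
    int slot;
    for (slot = 0; slot < 4; slot++)
        if (dr6 & (1u << slot))
            return slot;
    return -1;
}

/* The decision the DLL's ExceptionFilter makes, made explicit: claim the exception only
 * if it is a single-step trap, DR6 names a slot that is armed, and the faulting address
 * is that slot's address. Everything else is passed on to the next handler.
 * Note: resuming at the same address without changing Eip (or setting the RF flag in
 * EFlags) re-triggers an execution breakpoint at once; the DLL avoids this by pointing
 * Eip at change_text_stub, which replays the first instruction and jumps past the address. */
int veh_decision(uint32_t code, uint32_t address, const debug_regs *r)
{
    int slot;
    if (code != EXCEPTION_SINGLE_STEP)
        return EXCEPTION_CONTINUE_SEARCH;
    slot = dr_fired_slot(r->dr6);
    if (slot < 0 || !(r->dr7 & (1u << (2 * slot))))
        return EXCEPTION_CONTINUE_SEARCH;
    if (address != r->dr[slot])
        return EXCEPTION_CONTINUE_SEARCH;
    return EXCEPTION_CONTINUE_EXECUTION;
}

int main(void)
{
    debug_regs r;
    memset(&r, 0, sizeof r);
    /* Constructed sample: an execution breakpoint at 0x00401000 like the DLL's Dr0,
     * plus a 4-byte write watchpoint in slot 1 at 0x00402000. */
    dr_set_breakpoint(&r, 0, 0x00401000u, BP_EXEC, 1);
    dr_set_breakpoint(&r, 1, 0x00402000u, BP_WRITE, 4);
    printf("Dr7 = 0x%08X\n", r.dr7);
    r.dr6 = 1u; /* what the CPU reports after slot 0 fires */
    printf("decision for single-step at 0x00401000: %d\n",
           veh_decision(EXCEPTION_SINGLE_STEP, 0x00401000u, &r));
    return 0;
}
```

    On Windows the same encoding goes into `CONTEXT.Dr0..Dr3` and `CONTEXT.Dr7` with `ContextFlags = CONTEXT_DEBUG_REGISTERS`, and `veh_decision` corresponds to the `ExceptionCode`/`ExceptionAddress` test in the DLL's `ExceptionFilter`, with `ContextRecord->Dr6` telling the handler which slot fired instead of comparing against a single hard-coded address.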

#3 adapa (Sergeant, joined Jul 2011)
    Originally Posted by everdox
    I don't think you should be using someone else's code without really knowing what is going on ;p You should take the formal approach.

    Before you even move on to the address space of another program, you should really run a few tests in your own program's address space to understand what a VEH is and how it works.

    Firstly, read here: AddVectoredExceptionHandler Function (Windows)

    Secondly, for how the actual callback function should look, take a look here: VectoredHandler

    That code you posted is really messy and I really didn't want to look at it.. my eyes hurt already, but I see you are using SetWindowsHookEx to inject a DLL into a single target app, which is quite unfeasible. Save that route for a user-mode rootkit or something.. but actually please don't.

    You should look into the use of CreateRemoteThread.
    Indeed you are correct; the injector is just something simple that does work. I guess what I am really asking is that the example the guy gave (the DLL) doesn't work with the example program he made. I learn best by examples, and by fiddling around with things and looking up the functions on MSDN. His source doesn't want to work, and I wasn't aware if it was my injector or not.

    But thanks for the fast reply. I guess it's back to the drawing board of having to, once again, program from scratch after getting done rewriting other tools. tsk tsk tsk. -_-;;

    --EDIT-- AUGUST 20/2011

    The DLL works; the injector was the problem. Remade with a CreateRemoteThread. But it seems that battle.net.dll is throwing it off; anything after login and before login works perfectly. *sigh*
    Last edited by adapa; 08-20-2011 at 09:09 PM.

#4 Bananenbrot (Contributor, joined Nov 2009)
    I'm injecting via a Windows hook too and it's quite unproblematic...
    You don't have to suspend the main thread (which I would recommend while applying the first detour), and you can be sure to access internals in a valid state while setting up your session.
    Messing around with DllMain isn't a problem either, since you can do your stuff in the API hook. If you properly unhook, the bootstrap DLL is even unloaded from the process.
    And of course, it's more rebellious than the standard CreateRemoteThread thing.
