Thread Local Storage (Way to get object manager)

**~~Amrok~~** · 09-10-2011

Stupid Ad is stupid --->

Hi,

i took a look at this old object dumper by kynox... he is using another method of getting the object manager...

Code:

DWORD GetObjManager( void )
{
	THREADENTRY32 lpThreadEntry = {0};
	HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, PROC_ID);
	if(hSnapShot == INVALID_HANDLE_VALUE)
		throw GetSnapshotHandleException;
	lpThreadEntry.dwSize = sizeof(lpThreadEntry);
	BOOL bThread = Thread32First(hSnapShot, &lpThreadEntry);
	while(bThread)
	{
		if(lpThreadEntry.th32OwnerProcessID == PROC_ID)
		{
			HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, false, lpThreadEntry.th32ThreadID);
			if(!hThread)
				throw GetThreadHandleException;
			CONTEXT ctx = {CONTEXT_SEGMENTS};
			LDT_ENTRY ldtEntry;
			GetThreadContext(hThread, &ctx);
			GetThreadSelectorEntry(hThread, ctx.SegFs, &ldtEntry);
			DWORD dwThreadBase = ldtEntry.BaseLow|(ldtEntry.HighWord.Bytes.BaseMid<<16)|(ldtEntry.HighWord.Bytes.BaseHi<<24);
			CloseHandle(hThread);
			DWORD ObjManager = ReadOffset<DWORD>(ReadOffset<DWORD>(ReadOffset<DWORD>(dwThreadBase+0x2C))+0x10);
			return ObjManager;
		}
		bThread = Thread32Next(hSnapShot, &lpThreadEntry);
	}
	CloseHandle(hSnapShot);
	return NULL;
}

But for some reason it does not work with WoW 4.2.2

This should return the same as:

Code:

ReadOffset<DWORD>(ReadOffset<DWORD>(ModuleBase + g_clientConnection) + s_curMgr)

I'd really prefer the TLS method of getting the object manager.. However it just does not work :\

**lanman92** · 09-10-2011

Stupid thread is stupid.... Why make it harder than it has to be? Just use the second method you showed.

**~~Amrok~~** · 09-10-2011

Originally Posted by lanman92

Stupid thread is stupid.... Why make it harder than it has to be? Just use the second method you showed.

Because if i get this to work my tool works with almost every patch

GTFO static pointers i hate u

**sitnspinlock** · 09-10-2011

heh I thought I was the only one that did this. I use my own implementation though, just enumerate the threads in start time order. The first one should be your thread of interest. Then use ntqueryinformationthread to grab the base of the thread environment block.

**~~Amrok~~** · 09-10-2011

Originally Posted by everdox

heh I thought I was the only one that did this. I use my own implementation though, just enumerate the threads in start time order. The first one should be your thread of interest. Then use ntqueryinformationthread to grab the base of the thread environment block.

Thanks

Now i'll have to understand how to use that NtQueryInformationThread in my case... :\

**Cypher** · 09-10-2011

If you're injected you can avoid all the threading APIs and get access to TLS via compiler intrinsics (__readfsdword). Obviously though you need to have an EndScene hook set up for that to work.

http://msdn.microsoft.com/en-us/libr...(v=vs.80).aspx

**~~Amrok~~** · 09-10-2011

I got it working now

The above code is correct just offsets were wrong.

Solution:
[[[ThreadBase+0x2C]]+0x8] instead of [[[ThreadBase+0x2C]]+0x10]

**flo8464** · 09-10-2011

Originally Posted by Cypher

If you're injected you can avoid all the threading APIs and get access to TLS via compiler intrinsics (__readfsdword). Obviously though you need to have an EndScene hook set up for that to work.

__readfsbyte, __readfsdword, __readfsqword, __readfsword (C++)

He might call NtCurrentTeb directly.

Or even better: EnumVisibleObjects.

Shout-Out

User Tag List

Thread: Thread Local Storage (Way to get object manager)

Thread Tools

Search Thread

Thread Local Storage (Way to get object manager)

Similar Threads

Lazy leecher question: easy way to get quest objectives?

[help] Getting a firm grip on the object manager...

Help understanding the object manager, and getting information on a target

[Request] A way to get Object Doodad display IDS from WoW Viewer or...

Easy way to get object sizes

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino