C# DLL Injection and Hooking Endscene with WhiteMagic

  1. #1 rlane187 (Member)

    I am learning to put a bot together. I am writing it in C#. I use a bootstrap DLL to load the .NET Framework. Browsing the PE shows me that the CLR is loaded. Now I am moving on to trying to hook Endscene. I found what very well may be the example I need http://www.ownedcore.com/forums/worl...k-example.html ([Source] C# EndScene hook example), but MegaUpload is dead and I cannot get a look at anything. I read Apoc's example of how to hook Endscene and I am 100% certain I am getting it wrong. Basically, I am trying to hook Endscene after I select the client I want to run the bot on, and I am doing it from inside the bot program. Below is the code; I know you guys hate cut and paste and I am not looking to be spoonfed, so I will try to keep this to a minimum.
    Code:
    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Runtime.InteropServices;
    using System.Text;
    using System.Windows.Forms;
    using WhiteMagic;
    
    namespace WoWEmuBot
    {
        public partial class FormSetup : Form
        {
            #region Properties
            private Infrastructure.WindowInfo WInfo
            {
                get;
                set;
            }
    
            private List<Infrastructure.WindowInfo> WInfoList
            {
                get;
                set;
            }
            #endregion 
    
            #region Endscene Hooking Setup
    
            [UnmanagedFunctionPointer(CallingConvention.Winapi)]
            public delegate int EndSceneDelegate(IntPtr instance);
    
            private static readonly EndSceneDelegate EndSceneHandler = EndScene;
    
            private static readonly WhiteMagic.Magic white = new WhiteMagic.Magic();
    
            private static int EndScene(IntPtr instance)
            {
                // Pulse();
                MessageBox.Show("EndScene");
                return (int)white.Detours["EndScene"].CallOriginal(instance);
            }
    
            #endregion
    
            public FormSetup()
            {
                InitializeComponent();
            }
    
            private void buttonFindClients_Click(object sender, EventArgs e)
            {
                WInfo = new Infrastructure.WindowInfo();
                WInfoList = WInfo.GetWindowList("Wow");
                this.comboBoxClientSelect.DataSource = WInfoList;
                this.comboBoxClientSelect.DisplayMember = "DisplayName";
                this.comboBoxClientSelect.ValueMember = "ProcessID";
            }
    
            private void buttonSelectClient_Click(object sender, EventArgs e)
            {
                Magic.BlackMagic magic = new Magic.BlackMagic();
                magic.OpenProcessAndThread(WInfoList[this.comboBoxClientSelect.SelectedIndex].ProcessID);
                string path = AppDomain.CurrentDomain.BaseDirectory;
                string DLL = path + "Bootstrap.dll";
                magic.InjectDllCreateThread(DLL);
                IntPtr endSceneAddr = white.GetObjectVtableFunction(white.Read<IntPtr>(0x0123E908, 0x397C), 42); // This is where my problem is.
                white.Detours.CreateAndApply(white.RegisterDelegate<EndSceneDelegate>(endSceneAddr), EndSceneHandler, "EndScene");
                
            }
        }
    }
    At the commented line above (I did find a post where someone else had trouble at the same spot, but no solution), I get an exception that it is trying to read protected memory. If I just try to read the address I get an exception that it is null. I believe there is a fundamental disconnect between my understanding of what I think needs to happen and what actually needs to happen.
    So now come the very basic and very stupid questions that will improve my understanding if I can get them answered:

    1. I have the .NET runtime loaded in WoW. I am having trouble understanding how I can Marshal a function in WoW and call it in the program I wrote. They do not share the same memory space, do they?
    2. It feels like I should be putting all of these functions in a framework and packing them onto the DLL that gets pulled into the client. If that is the case, how do I call them from my program. They are different AppDomains, aren't they?

    In the interim, I am dissecting babbot and trying to discern how to hook Endscene with EasyHook to try to improve my understanding, but I would still like to learn to use WhiteMagic; it looks like a really nice tool.

    I know the offsets are off from Live. I am messing around with the 3.3.5 12340 client at the moment.

  2. #2 miceiken (Contributor)
    Read up on ASLR, and find out how to rebase the offset. Search before creating a new thread.

  3. #3 rlane187 (Member)
    I have read several posts about offsets and ASLR. I would post them, but I am restricted on how many URLs I have in my posts. The most helpful was http://www.ownedcore.com/forums/worl...r-enabled.html (Finding the BaseAddress when ASLR is enabled).
    On my machine, Wow.exe is at 0x400000. But after reading about ASLR, I think it would be better to use Process.GetModule("Wow.exe").BaseAddress every time I run. Based on what I read, the offsets I got are from IDA and have not been rebased. In order to rebase them I just need to add the Base Address of Wow.exe to them. Is that correct, or am I missing something else?

  4. #4 miceiken (Contributor)
    First subtract 0x400000 and then add base address.

  5. #5 ~Unknown~ (Contributor)
    Originally Posted by miceiken:
    > First subtract 0x400000 and then add base address.
    This^. I'm also lazy so I usually rebase my whole IDA DB each patch so addresses have 0x400000 subtracted, but that's personal preference.
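Added example, not code from this thread: a small Python helper that reads the preferred ImageBase and the ASLR opt-in flag (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) out of a PE header, then applies the rebasing miceiken and ~Unknown~ describe (subtract the preferred base, add the base the loader actually chose). The PE header bytes and the runtime base 0x00D90000 are constructed here for demonstration; only 0x0123E908 comes from the thread.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in bit in DllCharacteristics
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def read_pe_header_info(image: bytes) -> dict:
    """Return the preferred ImageBase and whether the image opts into ASLR."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:          # 32-bit: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:    # 64-bit: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {"image_base": image_base,
            "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)}


def rebase(ida_address: int, image_base: int, runtime_base: int) -> int:
    """Convert an address as IDA shows it (relative to the preferred ImageBase)
    to where it lands once the loader has relocated the module to runtime_base."""
    rva = ida_address - image_base
    if rva < 0:
        raise ValueError("address lies below the preferred image base")
    return runtime_base + rva


def build_sample_header(image_base: int, dll_chars: int, magic: int = PE32_MAGIC) -> bytes:
    """Constructed, non-loadable PE header used only to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    if magic == PE32_MAGIC:
        struct.pack_into("<I", opt, 28, image_base)
    else:
        struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

If the flag is clear the module loads at its preferred base and the rebasing is a no-op; if it is set, the difference between the two bases is exactly why a hardcoded 0x0123E908 faults.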

  6. #6 _Mike (Contributor)
    I might be wrong here as I have never personally used BlackMagic & WhiteMagic; but if I remember correctly, White is meant to be running in the context of the target application, which in your case currently is the loader app. Probably not what you intended.

    > 1. I have the .NET runtime loaded in WoW. I am having trouble understanding how I can Marshal a function in WoW and call it in the program I wrote. They do not share the same memory space, do they?
    Correct, you can't call it directly. Create a remote thread or implement some kind of cross-process communication if you want to call wow's functions from another app.
    Last edited by _Mike; 01-26-2012 at 10:34 AM.

  7. #7 Aftiagouras (Member)
    I think you have misunderstood some things.
    Here's what you need:
    1. Injector app
    2. Native Bootstrap DLL (probably written in C++)
    3. Bot app to be loaded and executed by your bootstrap (along with the CLR) inside the target program.
    You should not use WhiteMagic in your injector but in your bot. That's where you hook Endscene from.
    You can use a Domain manager between 2 and 3 so you can load/unload your bot without closing the program. Helps a ton when debugging/testing stuff. Search for Apoc's domain manager.
    Also most functions in wow need to be run from its main thread so make sure the execution path starts from your Endscene "pulse" when calling such functions.
    Good luck.
