64 bit WoW and remote thread

  1. #1 mixtape (Private)

    64 bit WoW and remote thread

    I am currently trying to inject a thread into 64-bit WoW from my program. Yes, the codecave is 64-bit code; that's not what is causing the issue. GetLastError() claims that the call to CreateRemoteThread failed with access denied. But I have full access rights, and it works on 32-bit WoW. There is nothing wrong with my code. I don't know why I would get this issue; any input would be great.

  2. #2 ccKep (Member)
    Google results suggest you're missing PROCESS_VM_READ when opening the process. If that's not the case, you might want to post some code snippets.
    Also, make sure your injecting program is compiled for 64-bit.
    Last edited by ccKep; 05-06-2012 at 06:43 PM.

  3. #3 mixtape (Private)
    It is PROCESS_ALL_ACCESS actually, and the handle is returned fine. It works fine on 32-bit processes, but not 64-bit ones.

  4. #4 mixtape (Private)
    Edit: so I guess a 32-bit process can't inject a thread into a 64-bit one?

  5. #5 ccKep (Member)
    Originally Posted by mixtape:
        Edit: so I guess a 32-bit process can't inject a thread into a 64-bit one?
    Aye. Recompile your injector for x64 and it should work.
    StackOverflow: CreateRemoteThread 32->64 and/or 64->32

  6. #6 sitnspinlock (Elite User)
    Originally Posted by mixtape:
        Edit: so I guess a 32-bit process can't inject a thread into a 64-bit one?
    You can, but it would be a very unportable solution. I don't really want to get too deep in the water here, but..

    ntdll32!NtCreateThreadEx -> WoW64 system service dispatcher -> NtQueryInformationProcess with infoclass 0x26 (check MSDN) to determine if the target process is running in the WoW64 emulator or not. If it is, it simply returns with STATUS_ACCESS_DENIED. Otherwise, with a 64-bit stack, it will go on to call the x64 NtCreateThreadEx. So you can patch that jump and it works fine for homebrew, but WoW64 binaries change with almost every Windows update, so there goes portability, and you would also have to walk the x64 PEB from your x86 process. More trouble than it's worth.

    So your obvious solution here is to just go with what ccKep already stated: just build a 64-bit application.

  7. #7 _Mike (Contributor)
    Originally Posted by everdox:
        ntdll32!NtCreateThreadEx -> WoW64 system service dispatcher -> NtQueryInformationProcess with infoclass 0x26 (check MSDN) to determine if the target process is running in the WoW64 emulator or not. If it is, it simply returns with STATUS_ACCESS_DENIED.
    IsWow64Process() is an alternative. Technically it uses NTQIP internally. I know you knew this already, but for the OP it's probably a better choice. (And I apologize if I'm underestimating your ability, mixtape. No offence intended.)

    [Edit: I misunderstood what you were saying when I first posted this. You were explaining how NtCreateThreadEx works internally, but I thought you were explaining how to detect a 64-bit application. Sorry about that.]

    Originally Posted by everdox:
        Otherwise, with a 64-bit stack, it will go on to call the x64 NtCreateThreadEx. So you can patch that jump and it works fine for homebrew, but WoW64 binaries change with almost every Windows update, so there goes portability, and you would also have to walk the x64 PEB from your x86 process. More trouble than it's worth.

        So your obvious solution here is to just go with what ccKep already stated: just build a 64-bit application.
    No WoW64 patching needed. Assemble with yasm and link with your application. You could potentially also use inline assembly and 'emit' the byte code, or use a function pointer pointing to a byte array if you want to complicate it even more.
    Might also be possible to do with AsmJit. I haven't tested if you can use its 64-bit assembler from a 32-bit app.
    Code:
    CreateRemoteThread64:
      bits 32
      ; [set up stack]
      db 9Ah                        ; far call opcode (call ptr16:32)
      dd create_thread_proxy64      ; 32-bit target offset (yasm/nasm syntax has no 'offset' keyword)
      dw 33h                        ; 16-bit selector 33h: the 64-bit code segment; the far pointer is 4+2 bytes, so a single 'db' here leaves the selector half-formed
      ; [clean up stack and return]
    
    create_thread_proxy64:
      bits 64
      ; [set up stack]
      call ntdll64!NtCreateThreadEx ; or use syscall directly (x64 Windows does not enter the kernel via sysenter)
      ; [possibly wait for the thread to complete and get the exit code]
      ; [clean up stack]
      bits 32
      retf                          ; pops the 32-bit EIP and CS (23h) pushed by the far call, returning to compatibility mode
    
    // Then in your C(++) code it's as simple as calling
    exit_code = CreateRemoteThread64(target_handle, thread_start_address, thread_args);
    I'm not sure about the portability of using syscall. Is the system call numbering the same between Windows versions?
    You'd also need to write your own GetProcAddress64 to get the address of ntdll64!NtCreateThreadEx if you go that route. The link below has an example of how to get the address of ntdll64 using the 64-bit PEB, and the PE+ format is well documented.
    But yes, a 64-bit application is the way to go unless you are just doing this for the learning experience. And the fact that it's incredibly cool to do everything from a single binary.

    Credits to Heaven’s Gate: 64-bit code in 32-bit file | wasnt nate for publishing info on the call gate.
    Last edited by _Mike; 05-06-2012 at 08:50 PM.
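The check the thread converges on in #5 through #7, written out as an added example rather than code from any of the posters: before calling CreateRemoteThread, compare the injector's bitness with the target's (via IsWow64Process) and refuse the cross-bitness case with a clear message instead of the bare ERROR_ACCESS_DENIED the OP saw. The decision logic is plain C in check_bitness() so it compiles anywhere; the Windows calls are guarded with _WIN32. The names check_bitness, inject_thread and os_is_64bit are mine, and using kernel32's ExitThread as the remote start routine assumes kernel32 is mapped at the same base in both processes, which holds for same-bitness processes within one boot.

```c
/*
 * Added example (not from the thread). A 32-bit (WoW64) injector cannot
 * create a thread in a native 64-bit process: WoW64 fails the call with
 * STATUS_ACCESS_DENIED, which GetLastError() reports as ERROR_ACCESS_DENIED.
 * So check bitness first, and build the injector as x64 for a 64-bit client.
 */
#include <stdio.h>
#include <stdlib.h>

typedef enum {
    BITNESS_MATCH = 0,              /* CreateRemoteThread can proceed */
    BITNESS_INJECTOR_32_TARGET_64,  /* the OP's case: rebuild the injector as x64 */
    BITNESS_INJECTOR_64_TARGET_32   /* the mirror case: rebuild the injector as x86 */
} bitness_check_t;

/*
 * injector_is_64:  sizeof(void *) == 8 in the injector itself.
 * os_is_64:        the OS is 64-bit (we are WoW64, or we are native 64-bit).
 * target_is_wow64: what IsWow64Process reports for the target handle.
 * On a 32-bit OS IsWow64Process reports FALSE for everything, so "not WoW64"
 * only means "64-bit process" when the OS is 64-bit.
 */
bitness_check_t check_bitness(int injector_is_64, int os_is_64, int target_is_wow64)
{
    int target_is_64 = os_is_64 && !target_is_wow64;
    if (injector_is_64 == target_is_64) return BITNESS_MATCH;
    return injector_is_64 ? BITNESS_INJECTOR_64_TARGET_32
                          : BITNESS_INJECTOR_32_TARGET_64;
}

#ifdef _WIN32
#include <windows.h>

/* 1 when the OS is 64-bit: either this process is 64-bit or it runs under WoW64. */
static int os_is_64bit(void)
{
    BOOL wow64 = FALSE;
    if (sizeof(void *) == 8) return 1;
    if (!IsWow64Process(GetCurrentProcess(), &wow64)) return 0;
    return wow64 ? 1 : 0;
}

/* Open the target, verify bitness, then create and wait for the remote thread. */
static int inject_thread(DWORD pid, LPTHREAD_START_ROUTINE start, LPVOID arg)
{
    HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!h) { printf("OpenProcess failed: %lu\n", GetLastError()); return 0; }

    BOOL target_wow64 = FALSE;
    if (!IsWow64Process(h, &target_wow64)) {
        printf("IsWow64Process failed: %lu\n", GetLastError());
        CloseHandle(h); return 0;
    }
    switch (check_bitness(sizeof(void *) == 8, os_is_64bit(), target_wow64)) {
    case BITNESS_INJECTOR_32_TARGET_64:
        printf("target is 64-bit but this injector is 32-bit: rebuild as x64\n");
        CloseHandle(h); return 0;
    case BITNESS_INJECTOR_64_TARGET_32:
        printf("target is 32-bit but this injector is 64-bit: rebuild as x86\n");
        CloseHandle(h); return 0;
    default: break;
    }
    /* 'start' must be valid inside the target: a codecave you wrote there,
       or a function of a DLL mapped at the same base in both processes. */
    HANDLE t = CreateRemoteThread(h, NULL, 0, start, arg, 0, NULL);
    if (!t) {
        printf("CreateRemoteThread failed: %lu\n", GetLastError());
        CloseHandle(h); return 0;
    }
    WaitForSingleObject(t, INFINITE);
    DWORD exit_code = 0;
    GetExitCodeThread(t, &exit_code);
    printf("remote thread exited with %lu\n", exit_code);
    CloseHandle(t); CloseHandle(h);
    return 1;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    if (argc < 2) { printf("usage: %s <pid>\n", argv[0]); return 1; }
    /* Harmless demo routine: ExitThread(42) in the target. Assumes kernel32 is
       at the same base in the target (same bitness, same boot). */
    LPTHREAD_START_ROUTINE start = (LPTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitThread");
    return inject_thread((DWORD)atoi(argv[1]), start, (LPVOID)(ULONG_PTR)42) ? 0 : 1;
#else
    (void)argc; (void)argv;
    printf("Windows-only demo; check_bitness() is the portable part.\n");
    return 0;
#endif
}
```

Build it twice, once as x86 and once as x64, and point each at a client of the matching bitness; the x86 build aimed at a 64-bit client reports the mismatch before CreateRemoteThread is ever called.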

  8. #8 sitnspinlock (Elite User)
    That is also a good idea, _Mike.

    And yeah, syscall indices usually change between versions of Windows. Lots of malware (but not just malware) store a table of indices, then check the Windows version in KUSER_SHARED_DATA and map a stub. I've also seen storing all versions of NtCreateFile and NtReadFile, then opening ntdll on disk and going from there.

    Again, waaay over the top. But still fun.


    Oh, I should have tried to make it more clear what I was trying to explain, lul. I was just stating that that was how WoW64 determines whether or not the target process of the handle passed to CreateRemoteThread is running in the emulator. They just use NtQIP. But yeah, IsWow64Process() would be the correct thing to do.
    Last edited by sitnspinlock; 05-06-2012 at 10:43 PM.
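The "open ntdll and go from there" approach from #8, as an added example that is not code from the thread: instead of a per-version table of indices, read the service index straight out of the export stub, which is the immediate of the leading "mov eax, imm32". The stub bytes can come from ntdll mapped in memory or from a copy of ntdll opened on disk (resolve the export's RVA, read the bytes there). The stub shapes decoded below are the real ones, but every byte array here is constructed for the demo: the indices 0xBD, 0xC1 and 0x58 and the address 0x77889140 are made up, not the numbers of any Windows build.

```c
/*
 * Added example (not from the thread): recover a syscall index from an
 * ntdll export stub. Shapes handled:
 *   x64 ntdll:    4C 8B D1  B8 <imm32> ... 0F 05 (syscall)
 *   x86 / WoW64:  B8 <imm32> ... call edx | call [edx] | call fs:[mem] | sysenter
 * Anything that reaches a ret (or an unexpected opcode) before a kernel
 * transition is rejected, so "mov eax, 1; ret" is not mistaken for a stub.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYSCALL_INVALID 0xFFFFFFFFu

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Walk the instructions after "mov eax, imm32" until a kernel-transition
 * instruction is found. Only the opcodes that occur in real stubs are
 * decoded; a ret or anything unknown means "not a syscall stub".
 */
static int reaches_dispatch(const uint8_t *p, size_t n, int is_x64)
{
    size_t i = 0;
    while (i < n) {
        uint8_t op = p[i];
        uint8_t nx = (i + 1 < n) ? p[i + 1] : 0;
        switch (op) {
        case 0x0F: /* 0F 05 = syscall (x64), 0F 34 = sysenter (x86) */
            return is_x64 ? nx == 0x05 : nx == 0x34;
        case 0xE8: return 1;                                        /* call rel32 */
        case 0xFF: return nx == 0xD2 || nx == 0x12 || nx == 0x15;   /* call edx / [edx] / [mem] */
        case 0x64: return nx == 0xFF && i + 2 < n && p[i + 2] == 0x15; /* call fs:[mem] */
        case 0xBA: i += 5; break;   /* mov edx, imm32 */
        case 0x33: i += 2; break;   /* xor ecx, ecx */
        case 0x8D: i += 4; break;   /* lea edx, [esp+4] */
        case 0xF6: i += 8; break;   /* test byte ptr [abs32], imm8 (Win10 x64 stub) */
        case 0x75: i += 2; break;   /* jne rel8 */
        default:   return 0;        /* C2/C3 ret, or something we do not expect */
        }
    }
    return 0;
}

/* Returns the service index encoded in the stub, or SYSCALL_INVALID. */
uint32_t syscall_number_from_stub(const uint8_t *stub, size_t len, int is_x64)
{
    size_t off = 0;
    if (is_x64) {                               /* 4C 8B D1 = mov r10, rcx */
        static const uint8_t mov_r10_rcx[3] = { 0x4C, 0x8B, 0xD1 };
        if (len < 3 || memcmp(stub, mov_r10_rcx, 3) != 0) return SYSCALL_INVALID;
        off = 3;
    }
    if (len < off + 5 || stub[off] != 0xB8) return SYSCALL_INVALID;   /* mov eax, imm32 */
    if (!reaches_dispatch(stub + off + 5, len - (off + 5), is_x64)) return SYSCALL_INVALID;
    return rd32(stub + off + 1);
}

/* Constructed sample stubs: real shapes, made-up indices and addresses. */
const uint8_t stub_x64_pre_win10[] = {
    0x4C,0x8B,0xD1, 0xB8,0xBD,0x00,0x00,0x00, 0x0F,0x05, 0xC3 };
const uint8_t stub_x64_win10[] = {
    0x4C,0x8B,0xD1, 0xB8,0xC1,0x00,0x00,0x00,
    0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,   /* test byte ptr [7FFE0308h], 1 */
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
const uint8_t stub_wow64[] = {                  /* mov eax; mov edx, <gate>; call edx */
    0xB8,0xC1,0x00,0x00,0x00, 0xBA,0x40,0x91,0x88,0x77, 0xFF,0xD2, 0xC2,0x2C,0x00 };
const uint8_t stub_x86_native[] = {             /* mov eax; mov edx, 7FFE0300h; call [edx] */
    0xB8,0x58,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x2C,0x00 };
const uint8_t not_a_stub[] = { 0xB8,0x01,0x00,0x00,0x00, 0xC3 };  /* mov eax, 1; ret */

int main(void)
{
    printf("x64 pre-Win10 : 0x%X\n", (unsigned)syscall_number_from_stub(stub_x64_pre_win10, sizeof stub_x64_pre_win10, 1));
    printf("x64 Win10     : 0x%X\n", (unsigned)syscall_number_from_stub(stub_x64_win10, sizeof stub_x64_win10, 1));
    printf("WoW64         : 0x%X\n", (unsigned)syscall_number_from_stub(stub_wow64, sizeof stub_wow64, 0));
    printf("x86 native    : 0x%X\n", (unsigned)syscall_number_from_stub(stub_x86_native, sizeof stub_x86_native, 0));
    printf("not a stub    : 0x%X\n", (unsigned)syscall_number_from_stub(not_a_stub, sizeof not_a_stub, 0));
    return 0;
}
```

Fed the bytes at an export's RVA from the ntdll of the running system, this gives the index for that build without any version lookup; the per-version table the post describes is then only needed as a fallback for stubs the decoder does not recognise.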

  9. #9 _Mike (Contributor)
    I just wish there was some way to link 32- and 64-bit COFF .obj files together. It would be so much easier if you could write mixed-mode C++ code with just a small call gate made in assembler, compared to having to write all the 64-bit code in asm.
    It's very easy to do with ELF object files, as the gcc toolchain supports it right out of the box, but it seems impossible with MSVC. I'm thinking about attempting to write a small util to convert 64-bit COFF to 32 and add it as a custom build step, as the COFF format seems to be fairly well documented. I just need to find the time for it.
