[Help]VEH HOOK , how to raise exception without memory editing

**demonguy** · 12-13-2012

Here's my code

Code:

LONG __stdcall VectoredHandler ( PEXCEPTION_POINTERS ExceptionInfo )
{
     
        PCONTEXT Context;
        Context = ExceptionInfo->ContextRecord;

		char m[20];

		sprintf_s(m,"%X",(unsigned int)(PVOID)(ExceptionInfo->ExceptionRecord->ExceptionAddress));

                MessageBoxA(NULL,m,"0",0);
         
        if ( ExceptionInfo->ExceptionRecord->ExceptionAddress  == (PVOID)(TargetAddress + CHack::WoWBase) ) {
            Context->Eip = (DWORD) (TargetAddress  + CHack::WoWBase + 0x51);
			
            return EXCEPTION_CONTINUE_EXECUTION;
        }
		 return EXCEPTION_CONTINUE_SEARCH;
}

	AddVectoredExceptionHandler(1, VectoredHandler );

	DWORD dwOldProtect;

	VirtualProtect(reinterpret_cast<LPVOID>(CHack::WoWBase + TargetAddress),1,PAGE_READONLY, &dwOldProtect);

        ////                   Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc);

When exception is passed to my handler. The "ExceptionInfo->ExceptionRecord->ExceptionAddress" isn't "CHack::WoWBase + TargetAddress" at all
if i use "Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc)" instead, then everything is OK
So why VirtualProtect will raise a wrong address exception ?

**Jadd** · 12-13-2012

The instruction pointer is contained in EIP (RIP in x64). You should use that instead of ExceptionRecord->ExceptionAddress.

You should also replace PAGE_READONLY to PAGE_NOACCESS to prevent future problems.

**demonguy** · 12-13-2012

as far as i know , according to what msgBox shows, ExceptionRecord->ExceptionAddress == ExceptionRecord->EIP when the exception raises
as for PAGE_READONLY, that's because if i set it to "PAGE_NOACCESS", Warden can't read it either ,so i'll be detected right?

and your explanation doesn't explain why are all things OK if i use int3 break instead of virtualprotect eg.(Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc))

**DrakeFish** · 12-14-2012

Originally Posted by demonguy

Here's my code

Code:

LONG __stdcall VectoredHandler ( PEXCEPTION_POINTERS ExceptionInfo )
{
     
        PCONTEXT Context;
        Context = ExceptionInfo->ContextRecord;

		char m[20];

		sprintf_s(m,"%X",(unsigned int)(PVOID)(ExceptionInfo->ExceptionRecord->ExceptionAddress));

                MessageBoxA(NULL,m,"0",0);
         
        if ( ExceptionInfo->ExceptionRecord->ExceptionAddress  == (PVOID)(TargetAddress + CHack::WoWBase) ) {
            Context->Eip = (DWORD) (TargetAddress  + CHack::WoWBase + 0x51);
			
            return EXCEPTION_CONTINUE_EXECUTION;
        }
		 return EXCEPTION_CONTINUE_SEARCH;
}

	AddVectoredExceptionHandler(1, VectoredHandler );

	DWORD dwOldProtect;

	VirtualProtect(reinterpret_cast<LPVOID>(CHack::WoWBase + TargetAddress),1,PAGE_READONLY, &dwOldProtect);

        ////                   Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc);

When exception is passed to my handler. The "ExceptionInfo->ExceptionRecord->ExceptionAddress" isn't "CHack::WoWBase + TargetAddress" at all
if i use "Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc)" instead, then everything is OK
So why VirtualProtect will raise a wrong address exception ?

Using VirtualProtect will change the protection of the entire page you use it on, meaning it won't only affect the address you pass to the function but the page its on. Unless watching access/execution to/on this page is what you want, you will have to either use another technique (like int3) or to "filter" what you need in your exception handler. The latter will be very slow and is probably not a good alternative. If you don't want to write to memory, you could use hardware breakpoints (debug registers), but take note that this isn't necessarily safer.

To my knowledge, using ExceptionAddress or EIP shouldn't matter in this case.

**Jadd** · 12-14-2012

EIP should be the definitive break position. Depending on the type of exception that was raised, ExceptionRecord->ExceptionAddress may not be what you're looking for.

I'm not sure how Warden works around unreadable memory. It will only make a difference if you're using data breakpoints, so if you're just using it to detour functions then leaving it as PAGE_READONLY should be fine.

**demonguy** · 12-14-2012

Originally Posted by DrakeFish

but take note that this isn't necessarily safer.

what do you mean of it ? "hardware breakpoints" will also be detected? by the way , how to register hardware breakpoint?

**DarthTon** · 12-14-2012

what do you mean of it ? "hardware breakpoints" will also be detected?

Everything can be potentially detected, but AFAIK, warden does not care about DR for now.

how to register hardware breakpoint?

Something like this (will register 1 byte-long HWBP on execution)

PHP Code:


int GetFreeIndex( size_t regval )

{

    if (!(regval & 1))

        return 0;

    else if (!(regval & 4))

        return 1;

    else if (!(regval & 16))

        return 2;

    else if (!(regval & 64))

        return 3;



    return -1;

}



CONTEXT context            = {0};

context.ContextFlags    = CONTEXT_DEBUG_REGISTERS;



// CONTEXT_DEBUG_REGISTERS can be operated without thread suspension

if(!GetThreadContext(hThread, &context))

{

    CloseHandle(hThread);

    return false;

}



// Get free DR

int index = GetFreeIndex(context.Dr7);



// If all 4 registers are occupied - error

if(index < 0)

{

    CloseHandle(hThread);

    return false;

}



context.Dr7                            |= 1 << (2*index ) | 0x100;    // enable corresponding HWBP and local BP flag

*((size_t*)&context.Dr0 + index)        = (size_t)TargetAddress;        // write address to DR0-DR3



// Write values to registers

if(!SetThreadContext(hThread, &context))

{

    CloseHandle(hThread);

    return false;

}

**demonguy** · 12-14-2012

Originally Posted by DarthTon

Everything can be potentially detected, but AFAIK, warden does not care about DR for now.

Something like this (will register 1 byte-long HWBP on execution)

PHP Code:


int GetFreeIndex( size_t regval )
{
    if (!(regval & 1))
        return 0;
    else if (!(regval & 4))
        return 1;
    else if (!(regval & 16))
        return 2;
    else if (!(regval & 64))
        return 3;

    return -1;
}

CONTEXT context            = {0};
context.ContextFlags    = CONTEXT_DEBUG_REGISTERS;

// CONTEXT_DEBUG_REGISTERS can be operated without thread suspension
if(!GetThreadContext(hThread, &context))
{
    CloseHandle(hThread);
    return false;
}

// Get free DR
int index = GetFreeIndex(context.Dr7);

// If all 4 registers are occupied - error
if(index < 0)
{
    CloseHandle(hThread);
    return false;
}

context.Dr7                            |= 1 << (2*index ) | 0x100;    // enable corresponding HWBP and local BP flag
*((size_t*)&context.Dr0 + index)        = (size_t)TargetAddress;        // write address to DR0-DR3

// Write values to registers
if(!SetThreadContext(hThread, &context))
{
    CloseHandle(hThread);
    return false;
}

Thanks all above ...
and +rep for your codes. thanks

**abuckau907** · 12-14-2012

@Jadd "You should also replace PAGE_READONLY to PAGE_NOACCESS to prevent future problems."
that concept had never occurred to me, thank you. -- if it's marked noaccess and something tries to read it, exception thrown?

**sitnspinlock** · 12-14-2012

Originally Posted by DarthTon

Everything can be potentially detected, but AFAIK, warden does not care about DR for now.

Something like this (will register 1 byte-long HWBP on execution)

PHP Code:


int GetFreeIndex( size_t regval )
{
    if (!(regval & 1))
        return 0;
    else if (!(regval & 4))
        return 1;
    else if (!(regval & 16))
        return 2;
    else if (!(regval & 64))
        return 3;

    return -1;
}

CONTEXT context            = {0};
context.ContextFlags    = CONTEXT_DEBUG_REGISTERS;

// CONTEXT_DEBUG_REGISTERS can be operated without thread suspension
if(!GetThreadContext(hThread, &context))
{
    CloseHandle(hThread);
    return false;
}

// Get free DR
int index = GetFreeIndex(context.Dr7);

// If all 4 registers are occupied - error
if(index < 0)
{
    CloseHandle(hThread);
    return false;
}

context.Dr7                            |= 1 << (2*index ) | 0x100;    // enable corresponding HWBP and local BP flag
*((size_t*)&context.Dr0 + index)        = (size_t)TargetAddress;        // write address to DR0-DR3

// Write values to registers
if(!SetThreadContext(hThread, &context))
{
    CloseHandle(hThread);
    return false;
}

err nevermind i was wrong. make sure you use debug register only flag in that case.

afaik bnet use to use ntcontinue to tweak debug registers for anti-debugging

**Cypher** · 12-14-2012

Originally Posted by abuckau907

@Jadd "You should also replace PAGE_READONLY to PAGE_NOACCESS to prevent future problems."
that concept had never occurred to me, thank you. -- if it's marked noaccess and something tries to read it, exception thrown?

Yes .

Shout-Out

User Tag List

Thread: [Help]VEH HOOK , how to raise exception without memory editing

Thread Tools

Search Thread

[Help]VEH HOOK , how to raise exception without memory editing

Similar Threads

[HELP]Anyone know how to get item stats on AH without reading tooltips?

[C#] Simple class for sending chat commands (without memory editing)

[HELP] How to restart server without owner

Ascent Private - How to raise all stats without enchants and gear.

Ascent Private - How to raise all stats without enchants and gear.

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino