[Help] VEH HOOK, how to raise exception without memory editing

  #1 demonguy (Member)

    Here's my code

    Code:
    #include <windows.h>
    #include <cstdio>

    // TargetAddress and CHack::WoWBase are defined elsewhere in the poster's project.

    LONG __stdcall VectoredHandler(PEXCEPTION_POINTERS ExceptionInfo)
    {
        PCONTEXT Context = ExceptionInfo->ContextRecord;

        // Show the address the exception record reports (x86 build: fits in 32 bits).
        char m[20];
        sprintf_s(m, "%X", (unsigned int)(ULONG_PTR)ExceptionInfo->ExceptionRecord->ExceptionAddress);
        MessageBoxA(NULL, m, "0", 0);

        if (ExceptionInfo->ExceptionRecord->ExceptionAddress == (PVOID)(TargetAddress + CHack::WoWBase)) {
            // Resume execution 0x51 bytes past the target.
            Context->Eip = (DWORD)(TargetAddress + CHack::WoWBase + 0x51);
            return EXCEPTION_CONTINUE_EXECUTION;
        }
        return EXCEPTION_CONTINUE_SEARCH;
    }

    // Installation: 1 = register as the first handler in the chain.
    AddVectoredExceptionHandler(1, VectoredHandler);

    DWORD dwOldProtect;
    VirtualProtect(reinterpret_cast<LPVOID>(CHack::WoWBase + TargetAddress), 1, PAGE_READONLY, &dwOldProtect);

    ////                   Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc);
    When the exception is passed to my handler, "ExceptionInfo->ExceptionRecord->ExceptionAddress" isn't "CHack::WoWBase + TargetAddress" at all.
    If I use "Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc)" instead, then everything is OK.
    So why does VirtualProtect raise an exception at the wrong address?

  #2 Jadd (Premium Seller)
    The instruction pointer is contained in EIP (RIP in x64). You should use that instead of ExceptionRecord->ExceptionAddress.

    You should also replace PAGE_READONLY to PAGE_NOACCESS to prevent future problems.

  #3 demonguy (Member)
    As far as I know, according to what the msgBox shows, ExceptionRecord->ExceptionAddress == ExceptionRecord->EIP when the exception is raised.
    As for PAGE_READONLY, that's because if I set it to "PAGE_NOACCESS", Warden can't read it either, so I'll be detected, right?

    And your explanation doesn't explain why everything is OK if I use an int3 break instead of VirtualProtect, e.g. Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc).
    Last edited by demonguy; 12-14-2012 at 12:02 AM.

  #4 DrakeFish (Lazy Leecher)
    Originally Posted by demonguy View Post
    When the exception is passed to my handler, "ExceptionInfo->ExceptionRecord->ExceptionAddress" isn't "CHack::WoWBase + TargetAddress" at all.
    If I use "Memory::Write<byte>(CHack::WoWBase + TargetAddress, 0xcc)" instead, then everything is OK.
    So why does VirtualProtect raise an exception at the wrong address?
    Using VirtualProtect will change the protection of the entire page you use it on, meaning it won't only affect the address you pass to the function but the page it's on. Unless watching access/execution to/on this page is what you want, you will have to either use another technique (like int3) or "filter" what you need in your exception handler. The latter will be very slow and is probably not a good alternative. If you don't want to write to memory, you could use hardware breakpoints (debug registers), but take note that this isn't necessarily safer.

    To my knowledge, using ExceptionAddress or EIP shouldn't matter in this case.
    Last edited by DrakeFish; 12-14-2012 at 12:27 AM.

  #5 Jadd (Premium Seller)
    EIP should be the definitive break position. Depending on the type of exception that was raised, ExceptionRecord->ExceptionAddress may not be what you're looking for.

    I'm not sure how Warden works around unreadable memory. It will only make a difference if you're using data breakpoints, so if you're just using it to detour functions then leaving it as PAGE_READONLY should be fine.
    Last edited by Jadd; 12-14-2012 at 12:25 AM.

  #6 demonguy (Member)
    Originally Posted by DrakeFish View Post
    but take note that this isn't necessarily safer.
    What do you mean by that? Will "hardware breakpoints" also be detected? By the way, how do I register a hardware breakpoint?

  #7 DarthTon (Contributor)
    What do you mean by that? Will "hardware breakpoints" also be detected?
    Everything can be potentially detected, but AFAIK, Warden does not care about DR for now.

    How do I register a hardware breakpoint?
    Something like this (it registers a 1-byte execute HWBP):
    Code:
    // Index of the first debug register (DR0-DR3) whose local-enable bit
    // (L0..L3 = DR7 bits 0, 2, 4, 6) is clear, or -1 if all four are in use.
    int GetFreeIndex( size_t regval )
    {
        if (!(regval & 1))
            return 0;
        else if (!(regval & 4))
            return 1;
        else if (!(regval & 16))
            return 2;
        else if (!(regval & 64))
            return 3;

        return -1;
    }

    // Fragment of a function returning bool: hThread is the target thread's
    // handle, opened by the caller; TargetAddress is the address to break on.
    CONTEXT context = {0};
    context.ContextFlags = CONTEXT_DEBUG_REGISTERS;

    // CONTEXT_DEBUG_REGISTERS can be operated without thread suspension
    if(!GetThreadContext(hThread, &context))
    {
        CloseHandle(hThread);
        return false;
    }

    // Get free DR
    int index = GetFreeIndex(context.Dr7);

    // If all 4 registers are occupied - error
    if(index < 0)
    {
        CloseHandle(hThread);
        return false;
    }

    context.Dr7 |= 1 << (2*index) | 0x100;                      // enable corresponding HWBP and local BP flag
    *((size_t*)&context.Dr0 + index) = (size_t)TargetAddress;   // write address to DR0-DR3

    // Write values to registers
    if(!SetThreadContext(hThread, &context))
    {
        CloseHandle(hThread);
        return false;
    }
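    The DR7 bit layout the snippet above depends on, as an added example (not DarthTon's code, not part of the thread): dr7_free_slot is the GetFreeIndex test written as a loop, dr7_arm_local generalises the `1 << (2*index) | 0x100` line to the R/W and LEN fields, and dr7_armed_slots is the reverse direction, the decode an integrity check performs when it inspects a thread's CONTEXT_DEBUG_REGISTERS (the check DarthTon says Warden skips at the moment). Portable C with no Windows dependency; the Dr7 value built in main is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"), per slot n = 0..3:
 *   bit 2n            Ln    local enable  (bits 1, 4, 16, 64 that GetFreeIndex tests)
 *   bit 2n+1          Gn    global enable
 *   bit 8             LE    local exact flag (the 0x100 the post ORs in)
 *   bits 16+4n..17+4n R/Wn  00 execute, 01 write, 10 I/O, 11 read/write
 *   bits 18+4n..19+4n LENn  00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (64-bit mode)
 */
typedef struct {
    int slot;      /* 0..3, pairs with Dr0..Dr3 */
    int local;     /* Ln set */
    int global;    /* Gn set */
    int rw;        /* R/Wn field */
    int len_code;  /* LENn field */
} dr7_slot_t;

/* Lowest slot whose local-enable bit is clear; -1 if all four are in use. */
int dr7_free_slot(uint32_t dr7)
{
    for (int n = 0; n < 4; n++)
        if (!(dr7 & (1u << (2 * n))))
            return n;
    return -1;
}

/* dr7 with `slot` locally enabled for the given condition. With rw = 0 and
 * len_code = 0 this is exactly `dr7 |= 1 << (2*slot) | 0x100` from the post:
 * a 1-byte execute breakpoint (R/W and LEN fields left at 00). */
uint32_t dr7_arm_local(uint32_t dr7, int slot, int rw, int len_code)
{
    uint32_t field = (uint32_t)(rw & 3) | ((uint32_t)(len_code & 3) << 2);
    dr7 |= 1u << (2 * slot);               /* Ln */
    dr7 |= 0x100;                          /* LE */
    dr7 &= ~(0xFu << (16 + 4 * slot));     /* clear old R/Wn and LENn */
    dr7 |= field << (16 + 4 * slot);
    return dr7;
}

/* Decode every enabled slot into `out`; returns how many are armed. */
int dr7_armed_slots(uint32_t dr7, dr7_slot_t out[4])
{
    int count = 0;
    for (int n = 0; n < 4; n++) {
        int local = (dr7 >> (2 * n)) & 1;
        int global = (dr7 >> (2 * n + 1)) & 1;
        if (!local && !global)
            continue;
        out[count].slot = n;
        out[count].local = local;
        out[count].global = global;
        out[count].rw = (dr7 >> (16 + 4 * n)) & 3;
        out[count].len_code = (dr7 >> (18 + 4 * n)) & 3;
        count++;
    }
    return count;
}

static const char *rw_name(int rw)
{
    static const char *names[] = { "execute", "write", "io", "read/write" };
    return names[rw & 3];
}

int main(void)
{
    /* Constructed value: slot 2 armed as a 4-byte read/write watchpoint. */
    uint32_t dr7 = dr7_arm_local(0, 2, 3, 3);
    dr7_slot_t slots[4];
    int n = dr7_armed_slots(dr7, slots);
    printf("Dr7 = 0x%08x, next free slot %d, %d armed\n", dr7, dr7_free_slot(dr7), n);
    for (int i = 0; i < n; i++)
        printf("  Dr%d: %s, LEN code %d, %s\n", slots[i].slot, rw_name(slots[i].rw),
               slots[i].len_code, slots[i].local ? "local" : "global");
    return 0;
}
```

    An all-zero R/W field is the execute condition, which is why the post never touches bits 16 and up: a single `Ln` bit plus `LE` is a complete 1-byte execute breakpoint, and a scanner only needs the enable bits to tell that a debug register is live.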


  #8 demonguy (Member)
    Originally Posted by DarthTon View Post
    Everything can be potentially detected, but AFAIK, Warden does not care about DR for now.

    Something like this (it registers a 1-byte execute HWBP):
    Thanks all above ...
    and +rep for your codes. thanks

  #9 abuckau907 (Active Member)
    @Jadd "You should also replace PAGE_READONLY to PAGE_NOACCESS to prevent future problems."
    that concept had never occurred to me, thank you. -- if it's marked noaccess and something tries to read it, exception thrown?

  #10 sitnspinlock (Elite User, CoreCoins Purchaser)
    Originally Posted by DarthTon View Post
    Everything can be potentially detected, but AFAIK, Warden does not care about DR for now.

    Something like this (it registers a 1-byte execute HWBP):
    Err, never mind, I was wrong. Make sure you use the debug-registers-only flag in that case.

    AFAIK bnet used to use NtContinue to tweak debug registers for anti-debugging.
    Last edited by sitnspinlock; 12-14-2012 at 12:37 PM.

  #11 Cypher (Kynox's Sister's Pimp)
    Originally Posted by abuckau907 View Post
    @Jadd "You should also replace PAGE_READONLY to PAGE_NOACCESS to prevent future problems."
    that concept had never occurred to me, thank you. -- if it's marked noaccess and something tries to read it, exception thrown?
    Yes.
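    Two claims in this thread, DrakeFish's in #4 that VirtualProtect changes the whole page so the fault reports whatever address was actually touched, and Cypher's "Yes" in #11 that a no-access page faults on reads as well, can be reproduced on Linux with the POSIX equivalents, mprotect and a SIGSEGV handler. This is an added example, not code from the thread or any project it discusses; it maps a fresh anonymous page instead of touching any process memory, PROT_READ stands in for PAGE_READONLY and PROT_NONE for PAGE_NOACCESS, and the offsets 0x10 and 0x200 are constructed.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One anonymous page, constructed for the demonstration. */
static unsigned char *g_page;
static size_t g_page_size;
static volatile int g_fault_count;
static volatile uintptr_t g_fault_addr;

/* SIGSEGV handler, the POSIX counterpart of a vectored exception handler.
 * si_addr is the data address the faulting instruction touched (on Windows
 * that is ExceptionRecord->ExceptionInformation[1]; ExceptionAddress is the
 * address of the instruction). Restoring read/write lets the access retry. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    g_fault_count++;
    g_fault_addr = (uintptr_t)si->si_addr;
    mprotect(g_page, g_page_size, PROT_READ | PROT_WRITE);
}

int fault_count(void) { return g_fault_count; }

/* Apply `prot` to "one byte" at target_off, then read or write access_off on
 * the same page. Returns the page-relative offset the fault reported,
 * -2 if no fault occurred, -1 on setup failure. */
long probe_fault(int prot, size_t target_off, size_t access_off, int do_write)
{
    g_page_size = (size_t)sysconf(_SC_PAGESIZE);
    g_page = mmap(NULL, g_page_size, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_page == MAP_FAILED)
        return -1;
    g_fault_count = 0;
    g_fault_addr = 0;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    /* Length 1 is nominal: the kernel protects the whole page containing
     * target_off, exactly as VirtualProtect rounds to page granularity. */
    uintptr_t page_base = ((uintptr_t)g_page + target_off) & ~(uintptr_t)(g_page_size - 1);
    if (mprotect((void *)page_base, 1, prot) != 0) {
        sigaction(SIGSEGV, &old, NULL);
        munmap(g_page, g_page_size);
        return -1;
    }

    volatile unsigned char *p = g_page + access_off;   /* a different byte, same page */
    if (do_write) {
        *p = 0x42;
    } else {
        unsigned char v = *p;
        (void)v;
    }

    long result = g_fault_count ? (long)(g_fault_addr - (uintptr_t)g_page) : -2;
    sigaction(SIGSEGV, &old, NULL);
    munmap(g_page, g_page_size);
    g_page = NULL;
    return result;
}

int main(void)
{
    printf("read-only page, write to another byte: fault at +0x%lx\n",
           probe_fault(PROT_READ, 0x10, 0x200, 1));
    printf("read-only page, read: %ld (-2 = no fault)\n",
           probe_fault(PROT_READ, 0x10, 0x200, 0));
    printf("no-access page, read: fault at +0x%lx\n",
           probe_fault(PROT_NONE, 0x10, 0x200, 0));
    return 0;
}
```

    The first call shows the situation from post #1: the byte at +0x10 was "protected", yet the fault arrives for +0x200, because every write to that page now traps and the handler sees the address the instruction actually used. The second shows why a read-only page does nothing for reads, and the third shows PROT_NONE trapping a read, which is the behaviour Cypher confirms for PAGE_NOACCESS. A handler that wants only the target therefore has to compare against the real data address and, for every other hit on the page, restore protection and let the access through, which is the per-access cost DrakeFish warns about.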
