[Injection] What way to go?
  1. #1 Corthezz (Elite User)

    [Injection] What way to go?

    Hey together,
    when I started learning about injection I discovered iHook, which was a big help in understanding the topic.
    From that point on I always worked with ASM injection.

    Detouring:
    1. A jmp instruction takes 5 bytes.
    2. The first two instructions of the function I want to detour are each 4 bytes (just for example).
    3. Back up those two instructions.
    4. Allocate space for my detour.
    5. Place the jmp to the detour.
    6. Add the two backed-up instructions to the beginning of the detour.
    7. Back up registers.
    8. Do my stuff.
    9. jmp back to the detoured function (to the next full instruction after the jmp).


    Well, that's pretty much it. For the things I realised in the past it was always the easiest method, but once the stuff you want to accomplish becomes more complicated it's a pain in the ass to write the logic in ASM.
    For example I detoured FrameScript__Register to find out at which point I have to reapply my custom Lua functions, which is still easy.
    But let's say you want to dump the function name (ecx) as well as the address (edx) being registered to a file on each execution: it would be a lot easier doing this with C++ instead of ASM (hell, I don't even know how to write to a file in ASM).

    Right now I realise the above-mentioned mechanic like this:
    Allocate space for the function address as well as the name of the function and a byte which will signal my C# program that it has to do something.
    When the detour is executed it will write the function name and the address into the allocated space and set the signal byte to 1. After that it will wait until the signal byte is zero again:

    Code:
    [...]
    @outOne:
    cmp byte ptr [signalByte], 1   ; spin while the C# side has not yet consumed the request
    je @outOne                     ; still 1: loop; 0: continue with the detour
    [...]
    At the same time my C# program reads the signal byte every 50 ms. If the signal byte is 1 it will read the function address and name from the allocated space and afterwards switch the signal byte to 0 again (which makes the main thread break out of the loop).

    Imo this method is pretty horrible (I guess) but it works. Well, the point is I finally want to get fully injected as well as get some distance from C# (it's not that great for being in-process, is it?).
    I never learned C++ nor real ASM. At one point I just started downloading sources without even knowing what a class is, and from that point I made my way till today.

    Today I looked at a few C++ injection examples and a few questions came up:
    1. C++ seems like a language where you can do many things wrong. Should I maybe read a book first? If yes, which one? I don't feel like stepping through a whole book again where it just deals with very basic stuff (what is an int and similar things).
    2. I found a thousand different examples: one using MsDetours, another one working with some inline ASM which will call the C++ function etc. Is there any good example of the "right way"?

    I hope this thread doesn't sound too stupid :3

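A defender-side counterpart to the detour steps listed in the post above, written for this thread and not part of it: an integrity check that compares a function's first bytes against a pristine copy and, when the first byte is the `E9` opcode of the 5-byte jmp the post describes, decodes where the detour goes. The prologue bytes, the load address and the names `inspect_prologue` / `demo_detour_check` are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of inspecting a function's first bytes for an inline detour. */
typedef struct {
    int hooked;            /* 1 if the live bytes differ from the pristine copy */
    int is_rel_jmp;        /* 1 if the first byte is E9 (jmp rel32), the 5-byte patch from the post */
    uintptr_t jmp_target;  /* absolute destination of that jmp, valid when is_rel_jmp == 1 */
} detour_report;

/* Compare `len` live bytes at virtual address `base` against `pristine`
 * (a copy taken at load time, e.g. from the on-disk image), and decode a
 * leading E9 jmp: target = address of the next instruction (base + 5) + rel32. */
detour_report inspect_prologue(const uint8_t *live, const uint8_t *pristine,
                               size_t len, uintptr_t base)
{
    detour_report r = {0, 0, 0};
    if (memcmp(live, pristine, len) != 0)
        r.hooked = 1;                        /* any change counts, not only an E9 patch */
    if (len >= 5 && live[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, live + 1, sizeof rel);  /* little-endian rel32 follows the opcode */
        r.is_rel_jmp = 1;
        r.jmp_target = (uintptr_t)((intptr_t)base + 5 + rel);
    }
    return r;
}

/* Constructed sample: push ebp / mov ebp,esp / sub esp,0x40 / push esi / push edi */
static const uint8_t PRISTINE[8] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x56, 0x57};
/* Same bytes after a 5-byte jmp to 0x00500000 was written over the start; the
 * stray 0x40 left at offset 5 is the tail of the overwritten `sub esp,0x40`. */
static const uint8_t PATCHED[8]  = {0xE9, 0xFB, 0xEF, 0x0F, 0x00, 0x40, 0x56, 0x57};
static const uintptr_t FUNC_BASE = 0x00401000;  /* constructed load address of the function */

/* Runs the check on both copies and returns the report for the patched one. */
detour_report demo_detour_check(void)
{
    detour_report clean = inspect_prologue(PRISTINE, PRISTINE, sizeof PRISTINE, FUNC_BASE);
    detour_report r = inspect_prologue(PATCHED, PRISTINE, sizeof PATCHED, FUNC_BASE);
    printf("clean: hooked=%d\n", clean.hooked);
    printf("patched: hooked=%d rel_jmp=%d target=0x%08lx\n",
           r.hooked, r.is_rel_jmp, (unsigned long)r.jmp_target);
    return r;
}

int main(void) { demo_detour_check(); return 0; }
```

Comparing against a pristine copy is what catches the hook; decoding the E9 only tells you where a plain 5-byte detour lands, and a hook written with a different instruction sequence would still show up as `hooked` without `is_rel_jmp`.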
  2. #2 reliasn (Legendary)
    I also use ASM injection, but my stub is a mix of C++ and ASM. The stub is a __declspec(naked) function, and in my prologue I basically save the registers (pushad and pushfd) and after that I initialize the parameters I declared locally or parameters that are passed to the function (so yeah, I've got push ebp, mov ebp, esp, sub esp, <size I need>, etc.).

    After initializing the function, I start using pure C++ with function pointers to actually call the functions I need. It's more or less like the code below (some functions are outdated because I don't have access to my updated source code where I'm at now).

    Anyways, that's the "easiest" way I found to avoid using ASM as much as you can... it seems complicated, maybe because I don't use any hooking libraries, but I've started making my own and things have become quite easy since then. And yeah, I'm open to suggestions on how to improve the ASM stub below (PS: injecting a DLL isn't a valid argument).

    Code:
    #include <windows.h>   // for DWORD (not included in the original paste)
    
    // Function-pointer types for the game functions the stub dispatches to.
    // WoW:: is the author's own namespace of per-build offsets and is not shown in the post.
    typedef int (__cdecl * DoString)(DWORD arg1, DWORD arg2, int arg3);
    typedef int (__cdecl * GetText)(DWORD pont_string, DWORD menosum, DWORD zero);
    typedef int (__thiscall * UpdateDisplay)(DWORD thisptr, DWORD flag);
    typedef int (__cdecl * UpdateScale)(DWORD loguid, DWORD higuid);
    // The original paste also declared a second, __thiscall typedef named GetText here;
    // a redefinition does not compile, so only the __cdecl one matching the call below is kept.
    typedef int (__thiscall * ClickToMove)(DWORD thisptr, DWORD type, DWORD guid, DWORD position, DWORD precision);
    typedef int (__thiscall * MountDisplay)(DWORD thisptr, DWORD displayid);
    typedef int (__cdecl * ClntObjMgrObjectPtr)(DWORD loguid, DWORD higuid, DWORD flag);
    typedef int (__cdecl * World__Intersect)(DWORD end, DWORD start, DWORD result, DWORD distance, DWORD flag, DWORD optional);
    
    __declspec(naked) void codeasm(){
        DWORD flagz, basead, pointer, data1, data2, data3;
        __asm{
            nop
            pushad                  // save all general-purpose registers
            pushfd                  // save flags
            push    ebp             // naked function: build the frame by hand
            mov     ebp, esp
            sub     esp, 0x40       // room for the locals declared above
            call    dummy           // call/pop trick to get the current EIP into edx
    dummy:  pop     edx
            sub     edx, 0xE        // 0xE = bytes from the start of codeasm to here, so edx = &codeasm
            add     edx, 500        // the request block lives 500 bytes past the stub start
            mov     eax, [edx+4]    // check flag
            cmp     eax, 0x0
            je      outh            // 0: nothing requested
            cmp     eax, 0xff
            je      outh            // 0xff: previous result not yet collected
            mov     ebx, [edx+0]    // check base address
            mov     basead, ebx
            add     edx, 0x8
            mov     flagz, eax
            mov     pointer, edx    // pointer = argument area (request block + 8)
            mov     ecx, [edx]
            mov     data1, ecx
            mov     ecx, [edx+4]
            mov     data2, ecx
            mov     ecx, [edx+0x8]
            mov     data3, ecx
            sub     edx, 0x8
            push    edx             // keep the request block address across the C++ calls
            mov     dword ptr [edx+4], 0x0   // clear the flag (an immediate store needs an explicit operand size)
        }
        if(flagz == 1){
            UpdateDisplay(basead + WoW::UpdateDisplayInfo)(data1,1);
        }else if(flagz == 2){
            DoString(basead + WoW::Framescript_ExecuteBuffer)(pointer,pointer,0);
        }else if(flagz == 3){
            World__Intersect(basead + WoW::CGWorldFrame__Intersect)(pointer+0x30, pointer+0x40, pointer+0x20, pointer+0xC, data1, 0);
        }else if(flagz == 4){
            ClickToMove(basead + WoW::ClickToMoveOfs)(data1,data2,pointer+0x14,pointer+0x8,0);
        }else if(flagz == 5){
            GetText(basead + WoW::Framescript_GetText)(pointer,-1,0);
        }else if(flagz == 6){
            MountDisplay(basead + WoW::MountDisplayChanged)(data1,data2);
        }else if(flagz == 7){
            ClntObjMgrObjectPtr(basead + WoW::ClntObjMgrObjectPtr)(data1,data2,1);
        }else if(flagz == 8){
            UpdateScale(basead + WoW::UpdateScale)(data1,data2);
        }
        __asm{
            pop edx                 // restore EDX value (request block address)
        }
        if(flagz != 0){
            __asm{
                mov dword ptr [edx + 0x4], 0xff   // 0xff = request done
                mov [edx + 0xF0], eax   // get EAX value (return); only still valid if the compiler did not reuse eax for the flagz test above
            }
        }
    
        __asm{
    outh:   mov esp, ebp            // tear down the manual frame
            pop ebp
    
            popfd
            popad
            nop
            nop
            // replaced code (the instructions overwritten at the hook site)
            mov eax, edi
            pop edi
            pop esi
            pop ebp
            ret
        }
    }
    Last edited by reliasn; 11-06-2014 at 02:42 PM.

  3. #3 Corthezz (Elite User)
    +3 rep for you
    I will study the snippet a bit and report back.

  4. #4 -Ryuk- (Elite User)
    Just to point out... Don't jump to your empty code cave; fill it first, then apply the jump. Or you may get crashes.

  5. #5 Corthezz (Elite User)
    Originally Posted by -Ryuk-:
    Just to point out... Don't jump to your empty code cave; fill it first, then apply the jump. Or you may get crashes.
    That's what I actually do.
    I just misplaced the steps for unknown reasons.

    Same like on unload:
    1. remove jmp
    2. remove detour
    Last edited by Corthezz; 11-06-2014 at 04:54 PM.

  6. #6 Midi12 (Contributor)
    Originally Posted by Corthezz:
    1. C++ seems like a language where you can do many things wrong. Should I maybe read a book first? If yes which one? I dont feel like stepping through a whole book again where it just deals with very basic stuff (what is an int and equal things).
    Most books on the market are designed for beginners, so they will mainly talk about variables and structures, but in order to learn the basics of C++ (not the basics of programming, which you seem to know) there are plenty of good web resources like:
    - Learn C++
    - C++ Language - C++ Tutorials
    To find resources about executing/injecting code into a remote process I suggest you look for PDF or web resources, because I don't know any book talking about this subject.

    Originally Posted by Corthezz:
    2. I found thousand different examples: One using MsDetours, another one working with some inline ASM which will call the c++ function etc. Is there any good example of the "right way"?
    As for most programming-related problems there is no "one best way"; you should just try to make your code as clean as you can with regard to the remote process memory.
    There are multiple ways to achieve this:
    - creating a new thread
    - hijacking thread context
    - hooking
    - and more ...
    It really depends on your needs and goals, so if your goal is to avoid ASM as much as possible, DLL injection & hooking could be a solution for you.
    About your question whether C# is great for being in-process: there is a wonderful library, GreyMagic (credits go to Apoc; I found this reupload since the link in the original thread (GreyMagic - The best of both worlds, and then some) is dead).

  7. #7 Jadd (Premium Seller)
    Originally Posted by reliasn:
    I'm open to suggestions on how to improve the ASM stub below (PS: injecting a DLL isn't a valid argument).
    Inject a DLL.
