Injecting code to main thread

[kajko]

Hello,

I am trying to inject and execute code to main WOW thread.

After ResumeThread, it crashes with this:

This application has encountered a critical error:

ERROR #132 (0x85100084) Fatal exception!

Program: S:\World of Warcraft\Wow.exe
ProcessID: 3944
Exception: ACCESS_VIOLATION

The instruction at "0x00000000" referenced memory at "0x00000000".
The memory could not be "executed".

and here is the code I am using, it does nothing, basically, just want to test code cave injection.

Code:

	__declspec(naked) DWORD codeasm()
	{
		__asm
		{
			//   Placeholder for the return address
			push 0xDEADBEEF

			pushfd
			pushad

			popad
			popfd

 			ret
		};
	}

	void Manager::doNothing()
	{
		unsigned long threadID = m_pMemMan->get_main_thread_id();
		HANDLE hThread;

		DWORD cbCodeSize = 100;

		hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_QUERY_INFORMATION), false, threadID);
		SuspendThread(hThread);

		LPVOID pCode = VirtualAllocEx(hThread, NULL, cbCodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

		unsigned long oldIP, oldprot;
		CONTEXT ctx;
		ZeroMemory(&ctx, sizeof(ctx));
		ctx.ContextFlags = CONTEXT_CONTROL;
		GetThreadContext(hThread, &ctx);
		oldIP = ctx.Eip;
		ctx.Eip = (DWORD)pCode;
		ctx.ContextFlags = CONTEXT_CONTROL;

		VirtualProtect(codeasm, cbCodeSize, PAGE_EXECUTE_READWRITE, &oldprot);
		// store return address
		memcpy((void *)((unsigned long)codeasm + 1), &oldIP, sizeof(unsigned long));
		
		WriteProcessMemory(hThread, pCode, &codeasm, cbCodeSize, NULL);
		SetThreadContext(hThread, &ctx);

		ResumeThread(hThread);

		Sleep(1000);
		CloseHandle(hThread);
		VirtualFreeEx(hThread, pCode, cbCodeSize, MEM_RELEASE);
	}

Assuming I, with your help, make it work:
Is this better/recommended way or should I go, maybe for DLL injection ?

Thaks
Kajko

[culino2]

VirtualAllocEx takes the process handle, not the thread handle.

Same for VirtualFreeEx, WriteProcessMemory.

[kajko]

VirtualAllocEx takes the process handle, not the thread handle.

Same for VirtualFreeEx, WriteProcessMemory.

Updated:

Code:

		unsigned long threadID = m_pMemMan->get_main_thread_id();
		HANDLE hThread;

		DWORD cbCodeSize = 100;

		hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_QUERY_INFORMATION), false, threadID);
		SuspendThread(hThread);

		LPVOID pCode = VirtualAllocEx(m_pMemMan->hProcess, NULL, cbCodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

		unsigned long oldIP, oldprot;
		CONTEXT ctx;
		ZeroMemory(&ctx, sizeof(ctx));
		ctx.ContextFlags = CONTEXT_CONTROL;
		GetThreadContext(hThread, &ctx);
		oldIP = ctx.Eip;
		ctx.Eip = (DWORD)pCode;
		ctx.ContextFlags = CONTEXT_CONTROL;

		VirtualProtect(codeasm, cbCodeSize, PAGE_EXECUTE_READWRITE, &oldprot);
		// store return address
		memcpy((void *)((unsigned long)codeasm + 1), &oldIP, sizeof(unsigned long));
		
		WriteProcessMemory(m_pMemMan->hProcess, pCode, &codeasm, cbCodeSize, NULL);
		SetThreadContext(hThread, &ctx);

		ResumeThread(hThread);

still crash same way

[culino2]

Updated:

Code:

		unsigned long threadID = m_pMemMan->get_main_thread_id();
		HANDLE hThread;

		DWORD cbCodeSize = 100;

		hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_QUERY_INFORMATION), false, threadID);
		SuspendThread(hThread);

		LPVOID pCode = VirtualAllocEx(m_pMemMan->hProcess, NULL, cbCodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

		unsigned long oldIP, oldprot;
		CONTEXT ctx;
		ZeroMemory(&ctx, sizeof(ctx));
		ctx.ContextFlags = CONTEXT_CONTROL;
		GetThreadContext(hThread, &ctx);
		oldIP = ctx.Eip;
		ctx.Eip = (DWORD)pCode;
		ctx.ContextFlags = CONTEXT_CONTROL;

		VirtualProtect(codeasm, cbCodeSize, PAGE_EXECUTE_READWRITE, &oldprot);
		// store return address
		memcpy((void *)((unsigned long)codeasm + 1), &oldIP, sizeof(unsigned long));
		
		WriteProcessMemory(m_pMemMan->hProcess, pCode, &codeasm, cbCodeSize, NULL);
		SetThreadContext(hThread, &ctx);

		ResumeThread(hThread);

still crash same way

Change __declspec(naked) DWORD codeasm() to static __declspec(naked) DWORD codeasm()

This should do the trick.

[kajko]

Change __declspec(naked) DWORD codeasm() to static __declspec(naked) DWORD codeasm()

This should do the trick.

Thanks, that static did the trick.