[PoC] Execute code in the main thread without hook/detour using WndProc callback

[NotJuJuBoSc]

Hello,

Here is a little proof of concept how to execute code in the main thread without any hook/detour/whatever, copy paste from my github :

Code:

This class allow you to run code in a remote process using SendMessage and WndProc override.

It use MyMemory libary and only support x86 (tho x64 is barely the same).

Feel free to copy paste.

Here is how it work step by step :

It generate a custom message number to handle future request.
A codecave is written in the remote process as a WndProc callback.
When we want to execute code, we call SendMessage from our application with our custom message.
Then the remote process should call our callback.
The callback detect our custom message.
The callback then call the function passed in wParam.
It then store result of the call (EAX) into lParam pointer.
The program read the value stored in lParam pointer.
Done, profit !

GitHub - JuJuBoSc/RemoteWndProc: Example to execute code in a remote process using wndproc trick


Only support x86 because I'm lazy and did that just to test the idea, thought it might be useful to some of you.

[Corthezz]

Jadd wrote a tutorial about this before: ntoskrnl | Hooking Threads Without Detours or Patches
Non the less thanks for posting!

[WiNiFiX]

Glad you made a sample app, helped alot to understand Jadd's post, wish more devs realised learning from simple sample code is the best.

@NotJuJuBoSc
One question, I am not familar with your library for memory, how will I get the below to return a value from executed lua?

PHP Code:

static string GetLocalizedText(RemoteProcess process, WndProcExecutor executor, string luaValue)
{
    var ClntObjMgrGetActivePlayerObj = process.ModulesManager.MainModule.BaseAddress + 0x8DD5A;
    var FrameScript__GetLocalizedText = process.ModulesManager.MainModule.BaseAddress + 0x32A5C0;
    var Lua_GetLocalizedText_Space = Encoding.UTF8.GetBytes(luaValue);

    using (var RemoteBuffer = process.MemoryManager.AllocateMemory((uint)luaValue.Length + 1))
    {
        RemoteBuffer.WriteBytes(Lua_GetLocalizedText_Space);

        var asm = new[]
        {
            "call " + ClntObjMgrGetActivePlayerObj,
            "mov ecx, eax",
            "push -1",
            "mov edx, " + Lua_GetLocalizedText_Space + "",
            "push edx",
            "call " + FrameScript__GetLocalizedText,
            "retn"
        };

        executor.Call(asm);                
        return ?
    }
} 


[infotech1]

thanks for the example code

[NotJuJuBoSc]

Glad you made a sample app, helped alot to understand Jadd's post, wish more devs realised learning from simple sample code is the best.

@NotJuJuBoSc
One question, I am not familar with your library for memory, how will I get the below to return a value from executed lua?

PHP Code:

static string GetLocalizedText(RemoteProcess process, WndProcExecutor executor, string luaValue)
{
    var ClntObjMgrGetActivePlayerObj = process.ModulesManager.MainModule.BaseAddress + 0x8DD5A;
    var FrameScript__GetLocalizedText = process.ModulesManager.MainModule.BaseAddress + 0x32A5C0;
    var Lua_GetLocalizedText_Space = Encoding.UTF8.GetBytes(luaValue);

    using (var RemoteBuffer = process.MemoryManager.AllocateMemory((uint)luaValue.Length + 1))
    {
        RemoteBuffer.WriteBytes(Lua_GetLocalizedText_Space);

        var asm = new[]
        {
            "call " + ClntObjMgrGetActivePlayerObj,
            "mov ecx, eax",
            "push -1",
            "mov edx, " + Lua_GetLocalizedText_Space + "",
            "push edx",
            "call " + FrameScript__GetLocalizedText,
            "retn"
        };

        executor.Call(asm);                
        return ?
    }
} 


PHP Code:

IntPtr result = executor.Call(asm); 


simple as that

also you could push directly instead to move it in edx, kinda unecesserary here

[WiNiFiX]

Figured it out, was silly mistake on my side

PHP Code:

        static string GetLocalizedText(RemoteProcess process, WndProcExecutor executor, string luaValue)
        {
            var ClntObjMgrGetActivePlayerObj = process.ModulesManager.MainModule.BaseAddress + 0x8DD5A;
            var FrameScript__GetLocalizedText = process.ModulesManager.MainModule.BaseAddress + 0x32A5C0;
            var Lua_GetLocalizedText_Space = Encoding.UTF8.GetBytes(luaValue);

            using (var RemoteBuffer = process.MemoryManager.AllocateMemory((uint)luaValue.Length + 1))
            {
                RemoteBuffer.WriteBytes(Lua_GetLocalizedText_Space);

                var asm = new[]
                {
                    "call " + ClntObjMgrGetActivePlayerObj,
                    "mov ecx, eax",
                    "push -1",
                    "mov edx, " + RemoteBuffer.Pointer + "",
                    "push edx",
                    "call " + FrameScript__GetLocalizedText,
                    "retn"
                };

                var res = executor.Call(asm);
                return process.MemoryManager.ReadString(res);
            }
        } 


PHP Code:

DoString(remoteProcess, executor, "zoneData = GetZoneText()");
string result = GetLocalizedText(remoteProcess, executor, "zoneData"); 


[zakkord]

So this is the same as just manually mapping a dll with WndProc handler but without proper inter-process communication, gotcha. (and it's still a hook cause you're messing with GWL_WNDPROC)