What steps to safely inject and run your code?

[Viano]

Hello there,

I've been away for some time but would love to play around with live servers again.
Blizzard seems to care more about protecting WoW from bots. So what is currently necessary to safely inject and run your code?
I mean can you still execute your code inside FrameScriptExecute (was this the name back then?)? Is object manager still around? Can you enumerate objects around you? Do you have to unlink your module?

What are the steps to hide your private program?

[Tambel]

I tried to hook some functions to get Lua state address and this worked but after ~1 min its crashed with segfault without clear reason. This can be some kind of protection or I just messed up with something like calling conventions and etc(99.999..% chance of second case).

If you run Wow on linux with wine, you can use LD_PRELOAD or recompile wine`s "dxgi.dll" with modified Present and all you code will run as legit direcx library(in main thread) without injections and modifying of executable, but its still detectable, so I don’t think it have any significant advantage and I just consider this as a small bonus of linux usage

P.S. Sowy for my engrish.

[Viano]

I'm 100% on Windows and would like to load my dll into WoW and use DirectX hook to run inside main thread. Is it enough to unlink your module or do you have to avoid calling some functions additionally?

[culino2]

I'm 100% on Windows and would like to load my dll into WoW and use DirectX hook to run inside main thread. Is it enough to unlink your module or do you have to avoid calling some functions additionally?

Why not hooking WndProc instead to run your code inside the main-thread? To do pulse stuff I use SetTimer (set at some point in my WndProc hook), never had trouble with this way. They shouldn't detect private modules unless you do something that's detected...

[zys924]

Why not hooking WndProc instead to run your code inside the main-thread? To do pulse stuff I use SetTimer (set at some point in my WndProc hook), never had trouble with this way. They shouldn't detect private modules unless you do something that's detected...

Setting a new WndProc can easily be detected by looking at GetWindowLong and check the return value's address range (whether in .text section). It is quite similar as the old WoW Lua C function address check. So the reason why you are not banned out of this is Blizzard is lazy to do this check.

[tutrakan]

Why not hooking WndProc instead to run your code inside the main-thread? To do pulse stuff I use SetTimer (set at some point in my WndProc hook), never had trouble with this way. They shouldn't detect private modules unless you do something that's detected...

Good point. I should be worth to try something similar.

[Viano]

...something that's detected...

And what's that? Can I find out myself? Any hints?

[culino2]

Setting a new WndProc can easily be detected by looking at GetWindowLong and check the return value's address range (whether in .text section). It is quite similar as the old WoW Lua C function address check. So the reason why you are not banned out of this is Blizzard is lazy to do this check.

I'm pretty sure some legit software is using WndProc hooks too. A simple WndProc hook leading to unknown modules shouldn't be a ban reason for blizzard.

And what's that? Can I find out myself? Any hints?

Warden should be a good start, can't tell you more at this point, I don't even updated my warden detours for x64 yet. I'm not aware of any call checks for x64 beside of the known page checks that lead into a crashes (ClntObjMgrGetActivePlayerObj()) if you don't do it correctly. Feel free to correct me here.

[ak48disk]

dxgi hooks has some legitimate use cases such as reshade.