8.1.0 RemapViewOfSection 0x80 causing ACCESS_VIOLATION

  1. #1
    sendeos23 (Active Member)

    8.1.0 RemapViewOfSection 0x80 causing ACCESS_VIOLATION

    Hi,

    First off I'm relatively new to the reversing / botting scene (3~ months).

    These forums have been really helpful with getting me to where I am now so thank you all!

    A few months back I wrote a really basic internal bot for 8.0.1.27980.

    As I wanted to call in game functions from the main thread I found a function to detour.

    Once my DLL is injected I make a call to RemapViewOfSection with 0x40 to allow memory writes (using the code found here: Force-Page-Protection/memory.cpp at master · changeofpace/Force-Page-Protection · GitHub) then use MinHook to install my detour.

    Everything was working perfectly, had my fishing bot running on multiple clients for hours on end making calls to Interact and FrameExecuteBuffer with no exceptions. Happy botting...

    Now, 8.1.0 (28768) has dropped and WoW is crashing about 1/3 of the time when the bot gets injected.

    I originally thought it might be something to do with my dll injection process or the detour being installed.

    However, through a process of elimination I'm almost 100% sure the issue is the remap (RemapViewOfSection).

    I wrote a simple test that starts Wow.exe and calls remap with 0x40, no DLL injection or hooking.

    Confirmed that 1/3 of the time the call to remap causes Wow.exe to crash with:
    [15816] ACCESS_VIOLATION : error 138: ERROR #138 (0x8510008a) Fatal exception!
    [15816] The instruction at "0x0000000000000000" referenced memory at "0x0000000000000000".
    [15816] The memory could not be "executed".

    My only guess is there is something in the WoW process that is checking for a change in memory protection and crashing the game.

    Note : I have also tried remapping the memory with 0x80 as suggested here (https://www.ownedcore.com/forums/wor...-coming-8.html (The Free Lunch Is Over - Obfuscation is Coming)) by king48488 but still running into the same issue.

    Question:
    I'm pretty sure I need to make this RemapViewOfSection call in order to write my detour, but after reading the 'free lunch is over' thread I'm starting to think that there is another way around this.
    Has anyone else recently (8.0.1->8.1.0) started getting these ACCESS_VIOLATION exceptions when remapping, or if not, how are you guys able to write detours without remapping?

    I appreciate that many of you might not want your methods to become public - in which case please PM me.

    Cheers
    sendeos23
    Last edited by sendeos23; 12-15-2018 at 03:01 PM.

  2. #2
    ynyzyfy (Member)
    Can you try to create the process manually (suspend), and hook NtCreateSection (syscall) to change the protection type? (I used this in 8.0.1.)
    Finally, you can try writing a driver.
    Last edited by ynyzyfy; 12-15-2018 at 09:13 PM.

  4. #3
    doityourself (★ Elder ★)
    That is not a new error. It has happened since 7.3.0. If you didn't get it you were just lucky.

  5. #4
    sendeos23 (Active Member)
    Originally posted by ynyzyfy:
    > Can you try to create the process manually (suspend), and hook NtCreateSection (syscall) to change the protection type? (I used this in 8.0.1.)
    > Finally, you can try writing a driver.

    Thanks, will give these a try.
    I have been waiting for a reason to get my lazy ass to learn about drivers / write my own.

  6. #5
    ynyzyfy (Member)
    Oh, yes. WoW has some integrity checks. If you modified the watched .text section or opened some programs, it will crash after a while.

  7. #6
    sendeos23 (Active Member)
    Update:

    After a day of looking at disassembly near the function I was originally detouring I found a call to a function pointer defined in the data segment.

    From there it was simply a case of modifying the pointer to point at my function. This 'DetourFunc' first runs my bot code, then finally calls the original function.

    As this function pointer is in the .data segment I don't need to do any remapping or patching of the .text segment. Win win.

    pseudocode
    Code:
    typedef int64(__fastcall *HookFunction)(int, int, int);
    HookFunction OriginalFunc = 0;
    HookFunction* FunctionPointer = 0;
    
    int64 DetourFunc(int a, int b, int c)
    {
    	DoBotStuff();
    	return OriginalFunc(a, b, c);
    }
    
    int InstallHook()
    {
    	FunctionPointer = (HookFunction*)(wowBaseAddress + Offsets::detourFunctionPointer); //Pointer to data segment we are going to modify
    
    	OriginalFunc = *FunctionPointer; //save the original function so we can replace it in RemoveHook
    
    	*FunctionPointer = DetourFunc;
    
    	return 1;
    }
    
    void RemoveHook()
    {
    	*FunctionPointer = OriginalFunc;
    }
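
The defensive counterpart to the update above, as an added example that is not part of the original post or any game's code: hashing the code section does not see a changed pointer in a writable data section, so an integrity check has to validate the pointer slots themselves. The address range, slot names and values below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Bounds of the module's executable section (constructed sample values). */
typedef struct { uintptr_t text_start, text_end; } code_range;

/* One watched function-pointer slot in writable data, with its start-up value. */
typedef struct { const char *name; uintptr_t baseline; } watched_slot;

typedef enum { SLOT_OK, SLOT_RETARGETED, SLOT_OUTSIDE_CODE } slot_status;

/* Classify a slot's current value against the code range and the baseline. */
slot_status check_slot(const code_range *r, const watched_slot *w, uintptr_t current)
{
    if (current < r->text_start || current >= r->text_end)
        return SLOT_OUTSIDE_CODE;   /* target is not in this module's code */
    if (current != w->baseline)
        return SLOT_RETARGETED;     /* in-module, but not the original target */
    return SLOT_OK;
}

/* Audit n slots; returns how many failed and reports the first failing index. */
size_t audit_slots(const code_range *r, const watched_slot *w,
                   const uintptr_t *current, size_t n, size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (check_slot(r, &w[i], current[i]) != SLOT_OK) {
            if (bad == 0 && first_bad)
                *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed sample: slot 1 now points outside the module's code range. */
static const code_range SAMPLE_RANGE = { 0x401000u, 0x600000u };
static const watched_slot SAMPLE_SLOTS[2] = {
    { "on_frame", 0x401200u }, { "on_input", 0x4018a0u }
};
static const uintptr_t SAMPLE_CURRENT[2] = { 0x401200u, 0x7ff00010u };

int main(void)
{
    size_t first = 0;
    /* Exit status is the number of slots that failed the audit. */
    return (int)audit_slots(&SAMPLE_RANGE, SAMPLE_SLOTS, SAMPLE_CURRENT, 2, &first);
}
```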
