** If anything is unclear, I'm sorry. The code isn't great cos i hacked it together this afternoon just a PoC. Enjoy! **
I dunno if anyone has posted anything about using a code cave to run functions in Wow instead of injecting a DLL, but I'm going to now.
First, for those that don't know what a code cave is:
It is somewhere in a remote process' memory where you put your own code, maybe some space that isn't used or some space that you allocate with VirtualAllocEx and free with VirtualFreeEx
You can insert code in to this space and then run it!
After you insert your code you can pause the current thread, change the instruction pointer to where your code is, then resume the thread. This will run your code.
Of course, if you jump to some code that uses registers/flags and you don't restore them bad things will happen. The easiest way to do that is just to push them on the stack at the start of the injected code and pop them off at the end.
Also you'll probably want to return to where the thread was before your code ran, so you'll need to push the return address on to the stack first.
Code:
push 0xDEADBABE // Placeholder for the return address
pushfd // Save the flags and registers
pushad
//-- Something useful goes here :)
popad // Restore the registers and flags
popfd
ret // Return control to the hijacked thread
Something like that would be a good start.
So... HOWTO:
Here's what i did:
Find the target Window Handle
Find the main thread ID
Open the process PID
Open the thread
Allocate space for the code
Make any changes to the "to-be-injected" code (return address, etc.)
Write the code to the allocated space
Pause the thread
Update the instruction pointer to point the allocated space
Resume the thread
Wait a bit for the code to run
De-allocate the memory allocated for the code
Have a beer
In you code you could call a function or whatever, but you won't be able to get any return values... unless you allocate some space for the result and have you code write that result to that known location and then read it later. So in addition to the above you must:
Allocate space for the result
Edit your code to write to the allocated location
Read the result after the thread is resumed
I have produced some code (in C++) that will do all of this, it can be found here: [Only registered and activated users can see links. ].
It calls the CompareUnitFaction function to get the reaction of one unit's faction to another.
It doesn't do anything fancy and the Unit 1 and Unit 2 base addresses are hardcoded in. But if you don't know how to find them this really isn't for you
*
Credit here to kynox and Shynd for info about CompareUnitFaction
Finding the functions and working out the arguments takes some time and a good disassembler/debugger, personally I like IDA (cos I can do other things - mega drive hehe)
*
The CompareUnitFaction (as it's being called) function takes two arguments, a pointer to the current Unit and a pointer to the second Unit. The current Unit is in the register ECX and the second Unit is pushed on to the stack. In my code it is called by doing:
Code:
push 0xDEADBABE // Place holder for Unit2
mov ecx, 0xDEADBABE // Place holder for Unit1
mov eax, 0x005D4AB0 // Offset for the CompareUnitFaction function
call eax
This will run and return the faction's reaction to you in EAX, I used this code to right that value in to memory where it could be read:
Code:
mov ebx, 0xDEADBABE // Offset to read result from :)
mov dword ptr [ebx], eax
In the program the place holders are replaced with memcpy after the memory protection has been changed.
injectCode is the function with the asm in it :
OK, think that covers everything. I have NOT tested this on a live server only on an emulated server so I dunno if you'll get disconnected or whatever. I didn't on the emulated server i was on (OpenAscent TRUNK r334/Release-Win-X86).
If i have missed anything or you have any question I will try to answer them as best I can
Edit: Here is an output from the program very verbose hehe
Only suggestion I'd make is instead of sleeping a static 2000ms while waiting for it to execute, I'd do a loop while reading memory on your dwResult address, waiting for the result to != 0 (or initialize it as 0xFFFFFFFF and sleep until it != 0xFFFFFFFF).
Code:
DWORD dwResult = 0xFFFFFFFF;
WriteProcessMemory(hProcess, pInjectResult, (LPVOID)dwResult, sizeof(DWORD), NULL);
for (int i = 0; i < 200 && dwResult == 0xFFFFFFFF; i++)
{
if (!ReadProcessMemory(hProcess, pInjectResult, &dwResult, sizeof(DWORD), &dwBytesRead ))
break;
Sleep(10);
}
Slightly more overhead, but you'll get the result as soon as it's available.
Yes, that is a good idea I have something similar in my new code already. But you're code looks better
However, you do have to wait a bit longer after it has finished to make sure that the flags and registers are popped off the stack and ret is called otherwise Wow will crash cos the memory is deallocated while it's still being executed hehe. The Wow send error report is pretty useful for debugging (no surprise) I don't know enough (anything) about writing a debugger but some kind of break point would be a useful thing, at the return address so you read the result and de-allocate the memory then. Maybe when it's not 4AM
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)codecaveaddress, NULL, NULL, NULL);
WaitForObject(hThread, INFINITE);
DWORD dwExit;
GetExitCodeThread(hThread, &dwExit); //dwExit is now the value of EAX when RETN is hit
Little more overhead but it makes it much easier to handle. If you're only calling it every once in a while, it shouldn't cause any problems.
And writing a debugger isn't too difficult. DebugActiveProcess API for the win. You just have to handle the breakpoints in the correct manner, something that's not documented very many places (if you're still interested, even after understanding how easily debuggers can be detected, let me know and I'll make a post about it).
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)codecaveaddress, NULL, NULL, NULL);
WaitForObject(hThread, INFINITE);
DWORD dwExit;
GetExitCodeThread(hThread, &dwExit); //dwExit is now the value of EAX when RETN is hit
Little more overhead but it makes it much easier to handle. If you're only calling it every once in a while, it shouldn't cause any problems.
And writing a debugger isn't too difficult. DebugActiveProcess API for the win. You just have to handle the breakpoints in the correct manner, something that's not documented very many places (if you're still interested, even after understanding how easily debuggers can be detected, let me know and I'll make a post about it).
Edit: Oh yeah,
This method won't work for any functions that read from the TLS (Being that its Thread local storage). Opening another thread won't have the TLS data in it, though you can put it in yourself
Do not PM me about the ME fix or other ME questions
Haha, Yeah, it gave me a real run around when i first started out. In the end though i just hacked up some code to set the TLS in my thead to the s_curMgr pointer. Works a treat
Do not PM me about the ME fix or other ME questions
I'm not an X86 ASM expert so I dunno if this is the best way to do it, but it appears to work:
This code will load the address of the Object Manager in to EAX. Not really of any use but easy to check to see if it worked.
0x00153C60 is the linear address of the thread-local storage array for the main thread.
FS:0x2C is where the linear address of the thread-local storage is stored, so if you over write it it should be good. Please correct me if i am wrong :]
Code Caving WoW [With Code (C++)]
I don't know enough (anything) about writing a debugger but some kind of break point would be a useful thing, at the return address so you read the result and de-allocate the memory then. Maybe when it's not 4AM 
