public uint InjectAndExecute(string[] asm, bool allowOffline = false) { lock (Locker) { if (!allowOffline && (!Helpers.Usefuls.InGame || Helpers.Usefuls.IsLoading)) { return(0); } /*List<string> asmCode = new List<string>(); * foreach (string s in asm) * { * asmCode.Add(s); * if (Others.Random(0, 100) > 50) * { * int nR = Others.Random(1, 3); * for (int i = nR; i >= 1; i--) * { * asmCode.Add(ProtectHook()); * } * } * } * return (uint) Wow.Memory.WowProcess.Executor.Call(asmCode.ToArray());*/ if (!ThreadHooked) { return(0); } var fasm = new ManagedFasm(Memory.ProcessHandle); fasm.SetMemorySize(0x1000); fasm.SetPassLimit(100); foreach (string s in asm) { fasm.AddLine(s); } fasm.Inject(_mInjectionCode); Memory.WriteByte(_mExecuteRequested, 1); Timer injectTimer = new Timer(2000); injectTimer.Reset(); while (Memory.ReadByte(_mExecuteRequested) == 1 && !injectTimer.IsReady) { Thread.Sleep(1); } if (injectTimer.IsReady) { Logging.WriteError("Injection have been aborted, execution too long from " + CurrentCallStack); return(0); } Memory.WriteBytes(_mInjectionCode, _mZeroBytesInjectionCodes); uint returnValue = Memory.ReadUInt(_mResult); return(returnValue); } }
public void Apply() { var fasm = new ManagedFasm(Memory.ProcessHandle); fasm.SetMemorySize(0x1000); fasm.SetPassLimit(100); fasm.AddLine("jmp " + _mTrampoline); fasm.Inject(JumpAddress); }
private void CreateTrampolineDX() { _mTrampolineDX = Memory.AllocateMemory(0x1000); Console.WriteLine("m_trampoline : " + _mTrampolineDX.ToString("X")); var fasm = new ManagedFasm(Memory.ProcessHandle); fasm.SetMemorySize(0x1000); fasm.SetPassLimit(100); fasm.AddLine("pushad"); fasm.AddLine("pushfd"); fasm.AddLine("mov eax, [{0}]", _mLocked); // _mLockedDX fasm.AddLine("@execution:"); fasm.AddLine("mov eax, [{0}]", _mExecuteRequested); // DX fasm.AddLine("test eax, eax"); fasm.AddLine("je @lockcheck"); /*fasm.AddLine("mov ebx, [{0}]", (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.SpellChecker)); * fasm.AddLine("mov eax, [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff1 + "]"); * fasm.AddLine("mov esi, [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "]"); * fasm.AddLine("mov [" + _mSavedAntiban + "], esi"); * fasm.AddLine("mov [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "], eax");*/ fasm.AddLine("call {0}", _mInjectionCode); fasm.AddLine("mov [" + _mResult + "], eax"); /*fasm.AddLine("mov edx, {0}", (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.CTMChecker)); * fasm.AddLine("call " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.WoWTextCaller)); * fasm.AddLine("push happilyeverafter"); * fasm.AddLine("push " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.RetFromFunctionBelow)); * fasm.AddLine("jmp " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.CTMChecker2)); * fasm.AddLine("happilyeverafter:");*/ /*fasm.AddLine("mov ebx, [{0}]", (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.SpellChecker)); * fasm.AddLine("mov esi, [" + _mSavedAntiban + "]"); * fasm.AddLine("mov [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "], esi");*/ fasm.AddLine("xor eax, eax"); fasm.AddLine("mov [" + _mExecuteRequested + "], eax"); // DX fasm.AddLine("@lockcheck:"); fasm.AddLine("mov eax, [{0}]", _mLocked); // DX fasm.AddLine("test eax, eax"); fasm.AddLine("jne @execution"); fasm.AddLine("push 0"); fasm.AddLine("add esp, 4"); fasm.AddLine("popfd"); fasm.AddLine("popad"); Memory.WriteBytes(_mTrampolineDX, D3D.OriginalBytesDX); fasm.AddLine("jmp " + (JumpAddressDX + D3D.OriginalBytesDX.Length)); fasm.Inject((uint)(_mTrampolineDX + D3D.OriginalBytesDX.Length)); }
/// <summary> /// Call the specifics asm mnemonics in the message handler thread /// </summary> /// <param name="p_Mnemonics"></param> /// <param name="p_BufferSize"></param> /// <returns></returns> public uint Call(string[] p_Mnemonics, int p_BufferSize = 0x1000) { using (var fasm = new ManagedFasm(Memory.WowProcess.ProcessHandle)) { fasm.SetMemorySize(0x500); fasm.SetPassLimit(100); foreach (var s in p_Mnemonics) { fasm.AddLine(s); } uint ptrInject = Memory.WowMemory.Memory.AllocateMemory(p_BufferSize); fasm.Inject(ptrInject); return(Call(ptrInject)); } }
public void ApplyDX() { var fasm = new ManagedFasm(Memory.ProcessHandle); fasm.SetMemorySize(0x1000); fasm.SetPassLimit(100); fasm.AddLine("jmp " + _mTrampolineDX); if (D3D.OriginalBytesDX.Length > 5) { fasm.AddLine("nop"); } if (D3D.OriginalBytesDX.Length > 6) { fasm.AddLine("nop"); } fasm.Inject(JumpAddressDX); }
private void CreateTrampoline() { _mTrampoline = Memory.AllocateMemory(0x1000); Console.WriteLine("m_trampoline : " + _mTrampoline.ToString("X")); var fasm = new ManagedFasm(Memory.ProcessHandle); fasm.SetMemorySize(0x1000); fasm.SetPassLimit(100); fasm.AddLine("call {0}", Wow.Memory.WowProcess.WowModule + (uint)Addresses.FunctionWow.ReturnFunc); fasm.AddLine("pushad"); fasm.AddLine("pushfd"); fasm.AddLine("mov eax, [{0}]", _mLocked); fasm.AddLine("@execution:"); fasm.AddLine("mov eax, [{0}]", _mExecuteRequested); fasm.AddLine("test eax, eax"); fasm.AddLine("je @lockcheck"); fasm.AddLine("call {0}", _mInjectionCode); fasm.AddLine("mov [" + _mResult + "], eax"); fasm.AddLine("xor eax, eax"); fasm.AddLine("mov [" + _mExecuteRequested + "], eax"); fasm.AddLine("@lockcheck:"); fasm.AddLine("mov eax, [{0}]", _mLocked); fasm.AddLine("test eax, eax"); fasm.AddLine("jne @execution"); fasm.AddLine("popfd"); fasm.AddLine("popad"); fasm.AddLine("jmp " + (JumpAddress + D3D.OriginalBytes.Length)); fasm.Inject(_mTrampoline); }
public void Dispose() { IntPtr l_User32 = GetModuleHandle("user32.dll"); IntPtr l_SetWindowLongW = GetProcAddress(l_User32, "SetWindowLongW"); // Restore the original WndProc callback var fasm2 = new ManagedFasm(Memory.WowProcess.ProcessHandle); fasm2.SetMemorySize(0x500); fasm2.SetPassLimit(100); fasm2.AddLine("mov eax, [" + m_OriginalWndProc + "]"); fasm2.AddLine("push eax"); fasm2.AddLine("push " + GWL_WNDPROC + ""); fasm2.AddLine("push " + m_WindowHandle + ""); fasm2.AddLine("call " + l_SetWindowLongW + ""); fasm2.AddLine("retn"); var ptrInject = Memory.WowMemory.Memory.AllocateMemory(0x500); fasm2.InjectAndExecute(ptrInject); Memory.WowMemory.Memory.FreeMemory(m_WndProcFunction); Memory.WowMemory.Memory.FreeMemory(m_OriginalWndProc); }
public WndProcExecutor(BlackMagic memory) { try { m_WindowHandle = Memory.WowProcess.MainWindowHandle; m_Random = new Random(); m_CustomMessageCode = m_Random.Next(0x8000, 0xBFFF); // From MSDN : WM_APP (0x8000) through 0xBFFF m_WndProcFunction = memory.AllocateMemory(0x500); // WndProc m_OriginalWndProc = memory.AllocateMemory(0x4); // WndProcOriginalWndProc IntPtr l_User32 = GetModuleHandle("user32.dll"); IntPtr l_CallWindowProcW = GetProcAddress(l_User32, "CallWindowProcW"); IntPtr l_SetWindowLongW = GetProcAddress(l_User32, "SetWindowLongW"); var fasm = new ManagedFasm(Memory.WowProcess.ProcessHandle); fasm.SetMemorySize(0x1000); fasm.SetPassLimit(100); fasm.AddLine("mov eax, [esp+0x8]"); // Get the message code from the stack); fasm.AddLine("cmp eax, " + m_CustomMessageCode); // Check if the message code is our custom one fasm.AddLine("jne @call_original"); // Otherwise simply call the original WndProc fasm.AddLine("mov eax, [esp+0xC]"); // Function pointer fasm.AddLine("mov edx, [esp+0x10]"); // Result pointer fasm.AddLine("push edx"); // Save result pointer fasm.AddLine("call eax"); // Call the user function fasm.AddLine("pop edx"); // Restore the result pointer fasm.AddLine("mov [edx], eax"); // Save user function result fasm.AddLine("xor eax, eax"); // We handled the message fasm.AddLine("retn"); fasm.AddLine("@call_original:"); fasm.AddLine("mov ecx, [esp+0x4]"); // Hwnd fasm.AddLine("mov edx, [esp+0x8]"); // Msg fasm.AddLine("mov esi, [esp+0xC]"); // WParam fasm.AddLine("mov edi, [esp+0x10]"); // LParam fasm.AddLine("mov eax, [" + m_OriginalWndProc + "]"); fasm.AddLine("push edi"); // LParam fasm.AddLine("push esi"); // WParam fasm.AddLine("push edx"); // Msg fasm.AddLine("push ecx"); // Hwnd fasm.AddLine("push eax"); // WndProc original //fasm.AddLine("call " + l_CallWindowProcW); // Call the original WndProc fasm.AddLine("retn 0x14"); // Setup our WndProc callback //memory.WriteBytes(m_WndProcFunction, D3D.OriginalBytesDX); fasm.Inject(m_WndProcFunction); // Register our WndProc callback var fasm2 = new ManagedFasm(Memory.WowProcess.ProcessHandle); fasm2.SetMemorySize(0x500); fasm2.SetPassLimit(100); fasm2.AddLine("push " + m_WndProcFunction); fasm2.AddLine("push " + GWL_WNDPROC); fasm2.AddLine("push " + m_WindowHandle); fasm2.AddLine("call " + l_SetWindowLongW); fasm2.AddLine("mov [" + m_OriginalWndProc + "], eax"); fasm2.AddLine("retn"); var ptrInject = memory.AllocateMemory(0x500); fasm2.InjectAndExecute(ptrInject); /*var l_Process = System.Diagnostics.Process.GetProcessesByName("Wow").First(); * Console.WriteLine("Using process : " + l_Process.Id + ", window " + l_Process.MainWindowHandle + ""); * * using (RemoteProcess l_RemoteProcess = new RemoteProcess((uint)l_Process.Id)) * using (var l_WndProcExecutor = new WndProcExecutor2(l_RemoteProcess, l_Process.MainWindowHandle)) * { * * LuaTest(l_RemoteProcess, l_WndProcExecutor, "print(\"Hello world motha !\")"); * * }*/ /*var t = new MyMemory.RemoteProcess((uint)Memory.WowProcess.ProcessId); * var remoteM = t.MemoryManager.AllocateMemory(0x1000); * var ptrInject = (uint)remoteM.Pointer; //memory.AllocateMemory(0x500); * * fasm2.Inject(ptrInject); * var prot = new RemoteMemoryProtection(t, remoteM.Pointer, remoteM.Size, Enumerations.MemoryProtectionFlags.Execute); * * var th = t.ThreadsManager.CreateRemoteThread((IntPtr) ptrInject, IntPtr.Zero, Enumerations.ThreadCreationFlags.Run); */ } catch (Exception e) { Logging.WriteError(e.ToString()); } }