private void InstallHook()
{
#region Inject New Method
ManagedFasm fasm = new ManagedFasm(d3.ProcessHandle);
fasm.SetMemorySize(0x4096); // Allocate 16KB of memory
string[] endSceneHookASM = new string[]
{
// Original EndScene instructions
"mov edi, edi",
"push ebp",
"mov ebp, esp",
// Save the state of the FPU and general purpose registers
"pushfd",
"pushad",
"call " + InstallUsePower(),
"call " + InstallPressButton(),
// Restore FPU and general purpose registers
"@out:",
"popad",
"popfd",
// Return to right after where we detoured
"jmp " + (oEndScene + 5),
};
foreach (string line in RandomizeAsm(endSceneHookASM))
{
fasm.AddLine(line);
}
byte[] compiled = fasm.Assemble();
uint hookCode = AllocateMemory("EndSceneHook", compiled.Length);
fasm.Inject(hookCode);
fasm.Clear();
#endregion Inject New Method
#region Detour EndScene
origEndSceneBytes = d3.ReadBytes(oEndScene, 5);
fasm.AddLine("jmp 0x{0:X08}", hookCode);
fasm.Inject(oEndScene);
fasm.Clear();
#endregion Detour EndScene
}
public uint InjectAndExecute(string[] asm, bool allowOffline = false)
{
lock (Locker)
{
if (!allowOffline && (!Helpers.Usefuls.InGame || Helpers.Usefuls.IsLoading))
{
return(0);
}
/*List<string> asmCode = new List<string>();
* foreach (string s in asm)
* {
* asmCode.Add(s);
* if (Others.Random(0, 100) > 50)
* {
* int nR = Others.Random(1, 3);
* for (int i = nR; i >= 1; i--)
* {
* asmCode.Add(ProtectHook());
* }
* }
* }
* return (uint) Wow.Memory.WowProcess.Executor.Call(asmCode.ToArray());*/
if (!ThreadHooked)
{
return(0);
}
var fasm = new ManagedFasm(Memory.ProcessHandle);
fasm.SetMemorySize(0x1000);
fasm.SetPassLimit(100);
foreach (string s in asm)
{
fasm.AddLine(s);
}
fasm.Inject(_mInjectionCode);
Memory.WriteByte(_mExecuteRequested, 1);
Timer injectTimer = new Timer(2000);
injectTimer.Reset();
while (Memory.ReadByte(_mExecuteRequested) == 1 && !injectTimer.IsReady)
{
Thread.Sleep(1);
}
if (injectTimer.IsReady)
{
Logging.WriteError("Injection have been aborted, execution too long from " + CurrentCallStack);
return(0);
}
Memory.WriteBytes(_mInjectionCode, _mZeroBytesInjectionCodes);
uint returnValue = Memory.ReadUInt(_mResult);
return(returnValue);
}
}
public void Apply()
{
var fasm = new ManagedFasm(Memory.ProcessHandle);
fasm.SetMemorySize(0x1000);
fasm.SetPassLimit(100);
fasm.AddLine("jmp " + _mTrampoline);
fasm.Inject(JumpAddress);
}
private void CreateTrampolineDX()
{
_mTrampolineDX = Memory.AllocateMemory(0x1000);
Console.WriteLine("m_trampoline : " + _mTrampolineDX.ToString("X"));
var fasm = new ManagedFasm(Memory.ProcessHandle);
fasm.SetMemorySize(0x1000);
fasm.SetPassLimit(100);
fasm.AddLine("pushad");
fasm.AddLine("pushfd");
fasm.AddLine("mov eax, [{0}]", _mLocked); // _mLockedDX
fasm.AddLine("@execution:");
fasm.AddLine("mov eax, [{0}]", _mExecuteRequested); // DX
fasm.AddLine("test eax, eax");
fasm.AddLine("je @lockcheck");
/*fasm.AddLine("mov ebx, [{0}]", (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.SpellChecker));
* fasm.AddLine("mov eax, [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff1 + "]");
* fasm.AddLine("mov esi, [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "]");
* fasm.AddLine("mov [" + _mSavedAntiban + "], esi");
* fasm.AddLine("mov [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "], eax");*/
fasm.AddLine("call {0}", _mInjectionCode);
fasm.AddLine("mov [" + _mResult + "], eax");
/*fasm.AddLine("mov edx, {0}", (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.CTMChecker));
* fasm.AddLine("call " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.WoWTextCaller));
* fasm.AddLine("push happilyeverafter");
* fasm.AddLine("push " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.RetFromFunctionBelow));
* fasm.AddLine("jmp " + (uint) (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.CTMChecker2));
* fasm.AddLine("happilyeverafter:");*/
/*fasm.AddLine("mov ebx, [{0}]", (Wow.Memory.WowProcess.WowModule + (uint) Addresses.FunctionWow.SpellChecker));
* fasm.AddLine("mov esi, [" + _mSavedAntiban + "]");
* fasm.AddLine("mov [ebx+" + (uint) Addresses.FunctionWow.SpellCheckerOff2 + "], esi");*/
fasm.AddLine("xor eax, eax");
fasm.AddLine("mov [" + _mExecuteRequested + "], eax"); // DX
fasm.AddLine("@lockcheck:");
fasm.AddLine("mov eax, [{0}]", _mLocked); // DX
fasm.AddLine("test eax, eax");
fasm.AddLine("jne @execution");
fasm.AddLine("push 0");
fasm.AddLine("add esp, 4");
fasm.AddLine("popfd");
fasm.AddLine("popad");
Memory.WriteBytes(_mTrampolineDX, D3D.OriginalBytesDX);
fasm.AddLine("jmp " + (JumpAddressDX + D3D.OriginalBytesDX.Length));
fasm.Inject((uint)(_mTrampolineDX + D3D.OriginalBytesDX.Length));
}
/// <summary>
/// Call the specifics asm mnemonics in the message handler thread
/// </summary>
/// <param name="p_Mnemonics"></param>
/// <param name="p_BufferSize"></param>
/// <returns></returns>
public uint Call(string[] p_Mnemonics, int p_BufferSize = 0x1000)
{
using (var fasm = new ManagedFasm(Memory.WowProcess.ProcessHandle))
{
fasm.SetMemorySize(0x500);
fasm.SetPassLimit(100);
foreach (var s in p_Mnemonics)
{
fasm.AddLine(s);
}
uint ptrInject = Memory.WowMemory.Memory.AllocateMemory(p_BufferSize);
fasm.Inject(ptrInject);
return(Call(ptrInject));
}
}
private uint InstallUsePower()
{
ManagedFasm fasm = new ManagedFasm(d3.ProcessHandle);
fasm.SetMemorySize(0x4096); // Allocate 16KB of memory
AllocateMemory("UsePower_PowerInfo", 40);
AllocateMemory("UsePower_ActorPtr", 4);
AllocateMemory("UsePower_AcdPtr", 4);
AllocateMemory("UsePower_Flag", 4);
string[] asm = new string[]
{
"mov edx, [" + GetAddress("UsePower_Flag") + "]",
"cmp edx, 1",
"jne @out",
"push " + GetAddress("UsePower_AcdPtr"),
"push 1",
"push 1",
"mov esi, " + GetAddress("UsePower_PowerInfo"),
"mov eax, [" + GetAddress("UsePower_ActorPtr") + "]",
"call " + Offsets.METHOD_USEPOWER,
"add esp, 12",
"@reset:",
"mov ebp, " + GetAddress("UsePower_Flag"),
"mov edx, 0",
"mov [ebp], edx",
"@out:",
"retn"
};
foreach (string line in RandomizeAsm(asm))
{
fasm.AddLine(line);
}
byte[] compiled = fasm.Assemble();
uint address = AllocateMemory("UsePower", compiled.Length);
fasm.Inject(address);
fasm.Clear();
return(address);
}
public void ApplyDX()
{
var fasm = new ManagedFasm(Memory.ProcessHandle);
fasm.SetMemorySize(0x1000);
fasm.SetPassLimit(100);
fasm.AddLine("jmp " + _mTrampolineDX);
if (D3D.OriginalBytesDX.Length > 5)
{
fasm.AddLine("nop");
}
if (D3D.OriginalBytesDX.Length > 6)
{
fasm.AddLine("nop");
}
fasm.Inject(JumpAddressDX);
}
private uint InstallPressButton()
{
ManagedFasm fasm = new ManagedFasm(d3.ProcessHandle);
fasm.SetMemorySize(0x4096); // Allocate 16KB of memory
AllocateMemory("PressButton_Ptr", 4);
AllocateMemory("PressButton_Flag", 4);
string[] asm = new string[]
{
"mov edx, [" + GetAddress("PressButton_Flag") + "]",
"cmp edx, 1",
"jne @out",
"push 25h",
"mov ecx, [" + GetAddress("PressButton_Ptr") + "]",
"call " + Offsets.METHOD_PRESSBUTTON,
"@reset:",
"mov ebp, " + GetAddress("PressButton_Flag"),
"mov edx, 0",
"mov [ebp], edx",
"@out:",
"retn"
};
foreach (string line in RandomizeAsm(asm))
{
fasm.AddLine(line);
}
byte[] compiled = fasm.Assemble();
uint address = AllocateMemory("PressButton", compiled.Length);
fasm.Inject(address);
fasm.Clear();
return(address);
}
private void CreateTrampoline()
{
_mTrampoline = Memory.AllocateMemory(0x1000);
Console.WriteLine("m_trampoline : " + _mTrampoline.ToString("X"));
var fasm = new ManagedFasm(Memory.ProcessHandle);
fasm.SetMemorySize(0x1000);
fasm.SetPassLimit(100);
fasm.AddLine("call {0}", Wow.Memory.WowProcess.WowModule + (uint)Addresses.FunctionWow.ReturnFunc);
fasm.AddLine("pushad");
fasm.AddLine("pushfd");
fasm.AddLine("mov eax, [{0}]", _mLocked);
fasm.AddLine("@execution:");
fasm.AddLine("mov eax, [{0}]", _mExecuteRequested);
fasm.AddLine("test eax, eax");
fasm.AddLine("je @lockcheck");
fasm.AddLine("call {0}", _mInjectionCode);
fasm.AddLine("mov [" + _mResult + "], eax");
fasm.AddLine("xor eax, eax");
fasm.AddLine("mov [" + _mExecuteRequested + "], eax");
fasm.AddLine("@lockcheck:");
fasm.AddLine("mov eax, [{0}]", _mLocked);
fasm.AddLine("test eax, eax");
fasm.AddLine("jne @execution");
fasm.AddLine("popfd");
fasm.AddLine("popad");
fasm.AddLine("jmp " + (JumpAddress + D3D.OriginalBytes.Length));
fasm.Inject(_mTrampoline);
}
public WndProcExecutor(BlackMagic memory)
{
try
{
m_WindowHandle = Memory.WowProcess.MainWindowHandle;
m_Random = new Random();
m_CustomMessageCode = m_Random.Next(0x8000, 0xBFFF); // From MSDN : WM_APP (0x8000) through 0xBFFF
m_WndProcFunction = memory.AllocateMemory(0x500); // WndProc
m_OriginalWndProc = memory.AllocateMemory(0x4); // WndProcOriginalWndProc
IntPtr l_User32 = GetModuleHandle("user32.dll");
IntPtr l_CallWindowProcW = GetProcAddress(l_User32, "CallWindowProcW");
IntPtr l_SetWindowLongW = GetProcAddress(l_User32, "SetWindowLongW");
var fasm = new ManagedFasm(Memory.WowProcess.ProcessHandle);
fasm.SetMemorySize(0x1000);
fasm.SetPassLimit(100);
fasm.AddLine("mov eax, [esp+0x8]"); // Get the message code from the stack);
fasm.AddLine("cmp eax, " + m_CustomMessageCode); // Check if the message code is our custom one
fasm.AddLine("jne @call_original"); // Otherwise simply call the original WndProc
fasm.AddLine("mov eax, [esp+0xC]"); // Function pointer
fasm.AddLine("mov edx, [esp+0x10]"); // Result pointer
fasm.AddLine("push edx"); // Save result pointer
fasm.AddLine("call eax"); // Call the user function
fasm.AddLine("pop edx"); // Restore the result pointer
fasm.AddLine("mov [edx], eax"); // Save user function result
fasm.AddLine("xor eax, eax"); // We handled the message
fasm.AddLine("retn");
fasm.AddLine("@call_original:");
fasm.AddLine("mov ecx, [esp+0x4]"); // Hwnd
fasm.AddLine("mov edx, [esp+0x8]"); // Msg
fasm.AddLine("mov esi, [esp+0xC]"); // WParam
fasm.AddLine("mov edi, [esp+0x10]"); // LParam
fasm.AddLine("mov eax, [" + m_OriginalWndProc + "]");
fasm.AddLine("push edi"); // LParam
fasm.AddLine("push esi"); // WParam
fasm.AddLine("push edx"); // Msg
fasm.AddLine("push ecx"); // Hwnd
fasm.AddLine("push eax"); // WndProc original
//fasm.AddLine("call " + l_CallWindowProcW); // Call the original WndProc
fasm.AddLine("retn 0x14");
// Setup our WndProc callback
//memory.WriteBytes(m_WndProcFunction, D3D.OriginalBytesDX);
fasm.Inject(m_WndProcFunction);
// Register our WndProc callback
var fasm2 = new ManagedFasm(Memory.WowProcess.ProcessHandle);
fasm2.SetMemorySize(0x500);
fasm2.SetPassLimit(100);
fasm2.AddLine("push " + m_WndProcFunction);
fasm2.AddLine("push " + GWL_WNDPROC);
fasm2.AddLine("push " + m_WindowHandle);
fasm2.AddLine("call " + l_SetWindowLongW);
fasm2.AddLine("mov [" + m_OriginalWndProc + "], eax");
fasm2.AddLine("retn");
var ptrInject = memory.AllocateMemory(0x500);
fasm2.InjectAndExecute(ptrInject);
/*var l_Process = System.Diagnostics.Process.GetProcessesByName("Wow").First();
* Console.WriteLine("Using process : " + l_Process.Id + ", window " + l_Process.MainWindowHandle + "");
*
* using (RemoteProcess l_RemoteProcess = new RemoteProcess((uint)l_Process.Id))
* using (var l_WndProcExecutor = new WndProcExecutor2(l_RemoteProcess, l_Process.MainWindowHandle))
* {
*
* LuaTest(l_RemoteProcess, l_WndProcExecutor, "print(\"Hello world motha !\")");
*
* }*/
/*var t = new MyMemory.RemoteProcess((uint)Memory.WowProcess.ProcessId);
* var remoteM = t.MemoryManager.AllocateMemory(0x1000);
* var ptrInject = (uint)remoteM.Pointer; //memory.AllocateMemory(0x500);
*
* fasm2.Inject(ptrInject);
* var prot = new RemoteMemoryProtection(t, remoteM.Pointer, remoteM.Size, Enumerations.MemoryProtectionFlags.Execute);
*
* var th = t.ThreadsManager.CreateRemoteThread((IntPtr) ptrInject, IntPtr.Zero, Enumerations.ThreadCreationFlags.Run);
*/
}
catch (Exception e)
{
Logging.WriteError(e.ToString());
}
}
/// <summary>
/// Injects a dll into a process by hijacking the given thread and redirecting it to LoadLibrary.
/// </summary>
/// <param name="hProcess">Handle to process into which dll will be injected.</param>
/// <param name="hThread">Handle to thread that will be hijacked.</param>
/// <param name="szDllPath">Full path to the dll to be injected.</param>
/// <returns>Returns the base address of the injected dll on success, zero on failure.</returns>
public static uint InjectDllRedirectThread(IntPtr hProcess, IntPtr hThread, string szDllPath)
{
const uint INITIAL_EXIT_CODE = 0xFFFFFFFF;
if (hProcess == IntPtr.Zero)
{
throw new ArgumentNullException("hProcess");
}
if (hThread == IntPtr.Zero)
{
throw new ArgumentNullException("hThread");
}
if (szDllPath.Length == 0)
{
throw new ArgumentNullException("szDllPath");
}
if (!szDllPath.Contains("\\"))
{
szDllPath = System.IO.Path.GetFullPath(szDllPath);
}
if (!System.IO.File.Exists(szDllPath))
{
throw new ArgumentException("DLL not found.", "szDllPath");
}
uint dwBaseAddress = RETURN_ERROR;
uint lpLoadLibrary, lpAsmStub;
CONTEXT ctx;
StringBuilder AssemblyStub = new StringBuilder();
ManagedFasm fasm = new ManagedFasm(hProcess);
lpLoadLibrary = (uint)Imports.GetProcAddress(Imports.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (lpLoadLibrary == 0)
{
return(RETURN_ERROR);
}
lpAsmStub = SMemory.AllocateMemory(hProcess);
if (lpAsmStub == 0)
{
return(RETURN_ERROR);
}
if (SThread.SuspendThread(hThread) != uint.MaxValue)
{
ctx = SThread.GetThreadContext(hThread, CONTEXT_FLAGS.CONTEXT_CONTROL);
if (ctx.Eip > 0)
{
try
{
//located at lpAsmStub+0, where we can monitor LoadLibrary's exit code.
fasm.AddLine("lpExitCode dd 0x{0:X}", INITIAL_EXIT_CODE);
//lpAsmStub+4, where the actual code part starts
fasm.AddLine("push 0x{0:X}", ctx.Eip);
fasm.AddLine("pushad");
fasm.AddLine("push szDllPath");
fasm.AddLine("call 0x{0:X}", lpLoadLibrary);
fasm.AddLine("mov [lpExitCode], eax");
fasm.AddLine("popad");
fasm.AddLine("retn");
//dll path
fasm.AddLine("szDllPath db \'{0}\',0", szDllPath);
fasm.Inject(lpAsmStub);
}
catch
{
SMemory.FreeMemory(hProcess, lpAsmStub);
SThread.ResumeThread(hThread);
return(RETURN_ERROR);
}
ctx.ContextFlags = CONTEXT_FLAGS.CONTEXT_CONTROL;
ctx.Eip = lpAsmStub + 4; //skip over lpExitCode data
if (SThread.SetThreadContext(hThread, ctx))
{
if (SThread.ResumeThread(hThread) != uint.MaxValue)
{
for (int i = 0; i < 400; i++)
{
System.Threading.Thread.Sleep(5);
if ((dwBaseAddress = SMemory.ReadUInt(hProcess, lpAsmStub)) != INITIAL_EXIT_CODE)
{
break;
}
}
}
}
}
}
if (fasm != null)
{
fasm.Dispose();
fasm = null;
}
SMemory.FreeMemory(hProcess, lpAsmStub);
return(dwBaseAddress);
}
/// <summary>
/// Injects a dll into a process by hijacking the given thread and redirecting it to LoadLibrary.
/// </summary>
/// <param name="hProcess">Handle to process into which dll will be injected.</param>
/// <param name="hThread">Handle to thread that will be hijacked.</param>
/// <param name="szDllPath">Full path to the dll to be injected.</param>
/// <returns>Returns the base address of the injected dll on success, zero on failure.</returns>
public static uint InjectDllRedirectThread(IntPtr hProcess, IntPtr hThread, string szDllPath) {
const uint INITIAL_EXIT_CODE = 0xFFFFFFFF;
if (hProcess == IntPtr.Zero)
throw new ArgumentNullException("hProcess");
if (hThread == IntPtr.Zero)
throw new ArgumentNullException("hThread");
if (szDllPath.Length == 0)
throw new ArgumentNullException("szDllPath");
if (!szDllPath.Contains("\\"))
szDllPath = System.IO.Path.GetFullPath(szDllPath);
if (!System.IO.File.Exists(szDllPath))
throw new ArgumentException("DLL not found.", "szDllPath");
uint dwBaseAddress = RETURN_ERROR;
uint lpLoadLibrary, lpAsmStub;
CONTEXT ctx;
StringBuilder AssemblyStub = new StringBuilder();
ManagedFasm fasm = new ManagedFasm(hProcess);
lpLoadLibrary = (uint)Imports.GetProcAddress(Imports.GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (lpLoadLibrary == 0)
throw new Exception("Failed to get address of LoadLibraryA in kernel32.dll");
lpAsmStub = MemoryHelper.AllocateMemory(hProcess);
if (lpAsmStub == 0)
throw new Exception("Failed to allocate Memory in the Process!");
if (ThreadHelper.SuspendThread(hThread) != uint.MaxValue) {
ctx = ThreadHelper.GetThreadContext(hThread, CONTEXT_FLAGS.CONTEXT_CONTROL);
if (ctx.Eip > 0) {
try {
//located at lpAsmStub+0, where we can monitor LoadLibrary's exit code.
fasm.AddLine("lpExitCode dd 0x{0:X}", INITIAL_EXIT_CODE);
//lpAsmStub+4, where the actual code part starts
fasm.AddLine("push 0x{0:X}", ctx.Eip);
fasm.AddLine("pushad");
fasm.AddLine("push szDllPath");
fasm.AddLine("call 0x{0:X}", lpLoadLibrary);
fasm.AddLine("mov [lpExitCode], eax");
fasm.AddLine("popad");
fasm.AddLine("retn");
//dll path
fasm.AddLine("szDllPath db \'{0}\',0", szDllPath);
fasm.Inject(lpAsmStub);
} catch {
MemoryHelper.FreeMemory(hProcess, lpAsmStub);
ThreadHelper.ResumeThread(hThread);
return RETURN_ERROR;
}
ctx.ContextFlags = CONTEXT_FLAGS.CONTEXT_CONTROL;
ctx.Eip = lpAsmStub + 4; //skip over lpExitCode data
if (ThreadHelper.SetThreadContext(hThread, ctx)) {
if (ThreadHelper.ResumeThread(hThread) != uint.MaxValue) {
for (int i = 0; i < 400; i++) {
System.Threading.Thread.Sleep(5);
if ((dwBaseAddress = MemoryHelper.ReadUInt(hProcess, lpAsmStub)) != INITIAL_EXIT_CODE)
break;
}
}
}
}
}
if (fasm != null) {
fasm.Dispose();
fasm = null;
}
MemoryHelper.FreeMemory(hProcess, lpAsmStub);
return dwBaseAddress;
}