Synchronizing and thread hijacking - Page 3

Thread: Synchronizing and thread hijacking

  1. #21
    PeekMessage is called from the IAT, so you can just use an IAT hook on it. Here's a write-up on IAT hooking from my (very old, outdated, and unused) blog http://revpp.blogspot.com/2011/12/iat-hooking.html

  2. #22
    Lolrapa (Senior Member, Join Date: Mar 2014, Posts: 125)
    Hey! Nice to see you again DarkstaR. I've been looking at your code and I will try it for PeekMessage, but can you help me to understand a concept?
    I see your function just does
    Code:
    DWORD WINAPI MyGetLastError()
    {
            SetLastError(987654321);
            return OrigGetLastError();
    }
    What's up with the params sent to the original function? I'm pretty sure your code will change registers, and in my case if I do stuff in my func and then I call the original PeekMessage some registers will change. Do I have to worry about that?

  3. #23
    If you match the function prototype with your hook callback, the compiler will take care of everything for you.

  4. #24
    Lolrapa (Senior Member)
    Ahh, so you mean in the typedef. I made this from MSDN
    Code:
    typedef DWORD(WINAPI *_peekMessage)(LPMSG, HWND, UINT, UINT, UINT);
    but why when I call back
    Code:
    return OrigPeekMessage();
    It asks me for params? Shouldn't they be stored in
    Code:
    OrigPeekMessage = (_peekMessage)PlaceIATHook("peekMessageA", (DWORD)MyPeekMessage);


    Edit:

    Oooh, I think I get it!
    DWORD WINAPI MyPeekMessage() should be DWORD WINAPI MyPeekMessage(LPMSG, HWND, UINT, UINT, UINT)
    so then I just pass the parameters, and the parameters I get are the ones Tibia sends
    Last edited by Lolrapa; 05-28-2015 at 12:07 PM.

  5. #25
    Lolrapa (Senior Member)
    Thanks DarkstaR. It works, and most importantly I can understand it. Now I just have to look at the import table function to understand it. I was able to get a list of all the functions in the import table xD

    I think I could do something similar for SendOutgoinPacket, right? I want to do a packet reader to get all the packets Tibia sends, so this is the plan:
    I make a pointer to the prototype _sendPacket(BYTE* buffer, DWORD length) <-- is this right?
    then I replace this pointer in every call of the original function
    I get the packet from buffer
    And I call _sendPacket
    Last edited by Lolrapa; 05-28-2015 at 12:09 PM.

  6. #26
    SendOutgoinPacket won't be in the import table. The import table is used to import functions from Dynamic Link Libraries (.DLLs), so you'll only find those functions there. It's great for hooking Windows API functions.

  7. #27
    Lolrapa (Senior Member)
    Quote: Originally Posted by DarkstaR
    SendOutgoinPacket won't be in the import table. The import table is used to import functions from Dynamic Link Libraries (.DLLs), so you'll only find those functions there. It's great for hooking Windows API functions.
    I know, but if I have the right prototype couldn't I create a pointer to it and replace the actual call to SendPacket in Tibia's memory with that pointer? Or the other way: I could call SendPacket using that pointer, right?

  8. #28
    Yes, you could call it using a pointer and proper prototype, that's what you should be doing, check out TibiaSock. No, you can't hook it that way, because it is called using a near call which uses relative addressing.

  9. #29
    Lolrapa (Senior Member)
    Oooh! Darn!
    So I have to go back to the old method then
    Replace these five bytes
    PUSH EBP
    MOV EBP,ESP
    PUSH -1
    with a call to my function. I can't make it stop crashing though
    I'll have to keep trying :P

    Thanks for your answers, they always help me a lot!!
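
Added example, not part of the original thread: the near-call point from post #28, worked on the five prologue bytes quoted in post #29. The operand of `E8`/`E9` is a displacement from the end of the instruction, so the same bytes resolve to a different destination at a different address, and an integrity check can flag a prologue whose first instruction branches out of its own module. Function names, addresses and the module range are made up for illustration; a 32-bit little-endian target is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Displacement stored in a 5-byte E8 (CALL) or E9 (JMP) at `site`:
   measured from the end of the instruction, not an absolute pointer. */
static int32_t rel32_for(uint32_t site, uint32_t target) {
    return (int32_t)(target - (site + 5u));
}

/* Resolve the destination of an E8/E9 instruction located at `site`.
   Returns 1 and fills *target, or 0 if the first byte is another opcode. */
static int branch_target(const uint8_t *code, uint32_t site, uint32_t *target) {
    int32_t rel;
    if (code[0] != 0xE8 && code[0] != 0xE9) return 0;
    memcpy(&rel, code + 1, sizeof rel);      /* little-endian host assumed */
    *target = site + 5u + (uint32_t)rel;
    return 1;
}

/* Integrity check: a prologue whose first instruction branches outside the
   module's [base, base + size) range is a sign of an inline hook. */
static int prologue_detoured(const uint8_t *code, uint32_t func_va,
                             uint32_t base, uint32_t size) {
    uint32_t t;
    if (!branch_target(code, func_va, &t)) return 0;
    return (uint32_t)(t - base) >= size;     /* wraps when t < base */
}

/* Constructed samples (addresses are made up): the prologue quoted in the
   thread, and five bytes encoding JMP 0x10002000 placed at 0x00401000. */
static const uint8_t clean_prologue[5]  = {0x55, 0x8B, 0xEC, 0x6A, 0xFF};
static const uint8_t hooked_prologue[5] = {0xE9, 0xFB, 0x0F, 0xC0, 0x0F};

int main(void) {
    uint32_t t = 0;
    printf("rel32    = 0x%08X\n", (unsigned)rel32_for(0x00401000u, 0x10002000u));
    branch_target(hooked_prologue, 0x00401000u, &t);
    printf("target   = 0x%08X\n", (unsigned)t);
    branch_target(hooked_prologue, 0x00402000u, &t);  /* same bytes, moved */
    printf("if moved = 0x%08X\n", (unsigned)t);
    printf("clean=%d hooked=%d\n",
           prologue_detoured(clean_prologue, 0x00401000u, 0x00400000u, 0x00200000u),
           prologue_detoured(hooked_prologue, 0x00401000u, 0x00400000u, 0x00200000u));
    return 0;
}
```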

  10. #30
    Lolrapa (Senior Member)
    Hello!!
    I was able to do all that I intended with this project but I have a really odd problem. If I inject my DLL into Tibia a few times (closing and reopening Tibia), the PC starts to act strange: every program takes a really long time to open, like 3 or 4 minutes,
    Task Manager also takes several minutes to open

    I checked memory and processor consumption and everything is OK. The problem continues even when Tibia is closed, and I have to reboot to fix it.
    All programs work fine once they are running, but take an insane amount of time to open.

    I leave here my injection method, since the DLL structure is the one you sent me
    Code:
    IntPtr handle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proceso.Id);
    
    IntPtr cargarLibAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    
    IntPtr addrMemoriaReservada = VirtualAllocEx(handle, IntPtr.Zero, (uint)((dll.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    
    UIntPtr bytesEscritos;
    
    res = WriteProcessMemory(handle, addrMemoriaReservada, Encoding.Default.GetBytes(dll), (uint)((dll.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesEscritos);
    
    CreateRemoteThread(handle, param, 0, cargarLibAddr, addrMemoriaReservada, 0, IntPtr.Zero);
    Thanks!

    Edit: now Tibia always takes a really long time to open (even if I just rebooted) and a long time to log in, but once there it works fine (I don't think I modified the exe file, or if I did I didn't realize)
    If I inject a couple of times then all the programs start to take a while to open
    Last edited by Lolrapa; 05-31-2015 at 03:45 PM.
