[Release] Advanced hooking

Page 1 of 13

02/20/2011 03:25 IAmHawtness#1

Advanced hooking
Have you ever needed a simple way to control an application without having to resort to DLL injection? I decided to release a class library for .NET applications that allows you to easily manipulate a remote process by using debugging techniques.

All you have to do is add it as a reference to your project, and you're ready to use it. You can see the sample I provided if you're unsure of how it works (can easily be translated to C#, which someone already did (thanks))

The Debuggee class

Functions
AttachDebugger() - Tries to attach the debugger to the target process. Returns true if the function succeeds - returns false otherwise
DetachDebugger() - Tries to detach the debugger from the target process and remove all breakpoints. Returns true if the function succeeds - returns false otherwise
SetHardwareBreakpoint(Address) - Tries to set a hardware breakpoint at the specified address. Returns true if the function succeeds - returns false otherwise
RemoveHardwareBreakpoint(Address) - Tries to remove a hardware breakpoint at the specified address. Returns true if the function succeeds - returns false otherwise
SetMemoryBreakpoint(Address) - Tries to set a memory breakpoint at the specified address. Returns true if the function succeeds - returns false otherwise
RemoveMemoryBreakpoint(Address) - Tries to remove a memory breakpoint at the specified address. Returns true if the function succeeds - returns false otherwise
RemoveAllBreakpoints() - Tries to remove all memory and hardware breakpoints. Returns true if the function succeeds - returns false otherwise
GetModuleFunctionAddress(ModuleName, FunctionName) - Tries to retrieve the address of a function inside a module (DLL) in the target process. If the function succeeds, the return value is the address of the module/DLL function
AllocateMemory(Size) - Tries to allocate memory in the target process. The Size parameter is the amount of bytes to allocate. If the function succeeds, the return value is the address of the allocated memory
FreeMemory(Address) - Tries to free memory at the specified address. The address has to be an address provided by the AllocateMemory function, otherwise the function will fail. Returns true if the function succeeds - returns false otherwise
ReadByte/Int16/Int32/Int64(Address) - Reads from the target process' memory and returns that value
ReadString(Address, Length) - Reads a null-terminated text string from the target process' memory and returns that string
ReadByteArray(Address, Length) - Reads an array of bytes from the target process' memory and returns that array
WriteByte/Int16/Int32/Int64/String/ByteArray(Value, Address) - Writes the value to the target process' memory. Returns true if the function succeeds - returns false otherwise

Methods
RemoveDebugFlag() - Removes the debug flag from the PEB (prevents IsDebuggerPresent function from detecting the debugger)
ExecuteCode(ByteCode) - Executes the "assembly" code specified by the ByteCode parameter

Properties
hProcess - Contains a handle to the targeted process (Initialized on debugger attach)
CurrentHardwareBreakpoint - Contains the current hardware breakpoint (for use with the OnHardwareBreakpoint event)
CurrentMemoryBreakpoint - Contains the current hardware breakpoint (for use with the OnMemoryBreakpoint event)

Events
OnAttach(ref Debuggee, ref ctx) - Raised upon successful debugger attach (EXCEPTION_BREAKPOINT)
OnProcessExit(ref Debuggee, ref ctx) - Raised when the target process exits
OnAccessViolation(ref Debuggee, ref ctx) - Raised upon access violation inside the target process
OnHardwareBreakpoint(ref Deuggee, ref ctx) - Raised when a hardware breakpoint is hit inside the target process
OnMemoryBreakpoint(ref Deuggee, ref ctx) - Raised when a memory breakpoint is hit inside the target process

02/20/2011 04:35 Ian*#2

just checked it out, skimmed threw the code on the CoClient class.

Guess it'll be nice for the forum to have a working client hook, will be interesting to see what people come up with for bots. I like these much better than proxies. Looks like ya already got hooks set up for send and receive functions so now the forum's got something else to use other than the stripped project alchemy source, which I think a lot of people seem to have issues with.

Never looked at it though, proxies seem like nothing special to me. Gotta love working with memory though!

02/20/2011 10:42 ktp21091#3

how to use?

02/20/2011 11:42 IAmHawtness#4

Quote:

Originally Posted by Ian*

just checked it out, skimmed threw the code on the CoClient class.

Guess it'll be nice for the forum to have a working client hook, will be interesting to see what people come up with for bots. I like these much better than proxies. Looks like ya already got hooks set up for send and receive functions so now the forum's got something else to use other than the stripped project alchemy source, which I think a lot of people seem to have issues with.

Never looked at it though, proxies seem like nothing special to me. Gotta love working with memory though!

Yeah, I'm just not really sure if people will understand how to execute the send/recv packet functions inside CO using the Debuggee.ExecuteCode function. I mean, this is how my current code for sending a packet from client to server looks

Code:

    Public Sub SendPacket(ByVal Packet() As Byte, Length As Short)

        Dim PacketType As UShort = BitConverter.ToUInt16(Packet, 2)

        Dim PacketAddress As Integer = AllocateMemory(PacketSize)

        If PacketAddress > 0 Then

            WriteByteArray(Packet, PacketAddress)

            Dim ByteCode As New MemoryStream
            Dim CodeWriter As New BinaryWriter(ByteCode)

            [COLOR="Green"]'mov edx, packettype[/COLOR]
            CodeWriter.Write(CByte(&HBA))
            CodeWriter.Write(CInt(PacketType))

            [COLOR="Green"]'push packetsize[/COLOR]
            CodeWriter.Write(CByte(&H68))
            CodeWriter.Write(CInt(Length))

            [COLOR="Green"]'push packetaddress[/COLOR]
            CodeWriter.Write(CByte(&H68))
            CodeWriter.Write(CInt(PacketAddress))

            [COLOR="Green"]'mov esi, networkclass[/COLOR]
            CodeWriter.Write(CByte(&HBE))
            CodeWriter.Write(CInt(NetworkClass))

            [COLOR="Green"]'mov ecx, [esi+14][/COLOR]
            CodeWriter.Write(New Byte() {&H8B, &H4E, &H14})

            [COLOR="Green"]'mov eax, sendpacketfunction[/COLOR]
            CodeWriter.Write(CByte(&HB8))
            CodeWriter.Write(CInt(SendPacketFunction))

            [COLOR="Green"]'call eax[/COLOR]
            CodeWriter.Write(New Byte() {&HFF, &HD0})

            [COLOR="Green"]'ret[/COLOR]
            CodeWriter.Write(CByte(&HC3))

            [COLOR="Green"]'write to the underlying stream[/COLOR]
            CodeWriter.Flush()

            If Connected Then
                [COLOR="Green"]'execute the code[/COLOR]
                ExecuteCode(ByteCode.ToArray)
            End If

            [COLOR="Green"]'free memory afterwards[/COLOR]
            FreeMemory(PacketAddress)

        End If

    End Sub

I guess I should probably include the send/recv packet functions. Not sure if the community even wants to use this though, I just thought it'd be interesting with something different than regular proxies. This can be used for so much more though, you could use it to make bots for other games too.

02/20/2011 13:35 gabrola#5

A C# version of COClient:

Code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using AdvancedHooking;
using AdvancedHooking.Helper;

namespace CSHooking
{
    public class COClient
    {
        const int SendPacketAddress = 0x68B0B2;
        const int RecvPacketAddress = 0x688F46;

        private Debuggee _dbg;
        private int ShellExecuteAAddress = 0;
        private bool IsAttached = false;
        private int _ProcessId = 0;

        public event OnExitEventHandler OnExit;
        public event OnRecvPacketEventHandler OnRecvPacket;
        public event OnSendPacketEventHandler OnSendPacket;

        public Debuggee Dbg
        {
            get { return _dbg; }
        }

        public int ProcessId
        {
            get { return _ProcessId; }
        }

        public COClient(int ProcessID)
        {
            this._ProcessId = ProcessID;
            this._dbg = new Debuggee(ProcessID);
        }

        public bool Attach()
        {
            if (IsAttached)
                return false;

            if (_dbg.AttachDebugger())
            {
                IsAttached = true;
                _dbg.OnHardwareBreakpoint += new Debuggee.OnHardwareBreakpointEventHandler(_dbg_OnHardwareBreakpoint);
                _dbg.OnMemoryBreakpoint += new Debuggee.OnMemoryBreakpointEventHandler(_dbg_OnMemoryBreakpoint);
                _dbg.OnAttach += new Debuggee.OnAttachEventHandler(_dbg_OnAttach);
                _dbg.OnProcessExit += new Debuggee.OnProcessExitEventHandler(_dbg_OnProcessExit);

                return true;
            }
            else
            {
                return false;
            }
        }

        void _dbg_OnProcessExit(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
        {
            Detach();

            COClient refThis = this;
            if(this.OnExit != null)
                OnExit.Invoke(ref refThis);
        }

        void _dbg_OnAttach(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
        {
            Debugee.RemoveDebugFlag();
            Debugee.SetHardwareBreakpoint(SendPacketAddress);
            Debugee.SetHardwareBreakpoint(RecvPacketAddress);

            this.ShellExecuteAAddress = Debugee.GetModuleFunctionAddress("Shell32.dll", "ShellExecuteA");

            if (this.ShellExecuteAAddress > 0)
                Debugee.SetMemoryBreakpoint(this.ShellExecuteAAddress);
        }

        void _dbg_OnMemoryBreakpoint(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
        {
            if(Debugee.CurrentMemoryBreakpoint == ShellExecuteAAddress)
            {
                int hWnd = Debugee.ReadInt32(ctx.Esp + 4);
                int lpOperation = Debugee.ReadInt32(ctx.Esp + 8);
                int lpFile = Debugee.ReadInt32(ctx.Esp + 12);
                int lpParameters = Debugee.ReadInt32(ctx.Esp + 16);
                int lpDirectory = Debugee.ReadInt32(ctx.Esp + 20);
                int nShowCmd = Debugee.ReadInt32(ctx.Esp + 24);
                string File = Debugee.ReadString(new IntPtr(lpFile), 255);

                if (File == "http://co.91.com/signout/")
                    Debugee.WriteString("http://www.google.com\0", lpFile);
            }
        }

        void _dbg_OnHardwareBreakpoint(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
        {
            if(Debugee.CurrentHardwareBreakpoint == SendPacketAddress)
                HandleSentPacket(ref ctx);
            else if(Debugee.CurrentHardwareBreakpoint == RecvPacketAddress)
                HandleRecvPacket(ref ctx);
        }

        public bool Detach()
        {
            if (_dbg.DetachDebugger())
                return true;
            else
                return false;
        }

        private void HandleSentPacket(ref Helper.CONTEXT ctx)
        {
            int lpPacket = this._dbg.ReadInt32(ctx.Esp + 4);
            int Size = this._dbg.ReadInt32(ctx.Esp + 8);

            byte[] Packet = this._dbg.ReadByteArray(lpPacket, Size);

            if (this.OnSendPacket != null)
                this.OnSendPacket.Invoke(ref Packet);
        }

        private void HandleRecvPacket(ref Helper.CONTEXT ctx)
        {
            int lpPacket = this._dbg.ReadInt32(ctx.Esp + 4);
            int Size = this._dbg.ReadInt32(ctx.Esp + 8);

            byte[] Packet = this._dbg.ReadByteArray(lpPacket, Size);

            if (this.OnRecvPacket != null)
                this.OnRecvPacket.Invoke(ref Packet);
        }

        public delegate void OnExitEventHandler(ref COClient Client);
        public delegate void OnRecvPacketEventHandler(ref byte[] Packet);
        public delegate void OnSendPacketEventHandler(ref byte[] Packet);
    }
}

02/20/2011 13:58 Nullable#6

Handy stuff, thanks.

02/20/2011 15:33 darkopp#7

What is this what can do wit advanced hooking

02/20/2011 15:38 OELABOELA#8

I would use this for sure, not only for conquer but for other games like Warrock and such, because you can basicly send the attack packets to. I really would love to have this packet stuff being setup, so you have todo the filtering yourself and make something of a bot with that.

02/20/2011 16:22 pro4never#9

Very handy but the thread title just makes me feel like a h0 :(

02/20/2011 17:31 IAmHawtness#10

Quote:

Originally Posted by pro4never

Very handy but the thread title just makes me feel like a h0 :(

Lololololol, I actually gave it a lot of thought - the title of the thread/project.
At least "Advanced hooking" sounds better than like "debugging hooker". I mean.. yeah

02/20/2011 17:34 -Shunsui-#11

This is Sexy, Thanks alot

02/20/2011 20:59 pro4never#12

As usual, very impressed.

Just decided to test it out and wow... so incredibly simple to use and works great.

Super basic test example for people who are still confused...

Code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using AdvancedHooking;

namespace ProjectHooker
{
    class Program
    {
        public class COClient
        {
            const int SendPacketAddress = 0x68B0B2;
            const int RecvPacketAddress = 0x688F46;

            private Debuggee _dbg;
            private int ShellExecuteAAddress = 0;
            private bool IsAttached = false;
            private int _ProcessId = 0;

            public event OnExitEventHandler OnExit;
            public event OnRecvPacketEventHandler OnRecvPacket;
            public event OnSendPacketEventHandler OnSendPacket;

            public Debuggee Dbg
            {
                get { return _dbg; }
            }

            public int ProcessId
            {
                get { return _ProcessId; }
            }

            public COClient(int ProcessID)
            {
                this._ProcessId = ProcessID;
                this._dbg = new Debuggee(ProcessID);
            }

            public bool Attach()
            {
                if (IsAttached)
                    return false;

                if (_dbg.AttachDebugger())
                {
                    IsAttached = true;
                    _dbg.OnHardwareBreakpoint += new Debuggee.OnHardwareBreakpointEventHandler(_dbg_OnHardwareBreakpoint);
                    _dbg.OnMemoryBreakpoint += new Debuggee.OnMemoryBreakpointEventHandler(_dbg_OnMemoryBreakpoint);
                    _dbg.OnAttach += new Debuggee.OnAttachEventHandler(_dbg_OnAttach);
                    _dbg.OnProcessExit += new Debuggee.OnProcessExitEventHandler(_dbg_OnProcessExit);

                    return true;
                }
                else
                {
                    return false;
                }
            }

            void _dbg_OnProcessExit(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
            {
                Detach();

                COClient refThis = this;
                if (this.OnExit != null)
                    OnExit.Invoke(ref refThis);
            }

            void _dbg_OnAttach(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
            {
                Debugee.RemoveDebugFlag();
                Debugee.SetHardwareBreakpoint(SendPacketAddress);
                Debugee.SetHardwareBreakpoint(RecvPacketAddress);

                this.ShellExecuteAAddress = Debugee.GetModuleFunctionAddress("Shell32.dll", "ShellExecuteA");

                if (this.ShellExecuteAAddress > 0)
                    Debugee.SetMemoryBreakpoint(this.ShellExecuteAAddress);
            }

            void _dbg_OnMemoryBreakpoint(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
            {
                if (Debugee.CurrentMemoryBreakpoint == ShellExecuteAAddress)
                {
                    int hWnd = Debugee.ReadInt32(ctx.Esp + 4);
                    int lpOperation = Debugee.ReadInt32(ctx.Esp + 8);
                    int lpFile = Debugee.ReadInt32(ctx.Esp + 12);
                    int lpParameters = Debugee.ReadInt32(ctx.Esp + 16);
                    int lpDirectory = Debugee.ReadInt32(ctx.Esp + 20);
                    int nShowCmd = Debugee.ReadInt32(ctx.Esp + 24);
                    string File = Debugee.ReadString(new IntPtr(lpFile), 255);

                    if (File == "http://co.91.com/signout/")
                        Debugee.WriteString("http://www.google.com\0", lpFile);
                }
            }

            void _dbg_OnHardwareBreakpoint(ref Debuggee Debugee, ref Helper.CONTEXT ctx)
            {
                if (Debugee.CurrentHardwareBreakpoint == SendPacketAddress)
                    HandleSentPacket(ref ctx);
                else if (Debugee.CurrentHardwareBreakpoint == RecvPacketAddress)
                    HandleRecvPacket(ref ctx);
            }

            public bool Detach()
            {
                if (_dbg.DetachDebugger())
                    return true;
                else
                    return false;
            }

            private void HandleSentPacket(ref Helper.CONTEXT ctx)
            {
                int lpPacket = this._dbg.ReadInt32(ctx.Esp + 4);
                int Size = this._dbg.ReadInt32(ctx.Esp + 8);

                byte[] Packet = this._dbg.ReadByteArray(lpPacket, Size);

                if (this.OnSendPacket != null)
                    this.OnSendPacket.Invoke(ref Packet);
            }

            private void HandleRecvPacket(ref Helper.CONTEXT ctx)
            {
                int lpPacket = this._dbg.ReadInt32(ctx.Esp + 4);
                int Size = this._dbg.ReadInt32(ctx.Esp + 8);

                byte[] Packet = this._dbg.ReadByteArray(lpPacket, Size);

                if (this.OnRecvPacket != null)
                    this.OnRecvPacket.Invoke(ref Packet);
            }

            public delegate void OnExitEventHandler(ref COClient Client);
            public delegate void OnRecvPacketEventHandler(ref byte[] Packet);
            public delegate void OnSendPacketEventHandler(ref byte[] Packet);
        }

        static void Main(string[] args)
        {
            Console.WriteLine("Enter the process ID to hook");
            int PID = int.Parse(Console.ReadLine());
            COClient T = new COClient(PID);
            T.Attach();
            T.OnRecvPacket += new COClient.OnRecvPacketEventHandler(T_OnRecvPacket);
            T.OnSendPacket += new COClient.OnSendPacketEventHandler(T_OnSendPacket);
        }

        static void T_OnSendPacket(ref byte[] Packet)
        {
            Console.WriteLine("Sending packet");
        }

        static void T_OnRecvPacket(ref byte[] Packet)
        {
            Console.WriteLine("Receiving packet");
        }
    }
}

Obviously does nothing... Just figured I'd demonstrate for people how to attempt to use it.

For process ID I just used the example program to find them. I'm thinking after work though I might write a super basic bot using this for people to mess around with. Just something simple obviously.

02/21/2011 00:53 IAmHawtness#13

- Fixed some spelling errors in the AdvancedHooking.dll, re-uploaded new version.
- Added some documentation to the first post

02/21/2011 02:26 pro4never#14

Now I have the hardest decision I may have ever faced in my life....

Should I call my new proxy "Hooker: The Bot" or "ProstiBot"

So many choices :(

<edit>

So I wanna be all 'shmancy' and actually use this properly to make a proper memory based bot vs just using the send/receive functions to make a packet based bot using memory hooks...

I assume I can use a program such as cheat engine to help me find memory addresses? (although I know many of them are more complex then a fixed memory address but I can cross that bridge when I come to it)

02/21/2011 02:41 IAmHawtness#15

Quote:

Originally Posted by pro4never

Now I have the hardest decision I may have ever faced in my life....

Should I call my new proxy "Hooker: The Bot" or "ProstiBot"

So many choices :(

<edit>

So I wanna be all 'shmancy' and actually use this properly to make a proper memory based bot vs just using the send/receive functions to make a packet based bot using memory hooks...

I assume I can use a program such as cheat engine to help me find memory addresses? (although I know many of them are more complex then a fixed memory address but I can cross that bridge when I come to it)

You can easily find memory addresses using CheatEngine. Even though some values aren't fixed, it's easy to find pointers, like the PlayerBaseAddressPointer that points to the base of your character, which holds all kind of information about your character like id, name, coordinates, hp, mp, stamina, etc.

Unfortunately, you can only place 4 hardware breakpoints since that's what modern processors are limited to :(. So you've got to be creative when placing breakpoints on functions. You could of course use memory breakpoints, but these alter the memory of the executable directly, so gotta be careful :p

Page 1 of 13

Last »