Derp stuff
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <windows.h>
__declspec(dllexport) void InitConsole();
__declspec(dllexport) void InitSniffer();
__declspec(dllexport) void JmpPatch(void *pDest, void *pSrc, int nNops = 0);
// Convenience overload taking the two addresses as integers; it only forwards to the
// pointer overload. The casts are integer-to-pointer, so this round-trips on a 32-bit
// build only — a 32-bit unsigned long cannot carry a full pointer on x64.
__declspec(dllexport) void JmpPatch(unsigned long dest, unsigned long src, int nNops = 0) { JmpPatch((PBYTE)dest, (PBYTE)src, nNops); };
void _printf(char* str);
void OnPacketReceive();
// DLL entry point. Process attach sets up the console and the sniffer; thread attach
// only prints; DLL_THREAD_DETACH falls through into the DLL_PROCESS_DETACH teardown,
// so the teardown runs on every thread exit, not only when the process unloads us.
//
// NOTE(review): the detach path has several visible problems:
//   - TerminateThread() is handed the HMODULE, which is not a thread handle.
//   - FreeLibrary() on our own module from inside DllMain runs under the loader lock,
//     which Microsoft's DllMain guidance says not to do.
//   - Sleep() inside DllMain likewise stalls every other thread waiting on that lock.
// lpReserved is not used.
BOOL APIENTRY DllMain( HMODULE Module,
    DWORD callReason,
    LPVOID lpReserved
    )
{
    switch (callReason)
    {
    case DLL_PROCESS_ATTACH:
        InitConsole();
        InitSniffer();
        break;
    case DLL_THREAD_ATTACH:
        _printf("Got attached to a thread\n");
        break;
    case DLL_THREAD_DETACH:
        // falls through: thread detach and process detach share the teardown below
    case DLL_PROCESS_DETACH:
        _printf("Detaching ...\n");
        Sleep(100);
        FreeConsole();
        TerminateThread(Module, 0);
        FreeLibrary(Module);
        break;
    }
    return true;
}
// Presumably the routine the JMP patch is meant to land in — nothing in this file
// installs it. pushad/popad save and restore the general-purpose registers around
// the _printf call (EFLAGS is not preserved). __asm is available on 32-bit MSVC only.
void OnPacketReceive() {
    __asm pushad;
    _printf("Hello world!\n");
    __asm popad;
}
// Gives the host process a console of its own, labels it, and prints the banner
// through the file's WriteConsole wrapper (_printf).
__declspec(dllexport) void InitConsole()
{
    AllocConsole();
    SetConsoleTitle(TEXT("Flu 1.0 - Created by Warpten <vertozor@gmail.com>"));
    // Banner lines, emitted in order.
    static const char* const banner[] = {
        "Welcome to Flu 1.0\n",
        "Successfully injected - DLL is now running.\n\n"
    };
    const size_t lineCount = sizeof(banner) / sizeof(banner[0]);
    for (size_t idx = 0; idx < lineCount; ++idx) {
        // _printf is declared with a non-const char*; the literal is never written to.
        _printf(const_cast<char*>(banner[idx]));
    }
}
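// Placeholder for the client-version check: currently only logs the module handle
// of the host executable; the actual build-ID read is still commented out.
__declspec(dllexport) void InitSniffer()
{
    _printf("Checking build ID\n");
    // ReadProcessMemory(GetCurrentProcess(), 0xBB8638, // Errr .... not sure
    HMODULE wowHandle = GetModuleHandle(NULL);
    // %p is the conversion for a pointer argument; %u with a void* is undefined
    // behaviour and prints a truncated value on 64-bit.
    // NOTE(review): this line goes through the CRT's stdout rather than the
    // WriteConsole wrapper used everywhere else; after AllocConsole() the CRT stream
    // is not necessarily bound to the new console, so confirm the text actually
    // appears (or route it through _printf).
    printf("Handle %p", (void*)wowHandle);
    //if (!wowHandle)
    //_printf("Errr derp, bad shit\n");
    //BYTE clientBuild = *(BYTE*)(0x00BB8638 - 0x400000 + wowHandle);
}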
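// Writes a NUL-terminated narrow string to the process's standard output handle.
// Uses WriteConsoleA explicitly: the buffer is char*, so the generic WriteConsole
// macro would mis-handle it if the translation unit is compiled with UNICODE defined
// (the wide variant expects wchar_t and a count in characters). A null pointer or a
// missing/invalid standard handle is a silent no-op.
void _printf(char* str)
{
    if (str == NULL) return;
    HANDLE out = GetStdHandle(STD_OUTPUT_HANDLE);
    if (out == NULL || out == INVALID_HANDLE_VALUE) return;
    DWORD written = 0;
    // strlen() returns size_t; WriteConsoleA takes a DWORD character count.
    WriteConsoleA(out, str, static_cast<DWORD>(strlen(str)), &written, NULL);
}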
// Overwrites the first 5 + nNops bytes at pSrc with a relative JMP (opcode 0xE9 plus
// a 32-bit displacement) to pDest, followed by nNops single-byte NOPs (0x90),
// presumably to pad out whatever instruction the 5-byte write cut in half.
// The address arithmetic goes through DWORD, so this only holds together on a
// 32-bit build.
//
// For anyone auditing a process for this kind of modification: a protection change
// to PAGE_EXECUTE_READWRITE followed by a 0xE9 write at a code address is the
// classic inline-hook signature that code-integrity checkers look for.
__declspec(dllexport) void JmpPatch(void *pDest, void *pSrc, int nNops) {
    DWORD OldProt;
    // Make the target range writable; the previous protection is kept to restore it.
    VirtualProtect(pSrc, 5 + nNops, PAGE_EXECUTE_READWRITE, &OldProt);
    *(char*)pSrc = (char)0xE9;
    // rel32 is measured from the end of the 5-byte JMP instruction.
    *(DWORD*)((DWORD)pSrc + 1) = (DWORD)pDest - (DWORD)pSrc - 5;
    for (int i = 0; i < nNops; ++i) { *(BYTE*)((DWORD)pSrc + 5 + i) = 0x90; }
    VirtualProtect(pSrc, 5 + nNops, OldProt, &OldProt);
}
#undef UNICODE
#include <windows.h>
#include <windowsx.h>
#include <iostream>
#include <cstdio>
#include <string>
#include <vector>
#include <string>
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
#include <psapi.h>
#pragma comment(lib, "psapi.lib")
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
#define CLIENT_BUILD_335 12340
#define CLIENT_BUILD_434 15595
#define HookAddrCMSG 0x77B16A // 5.0.5 (Rebased to 0x0)
#include "Helper.h"
#include <strsafe.h>
#include <direct.h>
#include <sstream>
#include <algorithm>
void ErrorExit(LPTSTR lpszFunction);
void CheckClientBuild(HANDLE clientHandle, DWORD address, int len, void* buffer);
HMODULE WINAPI GetRemoteModuleHandle(HANDLE hProcess, LPCSTR lpModuleName);
std::string GetDllPath();
// Injector entry point: finds a running Wow.exe, opens it, and loads InjectedDLL.dll
// (located next to this executable) into it through a remote thread that calls
// LoadLibraryA. From a defender's point of view this is the textbook remote-thread
// injection chain (OpenProcess with a full access mask -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread on LoadLibraryA), which is exactly the
// sequence endpoint monitoring tends to alert on.
int main()
{
    std::cout << "Welcome to Flu - World of Warcraft 4.3.4.15595 Sniffer" << std::endl;
    std::cout << "Written by Warpten <vertozor@gmail.com>" << std::endl << std::endl;
    // EnableTokenPrivilege(SE_DEBUG_NAME);
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    HANDLE tool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    // NOTE(review): the Process32First result is discarded and the loop only calls
    // Process32Next, so the first snapshot entry is never compared. The snapshot
    // handle is not checked for INVALID_HANDLE_VALUE either.
    BOOL process = Process32First(tool32, &pe32);
    bool foundWow = false;
    while ((Process32Next(tool32, &pe32)) == TRUE) {
        // Exact, case-sensitive match on the image name.
        if (strcmp(pe32.szExeFile, "Wow.exe") != 0)
            continue;
        foundWow = true;
        break;
    }
    CloseHandle(tool32);
    if (!foundWow) {
        std::cout << "Wow.exe is not running." << std::endl;
        return 1;
    }
    // 1. Grab the handle -- [[
    // 0x1FFFFF is a hard-coded all-access mask; the narrower CREATE_THREAD_ACCESS
    // macro defined at the top of this file is not used here.
    HANDLE clientHandle = OpenProcess(0x1FFFFFu, FALSE, pe32.th32ProcessID);
    if (!clientHandle) {
        ErrorExit("OpenProcess()");
        return 1;
    }
    // ]]
    // 2. Get path to executable -- [[
    // TCHAR is char here because UNICODE is #undef'd at the top of the file.
    TCHAR wowPath[MAX_PATH];
    if (!GetModuleFileNameEx(clientHandle, NULL, wowPath, MAX_PATH)) { // Serious shit going on, invoke GetLastError here.
        ErrorExit("GetModuleFileNameEx(clientHandle, NULL, wowPath, MAX_PATH)");
        return 1;
    }
    std::cout << "Wow exe found at: " << wowPath << std::endl;
    // ]]
    // 3. Find the path to the DLL (same folder where we are)
    std::string injectedDLL = GetDllPath();
    // 4. Check if DLL is already injected.
    /*// 5. Check build
    char clientBuild[6] = {0};
    CheckClientBuild(clientHandle, 0x00BB8638, 6, &clientBuild);
    printf("Tried reading client build: %s, %u", clientBuild, (void*)clientModule);*/
    // 5. Get LoadLibraryAddr
    LPVOID LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    // 6. Allocate memory inside Wow.exe and write dll path it
    // NOTE(review): none of the results below (allocation, write, thread creation)
    // are inspected, so a failed injection still exits with status 0, and the thread
    // handle returned into dllHandle is never closed.
    LPVOID allocatedBlock = (LPVOID)VirtualAllocEx(clientHandle, NULL, injectedDLL.size(), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(clientHandle, allocatedBlock, injectedDLL.c_str(), injectedDLL.size(), NULL);
    // 7. Create a thread inside a virtual address space of Wow.exe
    HANDLE dllHandle = CreateRemoteThread(clientHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, allocatedBlock, NULL, NULL);
    CloseHandle(clientHandle);
    return 0;
}
// Thin wrapper: copies `len` bytes from `address` in the target process into
// `buffer`. The result of ReadProcessMemory is not examined, so a failed or short
// read leaves `buffer` unchanged without any signal to the caller.
void CheckClientBuild(HANDLE clientHandle, DWORD address, int len, void* buffer)
{
    LPCVOID remoteAddress = reinterpret_cast<LPCVOID>(address);
    SIZE_T byteCount = static_cast<SIZE_T>(len);
    ReadProcessMemory(clientHandle, remoteAddress, buffer, byteCount, NULL);
}
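// Shows "<function> failed with error <code> : <message>" in a message box for the
// calling thread's last-error code, then terminates the process with that code.
// lpszFunction: text naming the call that failed (callers pass string literals).
// Does not return. Fixes relative to the MSDN sample this is based on: the message
// buffer is initialised and a FormatMessage failure no longer reads an
// uninitialised pointer, a NULL LocalAlloc result is handled, and the error code
// is printed with %u since it is an unsigned DWORD.
void ErrorExit(LPTSTR lpszFunction)
{
    // Capture the code first: every call below may overwrite last-error.
    DWORD dw = GetLastError();
    LPVOID lpMsgBuf = NULL;
    DWORD msgLen = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                                 NULL,
                                 dw,
                                 MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                                 (LPTSTR) &lpMsgBuf,
                                 0, NULL);
    // FormatMessage can fail (unknown code, allocation failure); use a fixed
    // description instead of dereferencing whatever lpMsgBuf holds.
    LPCTSTR msgText = (msgLen != 0 && lpMsgBuf != NULL)
                          ? (LPCTSTR)lpMsgBuf
                          : TEXT("(no description available)");
    // Room for both strings, the fixed text and the decimal code (the +40 slack
    // comes from the original).
    size_t charCount = (size_t)lstrlen(msgText) + (size_t)lstrlen((LPCTSTR)lpszFunction) + 40;
    LPVOID lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT, charCount * sizeof(TCHAR));
    if (lpDisplayBuf != NULL) {
        StringCchPrintf((LPTSTR)lpDisplayBuf,
                        LocalSize(lpDisplayBuf) / sizeof(TCHAR),
                        TEXT("%s failed with error %u : %s"),
                        lpszFunction, dw, msgText);
        MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);
        LocalFree(lpDisplayBuf);
    } else {
        // Out of memory for the formatted line: still surface the failing call.
        MessageBox(NULL, (LPCTSTR)lpszFunction, TEXT("Error"), MB_OK);
    }
    if (lpMsgBuf != NULL)
        LocalFree(lpMsgBuf);
    ExitProcess(dw);
}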
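// Returns the path of "InjectedDLL.dll" in the directory of the running executable,
// with backslashes converted to forward slashes. On failure to resolve our own path
// ErrorExit() terminates the process; the return that follows it is only a
// well-formed fallback (the original returned NULL, which constructs std::string
// from a null pointer).
std::string GetDllPath()
{
    char currentPath[MAX_PATH] = {0};
    DWORD pathLen = GetModuleFileName(NULL, currentPath, MAX_PATH);
    if (pathLen == 0) { // Serious problem; ErrorExit reports GetLastError and exits.
        ErrorExit("GetModuleFileName(NULL, currentPath, MAX_PATH)");
        return std::string();
    }
    std::string directory(currentPath);
    // Keep everything up to and including the last separator. With no separator at
    // all the original wrapped npos + 1 around to 0 and erased the whole string,
    // yielding a bare relative filename; do that explicitly instead of relying on
    // the wrap.
    std::string::size_type sep = directory.find_last_of('\\');
    if (sep == std::string::npos)
        directory.clear();
    else
        directory.erase(sep + 1);
    std::string injectedDLL = directory + "InjectedDLL.dll";
    std::replace(injectedDLL.begin(), injectedDLL.end(), '\\', '/');
    return injectedDLL;
}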