Warden: Difference between revisions

From wowdev
(No edit summary.) Diff at source line 4: this revision adds a Description column to the memory-region table, labelling 0x420541 (WS2_32.Send check), 0x48D4A0 (AddChatMessage), 0x490430 (SendChatMessage), 0x4AA9C2 (FrameXML Signature Check), 0x8C8398 (Maximum Wall Climb) and 0x8F7AC8 (Jump Velocity); the offsets, sizes and the other bullets are unchanged.

Revision as of 05:32, 1 September 2008

Page is based on WoW 2.4.3 01/11/08 by kynox

Current methods of attack

  • Hashing module names
    • Because the module names are hashed (SHA1) and then combined with a per-request key (HMAC-SHA1), the hashes change with every request, so I have no fixed hashes to list.
  • Hashing regions of memory
Offset     Size  Description
0x420541   0xA   WS2_32.Send check
0x48A2CC   0x6
0x48A2F0   0x5
0x48D4A0   0xC   AddChatMessage
0x490430   0xC   SendChatMessage
0x49DBB2   0x7
0x4AA9C2   0x5   FrameXML Signature Check
0x5CDC20   0x6
0x61535A   0x9
0x681778   0x5
0x7B9D42   0x6
0x7BAA98   0xC
0x8C8398   0x8   Maximum Wall Climb
0x8C845C   0x8
0x8F7AC8   0x8   Jump Velocity
0xB93714   0x8
  • Hashing relative offsets in modules/sections
  • Hashing driver names
    • IPSect
    • Afde32u
    • Afde32uu
    • HideEx
  • Determining if certain Lua strings are loaded
    • OoOoOoooo0oOO
    • BG_DESERTER
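As an added illustration of the two hashing methods above (example code written for this page, not Warden's own code and not the author's): SHA1 of the module name wrapped in HMAC-SHA1 under a per-request key, so the same module reports a different hash on every request and a static hash list is useless, and SHA1 over the fixed (offset, size) windows from the table, compared against a recorded baseline to flag a patched region. The lower-casing, the UTF-16-LE encoding of the name and the memory image are assumptions.

```python
import hashlib
import hmac

# Offsets and sizes taken from the page's memory-region table (WoW 2.4.3).
REGIONS = {
    0x420541: 0xA,   # WS2_32.Send check
    0x48D4A0: 0xC,   # AddChatMessage
    0x490430: 0xC,   # SendChatMessage
    0x4AA9C2: 0x5,   # FrameXML Signature Check
    0x8C8398: 0x8,   # Maximum Wall Climb
    0x8F7AC8: 0x8,   # Jump Velocity
}

def hash_module_name(name: str, request_key: bytes) -> bytes:
    """SHA1 of the module name, then HMAC-SHA1 of that digest under the
    per-request key. The composition follows the page; lower-casing the
    name and encoding it as UTF-16-LE are assumptions."""
    inner = hashlib.sha1(name.lower().encode("utf-16-le")).digest()
    return hmac.new(request_key, inner, hashlib.sha1).digest()

def hash_regions(image: bytes, regions: dict) -> dict:
    """SHA1 over each (offset, size) window of a flat memory image."""
    return {off: hashlib.sha1(image[off:off + size]).digest()
            for off, size in regions.items()}

def tampered_regions(baseline: dict, image: bytes, regions: dict) -> list:
    """Offsets whose current hash no longer matches the recorded baseline."""
    current = hash_regions(image, regions)
    return sorted(off for off in regions if current[off] != baseline[off])

def demo():
    # Constructed memory image: 12 MiB of 0x90; nothing like the real client.
    image = bytearray(b"\x90" * 0xC00000)
    baseline = hash_regions(image, REGIONS)
    image[0x8F7AC8] = 0xCC                  # patch one byte of "Jump Velocity"
    hits = tampered_regions(baseline, image, REGIONS)
    # Same module name under two request keys: the reported hash differs.
    key1, key2 = b"\x01" * 16, b"\x02" * 16
    h1 = hash_module_name("ws2_32.dll", key1)
    h2 = hash_module_name("ws2_32.dll", key2)
    return hits, h1 != h2

if __name__ == "__main__":
    hits, key_dependent = demo()
    print([hex(h) for h in hits], key_dependent)
```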

Countermeasures

Some countermeasures I'm willing to make public are:

  • VirtualQuery - by hooking VirtualQuery you can prevent Warden from reading data from your module.
  • Module32First/Next - you can also use these APIs to hide your module.
    • An alternative to this is just to remove your module from the PEB linked list.