Warden: Difference between revisions
Jump to navigation
Jump to search
| Line 6: | Line 6: | ||
'''Offset Size Description''' | '''Offset Size Description''' | ||
0x420541 0xA WS2_32.Send check | 0x420541 0xA WS2_32.Send check | ||
0x48A2CC 0x6 | 0x48A2CC 0x6 Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher | ||
0x48A2F0 0x5 | 0x48A2F0 0x5 Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher | ||
0x48D4A0 0xC AddChatMessage | 0x48D4A0 0xC AddChatMessage | ||
0x490430 0xC SendChatMessage | 0x490430 0xC SendChatMessage | ||
0x49DBB2 0x7 | 0x49DBB2 0x7 Protected Lua Func Check // Cypher | ||
0x4AA9C2 0x5 FrameXML Signature Check | 0x4AA9C2 0x5 FrameXML Signature Check | ||
0x5CDC20 0x6 | 0x5CDC20 0x6 Unknown Falling Check // Cypher | ||
0x61535A 0x9 | 0x61535A 0x9 Unknown. CGUnit_C Member Function. Uses SummonedBy/CreatedBy. ?? // Cypher | ||
0x681778 0x5 | 0x681778 0x5 | ||
0x7B9D42 0x6 | 0x7B9D42 0x6 Unknown. Movement related. (?) Only Xref uses CInputControl. // Cypher | ||
0x7BAA98 0xC | 0x7BAA98 0xC | ||
0x8C8398 0x8 Maximum Wall Climb | 0x8C8398 0x8 Maximum Wall Climb | ||
0x8C845C 0x8 | 0x8C845C 0x8 Gravity // Cypher | ||
0x8F7AC8 0x8 Jump Velocity | 0x8F7AC8 0x8 Jump Velocity | ||
0xB93714 0x8 | 0xB93714 0x8 Unknown Login Check (Parental restrictions??) // Cypher | ||
*Hashing relative offsets in modules/sections | *Hashing relative offsets in modules/sections | ||
*Hashing driver names | *Hashing driver names | ||
Revision as of 08:45, 1 September 2008
Page is based on WoW 2.4.3 01/11/08 by kynox
Current methods of attack
- Hashing module names
- Due to the fact that the module names are hashed(SHA1) and then combined with a key(HMAC-SHA1), the hashes change per request, so i have no definite hashes.
- Hashing regions of memory
Offset Size Description 0x420541 0xA WS2_32.Send check 0x48A2CC 0x6 Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher 0x48A2F0 0x5 Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher 0x48D4A0 0xC AddChatMessage 0x490430 0xC SendChatMessage 0x49DBB2 0x7 Protected Lua Func Check // Cypher 0x4AA9C2 0x5 FrameXML Signature Check 0x5CDC20 0x6 Unknown Falling Check // Cypher 0x61535A 0x9 Unknown. CGUnit_C Member Function. Uses SummonedBy/CreatedBy. ?? // Cypher 0x681778 0x5 0x7B9D42 0x6 Unknown. Movement related. (?) Only Xref uses CInputControl. // Cypher 0x7BAA98 0xC 0x8C8398 0x8 Maximum Wall Climb 0x8C845C 0x8 Gravity // Cypher 0x8F7AC8 0x8 Jump Velocity 0xB93714 0x8 Unknown Login Check (Parental restrictions??) // Cypher
- Hashing relative offsets in modules/sections
- Hashing driver names
- IPSect
- Afde32u
- Afde32uu
- HideEx
- Determining if certain LUA strings are loaded
- OoOoOoooo0oOO
- BG_DESERTER
Countermeasures
Some countermeasures I'm willing to make public are:
- VirtualQuery - Hooking VirtualQuery, you can prevent Warden from reading data from your module.
- Module32First/Next - You can either use these API to hide your module.
- An alternative to this is just to remove your module from the PEB linked list.