Warden: Difference between revisions

Page is based on WoW 2.4.3 01/11/08 by kynox

Current methods of attack

• Hashing module names
  • Due to the fact that the module names are hashed(SHA1) and then combined with a key(HMAC-SHA1), the hashes change per request, so i have no definite hashes.
• Hashing regions of memory

Offset		Size		Description
0x420541	0xA		WS2_32.Send check
0x48A2CC	0x6		Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher	
0x48A2F0	0x5		Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher
0x48D4A0	0xC		AddChatMessage
0x490430	0xC		SendChatMessage
0x49DBB2	0x7		Protected Lua Func Check // Cypher
0x4AA9C2	0x5		FrameXML Signature Check
0x5CDC20	0x6		Unknown Falling Check	 // Cypher
0x61535A	0x9		Unknown. CGUnit_C Member Function. Uses SummonedBy/CreatedBy. ?? // Cypher
0x681778	0x5		
0x7B9D42	0x6		Unknown. Movement related. (?) Only Xref uses CInputControl. // Cypher
0x7BAA98	0xC	
0x8C8398	0x8		Maximum Wall Climb
0x8C845C	0x8		Gravity	 // Cypher
0x8F7AC8	0x8		Jump Velocity
0xB93714	0x8		Unknown Login Check (Parental restrictions??) // Cypher	

An interesting thing to note about this check is that it's in the .data segment, which is strange given except for this Waren exclusively monitors 'read-only' memory (for obvious reasons)

• Hashing relative offsets in modules/sections
• Hashing driver names
  • IPSect
  • Afde32u
  • Afde32uu
  • HideEx
• Determining if certain LUA strings are loaded
  • OoOoOoooo0oOO
  • BG_DESERTER

Countermeasures

Some countermeasures I'm willing to make public are:

• VirtualQuery - Hooking VirtualQuery, you can prevent Warden from reading data from your module.
• Module32First/Next - You can either use these API to hide your module.
  • An alternative to this is just to remove your module from the PEB linked list.