Warden: Difference between revisions
Revision as of 19:31, 2 September 2008
Page is based on WoW 2.4.3 01/11/08 by kynox
Current methods of attack
- Hashing module names
- Due to the fact that the module names are hashed (SHA1) and then combined with a key (HMAC-SHA1), the hashes change per request, so I have no definite hashes.
- Hashing regions of memory
Offset    Size  Description
0x420541  0xA   WS2_32.Send check
0x48A2CC  0x6   Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher
0x48A2F0  0x5   Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher
0x48D4A0  0xC   AddChatMessage
0x490430  0xC   SendChatMessage
0x49DBB2  0x7   Protected Lua Func Check // Cypher
0x4AA9C2  0x5   FrameXML Signature Check
0x5CDC20  0x6   Unknown Falling Check // Cypher
0x61535A  0x9   Unknown. CGUnit_C Member Function. Uses SummonedBy/CreatedBy. ?? // Cypher
0x681778  0x5
0x7B9D42  0x6   Unknown. Movement related. (?) Only Xref uses CInputControl. // Cypher
0x7BAA98  0xC
0x8C8398  0x8   Maximum Wall Climb
0x8C845C  0x8   Gravity // Cypher
0x8F7AC8  0x8   Jump Velocity
0xB93714  0x8   Unknown Login Check (Parental restrictions??) // Cypher
- An interesting thing to note about the "Jump Velocity" check is that it's in the .data segment, which is strange given that, except for this one, Warden exclusively monitors read-only memory (for obvious reasons).
- Hashing relative offsets in modules/sections
- Hashing driver names
- IPSect
- Afde32u
- Afde32uu
- HideEx
- Determining if certain LUA strings are loaded
- Examples are "OoOoOoooo0oOO" and "BG_DESERTER".
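The keyed hashing described under "Hashing module names" and "Hashing regions of memory", modelled from the anti-cheat side as an added example (this is neither kynox's code nor Warden's): the offsets and sizes come from the table above, but the bytes behind them, the module names and the exact HMAC input are constructed assumptions. It shows why a per-request key leaves an observer with no fixed hashes to collect, and how the server recognises a modified region.

```python
import hashlib
import hmac
import os

# Regions (offset, size) copied from the page's table. The bytes behind them
# are constructed stand-ins, not the real WoW 2.4.3 client image.
REGIONS = [
    (0x420541, 0xA),  # WS2_32.Send check
    (0x8C8398, 0x8),  # Maximum Wall Climb
    (0x8F7AC8, 0x8),  # Jump Velocity (.data, the odd one out)
]
CLEAN_IMAGE = {
    0x420541: bytes.fromhex("8bff558bec83ec10568b"),  # constructed prologue bytes
    0x8C8398: bytes.fromhex("000000000000e03f"),      # constructed double 0.5
    0x8F7AC8: bytes.fromhex("0000000000001c40"),      # constructed double 7.0
}


def new_request_key() -> bytes:
    """Fresh key for every scan request, so captured digests cannot be replayed."""
    return os.urandom(16)


def module_name_digest(key: bytes, name: str) -> bytes:
    """Keyed digest of a module name (HMAC-SHA1 as the page states). The page
    does not specify the pre-processing, so lower-casing is an assumption."""
    return hmac.new(key, name.lower().encode(), hashlib.sha1).digest()


def client_response(image: dict, key: bytes, regions) -> dict:
    """What a client returns for one scan: HMAC-SHA1 of each region's bytes
    under the per-request key, keyed by offset."""
    return {off: hmac.new(key, image[off][:size], hashlib.sha1).digest()
            for off, size in regions}


def server_check(key: bytes, regions, response: dict) -> list:
    """Server side: recompute each digest from the known-good image and return
    the offsets whose digest is missing or different (i.e. modified regions)."""
    flagged = []
    for off, size in regions:
        expected = hmac.new(key, CLEAN_IMAGE[off][:size], hashlib.sha1).digest()
        if not hmac.compare_digest(expected, response.get(off, b"")):
            flagged.append(off)
    return flagged
```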
Countermeasures
Some countermeasures I'm willing to make public are:
- VirtualQuery - By hooking VirtualQuery, you can prevent Warden from reading data from your module.
- http://forum.gamedeception.net/showthread.php?t=13964 may get you started (it can be improved upon).
- Module32First/Next - You can hook these APIs to hide your module; an alternative is simply to remove your module from the PEB linked list.
- See http://www.battleforums.com/forums/diablo-hacking/104427-cloakdll-cpp.html (scroll down).