Warden: Difference between revisions

Page is based on WoW 2.4.3 01/9/08 by kynox

Current methods of attack

• Hashing module names

Due to the fact that the module names are hashed(SHA1) and then combined with a key(HMAC-SHA1), the hashes change per request, so i have no definite hashes.

• Hashing regions of memory

Offset		Size		Description
0x420541	0xA		WS2_32.Send check
0x48A2CC	0x6		Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher	
0x48A2F0	0x5		Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher
0x48D4A0	0xC		AddChatMessage
0x490430	0xC		SendChatMessage
0x49DBB2	0x7		Protected Lua Func Check // Cypher
0x4AA9C2	0x5		FrameXML Signature Check
0x5CDC20	0x6		Unknown Falling Check	 // Cypher
0x61535A	0x9		Unknown. CGUnit_C Member Function. Uses SummonedBy/CreatedBy. ?? // Cypher
0x681778	0x5		
0x7B9D42	0x6		Unknown. Movement related. (?) Only Xref uses CInputControl. // Cypher
0x7BAA98	0xC	
0x8C8398	0x8		Maximum Wall Climb
0x8C845C	0x8		Gravity	 // Cypher
0x8F7AC8	0x8		Jump Velocity // Note from Cypher: Physics sucks ass, its not really velocity but we're calling it that anyway.
0xB93714	0x8		Unknown Login Check (Parental restrictions??) // Cypher	

An interesting thing to note about the "Unknown Login Check" is that it's in the .data segment, which is strange given that - except for this - Warden exclusively monitors 'read-only' - .text and .rdata - memory (for obvious reasons).

• Hashing relative offsets in modules/sections
• Hashing driver names
  • IPSect
  • Afde32u
  • Afde32uu
  • HideEx
• Determining if certain LUA strings are loaded

Examples are "OoOoOoooo0oOO" and "BG_DESERTER".

Countermeasures

Some countermeasures I'm willing to make public are:

• VirtualQuery - Hooking VirtualQuery, you can prevent Warden from reading data from your module.

[1] may get you started (it can be improved upon).

• Module32First/Next - You can either use these API to hide your module. An alternative to this is just to remove your module from the PEB linked list.

See [2] (scroll down).