Warden: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
Line 1: | Line 1: | ||
Page is based on WoW 2.4.3 01/ | Page is based on WoW 2.4.3 01/9/08 by kynox | ||
==Current methods of attack== | ==Current methods of attack== | ||
*'''Hashing module names''' | *'''Hashing module names''' |
Revision as of 06:52, 3 September 2008
Page is based on WoW 2.4.3 01/9/08 by kynox
Current methods of attack
- Hashing module names
- Due to the fact that the module names are hashed(SHA1) and then combined with a key(HMAC-SHA1), the hashes change per request, so i have no definite hashes.
- Hashing regions of memory
Offset Size Description 0x420541 0xA WS2_32.Send check 0x48A2CC 0x6 Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher 0x48A2F0 0x5 Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher 0x48D4A0 0xC AddChatMessage 0x490430 0xC SendChatMessage 0x49DBB2 0x7 Protected Lua Func Check // Cypher 0x4AA9C2 0x5 FrameXML Signature Check 0x5CDC20 0x6 Unknown Falling Check // Cypher 0x61535A 0x9 Unknown. CGUnit_C Member Function. Uses SummonedBy/CreatedBy. ?? // Cypher 0x681778 0x5 0x7B9D42 0x6 Unknown. Movement related. (?) Only Xref uses CInputControl. // Cypher 0x7BAA98 0xC 0x8C8398 0x8 Maximum Wall Climb 0x8C845C 0x8 Gravity // Cypher 0x8F7AC8 0x8 Jump Velocity 0xB93714 0x8 Unknown Login Check (Parental restrictions??) // Cypher
- An interesting thing to note about the "Unknown Login Check" is that it's in the .data segment, which is strange given that - except for this - Waren exclusively monitors 'read-only' - .text and .rdata - memory (for obvious reasons).
- Hashing relative offsets in modules/sections
- Hashing driver names
- IPSect
- Afde32u
- Afde32uu
- HideEx
- Determining if certain LUA strings are loaded
- Examples are "OoOoOoooo0oOO" and "BG_DESERTER".
Countermeasures
Some countermeasures I'm willing to make public are:
- VirtualQuery - Hooking VirtualQuery, you can prevent Warden from reading data from your module.
- [1] may get you started (it can be improved upon).
- Module32First/Next - You can either use these API to hide your module. An alternative to this is just to remove your module from the PEB linked list.
- See [2] (scroll down).