Warden: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
Line 51: | Line 51: | ||
*'''Module32First/Next''' - You can either use these API to hide your module. An alternative to this is just to remove your module from the PEB linked list. | *'''Module32First/Next''' - You can either use these API to hide your module. An alternative to this is just to remove your module from the PEB linked list. | ||
:See [http://www.battleforums.com/forums/diablo-hacking/104427-cloakdll-cpp.html] (scroll down). | :See [http://www.battleforums.com/forums/diablo-hacking/104427-cloakdll-cpp.html] (scroll down). | ||
*'''Microsoft Windows XP''' - Our allmighty Micros**t gave us the most powerfull and 100% compliant with Blizzard ToW, EULA, etc. The tool is called guest account. Start world of warcraft using 'runas /noprofile /user:guest "<path to wow>\Wow.exe" ' and wouu have a blind Warden. The only thing that could (and will) rise a red flag at Blizzard HQ is background boting (characters performing actions in a window without focus). |
Revision as of 20:52, 19 April 2009
Page is based on WoW 2.4.3 01/9/08 by kynox
Current methods of attack
- Hashing module names
- Module: 089801ff6aca7b00bbad8d4fefeab53c75e58c61 Key: EF3FC08A
- Module: 147571bff593004edea415f2390a308d50f4d307 Key: 84A01C4B
- Module: 29ab9d8324afeec0e8a4504a738ccf61f2919392 Key: 1A44494F
- Module: 2c4060ba93f31950d9c727d7d499a62ee6b7cfb1 Key: 273A7E44
- Module: 4a91be8ec38cbdf88a60fe82eb1322829f09aff0 Key: 1AA85316
- Module: 6ec6545b867fe99ddb315ef3b7118aae341667fe Key: 446A539A
- Module: 8b0e1572e708106820abdd144bd6537363e55693 Key: 1D8A1BEB
- Module: ba1272f5c390d8d62984289a6ecb293c5a698208 Key: 777739AA
- Module: badd8b801de1b9ed3bc65bb6a7a42db5806b6008 Key: 712F9F07
- Module: bd107865a859de4f0acef954157255b7a4db7c51 Key: 381755D8
- Module: bfd6aa808dc04c2a5585c63fbb8286dc3f46b13f Key: 93A6E04A
- Module: ff76bc9112912e53a97517bd78b952e1c4f0272e Key: 5D2621D3
To obtain a hash of your DLL, refer to http://en.wikipedia.org/wiki/HMAC#Implementation "hash" is SHA-1 for Warden.
- Hashing regions of memory
Offset Size Description 0x420541 0xA WS2_32.Send check 0x48A2CC 0x6 Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher 0x48A2F0 0x5 Unknown Chat Related (Called by CGChat__AdChatMessage) // Cypher 0x48D4A0 0xC AddChatMessage 0x490430 0xC SendChatMessage 0x49DBB2 0x7 Protected Lua Func Check // Cypher 0x4AA9C2 0x5 FrameXML Signature Check 0x5CDC20 0x6 Unknown Falling Check // Cypher 0x61535A 0x9 Unknown. CGUnit_C Member Function. Uses SummonedBy/CreatedBy. ?? // Cypher 0x681778 0x5 0x7B9D42 0x6 Unknown. Movement related. (?) Only Xref uses CInputControl. // Cypher 0x7BAA98 0xC 0x8C8398 0x8 Maximum Wall Climb 0x8C845C 0x8 Gravity // Cypher 0x8F7AC8 0x8 Jump Velocity // Note from Cypher: Physics sucks ass, its not really velocity but we're calling it that anyway. 0xB93714 0x8 Unknown Login Check (Parental restrictions??) // Cypher
- An interesting thing to note about the "Unknown Login Check" is that it's in the .data segment, which is strange given that - except for this - Warden exclusively monitors 'read-only' - .text and .rdata - memory (for obvious reasons).
- Hashing relative offsets in modules/sections
- Hashing driver names
- IPSect
- Afde32u
- Afde32uu
- HideEx
- Determining if certain LUA strings are loaded
- Examples are "OoOoOoooo0oOO" and "BG_DESERTER".
Countermeasures
Some countermeasures I'm willing to make public are:
- VirtualQuery - Hooking VirtualQuery, you can prevent Warden from reading data from your module.
- [1] may get you started (it can be improved upon).
- Module32First/Next - You can either use these API to hide your module. An alternative to this is just to remove your module from the PEB linked list.
- See [2] (scroll down).
- Microsoft Windows XP - Our allmighty Micros**t gave us the most powerfull and 100% compliant with Blizzard ToW, EULA, etc. The tool is called guest account. Start world of warcraft using 'runas /noprofile /user:guest "<path to wow>\Wow.exe" ' and wouu have a blind Warden. The only thing that could (and will) rise a red flag at Blizzard HQ is background boting (characters performing actions in a window without focus).