Warden
Page is based on WoW 2.4.3 01/11/08 by kynox
Current methods of attack
- Hashing module names
- Because the module names are hashed (SHA1) and then combined with a key (HMAC-SHA1), the hashes change per request, so I have no definite hashes.
- Hashing regions of memory
  Offset    Size  Description
  0x420541  0xA   WS2_32.Send check
  0x48A2CC  0x6
  0x48A2F0  0x5
  0x48D4A0  0xC   AddChatMessage
  0x490430  0xC   SendChatMessage
  0x49DBB2  0x7
  0x4AA9C2  0x5   FrameXML Signature Check
  0x5CDC20  0x6
  0x61535A  0x9
  0x681778  0x5
  0x7B9D42  0x6
  0x7BAA98  0xC
  0x8C8398  0x8   Maximum Wall Climb
  0x8C845C  0x8
  0x8F7AC8  0x8   Jump Velocity
  0xB93714  0x8
- Hashing relative offsets in modules/sections
- Hashing driver names
- IPSect
- Afde32u
- Afde32uu
- HideEx
- Determining if certain Lua strings are loaded
- OoOoOoooo0oOO
- BG_DESERTER
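As an added illustration (not code from the original page), the Python below models the keyed integrity check described above, assuming the region scan uses the same per-request HMAC-SHA1 scheme the page describes for module names: the server issues a fresh key per request, each region from the table is hashed under that key, and a single patched byte in the Jump Velocity region is reported as a mismatch, while the unchanged bytes hash differently under the next key, so a recorded digest cannot be replayed. The memory image and keys are constructed stand-ins, not real client data.

```python
import hashlib
import hmac

# Region table taken from the page (offset, size). The image below is a
# constructed stand-in; offsets index into it rather than into a real process.
REGIONS = {
    "WS2_32.Send check": (0x420541, 0xA),
    "AddChatMessage": (0x48D4A0, 0xC),
    "SendChatMessage": (0x490430, 0xC),
    "Maximum Wall Climb": (0x8C8398, 0x8),
    "Jump Velocity": (0x8F7AC8, 0x8),
}
IMAGE_SIZE = 0x900000

def reference_image():
    """Constructed 'known-good' client image (deterministic filler bytes)."""
    return bytearray(bytes(range(256)) * (IMAGE_SIZE // 256))

def hash_region(image, key, offset, size):
    """HMAC-SHA1 of one memory region, keyed with the per-request key."""
    return hmac.new(key, bytes(image[offset:offset + size]), hashlib.sha1).hexdigest()

def expected_digests(key):
    """Server side: digests of the pristine regions under this request's key."""
    ref = reference_image()
    return {name: hash_region(ref, key, off, size) for name, (off, size) in REGIONS.items()}

def scan(image, key):
    """Client side: names of regions whose HMAC does not match the reference."""
    expected = expected_digests(key)
    return sorted(name for name, (off, size) in REGIONS.items()
                  if not hmac.compare_digest(hash_region(image, key, off, size), expected[name]))

def demo():
    key_a, key_b = b"request-key-0001", b"request-key-0002"  # constructed per-request keys
    clean = reference_image()
    patched = reference_image()
    off, _ = REGIONS["Jump Velocity"]
    patched[off] ^= 0xFF  # flip one byte inside the Jump Velocity region
    return {
        "clean": scan(clean, key_a),
        "patched": scan(patched, key_a),
        # same bytes, next request's key: the digest differs, so a captured digest cannot be replayed
        "replay_differs": hash_region(clean, key_a, off, 8) != hash_region(clean, key_b, off, 8),
    }

if __name__ == "__main__":
    print(demo())
```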
Countermeasures
Some countermeasures I'm willing to make public are:
- VirtualQuery - By hooking VirtualQuery, you can prevent Warden from reading data from your module.
- Module32First/Next - You can also use these APIs to hide your module.
- An alternative to this is to remove your module from the PEB linked list.