Warden

From wowdev

Revision as of 05:32, 1 September 2008 by Kynox (talk | contribs) (→‎Current methods of attack)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Page is based on WoW 2.4.3 01/11/08 by kynox

Current methods of attack

Hashing module names
- Due to the fact that the module names are hashed(SHA1) and then combined with a key(HMAC-SHA1), the hashes change per request, so i have no definite hashes.
Hashing regions of memory

Offset		Size		Description
0x420541	0xA		WS2_32.Send check
0x48A2CC	0x6	
0x48A2F0	0x5	
0x48D4A0	0xC		AddChatMessage
0x490430	0xC		SendChatMessage
0x49DBB2	0x7	
0x4AA9C2	0x5		FrameXML Signature Check
0x5CDC20	0x6	
0x61535A	0x9	
0x681778	0x5	
0x7B9D42	0x6	
0x7BAA98	0xC	
0x8C8398	0x8		Maximum Wall Climb
0x8C845C	0x8	
0x8F7AC8	0x8		Jump Velocity
0xB93714	0x8

Hashing relative offsets in modules/sections
Hashing driver names
- IPSect
- Afde32u
- Afde32uu
- HideEx
Determining if certain LUA strings are loaded
- OoOoOoooo0oOO
- BG_DESERTER

Countermeasures

Some countermeasures I'm willing to make public are:

VirtualQuery - Hooking VirtualQuery, you can prevent Warden from reading data from your module.
Module32First/Next - You can either use these API to hide your module.
- An alternative to this is just to remove your module from the PEB linked list.

Retrieved from "https://wowdev.wiki/index.php?title=Warden&oldid=1454"