Hey all,
Well, I was tinkering around with Warden and its scanning functions, and I managed to unpack it and learn what APIs it uses. Here are the enumerated DLLs it imports functions from. I will highlight in RED some, if not all, of the important functions for how Warden detects your cheating. (Might be a lot of text, but you can skim to the red color.)
I'll be coding a little app/DLL that loads with WoW when the game is launched and turns off Warden's functions completely. I'm contemplating releasing it here to the public, but then Blizz will just patch my method way too fast. I'll discuss it with the admins of this board before I release anything.
(code included, if you don't know what these functions do don't ask)
KERNEL32.dll
------------
Code:
// Delphi-style `external` declarations reproduced from an import listing of
// kernel32.dll. Each entry binds a routine to the DLL both by exported name
// (`name '...'`) and by ordinal (`index N`). The ordinals are whatever the
// listing recorded for the module that was examined.
// NOTE(review): kernel32 export ordinals are not guaranteed stable across
// Windows builds, so the `index` values below identify the examined module
// only and should not be reused as import specifications elsewhere; whether a
// given compiler honours `name` or `index` when both are present should also
// be confirmed before these lines are compiled as-is.
// Two entries (IsDebuggerPresent, GetEnvironmentStrings) appear as bare names
// with no declaration reproduced.

// Cross-process handle acquisition and memory read.
function ReadProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer;
lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesRead: DWORD): BOOL;
stdcall; external 'kernel32.dll' name 'ReadProcessMemory' index 577;
function OpenProcess(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall;
external 'kernel32.dll' name 'OpenProcess' index 530;
// OS version query (ANSI variant).
function GetVersionEx(var lpVersionInformation: TOSVersionInfo): BOOL;
stdcall; external 'kernel32.dll' name 'GetVersionExA' index 400;
// Toolhelp snapshot of running processes (paired with Process32First/Next below).
function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): THandle;
stdcall;
external 'kernel32.dll' name 'CreateToolhelp32Snapshot' index 81;
// Locale-aware wide-string mapping (e.g. case or width transformations).
function LCMapStringW(Locale: LCID; dwMapFlags: DWORD; lpSrcStr: PWideChar;
cchSrc: Integer; lpDestStr: PWideChar; cchDest: Integer): Integer;
stdcall; external 'kernel32.dll' name 'LCMapStringW' index 478;
// Iteration over the Toolhelp process snapshot.
function Process32First(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL;
stdcall; external 'kernel32.dll' name 'Process32First' index 546;
function Process32Next(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL;
stdcall; external 'kernel32.dll' name 'Process32Next' index 548;
// Own-process/thread identity, last-error state, handle release, command line.
function GetCurrentProcess: THandle; stdcall;
external 'kernel32.dll' name 'GetCurrentProcess' index 266;
function GetLastError: DWORD; stdcall;
external 'kernel32.dll' name 'GetLastError' index 302;
function CloseHandle(hObject: THandle): BOOL; stdcall;
external 'kernel32.dll' name 'CloseHandle' index 31;
function GetCurrentThreadId: DWORD; stdcall;
external 'kernel32.dll' name 'GetCurrentThreadId' index 269;
function GetCommandLine: PAnsiChar; stdcall;
external 'kernel32.dll' name 'GetCommandLineA' index 219;
// Process-heap allocation.
function HeapFree(hHeap: THandle; dwFlags: DWORD; lpMem: Pointer): BOOL;
stdcall; external 'kernel32.dll' name 'HeapFree' index 443;
function HeapAlloc(hHeap: THandle; dwFlags, dwBytes: DWORD): Pointer; stdcall;
external 'kernel32.dll' name 'HeapAlloc' index 437;
function GetProcessHeap: THandle; stdcall;
external 'kernel32.dll' name 'GetProcessHeap' index 342;
// Process termination and top-level (unhandled) exception filtering.
function TerminateProcess(hProcess: THandle; uExitCode: UINT): BOOL; stdcall;
external 'kernel32.dll' name 'TerminateProcess' index 716;
function UnhandledExceptionFilter(const ExceptionInfo: TExceptionPointers):
Longint; stdcall;
external 'kernel32.dll' name 'UnhandledExceptionFilter' index 732;
function SetUnhandledExceptionFilter(lpTopLevelExceptionFilter:
TFNTopLevelExceptionFilter): TFNTopLevelExceptionFilter; stdcall;
external 'kernel32.dll' name 'SetUnhandledExceptionFilter' index 697;
// Listed as a bare name only; no declaration was reproduced for it.
IsDebuggerPresent()
// Run-time symbol and module resolution; process exit.
function GetProcAddress(hModule: HMODULE; lpProcName: LPCSTR): FARPROC;
stdcall; external 'kernel32.dll' name 'GetProcAddress' index 340;
function GetModuleHandle(lpModuleName: PAnsiChar): HMODULE; stdcall;
external 'kernel32.dll' name 'GetModuleHandleA' index 315;
procedure ExitProcess(uExitCode: UINT); stdcall;
external 'kernel32.dll' name 'ExitProcess' index 141;
// Thread-local storage slots.
function TlsGetValue(dwTlsIndex: DWORD): Pointer; stdcall;
external 'kernel32.dll' name 'TlsGetValue' index 723;
function TlsAlloc: DWORD; stdcall;
external 'kernel32.dll' name 'TlsAlloc' index 721;
function TlsSetValue(dwTlsIndex: DWORD; lpTlsValue: Pointer): BOOL; stdcall;
external 'kernel32.dll' name 'TlsSetValue' index 724;
function TlsFree(dwTlsIndex: DWORD): BOOL; stdcall;
external 'kernel32.dll' name 'TlsFree' index 722;
// Atomic counters and last-error write.
function InterlockedIncrement(var Addend: Integer): Integer; stdcall;
external 'kernel32.dll' name 'InterlockedIncrement' index 460;
procedure SetLastError(dwErrCode: DWORD); stdcall;
external 'kernel32.dll' name 'SetLastError' index 669;
function InterlockedDecrement(var Addend: Integer): Integer; stdcall;
external 'kernel32.dll' name 'InterlockedDecrement' index 457;
// Delay, standard handles, file type, startup info — the set is consistent
// with ordinary C run-time startup code, though that is an inference.
procedure Sleep(dwMilliseconds: DWORD); stdcall;
external 'kernel32.dll' name 'Sleep' index 708;
function SetHandleCount(uNumber: UINT): UINT; stdcall;
external 'kernel32.dll' name 'SetHandleCount' index 665;
function GetStdHandle(nStdHandle: DWORD): THandle; stdcall;
external 'kernel32.dll' name 'GetStdHandle' index 361;
function GetFileType(hFile: THandle): DWORD; stdcall;
external 'kernel32.dll' name 'GetFileType' index 297;
procedure GetStartupInfo(var lpStartupInfo: TStartupInfo); stdcall;
external 'kernel32.dll' name 'GetStartupInfoA' index 359;
// Critical-section teardown (Enter/Leave/Initialize appear further down).
procedure DeleteCriticalSection(var lpCriticalSection: TRTLCriticalSection);
stdcall; external 'kernel32.dll' name 'DeleteCriticalSection' index 91;
// Module path lookup and environment-block access (ANSI and wide).
function GetModuleFileName(hModule: HINST; lpFilename: PAnsiChar;
nSize: DWORD): DWORD; stdcall;
external 'kernel32.dll' name 'GetModuleFileNameA' index 313;
function FreeEnvironmentStrings(p1: PAnsiChar): BOOL; stdcall;
external 'kernel32.dll' name 'FreeEnvironmentStringsA' index 194;
// Listed as a bare name only; no declaration was reproduced for it.
GetEnvironmentStrings()
function FreeEnvironmentStringsW(p1: PWideChar): BOOL; stdcall;
external 'kernel32.dll' name 'FreeEnvironmentStringsW' index 195;
// Wide-to-multibyte string conversion.
function WideCharToMultiByte(CodePage: UINT; dwFlags: DWORD;
lpWideCharStr: LPWSTR; cchWideChar: Integer; lpMultiByteStr: LPSTR;
cchMultiByte: Integer; lpDefaultChar: LPCSTR;
lpUsedDefaultChar: PBOOL): Integer; stdcall;
external 'kernel32.dll' name 'WideCharToMultiByte' index 770;
function GetEnvironmentStringsW: PWideChar; stdcall;
external 'kernel32.dll' name 'GetEnvironmentStringsW' index 284;
// Private heaps and virtual-memory release.
function HeapDestroy(hHeap: THandle): BOOL; stdcall;
external 'kernel32.dll' name 'HeapDestroy' index 441;
function HeapCreate(flOptions, dwInitialSize, dwMaximumSize: DWORD): THandle;
stdcall; external 'kernel32.dll' name 'HeapCreate' index 439;
function VirtualFree(lpAddress: Pointer; dwSize, dwFreeType: DWORD): BOOL;
stdcall; external 'kernel32.dll' name 'VirtualFree' index 754;
// Timing sources, process id and system time.
function QueryPerformanceCounter(var lpPerformanceCount: TLargeInteger): BOOL;
stdcall;
external 'kernel32.dll' name 'QueryPerformanceCounter' index 556;
function GetTickCount: DWORD; stdcall;
external 'kernel32.dll' name 'GetTickCount' index 391;
function GetCurrentProcessId: DWORD; stdcall;
external 'kernel32.dll' name 'GetCurrentProcessId' index 267;
procedure GetSystemTimeAsFileTime(var lpSystemTimeAsFileTime: TFileTime);
stdcall;
external 'kernel32.dll' name 'GetSystemTimeAsFileTime' index 375;
// Critical-section acquire/release.
procedure LeaveCriticalSection(var lpCriticalSection: TRTLCriticalSection);
stdcall; external 'kernel32.dll' name 'LeaveCriticalSection' index 479;
procedure EnterCriticalSection(var lpCriticalSection: TRTLCriticalSection);
stdcall; external 'kernel32.dll' name 'EnterCriticalSection' index 112;
// Virtual-memory reservation/commit and heap resize/size queries.
function VirtualAlloc(lpvAddress: Pointer; dwSize, flAllocationType,
flProtect: DWORD): Pointer; stdcall;
external 'kernel32.dll' name 'VirtualAlloc' index 751;
function HeapReAlloc(hHeap: THandle; dwFlags: DWORD; lpMem: Pointer;
dwBytes: DWORD): Pointer; stdcall;
external 'kernel32.dll' name 'HeapReAlloc' index 446;
function HeapSize(hHeap: THandle; dwFlags: DWORD; lpMem: Pointer): DWORD;
stdcall; external 'kernel32.dll' name 'HeapSize' index 447;
// File write and dynamic library load (ANSI variant).
function WriteFile(hFile: THandle; const Buffer; nNumberOfBytesToWrite: DWORD;
var lpNumberOfBytesWritten: DWORD; lpOverlapped: POverlapped): BOOL;
stdcall; external 'kernel32.dll' name 'WriteFile' index 783;
function LoadLibrary(lpLibFileName: PAnsiChar): HMODULE; stdcall;
external 'kernel32.dll' name 'LoadLibraryA' index 480;
// Critical-section initialisation.
procedure InitializeCriticalSection(var lpCriticalSection:
TRTLCriticalSection); stdcall;
external 'kernel32.dll' name 'InitializeCriticalSection' index 454;
// Code-page information.
function GetCPInfo(CodePage: UINT; var lpCPInfo: TCPInfo): BOOL; stdcall;
external 'kernel32.dll' name 'GetCPInfo' index 208;
function GetACP: UINT; stdcall;
external 'kernel32.dll' name 'GetACP' index 202;
function GetOEMCP: UINT; stdcall;
external 'kernel32.dll' name 'GetOEMCP' index 327;
ADVAPI32.dll // a few things here, but not important.
USER32.dll
----------
Code:
// Delphi-style `external` declarations reproduced from an import listing of
// user32.dll, bound by exported name and ordinal (`index N`) as in the
// kernel32 section. NOTE(review): the same caveat applies — user32 ordinals
// are specific to the examined build and should not be reused as import
// specifications.

// Window-title retrieval (wide and ANSI variants).
function GetWindowTextW(hWnd: HWND; lpString: PWideChar;
nMaxCount: Integer): Integer; stdcall;
external 'user32.dll' name 'GetWindowTextW' index 358;
function GetWindowText(hWnd: HWND; lpString: PAnsiChar;
nMaxCount: Integer): Integer; stdcall;
external 'user32.dll' name 'GetWindowTextA' index 355;
// Callback-driven enumeration of top-level windows.
function EnumWindows(lpEnumFunc: TFNWndEnumProc; lParam: LPARAM): BOOL;
stdcall; external 'user32.dll' name 'EnumWindows' index 211;