[source] C# Warden scanner

**Wildbreath** · 03-05-2014

After research a DarkLinux sources i ported scanner to C# with some changes.
It works, but sometime crashes with random err codes (dunno why).
(I included a executebuffer crap, delete it if not need, just only for testing)

And yes, just remove patches before call original function and apply after - protection.

PHP Code:


using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Threading;

namespace OffSpring
{
    class Scan
    {
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate IntPtr WardenDelegate(IntPtr ptr, uint adress, uint len);

        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate void LuaExecuteBufferDelegate(string lua, string fileName, uint pState);
        private static LuaExecuteBufferDelegate LuaExecute;
        
        private static uint baseAddress = (uint)Process.GetCurrentProcess().MainModule.BaseAddress;
        private static uint moduleSize = (uint)Process.GetCurrentProcess().MainModule.ModuleMemorySize;
        
        public Scan()
        {
            LuaExecute = Memory.Instance.RegisterDelegate<LuaExecuteBufferDelegate>(baseAddress + 0x50229);
            SearchWarden(new byte[] { 0x74, 0x02, 0xF3, 0xA5, 0xB1, 0x03, 0x23, 0xCA });
        }

        private static void makeDetour(uint ptr)
        {
            Memory.Instance.Detours.RemoveAll();
            Memory.Instance.Detours.CreateAndApply(Memory.Instance.RegisterDelegate<WardenDelegate>(ptr + 0xE), new WardenDelegate(WardenCave), "WardenHook");
        }

        #region pattern scan
        private unsafe void SearchWarden(byte[] Signature)
        {
            uint currentAddr = baseAddress;
            uint Max = 0;
            int index = 0;
            uint old;
            Win32.MEMORY_BASIC_INFORMATION mbi = new Win32.MEMORY_BASIC_INFORMATION();

            do
            {
                Win32.VirtualQuery(ref currentAddr, ref mbi, sizeof(Win32.MEMORY_BASIC_INFORMATION));

                if ((mbi.RegionSize <= 0x9000) && (mbi.State == 4096) && (mbi.Type == 131072))
                {
                    if (Win32.VirtualProtect(currentAddr, mbi.RegionSize, 0x40, out old))
                    {
                        if (currentAddr < Max)
                            return;
                        else
                            Max = currentAddr;

                        for (int x = (int)currentAddr; x < (currentAddr + mbi.RegionSize); x++)
                        {
                            if (*(byte*)x == Signature[index])
                                index++;
                            else
                                index = 0;

                            if (index >= Signature.Length)
                            {
                                makeDetour((uint)(x - Signature.Length + 1));
                                return;
                            }
                        }
                    }
                }
                currentAddr += mbi.RegionSize;
            } while (true);
        }

        #endregion

        private static IntPtr WardenCave(IntPtr ptr, uint adress, uint len)
        {
            if (adress < baseAddress + moduleSize)
            {
                LuaExecute("print('found: |cffff00000x" + (adress - baseAddress).ToString("X") + "|r, length: |cff00ff00" + len.ToString() + "b|r')", "mylua.lua", 0);
            }
            return (IntPtr)Memory.Instance.Detours["WardenHook"].CallOriginal(ptr, adress, len);
        }
    }
}

**OMLinux** · 03-05-2014

Originally Posted by Wildbreath

After research a DarkLinux sources i ported scanner to C# with some changes.

Good job. Could you provide link to DarkLinux's original?

**WindGod** · 03-05-2014

Could you please share your sourcecode,If it's possible.Thanks.

**redcatH** · 03-05-2014

Complete code？？

**namreeb** · 03-05-2014

What version of wow is this for?

**Wildbreath** · 03-06-2014

Originally Posted by namreeb

What version of wow is this for?

actual, 5.4.7 17956. and yes, i fixed crashes (was removed a invalid patch, scanning works as intended)
also remove a mbi.RegionSize, mbi.State and mbi.Type check.

**r00tman** · 03-09-2014

Originally Posted by OMLinux

Good job. Could you provide link to DarkLinux's original?

DarkLiNuX Tech - EverScan ? An Open Source Warden Scanner

**Wildbreath** · 03-18-2014

it works as charm, but sometime got crash wow without any seen errors. (warden module entry found and it's readmemory hooked, but when a hook called - wow crashing)
i think it occured if warden is down (or sleep?) anyone known methods to check it?
pattern is 74 02 F3 A5 B1 03 23 CA 74 02 F3 A4 5F 5E C3 55, right?

upd: solved. was using a wrong offset to first warden function

Shout-Out

User Tag List

Thread: [source] C# Warden scanner

Thread Tools

Search Thread

[source] C# Warden scanner

Similar Threads

[Tool] EverScan - An Open Source Warden Scanner

[Question] Warden Scanner and hooking

[Release] WardenMon : A Warden Scanner

warden scanner.

[Bot:Source] Acidic Bot Source Code

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino