Analysis of Ros-Bot's new Hiding Mechanism

[Torpedoes]

As some of you may know, DemonBuddy has recently reported that Warden has been updated with functionality that scans all external processes interacting with Diablo 3 and hearthstone. This includes successful detection of both TurboHud and Ros-Bot.

As a long-time user of Ros-Bot I was immediately concerned about my future botting endeavors. Not yet clear on whether a ban would actually happen, the developers of Ros-Bot have decided to take a proactive approach and incorporate a mechanism of hiding itself from the game client.

Unfortunately, they have been very quiet on the specifics, mentioning only that the Ros-Bot process is hidden from the game by means of injection. Naturally I wanted to know exactly what was happening since all injections end up getting banned at one point or another (see PQR, Buddy, and others).

Knowing that there is only one realistic method of hiding a process from another, I immediately downloaded the latest version of Ros-Bot (1.1.37576) and noticed that there were no additional DLL’s in the main directory. Surly they must get their code into the client somehow. So I fired up my test account and put a breakpoint on WriteProcessMemory. Immediately following that, the breakpoint hit and I had my first few results.

It looked like Ros-Bot dynamically generated a DLL based on certain addresses it found within the client. It probably uses an assembler to do this. Next, it allocated enough memory to store this module and in a series of six writes, it copied the entire module over, section by section, starting with the header and ending with the metadata xml. After each write the region was marked as read + execute.

Code:

Write Sizes
===========
1: 1F8
2: DE00
3: 6400
4: C00
5: 200
6: 200
===========
153F8 Bytes

I went ahead and dumped the resulting DLL (base64 version available here) for further analysis. Without diving in too deep I found a couple interesting things. First, the DLL appeared to make use of the MinHook library. Second the DLL did something with CreateToolhelp32Snapshot and some other functions. And third, the following string:

Code:

C:\Users\Baptiste\Documents\VS\AieBot\trunk\Release\Hider.pdb

After copying the DLL, one final write was performed, consisting of 20 bytes with the code below. This code was written to a newly allocated page which was also marked as read + execute. This page was later removed before the bot actually started. Here’s a screenshot.

Code:

PUSH 0
PUSH 1
PUSH Start_of_DLL
CALL DWORD PTR [ESP + 10]
RET

Obviously, the question was, did any of this actually work? With all these writes I’m a bit puzzled as to how it would work in the first place since no active code appears to be replaced. But anyhow, I went ahead and conducted a quick test. EDIT: The code above is probably written as an entry point for CreateRemoteThread, then removed to remove any evidence of it while the game is paused - perhaps through a debugger?

I wrote a DLL which would sleep for 20 seconds and then print the PID’s and names of all processes running on the system using the CreateToolhelp32Snapshot and EnumProcesses functions. I then injected the DLL directly into Diablo 3 and started Ros-Bot. Unfortunately Ros-Bot.exe was still visible. So either the test was bad or this system just doesn’t work.

Either way I look forward to following this more as it unfolds. In the meantime I would hold off on any botting until this is resolved. Also keep in mind that I am by no means an expert but I do my best to interpret the information I see. Please let me know if any of this information is incorrect.

EDIT: More research revealed that this is a well known method of injecting a DLL. Here's some information with regards to detecting manual DLL injections.

[gumen]

Hi

Check the answer here: https://www.ros-bot.com/comment/88347#comment-88347
If you wanna have some sort of a technical discussion, send me a message.

Cheers

[WiNiFiX]

I noticed something that the Ros-Bot team may want to look into - when Ros-Bot starts and attaches to Diablo then api-ms-win-core-synch-l1-2-0.DLL starts aswell - this may be nothing to worry about but it only occurs with RosBot - Demonbuddy does not have this issue.
I was however not able to see the EXE listed under the running modules like Torpedoes, but I may have been looking at it funny

Code:

        void EnumProcessModules(uint procId)  // Diablo III process Id
        {
            var snapshot = CreateToolhelp32Snapshot(SnapshotFlags.Module | SnapshotFlags.Module32, procId);
            MODULEENTRY32 mod = new MODULEENTRY32() { dwSize = (uint)Marshal.SizeOf(typeof(MODULEENTRY32)) };
            if (!Module32First(snapshot, ref mod))
                return;

            List<string> modules = new List<string>();
            do
            {
                log.AppendText(mod.szModule + Environment.NewLine);  // List all processes in Diablo 3.
                modules.Add(mod.szModule);
            }
            while (Module32Next(snapshot, ref mod));
        }

Full Code @ https://codeshare.io/winifix

[Torpedoes]

I was however not able to see the EXE listed under the running modules like Torpedoes, but I may have been looking at it funny

I can't guarantee that my test was conducted correctly. It could work, but perhaps not in the way I was testing.

[WiNiFiX]

I can't guarantee that my test was conducted correctly. It could work, but perhaps not in the way I was testing.

Would you please share your code because I think it may be a mistake on my part, when i use "Sys-internals Process Explorer" it does find Ros-Bot.exe running as/under Diablo III.exe

[KillerJohn]

Based on the past 15 years, fighting against Warden is kinda pointless. This is only my subjective opinion though

[Torpedoes]

Based on the past 15 years, fighting against Warden is kinda pointless. This is only my subjective opinion though :)

Hey KillerJohn, thanks for all the great work you've put into TurboHUD. And you're also right about Warden.

Would you please share your code because I think it may be a mistake on my part.

Sure. Here's the source code for the DLL I wrote which, when injected into Diablo 3, prints out the processes returned by both CreateToolhelp32Snapshot and EnumProcesses. The actual console printing functions have been removed and replaced with comments for simpler understanding and integration into your own framework. Plus I don't want to share my console code :-P

Code:

#include <Windows.h>
#include <tlhelp32.h>
#include <Psapi.h>
static HINSTANCE gInst;

void PerformFunction (void)
{
    HANDLE snap = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);

    if (snap == INVALID_HANDLE_VALUE)
        return;

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof
        (PROCESSENTRY32);

    if (!Process32First (snap, &pe32))
        { CloseHandle (snap); return; }

    do
    {
        // OUTPUT: pe32.th32ProcessID
        // OUTPUT: pe32.szExeFile

    } while (Process32Next (snap, &pe32));

    CloseHandle (snap);

    DWORD list[4096], size = 0;
    if (!EnumProcesses (list, sizeof (list), &size))
        return;

    DWORD count = size / sizeof (DWORD);
    for (DWORD i = 0; i < count; ++i) {
        // OUTPUT: list[i]
    }
}

DWORD WINAPI Entry (LPVOID param)
{
    Sleep (20000); PerformFunction();

    while (true)
    {
        Sleep (10);
        if (GetAsyncKeyState (VK_F12))
            break;
    }

    FreeLibraryAndExitThread (gInst, 0);
    return 0;
}

BOOL WINAPI DllMain (HINSTANCE inst,
      DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        gInst = inst;
        CreateThread (NULL, NULL, Entry,
                      NULL, NULL, NULL);
    }

    return TRUE;
}

[bastiflew]

Hi,

Don't inject anything in diablo 3 process unless you know what you are doing. Warden scans modules, and you will be banned doing this.
This is a bad idea to inject the above code.

[Torpedoes]

Don't inject anything in diablo 3 process unless you know what you are doing. Warden scans modules, and you will be banned doing this.
This is a bad idea to inject the above code.

You do realize that the code above is for research purposes only, right? intended for people that know what they're doing... But either way you probably wouldn't get banned cause it's not doing anything anyways. There are plenty of legitimate tools that inject themselves into games, like Steam Overlay. You won't get banned for just loading a DLL.