How does Warden detect injections/hooks?

  1. #1
    Syltex's Avatar Sergeant Major

    Hello

    I read that if you stay private you can inject as much as you want.
    But why is it different between private and public?
    Why can't private ones be detected while public ones are?
    We all use the same Lua address to inject?

    Got a theory about it: the Warden guy downloads the bot/hack, looks at the MD5, and sends the order to detect that MD5 to Warden?

  2. #2
    whitekidney's Avatar Donator
    A private bot is more likely not to be added to Warden's "hitlist",

    and AFAIK (I may be wrong) Warden doesn't detect injections, but what you do after you inject.

  3. #3
    Syltex's Avatar Sergeant Major
    Originally Posted by whitekidney
    A private bot is more likely not to be added to Warden's "hitlist",
    and AFAIK (I may be wrong) Warden doesn't detect injections, but what you do after you inject.

    How come Mimics and eBot got detected? Wasn't it injection?

  4. #4
    -Ryuk-'s Avatar Elite User CoreCoins Purchaser Authenticator enabled
    Originally Posted by Syltex
    How come Mimics and eBot got detected? Wasn't it injection?

    They got detected via injecting, yes... but not for injecting the DLL - they check for what you do with the DLL. They can't ban you because you injected a DLL, because Fraps and many other legit programs do this. That being said, I'm sure I'm going to be corrected if I'm wrong ^^

  5. #5
    Syltex's Avatar Sergeant Major
    Originally Posted by -Ryuk-
    They got detected via injecting, yes... but not for injecting the DLL - they check for what you do with the DLL. They can't ban you because you injected a DLL, because Fraps and many other legit programs do this. That being said, I'm sure I'm going to be corrected if I'm wrong ^^

    Hm, I'm using an EndScene hook & injection for Lua, but I'm only using ASM to inject for Lua.
    Isn't that pretty safe then?

  6. #6
    Cheatz0's Avatar Member
    Originally Posted by Syltex
    Hm, I'm using an EndScene hook & injection for Lua, but I'm only using ASM to inject for Lua.
    Isn't that pretty safe then?

    Am I wrong in assuming that you are using the aHook DLL? If so, that is pretty public and would be quite easy to detect. If not, you should be relatively safe with only hooking EndScene, and not modifying/patching other parts of memory.

  7. #7
    -Ryuk-'s Avatar Elite User CoreCoins Purchaser Authenticator enabled
    Originally Posted by Syltex
    Hm, I'm using an EndScene hook & injection for Lua, but I'm only using ASM to inject for Lua.
    Isn't that pretty safe then?

    Private hook? Or using a public one like EasyHook/aHook?

    If it is private, have fun, do what you like. Just beware: if a public one is using the same method you can still get banned. If it's a public one, I think you need to get working on your own.

  8. #8
    Syltex's Avatar Sergeant Major
    Originally Posted by -Ryuk-
    Private hook? Or using a public one like EasyHook/aHook?
    If it is private, have fun, do what you like. Just beware: if a public one is using the same method you can still get banned. If it's a public one, I think you need to get working on your own.

    I'm using a hook/injection made by (can't remember his name, but he posted in the mem section)

    This will inject (Lua), hook (EndScene)
    Code:
    ; get address of EndScene
    $pDevice = _MemoryRead("0x" & hex($pDevicePtr_1), $wow, "dword")
    $pEnd = _MemoryRead("0x" & hex($pDevice + $pDevicePtr_2), $wow, "dword")
    $pScene = _MemoryRead("0x" & hex($pEnd), $wow, "dword")
    $pEndScene = _MemoryRead("0x" & hex($pScene + $oEndScene), $wow, "dword")
    ; injected code
    Global $injected_code 
    
    ; check if already hooked   
    $orig = _MemoryRead( "0x" & hex($pEndScene), $wow, "byte[64]" )
    
    ; autoit is garbage
    $orig_ptr = DllStructCreate("byte[64]")
    DllStructSetData( $orig_ptr, 1, $orig )
    
    ; check for push xxxxxxxx/ret/nop
    ; 0x68, 0xC3, 0x90
    if DllStructGetData( $orig_ptr, 1, 1 ) == 104 and _
       DllStructGetData( $orig_ptr, 1, 6 ) == -61 and DllStructGetData( $orig_ptr, 1, 7 ) == -112 Then
       
      $injected_code = _MemoryRead( "0x" & hex($pEndScene + 1), $wow, "dword" ) 
    else
      ; allocate memory to store injected code
      $injected_code = _MemVirtualAllocEx( $wow[1], 0, 2048, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE )
    
      ; Generate the STUB to be injected
      $Asm = AsmInit()
      AsmReset($Asm)
      ; save regs
      AsmAdd($Asm, "pushad")
      AsmAdd($Asm, "pushfd")
      ; check if theres something to be run
      AsmAdd($Asm, "mov esi, " & hex( $injected_code + 256 ) & "h")
      AsmAdd($Asm, "cmp dword [esi], 0" )
      AsmAdd($Asm, "jz $+73" ) ; label exit:
      ; UpdateCurMgr
      AsmAdd($Asm, "mov edx, [" & hex($OM_CLIENT_CONNECTION) & "h]")
      AsmAdd($Asm, "mov edx, [ edx + " & hex( $OM_OFFSET_1 ) & "h]")
      AsmAdd($Asm, "mov eax, fs:[2Ch]")
      AsmAdd($Asm, "mov eax, [eax]")
      AsmAdd($Asm, "add eax, 0x10")
      AsmAdd($Asm, "mov [eax], edx")
      ; DoString
      AsmAdd($Asm, "mov esi, " & hex( $injected_code + 1024 ) & "h")
      AsmAdd($Asm, "push 0" )
      AsmAdd($Asm, "push esi" )
      AsmAdd($Asm, "push esi" )
      AsmAdd($Asm, "mov eax, " &$offset& "h" )
      AsmAdd($Asm, "call eax" )
      AsmAdd($Asm, "add esp, 0Ch" )
      ; check if theres something to be returned on
      AsmAdd($Asm, "mov esi, " & hex( $injected_code + 512 ) & "h")
      AsmAdd($Asm, "cmp dword [esi], 0" )
      AsmAdd($Asm, "jz $+2D" ) ; label exit: 
    
      ; copy return string
      AsmAdd($Asm, "mov esi, eax")
      AsmAdd($Asm, "mov edi, " & hex( $injected_code + 768 ) & "h")
      AsmAdd($Asm, "copy:")
      AsmAdd($Asm, "lodsb")
      AsmAdd($Asm, "stosb")
      AsmAdd($Asm, "cmp al, 0")
      AsmAdd($Asm, "jnz @copy")
      ; clean state busy flag
      AsmAdd($Asm, "exit:")
      AsmAdd($Asm, "xor eax, eax")
      AsmAdd($Asm, "mov edi, " & hex( $injected_code + 256 ) & "h")
      AsmAdd($Asm, "stosd")
      AsmAdd($Asm, "mov edi, " & hex( $injected_code + 512 ) & "h")
      AsmAdd($Asm, "stosd")
      ; restore regs
      AsmAdd($Asm, "popfd")
      AsmAdd($Asm, "popad")
    
      ; copy injected code
      _MemoryWrite( "0x" & hex( $injected_code ), $wow, AsmGetBinary($Asm), "byte[" & $Asm[2] & "]" )
    
      ; create hook jump
      $jmpto = AsmInit()
      AsmReset( $jmpto )
      AsmAdd( $jmpto, "push " & hex( $injected_code ) & "h" )
      AsmAdd( $jmpto, "ret")
      AsmAdd( $jmpto, "nop")
    
      ; save original instructions
      _MemoryWrite( "0x" & hex($injected_code + $Asm[2]), $wow, $orig, "byte[64]" )
        
      ; disasm original bytes
      $DecodeArray = DllStructCreate("byte[" & $sizeofDecodedInst * 64 & "]")
      $ret = distorm_decode(0,  DllStructGetPtr($orig_ptr), 64, $Decode32Bits, DllStructGetPtr($DecodeArray), 64)
    
      ; parse until we can jump back
      $sumsize = 0
      If $ret[0] == $DECRES_SUCCESS Then
        For $i = 0 To $ret[1] ; number of decoded instructions
          ; get size of 1 instruction
          $instr = DllStructCreate($tagDecodedInst, DllStructGetPtr($DecodeArray) + ($i * $sizeofDecodedInst))
          $sumsize += DllStructGetData($instr, "size")
    
          ; check if we copied enough instructions
          if $sumsize >= $jmpto[2] Then
          
            ; create jump back stub
            $jmpback = AsmInit()
            AsmReset( $jmpback )
            AsmAdd( $jmpback, "push " & hex($pEndScene + $sumsize) & "h" )
            AsmAdd( $jmpback, "ret")
            AsmAdd( $jmpback, "nop")
    
            ; write jump back 
            _MemoryWrite( "0x" & hex($injected_code + $Asm[2] + $sumsize), $wow, AsmGetBinary($jmpback), "byte[" & $jmpback[2] & "]" )
            ExitLoop
          Endif	
        Next
      Endif
        
      ; write jump hook
      _MemoryWrite( "0x" & hex($pEndScene), $wow, AsmGetBinary($jmpto), "byte[" & $jmpto[2] & "]" )

  9. #9
    Cheatz0's Avatar Member
    Way too tired to look through it now, but assuming it's just a normal detour you should be relatively safe.
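
The push/ret/nop check in post #8 and the "normal detour" in post #9 both describe an inline patch over a function's first bytes. As an added example (not part of any post in this thread, and not Warden's actual logic), this is how a prologue integrity check can classify such a patch and see where it leads. The byte arrays, addresses and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum hook_kind { HOOK_NONE, HOOK_PUSH_RET, HOOK_JMP_REL32, HOOK_MODIFIED };

/* Constructed sample data: a common x86 prologue and two patched variants. */
const uint8_t CLEAN[7]    = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x6A, 0xFF};
const uint8_t PUSH_RET[7] = {0x68, 0x00, 0x00, 0xA5, 0x03, 0xC3, 0x90};
const uint8_t JMP_REL[7]  = {0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x6A, 0xFF};

/* Read a little-endian 32-bit value. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Compare the live prologue with a trusted copy (e.g. the file on disk),
 * then name the patch type if the two differ. */
enum hook_kind classify_prologue(const uint8_t *live, const uint8_t *ref, size_t len)
{
    if (memcmp(live, ref, len) == 0) return HOOK_NONE;
    if (len >= 6 && live[0] == 0x68 && live[5] == 0xC3) return HOOK_PUSH_RET;
    if (len >= 5 && live[0] == 0xE9) return HOOK_JMP_REL32;
    return HOOK_MODIFIED; /* changed bytes that match no known detour shape */
}

/* Address the detour transfers control to; 0 if not a recognised detour. */
uint32_t detour_target(const uint8_t *live, enum hook_kind kind, uint32_t func_addr)
{
    if (kind == HOOK_PUSH_RET)  return le32(live + 1);                 /* push imm32 */
    if (kind == HOOK_JMP_REL32) return func_addr + 5 + le32(live + 1); /* next + rel */
    return 0;
}

/* A target outside the owning module's image points at foreign memory. */
int outside_module(uint32_t target, uint32_t base, uint32_t size)
{
    return target < base || target - base >= size;
}

int main(void)
{
    enum hook_kind k = classify_prologue(PUSH_RET, CLEAN, sizeof CLEAN);
    uint32_t t = detour_target(PUSH_RET, k, 0x10001000u);
    printf("kind=%d target=0x%08X outside=%d\n", (int)k, (unsigned)t,
           outside_module(t, 0x10000000u, 0x00200000u));
    return 0;
}
```

The comparison against a trusted copy comes first so that functions which legitimately begin with a jump are not flagged by pattern alone.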
