Hookshark results for bots

[Jaerin]

So I thought I would take a look and see what could be seen with Hook shark on the bots I have available to me. Below are the screenshots of those results.

Each of these were scanned while sitting at the login screen with nothing active, but the bot attached to the process. Combine this information with the list of scans in the other Warden thread and you can see for yourself if your bot of choice is detected or not currently.

Judge for yourself:

Immortal Bot w/ maphack + minimap ESP turned on


Immortal Bot w/ maphack + minimap ESP turned off


HellBuddy


Demonbuddy

[sp0t]

DB, ftw... As far as detection goes. Lol

[GilesSmith]

Really good & interesting stuff - speaks for itself even without understanding the technicalities of those hooks etc. Thanks for sharing!

[Cypher]

Another thing worth checking is how the bot is doing their code injection.

I haven't looked at the D3 bots personally, but I know that there were a scary amount of WoW bots that were injecting DLLs, then unlinking themselves from the PEB because whoever wrote it thought that made their DLL invisible. Nope.avi. Even if you manually map though, you still need some form of polymorphism to avoid Warden hashing your code (because even if you disable their memory region checks they can still get you by slipping code into the game engine to avoid using Warden to detect you at all -- i.e. how LuaNinja got pinched, and other bots/hacks have been detected with code slipped into the client in a similar manner).

That's not to say that you're 'undetectable' then (you'll still want a 'tripwire'-esque system), but at least then the Warden guy actually needs to put in some work, otherwise you're just begging to be blacklisted.

[MaiN]

Try to compare this to some legit applications such as Fraps and Steam (launch Diablo via Steam so you get the steam overlay).

[belowme81]

Try to compare this to some legit applications such as Fraps and Steam (launch Diablo via Steam so you get the steam overlay).

I would love to see this as well.

[Cypher]

Try to compare this to some legit applications such as Fraps and Steam (launch Diablo via Steam so you get the steam overlay).

Last time I checked, Steam and Fraps were both extremely invasive. They're known 'good' programs though so it doesn't matter. They typically get whitelisted by anti-cheat software (e.g. PB).

I know that you know that though, so I think I may be missing the point...

[Beaving]

So, I guess it would be good to hook to Fraps or Steam in order to prevent detection? Of course given that the software developers of those programs don't provide a constant stream of file hashes.

[Cypher]

So, I guess it would be good to hook to Fraps or Steam in order to prevent detection? Of course given that the software developers of those programs don't provide a constant stream of file hashes.

Pretty sure PunkBuster still detects and kicks you for that. Warden simply doesn't care (unless you're public, at which point hooking Fraps etc won't help you).

[Miksu]

Very interesting thread REP+ OP

[sw1777817]

I remember playing a F2P game that used Xtrap and they were kicking people for having xfire open.
what had happened was some people had used the xfire interface to load their hacks in.... well xtrap figured it out and was keeping people from logging in to the game with xfire open.....
I can't remember where I was reading that some people were trying to use both the fraps and steam overlay stuff (even messing with teamspeak/skype stuff) to pass thru stuff to the programs....