Why Pixel Botting is Detected

[Vicer]

This communication is for the 99.999% of people on this site who are not technical.

Tech Details:

Starting form Windows 8 there's the GetCurrentInputMessageSource function. You can use it, and check the originId enum for the following value:

IMO_INJECTED - The input message has been injected (through the SendInput function) by an application that doesn't have the UIAccess attribute set to TRUE in its manifest file.

Q&A:

Q) What does the above mean?
A) If your bot is using keysend or click commands it will be detected in Windows 8 or higher if the game has implemented the code above.

Q) How does the game detect this?
A) The game client runs a procedure with the above functions. The result is reported back to the game server/db. Your account is flagged as a botter, you get banned/suspended at some point.

Q) Is there a work around?
A) Yes, there are a few. You actually just read one.

Good luck and have fun.

[Hazzbazzy]

For those who prefer the TLDR:

Set the UIAccess flag to TRUE, under the requestedExecutionLevel section, in your solution's Application Manifest. If you're using Visual Studio, see here: Adding an application manifest file.

Code:

 <requestedExecutionLevel level="asInvoker" uiAccess="true"/>

[Razzue]

"why pixel Botting is detected"

Yet out of all my Botting acounts, the only ones to still survive are in fact pixel bots .. kek

[Xaxoxuxu]

For those who prefer the TLDR:

Set the UIAccess flag to TRUE, under the requestedExecutionLevel section, in your solution's Application Manifest. If you're using Visual Studio, see here: Adding an application manifest file.

Code:

 <requestedExecutionLevel level="asInvoker" uiAccess="true"/>

How would that help? The messages are still injected LLHKF_INJECTED (right?)

[Spacechemist]

This is more a issue of an hierarchy concept, just like executing something under administrator privileges, the execution level you use makes you capable of executing things under "the OS hood" or "above the OS", though this is not the most clear explanation, basically a warden could help himself with different libraries that Windows/NET Framework provides and could easily detect your method of using them against him.

[Hazzbazzy]

How would that help? The messages are still injected LLHKF_INJECTED (right?)

Well in theory it shouldn't be an issue if the UIAccess flag is set, and the .exe is signed. However, I did try this an hour or so ago and the SendInput still resolves as "IMO_INJECTED" when queried with he function.

[Xaxoxuxu]

Well in theory it shouldn't be an issue if the UIAccess flag is set, and the .exe is signed. However, I did try this an hour or so ago and the SendInput still resolves as "IMO_INJECTED" when queried with he function.

Is this the detection method they use? I can't think of external applications that could possibly be legit and use SendInput ?

[Hazzbazzy]

Is this the detection method they use? I can't think of external applications that could possibly be legit and use SendInput ?

I wasn't looking for the detection method I was looking for a POC. I cannot emulate a hardware keypress with SendInput, even with the UIAccess flag set to true and the application being (self)signed.

[ChimpeonFan]

Personally I think Blizzard simply looks for known pixel bots in memory or on the hard drive. If you keep a pixel bot completely private, Blizzard never gets to hear about it and you won't get banned (although I've not tested this personally). It is only when the pixel bot gets popular in the public domain (like Chimpeon did) will it become detected by Blizzard. There are ways to circumvent detection - using the pixel bot on a PC remote from WOW being one... Chimpeon 101 - Using Chimpeon on a Remote PC

[KKira]

Solution: Use Arduino and simulate real keyboard input, no need to over-complicate an easy work around.

[fonillius]

Solution: Use Arduino and simulate real keyboard input, no need to over-complicate an easy work around.

Yes, very simple method! thx
at same go i made artificial-intelligence-one-button-bot with arduino

[aerichardso3]

Has anyone found a solution to this, minus purchasing and coding a physical button pressing bot?

[LegitSale]

What bot isnt detected? lol

[kamil234]

I’m using python with win32 api that translates C functions into python. Is it certain it will use the same sendkey APIs? How can i test the response from GetCurrentInputMessageSource without writing a C program?

All im really doing, is pressing 1 key at a random interval over and over to snipe limited items from vendors. (The buying is handled by a macro, completely within WOW’s own function)

What is the likelyhood that i’d get caught? I’m not using injection or focus window or anything of that nature.

[REGELE33]

there is an academic paper on cheats and stuff.. you guys should read it and be amazed of what they can do without scanning anything in your computer. if you manage to make a bot using real hardware input it will get detected