Warden Wiki Page

Results 31 to 45 of 60
  1. #31
    Namoknan's Avatar Member
    Originally Posted by Xarg0 View Post
    Why does it only work on single core? I thought it changes the way virtual addresses are calculated to physical ones in the kernel, so where's the problem with multicore?

    It will probably work, but dual cores work independently from each other. If address space is accessed at the same time by the cores, BSOD is very likely.

  2. #32
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by Xarg0 View Post
    Why does it only work on single core? I thought it changes the way virtual addresses are calculated to physical ones in the kernel, so where's the problem with multicore?

    There's a TLB in each core.


    Originally Posted by Namoknan View Post
    By no means do I want to attack your theory, Cypher; I did not take a look at this specific driver memory modification thingy.
    But I guarantee you Ring 0 memory modification is possible on multi-core systems. POC can be seen in "Memory Hacking Software by L.Spiro". BSOD is however likely, but chances are pretty low.
    ....

    I never said it wasn't possible to modify memory from the kernel. I said it wasn't possible to 'cloak' memory modifications in that fashion. Learn to read.

    PS. I 'guarantee' you you're an idiot.


    Originally Posted by Namoknan View Post
    It will probably work, but dual cores work independently from each other. If address space is accessed at the same time by the cores, BSOD is very likely.

    No, it won't work.

    Furthermore, the driver only works on x86 and won't work on anything other than XP (2k3 should be a small update, Vista a very large one).

  3. #33
    Jadd's Avatar 🐸 Premium Seller
    Why?? Lol.
    Last edited by Jadd; 10-01-2008 at 04:54 AM.

  4. #34
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by JetlagJad View Post
    Why?? Lol.

    Why what??

    Learn to use full sentences.

  5. #35
    Kuiren's Avatar Banned
    Stickied oh wut.

  6. #36
    kynox's Avatar Member
    Originally Posted by Kuiren View Post
    Stickied oh wut.
    Woop wooop woop

  7. #37
    Cypher's Avatar Kynox's Sister's Pimp
    Shoot da whoop.

  8. #38
    Jadd's Avatar 🐸 Premium Seller
    Originally Posted by Cypher View Post

    Why what??

    Learn to use full sentences.

    If you can't understand that, well..

    Eh screw it I know how smart you are, I meant 'why would you make this'.

  9. #39
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by JetlagJad View Post

    If you can't understand that, well..

    Eh screw it I know how smart you are, I meant 'why would you make this'.

    I figured that's what you meant but there are other things it could've been referring to.

    And it was made to show the retards who insist on posting speculation on Warden despite having no idea what they're on about that Warden does not in fact go through your pr0n and steal your credit card numbers.

    It also points people in the right direction to bypass Warden.

  10. #40
    Anotherfox's Avatar Contributor
    0xB93714 0x8 Unknown Login Check (Parental restrictions??) // Cypher
    It's the Blizz Authenticator.

  11. #41
    peachesandcream's Avatar Member
    I am not a techno person by any means, but this was very informative.

  12. #42
    jagged software's Avatar Member
    Very nice as always kynox. Thank you.

  13. #43
    amadmonk's Avatar Active Member
    So, you CAN cloak yourself effectively from the kernel (although then you have to hide your driver, but that's a different can of worms; I think there was a BlackHat demo of a completely driverless SSDT hook a while back). You can tweak the memory protection settings on code pages and swap out the thread context in realtime to produce "virtual" hooks, as well as tweaking descriptor mappings and totally owning the exception handling mechanism. You can also do super cool stuff like double-mapping pages and so on, but honestly that doesn't really gain you much (it's just essentially a faster, but more fragile, ReadProcessMemory). Finally, with SSDT hooking you can essentially 100% (ok, 99.9999%) cloak yourself and any other process/window/whatever you care about from non-driver user mode processes. You can put any process/thread you want into its own little virtualized "jail" where it sees nothing but what you want it to see. That's the essence of what my kernel rootkit back in my XP days did. Never got detected, but I had to give it up when I went to Vista...

    That being said, 99% of the rest of what Cypher said is dead-on: it's enormously harder on multi-core boxes (although disabling interrupts at the right point and knowing when to flush the lookasides helps a lot) and very prone to BSOD's at bad times (if you want to go down this route, take my advice; set up a Virtual PC to do your dev work on, or you'll spend all your time rebooting). Most of it is completely impossible (or, at least, as yet impossible) on Vista and esp. Vista 64 due to kernel change.

    Last but not least, it's serious overkill. Warden's algorithms are based off of hashing and signatures. Honestly, if you know enough to write a kernel stealth driver, it's child's play to evade Warden pretty much forever (it's so much easier too, because one mistake doesn't take your whole system down). You can play the kind of paranoid mind-games I play (thanks Cypher for making me wonder what happens if they refresh RVA's from the on-disk image... grr), but tbh you don't need to.

    If you can code, don't use a public bot. That's pretty much all you need to stay off the radar (and I get the impression that Blizzard doesn't really give a crap about lone coders; they care more about the Gliders and WoWRadar's of the world).

  14. #44
    DaemonOnFire's Avatar Banned
    Originally Posted by schlumpf View Post
    Isn't everything proof of concept only?
    Right.

    We cannot prove what blizz is putting into warden and wow, maybe they just have fun seeing us trying to cloak our hacks.....
    I do not think that a company which earns millions over millions makes a game that can be hacked that easily without any notice of the owners.

  15. #45
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by amadmonk View Post
    So, you CAN cloak yourself effectively from the kernel (although then you have to hide your driver, but that's a different can of worms; I think there was a BlackHat demo of a completely driverless SSDT hook a while back). You can tweak the memory protection settings on code pages and swap out the thread context in realtime to produce "virtual" hooks, as well as tweaking descriptor mappings and totally owning the exception handling mechanism. You can also do super cool stuff like double-mapping pages and so on, but honestly that doesn't really gain you much (it's just essentially a faster, but more fragile, ReadProcessMemory). Finally, with SSDT hooking you can essentially 100% (ok, 99.9999%) cloak yourself and any other process/window/whatever you care about from non-driver user mode processes. You can put any process/thread you want into its own little virtualized "jail" where it sees nothing but what you want it to see. That's the essence of what my kernel rootkit back in my XP days did. Never got detected, but I had to give it up when I went to Vista...

    That being said, 99% of the rest of what Cypher said is dead-on: it's enormously harder on multi-core boxes (although disabling interrupts at the right point and knowing when to flush the lookasides helps a lot) and very prone to BSOD's at bad times (if you want to go down this route, take my advice; set up a Virtual PC to do your dev work on, or you'll spend all your time rebooting). Most of it is completely impossible (or, at least, as yet impossible) on Vista and esp. Vista 64 due to kernel change.

    Last but not least, it's serious overkill. Warden's algorithms are based off of hashing and signatures. Honestly, if you know enough to write a kernel stealth driver, it's child's play to evade Warden pretty much forever (it's so much easier too, because one mistake doesn't take your whole system down). You can play the kind of paranoid mind-games I play (thanks Cypher for making me wonder what happens if they refresh RVA's from the on-disk image... grr), but tbh you don't need to.

    If you can code, don't use a public bot. That's pretty much all you need to stay off the radar (and I get the impression that Blizzard doesn't really give a crap about lone coders; they care more about the Gliders and WoWRadar's of the world).

    Yes you can. But not on x64. PatchGuard will rape your ass. Sure you can bypass PatchGuard, but it's no trivial task.


    Originally Posted by DaemonOnFire View Post
    Right.

    We cannot prove what blizz is putting into warden and wow, maybe they just have fun seeing us trying to cloak our hacks.....
    I do not think that a company which earns millions over millions makes a game that can be hacked that easily without any notice of the owners.

    YOU can't. But others can. It's called reverse engineering...
