'mkay, it's been too long since I've actively hacked WoW, and I am going to need some pointers from the more active folks.
When I last left the scene, I was able to completely stealth my activities via a rootkit that I wrote (using SSDT and IDT hooking). Using this, I was pretty close to 100% confident that my code wouldn't get caught. I used a custom shared memory window to read from WoW's address space at almost 100% speed (using shared mem eliminates the IPC costs that ReadProcessMemory incurs, but figuring out how to do it without using the page file was a bitch).
Since then -- and that was obviously like two or three years ago, since with Vista 64 and PatchGuard and signed drivers, my rootkit technique is pretty much toast -- Warden has gotten much, much more sophisticated. To be honest, I've gotten sort of afraid of it -- ascribing to it, in my mind, almost mystical powers of detection. I know that it examines running processes, window titles, and checksums WoW's address space.
So, what else does it do? If I'm going to go back to my old method of detours and code caves, what do I need to do to stealth myself? Unlink any loaded modules from the PEB LDR list -- a given. What else? I assume I'll need to detour the Warden call and re-stealth myself whenever a Warden packet comes through. Anything else? Should I detour VirtualQuery so that my block of allocated memory doesn't show up, or is there a more sophisticated way to stealth VirtualAllocEx'ed blocks these days?
Simply put, I've had my hand out of the game too long, and I wanna get back in. Any info on Warden and countermeasures would be appreciated. I'm tired of being skeert of Warden; it's time to make it my bitch again.
(I tried to get an emulator running for 100% detection-free hacking practice, but although I got it built and running, it seems like nothing really works with 3.1.1 -- I couldn't log in to the world server. Damn.)