Possible to get busted while ReadProcessMemory?

Page 2 of 3, posts 16 to 30 of 42
#16 Cypher (Kynox's Sister's Pimp)
    Originally Posted by amadmonk:
        To the OP: no, you can't realistically be banned for ReadProcessMemory. WriteProcessMemory is a different matter, and running any app with a known signature or running code in process is a completely different matter.

        On keystrokes... WoW could simply block injected keystrokes (in a lot of different ways). If key injection becomes a big enough problem, that's what I suspect they'd do, and it would eliminate 90% of the stealthy (out of process) bots out there (it would also break 90% of the multiboxers, but they might consider that a tactical loss in return for stamping out a bigger problem). You could still spoof keystrokes with a dummy HID driver, but writing/running a custom driver is non-trivial (else I'd still be using my old kernel rootkit and far less paranoid about some stuff).

        WoW could still detect injected keystrokes even with a dummy HID, but they'd have to run a driver, which I doubt they will ever do (especially now with all of the difficulties and cost associated with running drivers in Vista+). The costs and risks of writing and deploying a driver (across N different platforms and OS'es) is non-trivial, and the payoff (detecting the very small group of people sufficiently technically advanced to run a dummy HID keystroke/mouse injector) probably just isn't worth it.

        So, in theory they COULD detect anything that's running at the same privilege level as them (IOPL 3). There are some "tricks" they can use to detect hacks running at a higher privilege level (IOPL 0 -- kernel), but these tricks are unreliable. The reality is that they likely won't go beyond simple ring 3 tricks.

        Mostly, if they want to step up their detection game, I would recommend that they implement a heuristics-based flagging system (where certain patterns of behavior flag an account for human review, and then a human makes the ban decision).

        Ultimately, their concern is commercial; as long as the botters and boxers (I'm both, myself) don't drive away too much business, I really doubt Blizz cares. I doubt that they'd adopt a mechanism that produced too many false-positives, as that would be Bad For Business.
    Imo if they want to step up their detection game they need to add basic shit like stack traces, more generalized memory scans, lower their dependencies on the Win32 API, check for DRs, etc etc.

    Just simple stuff that all the copypasta bots take for granted and would get ****ed hard if shit like that was added.

#17 lanman92 (Active Member)
    Wouldn't stack tracing hit the performance of WoW hard? Unless they just did random scans... But that would barely be effective.

#18 Cypher (Kynox's Sister's Pimp)
    Originally Posted by lanman92:
        Wouldn't stack tracing hit the performance of WoW hard? Unless they just did random scans... But that would barely be effective.
    No, because it would only need to be done on a handful of functions, and then it's just a bunch of pointer arithmetic, zero noticeable perf impact afaik.

#19 Shynd (Contributor)
    Originally Posted by lanman92:
        Wouldn't stack tracing hit the performance of WoW hard? Unless they just did random scans... But that would barely be effective.
    Think how often the normal user calls Interact by right-clicking an object; hint: not very often. If they implemented a stack trace on just that one function, there'd be no performance hit and they'd be able to detect and ban almost every single bot, both leveling and farming.
    Last edited by Shynd; 07-12-2009 at 06:37 PM. Reason: typo fail

#20 schlumpf (Retired Noggit Developer)
    Even if they'd do it all the time. My apps run with a function-call-logger recording EVERY call (okay, some aren't) to a file. I feel no big impact on performance and I have a really bad machine.

#21 amadmonk (Active Member)
    Originally Posted by Cypher:
        Imo if they want to step up their detection game they need to add basic shit like stack traces, more generalized memory scans, lower their dependencies on the Win32 API, check for DRs, etc etc.

        Just simple stuff that all the copypasta bots take for granted and would get ****ed hard if shit like that was added.
    Yeah, if I were them I'd ban multiboxing, because a lot of the shit that shouldn't work but does (mostly un-focused input) has no plausible reason for working except that disabling it would break the boxers.

    Also, frankly, the whole LUA thing is a giant, wet, gaping hole just looking to be exploited (as you gang discovered). I wonder if they changed their model and didn't support 3rd party LUA, how many customers would cancel? It would sure break the hell out of another huge chunk o' bots.

    Or maybe they could customize the LUA they're running so that the stack object that gets passed around is somehow crypto-secure.

    It's an interesting thought experiment... Ultimately the old computer security adage holds true: he who has physical control, owns the box. It's just a matter of time...
    Don't believe everything you think.

#22 Cypher (Kynox's Sister's Pimp)
    Originally Posted by amadmonk:
        Yeah, if I were them I'd ban multiboxing, because a lot of the shit that shouldn't work but does (mostly un-focused input) has no plausible reason for working except that disabling it would break the boxers.

        Also, frankly, the whole LUA thing is a giant, wet, gaping hole just looking to be exploited (as you gang discovered). I wonder if they changed their model and didn't support 3rd party LUA, how many customers would cancel? It would sure break the hell out of another huge chunk o' bots.

        Or maybe they could customize the LUA they're running so that the stack object that gets passed around is somehow crypto-secure.

        It's an interesting thought experiment... Ultimately the old computer security adage holds true: he who has physical control, owns the box. It's just a matter of time...
    People like addons too much for them to remove it.

    But there are quite a few steps they could easily take to mitigate the potential damage caused. I can think of quite a few barriers they could use to raise the bar and keep out the copypasta retards.

    Pointer encryption/encoding.
    Compiling their Lua scripts to bytecode rather than leaving them in plaintext.
    etc etc

#23 evil2 (Active Member)
    Originally Posted by Cypher:
        If you send keypresses.... It is easy to detect 'spoofed' input when it's not done correctly.
        ... if it's implemented incorrectly (as it usually is).
    Can you please give an example, thank you.

#24 flo8464 (Active Member)
    Originally Posted by drevil2:
        can you please give an example, thank you
    I guess the easiest example would be checking if WoW is the active window.

#25 Xarg0 (Member)
    Originally Posted by drevil2:
        can you please give an example, thank you
    GetAsyncKeyState, GetCursorPos, IsWindowEnabled, IsWindowVisible
    I hacked 127.0.0.1

#26 evil2 (Active Member)
    Originally Posted by Xarg0:
        GetAsyncKeyState, GetCursorPos, IsWindowEnabled, IsWindowVisible
    Ah ok, that's why I asked "behavior or code?" before; all these points are still under the behavior category for me ;-)

#27 amadmonk (Active Member)
    Originally Posted by Xarg0:
        GetAsyncKeyState, GetCursorPos, IsWindowEnabled, IsWindowVisible
    Some more fun: check for key messages (WM_xxxKEYDOWN, WM_xxxKEYUP, etc.) that have "impossible" timing -- i.e., keydown and keyup with 0ms time between them, or keydown and keyup with always exactly the same interval (50ms exactly?)

    This is overly paranoid, but it doesn't take much work to put a sleep between down/up states, and to add some random "fuzz" to the time. Still wouldn't fool GetAsyncKeyState, and definitely not window enabled/visible.

    However, I doubt that these will ever become bannable since that would basically catch or break all multiboxing tools like keyclone etc.
    Don't believe everything you think.
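The "impossible timing" heuristic amadmonk describes, written out as an added example (not code from the thread or from any client): it walks a constructed sequence of key messages, pairs each key-up with its key-down, and reports 0 ms holds and holds that never vary. The type names and the sample timestamps are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* One keyboard message as the client's message loop sees it: WM_KEYDOWN or
 * WM_KEYUP for a virtual-key code, plus the message timestamp in ms. */
typedef enum { KEY_DOWN, KEY_UP } key_state_t;
typedef struct { unsigned vk; key_state_t state; uint32_t time_ms; } key_event_t;
typedef struct {
    unsigned pairs;         /* completed down/up pairs examined */
    unsigned zero_hold;     /* key-up arrived 0 ms after its key-down */
    bool     constant_hold; /* 3+ pairs and every hold had the same duration */
} key_timing_report_t;
/* Pair each key-up with the preceding key-down of the same vk and count the two
 * "impossible" timings from the thread: a 0 ms hold, and holds that are always
 * exactly the same length. Human presses vary by tens of milliseconds. */
key_timing_report_t analyze_key_timing(const key_event_t *ev, size_t n)
{
    key_timing_report_t r = {0, 0, false};
    uint32_t down_time[256] = {0};
    bool down_seen[256] = {false};
    uint32_t first_hold = 0;
    bool all_same = true;
    for (size_t i = 0; i < n; i++) {
        unsigned vk = ev[i].vk & 0xFF;
        if (ev[i].state == KEY_DOWN) {
            down_time[vk] = ev[i].time_ms;
            down_seen[vk] = true;
            continue;
        }
        if (!down_seen[vk]) continue;   /* stray key-up: nothing to pair with */
        down_seen[vk] = false;
        uint32_t hold = ev[i].time_ms - down_time[vk];
        if (hold == 0) r.zero_hold++;
        if (r.pairs == 0) first_hold = hold;
        else if (hold != first_hold) all_same = false;
        r.pairs++;
    }
    r.constant_hold = (r.pairs >= 3 && all_same);
    return r;
}

/* Constructed samples: human-like 'W' presses with varying holds, and a
 * synthesized run where every hold is exactly 50 ms. */
static const key_event_t human_keys[6] = {
    {0x57, KEY_DOWN, 1000}, {0x57, KEY_UP, 1083}, {0x57, KEY_DOWN, 1420},
    {0x57, KEY_UP, 1511},   {0x57, KEY_DOWN, 1900}, {0x57, KEY_UP, 1964}};
static const key_event_t synthetic_keys[6] = {
    {0x57, KEY_DOWN, 1000}, {0x57, KEY_UP, 1050}, {0x57, KEY_DOWN, 1400},
    {0x57, KEY_UP, 1450},   {0x57, KEY_DOWN, 1800}, {0x57, KEY_UP, 1850}};
```

A real flagging system would feed a report like this into the human-review queue amadmonk suggests rather than ban on it directly, since multibox tools produce the same signature.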

#28 amadmonk (Active Member)
    Originally Posted by Cypher:
        People like addons too much for them to remove it.

        But there are quite a few steps they could easily take to mitigate the potential damage caused. I can think of quite a few barriers they could use to raise the bar and keep out the copypasta retards.

        Pointer encryption/encoding.
        Compiling their Lua scripts to bytecode rather than leaving them in plaintext.
        etc etc
    By pointer encryption, do you mean storing statics with like an XOR on them, and then running them through the complementary XOR before use?

    That would definitely fool the copy paste folks and the Cheat Engine type people for a while, but I think it would be hard to implement client-wide. They'd have lots of the same problems I ran into when working on my encrypted call gate; keeping the state of the encryption sane is non-trivial... If they had pointers to structures that contained pointers (which of course they do), they'd either have to encrypt/encode THOSE pointers too, or the solution would only really mildly obfuscate the statics.
    Don't believe everything you think.

#29 Cypher (Kynox's Sister's Pimp)
    Originally Posted by amadmonk:
        By pointer encryption, do you mean storing statics with like an XOR on them, and then running them through the complementary XOR before use?

        That would definitely fool the copy paste folks and the Cheat Engine type people for a while, but I think it would be hard to implement client-wide. They'd have lots of the same problems I ran into when working on my encrypted call gate; keeping the state of the encryption sane is non-trivial... If they had pointers to structures that contained pointers (which of course they do), they'd either have to encrypt/encode THOSE pointers too, or the solution would only really mildly obfuscate the statics.
    Yes I did mean that. I know it would be a pain to implement but it would certainly screw the copy-pasters.
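The XOR pointer encoding amadmonk and Cypher are discussing, as an added example (not code from the thread or from the client): both the "static" target pointer and the unit's inner stats pointer are stored masked and decoded only at the point of use, which is the nested-pointer case amadmonk raises. The key, the struct layouts and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Process-wide XOR mask. Constructed constant here; a real client would pick
 * it at startup so one dumped mask does not unlock every process. */
static const uintptr_t g_ptr_key = (uintptr_t)0x5A5A1234u;

static inline uintptr_t encode_ptr(const void *p) { return (uintptr_t)p ^ g_ptr_key; }
static inline void *decode_ptr(uintptr_t e) { return (void *)(e ^ g_ptr_key); }
typedef struct { int hp; int level; } unit_stats_t;
/* A unit reaches its stats through an encoded pointer ... */
typedef struct { int guid; uintptr_t stats_enc; } unit_t;
/* ... and the client's "static" current-target pointer is encoded as well, so
 * the inner hop is not left in plaintext (the nested-pointer problem above). */
typedef struct { uintptr_t target_enc; } client_globals_t;

void globals_init(client_globals_t *g)          { g->target_enc = encode_ptr(NULL); }
void set_target(client_globals_t *g, unit_t *u) { g->target_enc = encode_ptr(u); }
void unit_set_stats(unit_t *u, unit_stats_t *s) { u->stats_enc = encode_ptr(s); }

/* Follow both encoded hops to the target's hp; -1 when there is no target.
 * Decoded values live only in locals, right before use. */
int target_hp(const client_globals_t *g)
{
    unit_t *u = decode_ptr(g->target_enc);
    if (u == NULL) return -1;
    unit_stats_t *s = decode_ptr(u->stats_enc);
    return s ? s->hp : -1;
}

/* What an out-of-process reader sees at the static: 1 if the raw word is the
 * real address (encoding missing), 0 if only the masked value is there. */
int static_leaks_address(const client_globals_t *g, const unit_t *u)
{
    return g->target_enc == (uintptr_t)u;
}

/* Constructed setup: one unit with hp 1234, wired through both hops. */
static unit_stats_t     demo_stats = { 1234, 80 };
static unit_t           demo_unit;
static client_globals_t demo_globals;

int demo_target_hp(void)
{
    globals_init(&demo_globals);
    unit_set_stats(&demo_unit, &demo_stats);
    set_target(&demo_globals, &demo_unit);
    return target_hp(&demo_globals);
}
/* Same path with no target set: the encoded NULL still decodes to NULL. */
int demo_no_target_hp(void) { client_globals_t g; globals_init(&g); return target_hp(&g); }
```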

#30 undrgrnd59 (Active Member)
    Blizzard wouldn't want to ban all of the botters, especially not the majority (the copy-pasters)!

    They love botters. Botters have multiple accounts and pay multiple subscription fees every month. Botters get 1-2 good ban waves a year and generally come right back buying even more new accounts.

    Blizzard plays the role of moderating bot use, not eliminating it. I mean hell, it's not like they don't have the money to do whatever they want. With Glider and Innerspace out of the way (for the most part) there really aren't that many botters out there anymore, not as many as there used to be anyway.
    U59
