Possible to get bustet while ReadProcessMemory?

[gissuf]

Hey

simple questions here:
Will warden (or something else) bust me if i'm trying to ReadProcessMemory(); something from the WoW-Process?

Cuz I think, im reading only, I will never change something in the memory. Or am I completely wrong?

How can i make it safe to read the process memory? (coding Delphi)

Thanks a lot

[ramey]

Yeah, it is safe to read wow's memory. Warden will not do a thing to you

[gissuf]

ok, thanks.

can anyone confirm that? (of course, i trust you, but two diffrent views of the facts may safe my account xD)

second question:
maybe, Im thinking too simple but:
I can read all informations from WoW for coding a bot. like: health of mob, health of player, spell cds, where are mobs, where I am, etc. without getting bustet throuth warden?

if i got all those informations, i can analyze them an react to them with simple keycommands. (over keyboard driver, so i haven't to send keys to WoW window (is it dangerous?!?! (send key to WoW directly))

an then bäms I got a wonderful bot, without any chance to get banned.

is it really that easy? (expect of coding it, only in a view of security against banning)

[Cypher]

Warden runs in ring3 (user mode).

There, that should answer all your questions about what is 'safe' and what isn't.

[gissuf]

hey

unfortunately im not a nerd as you are. (correctly written?)

of course im reading a lot to get as many information as possible.
but here, with WoW, I do not want to risk anything. (something? *confused*)

so can you tell me, in only a few sentence where the limits are with "manipulating" WoW?

where is there a risk to get banned, if I read memory? if I write memory? if I send keys to WoW windows? I if dance in front of my com?

only a few rules if it is possible.

thanks a lot

[ramey]

You can write to most memory places without risking anything, you have zero problem with reading memory. Please, go google ring3

[tanis2000]

- Warden is not checking for memory being read.
- If you write something into wow's memory there are chances you will get busted if you do that in a place that is being monitored by Warden.
- If you send keypresses to wow's window it will not trigger Warden
- If you dance in front of your computer there are good chances me or someone else from this forum will come and beat you hard on your head with whatever heavy we can find

[Cypher]

- Warden is not running with high enough privileges to allow checking for memory being read, it is simply 'not possible' with its current implementation.
- If you write something into wow's memory there are chances you will get busted if you do that in a place that is being monitored by Warden.
- If you send keypresses to wow's window it will not trigger Warden but this may change in the future. It is easy to detect 'spoofed' input when it's not done correctly.
- If you dance in front of your computer there are good chances me or someone else from this forum will come and beat you hard on your head with whatever heavy we can find

Fixt. Modifications in bold.

[tanis2000]

If you send keypresses to wow's window it will not trigger Warden but this may change in the future. It is easy to detect 'spoofed' input when it's not done correctly.

I doubt they will ever change the current behavior regarding keypresses. Some time ago I read that Blizzard actually supports multiboxing even on a single PC as long as someone is in front of the keyboard, thus it would make no sense for them to check where input comes from if they want to keep it as it is now.

[Cypher]

I doubt they will ever change the current behavior regarding keypresses. Some time ago I read that Blizzard actually supports multiboxing even on a single PC as long as someone is in front of the keyboard, thus it would make no sense for them to check where input comes from if they want to keep it as it is now.

Notice I said "may change". I never said it was probable, I said it was possible, and that point still stands. Also, so what if multiboxing is allowed? If a user is running a single copy of WoW, and it's in the background and receiving input, that's suspicious. Flag and investigate.

Besides, multi-boxers get investigated all the time. WoW already checks to see if it's the foreground window before processing some messages (take a look at their message processing code). What's to stop them taking that code, and adding a bit extra to just flag a user if they're doing something suspicious?

[evil2]

hmm.. i only see a problem with "repeating key patterns".

there are so many sys/3p programs messing around with keyboard status/signals,
no way to check if the keypress came really from a human :-)

[Cypher]

hmm.. i only see a problem with "repeating key patterns".

there are so many sys/3p programs messing around with keyboard status/signals,
no way to check if the keypress came really from a human :-)

Yes there is if it's implemented incorrectly (as it usually is).

[evil2]

Yes there is if it's implemented incorrectly (as it usually is).

code or behavior? :-)

i can't think of anyway to check if this keypress came from a "program specific written for botting" or a key remaper/virtual keyboard/strange keyboard driver/key extender/key scrambler/etc.

isn't this one of the big problems in online poker protection?

[ramey]

code or behavior? :-)

i can't think of anyway to check if this keypress came from a "program specific written for botting" or a key remaper/virtual keyboard/strange keyboard driver/key extender/key scrambler/etc.

isn't this one of the big problems in online poker protection?

Code.. I thought that was pretty obvious

[amadmonk]

To the OP: no, you can't realistically be banned for ReadProcessMemory. WriteProcessMemory is a different matter, and running any app with a known signature or running code in process is a completely different matter.

On keystrokes... WoW could simply block injected keystrokes (in a lot of different ways). If key injection becomes a big enough problem, that's what I suspect they'd do, and it would eliminate 90% of the stealthy (out of process) bots out there (it would also break 90% of the multiboxers, but they might consider that a tactical loss in return for stamping out a bigger problem). You could still spoof keystrokes with a dummy HID driver, but writing/running a custom driver is non-trivial (else I'd still be using my old kernel rootkit and far less paranoid about some stuff).

WoW could still detect injected keystrokes even with a dummy HID, but they'd have to run a driver, which I doubt they will ever do (especially now with all of the difficulties and cost associated with running drivers in Vista+). The costs and risks of writing and deploying a driver (across N different platforms and OS'es) is non-trivial, and the payoff (detecting the very small group of people sufficiently technically advanced to run a dummy HID keystroke/mouse injector) probably just isn't worth it.

So, in theory they COULD detect anything that's running at the same privilege level as them (IOPL 3) . There are some "tricks" they can use to detect hacks running at a higher privilege level (IOPL 0 -- kernel), but these tricks are unreliable. The reality is that they likely won't go beyond simple ring 3 tricks.

Mostly, if they want to step up their detection game, I would recommend that they implement a heuristics-based flagging system (where certain patterns of behavior flag an account for human review, and then a human makes the ban decision).

Ultimately, their concern is commercial; as long as the botters and boxers (I'm both, myself) don't drive away too much business, I really doubt Blizz cares. I doubt that they'd adopt a mechanism that produced too many false-positives, as that would be Bad For Business.