Safety about the hook to NtProtectVirtualMemory

[wanyancan]

I've seen the HideModule by Shynd at GD to detour NtProtectVirtualMemory and NtQueryVirtualMemory together with CloakDll by Darawk. Although there're a few small bugs, the whole codes are nearly perfect after little repair (at least to my requirement).

However, it seems that after detour, the query to the memory address (or the address of NtQueryVirtualMemory etc.) will fail and if the warden found out that it can't be read at that address (which it's supposed to be able to) , will it assume that itself is under attack and ban the account ? Has anyone ever be banned due to "can't be proven innocent" ?

Was the previously ban wave related to this problem? (Cypher/kynox, could you confirm that ? I believe you guys have used to detour these two functions, or is still using them without any issue? :confused

[flo8464]

Afaik Cypher's hook on NtQueryVirtualMemoryEx got bypassed by simply mapping a new instance of ntdll.
Take a look at his blog/LuaFoo-thread.

Just in case this thread will be read by Warden experts, what speaks against hooking Warden's functionality directly?

[wanyancan]

I didn't realize this before. Then probably hook LoadLibrary as well. Warden needs to manual map his dll I'm afraid... :P Endless..

Is there any more description about finding the detection codes of warden in detail? Then we can stop guessing and make things much easier to handle.

[Cypher]

I didn't realize this before. Then probably hook LoadLibrary as well. Warden needs to manual map his dll I'm afraid... :P Endless..

Is there any more description about finding the detection codes of warden in detail? Then we can stop guessing and make things much easier to handle.

Hooking LoadLibrary wouldn't help at all. They memory-map the file rather than loading it as an image, because all they need to do is pull out code.

You'd need to hook the file mapping APIs (or the section object APIs).

EDIT:

There's another (obvious and much easier to implement) solution, but I'll leave you to figure it out on your own.

[DrGonzo]

If you BP LoadLibrary() during login it will break when loading 3 .auth files, are those warden modules?

[flo8464]

If you BP LoadLibrary() during login it will break when loading 3 .auth files, are those warden modules?

Warden is never stored on your harddisk, so I highly doubt it gets loaded via LoadLibrary()

[Cypher]

Warden is effectively 'manually mapped' into WoW, LoadLibrary is not used.

[DrGonzo]

(Assuming the information at Warden Explorer is still accurate)

Warden *is* stored on your HD in wowcache.wdb

Also, I've found the VFT referenced in the first post on Warden Explorer so it seems that w3 and wow use the same Base class for warden(login?) so I was curious if the .auth files are equivalent to .mod files for W3. This stuff is called from the battle.net dll if im not mistaken.

Ok, based on what you guys have said, that it's not warden any ideas on what it is? How many executable files does Blizzard send to the client during login? I've seen up to 3 of these modules loaded. Lol.

I've uploaded one to senduit | Share easily. as an example. The first 3 DWORDs in the file are: start: 38600000, stop: 3860F000, size: 0000F000 (address range of memory it was dumped from), the file itself follows. The game client saves them to your HD at C:\Documents and Settings\%username%\Local Settings\Application Data\Blizzard Entertainment\Battle.net\Cache\XX\XX\XXXXXXXXXXXXX.auth

[kynox]

Those auth files are only Battlenet's modules. I figured that was kinda obvious, with the whole directory structure.

[DrGonzo]

Right, I've just never seen anyone talk about them (another group of executable modules pushed to the client from Blizzard) or what their role would be. IE why they're separate and not part of the game client itself.