WardenMonitor

  1. #1
    caytchen (Contributor)

    WardenMonitor

    Hello everyone,

    there seems to be a distinct lack of any actual hands-on Warden information, so here is something quickly thrown together to change that. Basically, it will hook the SMSG_WARDEN_DATA packet handler, decrypt any incoming packets, and then parse the 0x02 packet for information on the scans Warden performs. This in no way disables Warden (you wouldn't bother reading network traffic to do that), it's just to give you a sense of what Warden actually scans/searches for and get rid of all the FUD that seems to surround it - off to a happy and bright future.. eh excuse me, I've gotten distracted. For details see the source code.

    Related notes:
    Yes, it's C#. Yes, you're expected to have a launcher/injector/whatever to inject and run it. No, there is no fancy GUI, everything is printed to a log file, including decrypted packet dumps. See Private Paste - Pastie for an example.
    Also, the heuristic stuff will usually process 50+ packets first before it will start to spit out actual scan information, and it doesn't detect every type of scan because of inherent limitations and laziness on my part. There's room for improvement, though. Especially since, in retrospect, the check type byte values seem to be constant, so detecting them might not even be necessary. They might, however, change in the future so I guess it's not completely useless.
    This is based completely on public information and some limited reversing in IDA.

    Source is available at wardenmonitor - Project Hosting on Google Code

  2. #2
    ~Unknown~ (Contributor)
    Great work!

  3. #3
    JuJuBoSc (Banned for scamming; CoreCoins Purchaser)
    Just tested, works as expected. +rep for really clean and understandable code!
