[Question] About Warden

  1. #1
    RottenKitten's Avatar Banned

    [Question] About Warden

    Sorry for my stupid question guys, if it was mentioned somewhere.

    Can warden detect memory read? Is it possible only to detect memory write?

    So, basically: Is using memory reading and Windows' SendInput fully safe for a bot?

  2. #2
    sitnspinlock's Avatar Elite User CoreCoins Purchaser
    it could. but in its current form does not.

  3. #3
    Bananenbrot's Avatar Contributor
    Keyboard messages sent via SendInput have an 'injected' flag set. WoW could easily check for that, but could never use it as a ban reason.
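
Added example, not part of the original post or of any game client's code: the 'injected' flag mentioned above is the LLKHF_INJECTED bit in the flags a Windows low-level keyboard hook (WH_KEYBOARD_LL) receives. The portable C below mirrors those winuser.h bit values, classifies constructed events, and tallies them as a signal rather than a verdict, since assistive and remote-control tools inject input too; the struct and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit values of KBDLLHOOKSTRUCT.flags, as defined in winuser.h. */
#define LLKHF_LOWER_IL_INJECTED 0x02u /* injected by a lower-integrity process */
#define LLKHF_INJECTED          0x10u /* injected by any process (SendInput etc.) */
#define LLKHF_UP                0x80u /* key release */

/* Hypothetical portable mirror of the two hook fields used here. */
struct key_event { uint32_t vk_code; uint32_t flags; };

enum key_origin { ORIGIN_HARDWARE, ORIGIN_INJECTED, ORIGIN_INJECTED_LOWER_IL };

struct origin_tally { unsigned hardware, injected, injected_lower_il; };

/* Check the lower-IL bit first: it is set together with LLKHF_INJECTED. */
enum key_origin classify_key(uint32_t flags)
{
    if (flags & LLKHF_LOWER_IL_INJECTED) return ORIGIN_INJECTED_LOWER_IL;
    if (flags & LLKHF_INJECTED)          return ORIGIN_INJECTED;
    return ORIGIN_HARDWARE;
}

/* Count origins over a batch of events; a hook callback would feed this. */
struct origin_tally tally_events(const struct key_event *ev, size_t n)
{
    struct origin_tally t = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        switch (classify_key(ev[i].flags)) {
        case ORIGIN_HARDWARE:          t.hardware++;          break;
        case ORIGIN_INJECTED:          t.injected++;          break;
        case ORIGIN_INJECTED_LOWER_IL: t.injected_lower_il++; break;
        }
    }
    return t;
}

/* Constructed sample: 'A' typed on hardware, 'B' injected, 'C' injected from lower IL. */
static const struct key_event SAMPLE[] = {
    {0x41, 0x00}, {0x41, LLKHF_UP},
    {0x42, LLKHF_INJECTED}, {0x42, LLKHF_INJECTED | LLKHF_UP},
    {0x43, LLKHF_INJECTED | LLKHF_LOWER_IL_INJECTED},
};

int main(void)
{
    struct origin_tally t = tally_events(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
    printf("hardware=%u injected=%u lower_il=%u\n", t.hardware, t.injected, t.injected_lower_il);
    return 0;
}
```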

  4. #4
    yossarian87's Avatar Corporal
    Originally Posted by everdox
    it could. but in its current form does not.
    How could they possibly detect memory reading?

  5. #5
    sitnspinlock's Avatar Elite User CoreCoins Purchaser
    Originally Posted by yossarian87
    How could they possibly detect memory reading?
    there are a few ways to detect memory reading of your userspace process. maybe you should look into it. and no, I don't mean a global api hook ;p

  6. #6
    yossarian87's Avatar Corporal
    Originally Posted by everdox
    there are a few ways to detect memory reading of your userspace process. maybe you should look into it. and no, I don't mean a global api hook ;p
    Maybe I'm clueless but I spent a half hour googling everything I could think of and I never found anything about detecting memory reads between processes. I realize that kernel code could probably do it quite easily but my understanding was that WoW didn't run any kernel code. Maybe you can clue me in? I'm more than just a little curious about how to do this in user space.

  7. #7
    sitnspinlock's Avatar Elite User CoreCoins Purchaser
    actually you know what, I ran out of spoons. Here is a book

    http://technet.microsoft.com/en-us/s...rnals/bb963901
    Last edited by sitnspinlock; 02-20-2012 at 01:40 AM.

  8. #8
    SwInY's Avatar Member
    Originally Posted by everdox
    actually you know what, I ran out of spoons. Here is a book

    Windows Internals Book
    PMSL

    Quote of the day for sure.

  9. #9
    RottenKitten's Avatar Banned
    So i can conclude that it's safe enough

  10. #10
    mckemo's Avatar Member
    Originally Posted by RottenKitten
    So i can conclude that it's safe enough

    it is safe because you could have a virtualization running. if your ram is virtualized, then another program could have this done and monitor this. so they can never use it as a ban reason

  11. #11
    sitnspinlock's Avatar Elite User CoreCoins Purchaser
    i wrote a quick proof of concept for you. You can download it and tinker with it, it is safe. all of the work is done within the process itself, no weirdo global api hooks and as I said, it does not read or write outside of its own address space. The application does not have a user interface thus when you run it, it may appear to not be running at all.

    this is just simply a concept of how a program limited to usermode only can get a grasp on what has access to it. A great deal of anti-virus software will generally read out virtual memory from every running process on startup so that could easily set it off.

    Now granted you could maybe suspend the main thread (since it is a single threaded program) and do some dumping but keep in mind that any decent anti-tampering mechanisms are going to be measuring time deltas, this little program however does not do that

    You can download it here readmem

    In order for it to function properly it must be run with administrative access rights.

    Last edited by sitnspinlock; 02-26-2012 at 11:14 PM.

  12. #12
    Frosttall's Avatar Active Member
    Originally Posted by everdox
    i wrote a quick proof of concept for you. You can download it and tinker with it, it is safe. all of the work is done within the process itself, no weirdo global api hooks and as I said, it does not read or write outside of its own address space. The application does not have a user interface thus when you run it, it may appear to not be running at all.

    this is just simply a concept of how a program limited to usermode only can get a grasp on what has access to it. A great deal of anti-virus software will generally read out virtual memory from every running process on startup so that could easily set it off.

    Now granted you could maybe suspend the main thread (since it is a single threaded program) and do some dumping but keep in mind that any decent anti-tampering mechanisms are going to be measuring time deltas, this little program however does not do that

    You can download it here readmem

    In order for it to function properly it must be run with administrative access rights.

    Thank you, but what about programs which run in kernel mode? Is that program still able to detect the access?

    Additionally, you shouldn't forget that WoW runs without Administrator rights, so we don't have to worry atm.

  13. #13
    sitnspinlock's Avatar Elite User CoreCoins Purchaser
    Originally Posted by Frosttall
    Thank you, but what about programs which run in kernel mode? Is that program still able to detect the access?

    Additionally, you shouldn't forget that WoW runs without Administrator rights, so we don't have to worry atm.

    actually it does, it just isn't explicit. wow reads virtual memory out of each process in the desktop session on startup.

    for example, open cheat engine -> then start wow

  14. #14
    anon38's Avatar Member
    Originally Posted by everdox
    actually it does, it just isn't explicit. wow reads virtual memory out of each process in the desktop session on startup.
    Sorry dude - but I'm not buying that. If it did that, then every user running on Windows Vista or newer with UAC turned on would be prompted for administrative privileges every time he/she ran WoW and the WoW forums would be full of people bitching about it.

  15. #15
    sitnspinlock's Avatar Elite User CoreCoins Purchaser
    so then, you suppose they detect cheat engine running by enumerating image names?

    i'm being sarcastic.

    you do not need to explicitly "run as admin" for an application to acquire SeDebugPrivilege, as long as the application is run in the context of an administrator account.. and not say.. a normal user on some network in the workplace or something.
    Last edited by sitnspinlock; 02-28-2012 at 04:53 PM.
