Preventing detection of CLR/.NET DLLs?
  1. #1 Kanyle (Corporal)

    Preventing detection of CLR/.NET DLLs?

    This isn't related to WoW but another MMORPG called Conquer Online (terrible, I know). Anyhow, it seems like they specifically look for CLR/.NET DLLs in the game process and disconnect and ban you if they find that the CLR is being hosted in the game process.

    Basically I want to know what methods a process can use to check for this? I assume they're just enumerating DLLs to look for mscoree.dll etc, but I could be wrong. Injecting a native DLL does not get me banned.

    If they're enumerating DLLs they must not be using Toolhelp32 though, as I've already tried hooking Module32First/Next without success.

    Any suggestions?

  2. #2 573737534947 (Corporal)
    There is EnumProcessModules for example. Then they could call their functions deeper worst case with syscalls, though at least syscalls strike me as unlikely. LdrQueryProcessModuleInformation is worth your consideration for instance. Then they could be using a different approach like pattern scanning. On that front you could start with injecting your module and covering it with a memory bp. See if something reads from it.

  3. #3 TOM_RUS (Legendary)
    Blizzard's Warden enumerates memory pages with VirtualQuery(Ex?) and then hashes a small amount of bytes starting at a specific offset. But that is used for detecting hack modules, not system ones.

  4. #4 Master674 (Elite User)
    Originally Posted by TOM_RUS
    Blizzard's Warden enumerates memory pages with VirtualQuery(Ex?) and then hashes a small amount of bytes starting at a specific offset. But that is used for detecting hack modules, not system ones.
    I think it was VirtualQuery for WoW and VirtualQueryEx for Diablo Warden.

  5. #5 Kanyle (Corporal)
    I still can't quite figure out what's getting me detected. I've tried hooking Module32First/Next as well as VirtualQueryEx. I have even tried "unlinking" those modules from the PEB LoaderData list just to see if it had an effect, but I'm still getting disconnected + banned.

    They are not using psapi, and it isn't because of my hooks either, as I am certain they don't look for modifications to anything other than their own module(s), and I'm not patching any of their code.

    Client uses a ton of anti-debugging shit, too. I'm getting banned shortly after debugging it even with ollydbg plugins.

    Might just drop the .NET library idea and go with D
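The thread turns on how a process can enumerate its loaded modules (EnumProcessModules in #2, the PEB loader list that #5 tried unlinking from). As an added defender-side triage script, not posted by anyone in this thread, the following lists processes that host the CLR and flags native executables with runtime DLLs loaded, which is the pattern an anti-cheat or an EDR would treat as a hosting/injection candidate. The runtime DLL name list and the function names Find-ClrHostingProcess and Test-ManagedExecutable are my own choices.

```powershell
# Added example, not from the thread: list processes that have the .NET runtime
# loaded and separate expected cases (managed EXE) from suspicious ones (native EXE).
$ClrModules = @('mscoree.dll', 'mscoreei.dll', 'clr.dll', 'coreclr.dll', 'clrjit.dll')

function Test-ManagedExecutable {
    param([string]$Path)
    # GetAssemblyName only succeeds for images that carry a CLR header;
    # a purely native PE throws BadImageFormatException.
    try { [void][System.Reflection.AssemblyName]::GetAssemblyName($Path); return $true }
    catch { return $false }
}

function Find-ClrHostingProcess {
    param([string[]]$RuntimeDlls = $ClrModules)
    foreach ($p in Get-Process) {
        # Module enumeration fails for protected processes and for 32/64-bit mismatches.
        try { $mods = $p.Modules } catch { continue }
        $hits = @($mods |
            Where-Object { $RuntimeDlls -contains $_.ModuleName.ToLower() } |
            ForEach-Object { $_.ModuleName })
        if ($hits.Count -eq 0) { continue }
        $exe = $p.Path
        $managed = if ($exe) { Test-ManagedExecutable $exe } else { $null }
        [pscustomobject]@{
            Name        = $p.ProcessName
            Id          = $p.Id
            RuntimeDlls = ($hits -join ',')
            ManagedExe  = $managed
            # A native image with the CLR inside it was hosted or injected by something.
            Suspicious  = ($managed -eq $false)
        }
    }
}

Find-ClrHostingProcess | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Get-Process reads the same loader list that a PEB-unlinked module is hidden from, so an empty result only rules out the simplest case; a VirtualQueryEx sweep for executable regions belonging to no listed module is the natural next check. Expect benign hits such as explorer.exe or dllhost.exe hosting managed shell extensions or COM servers, so treat Suspicious as a triage flag rather than a verdict.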

  6. #6 Bananenbrot (Contributor)
    Originally Posted by Kanyle
    I still can't quite figure out what's getting me detected. I've tried hooking Module32First/Next as well as VirtualQueryEx. I have even tried "unlinking" those modules from the PEB LoaderData list just to see if it had an effect, but I'm still getting disconnected + banned.

    They are not using psapi, and it isn't because of my hooks either, as I am certain they don't look for modifications to anything other than their own module(s), and I'm not patching any of their code.

    Client uses a ton of anti-debugging shit, too. I'm getting banned shortly after debugging it even with ollydbg plugins.

    Might just drop the .NET library idea and go with D
    +1 for D I'd be interested in how it works for you.

  7. #7 kosacid (Active Member)
    It's maybe looking at what's attached to the exe: stuff like Xfire that patches into the game passes, anything else fails. It's easy to do and effective. You can try calling your DLL the same name as the Xfire hook and see if it passes.

  8. #8 Jadd (Premium Seller)
    Originally Posted by Bananenbrot
    +1 for D I'd be interested in how it works for you.
    I'd be interested to learn D but the naming conventions for their std functions is so unpleasant to read IMO. It makes me want to not use it.

  9. #9 Bananenbrot (Contributor)
    Originally Posted by Jadd
    I'd be interested to learn D but the naming conventions for their std functions is so unpleasant to read IMO. It makes me want to not use it.
    Yeah, there are some of them which aren't that well named.
    Some others aren't even expressive enough to unambiguously infer what they do, e.g. the recent discussion on "TypeTuple".

    Ranges beat everything else though. std.algorithm is already pleasing to use and compile time is just incredibly short with dmd.
    They are using it as a scripting language at Remedy Games and were amazed by the quick turnaround times, although it compiles to bare metal.

    Another gem would be Rust, but I refuse to touch it until 1.0.
