[Question] What makes hooking WoW unsafe
  1. #1
    mathix

    [Question] What makes hooking WoW unsafe

    Hello, I've seen multiple people saying they're not sure whether or not their code is "safe", and I understand that Blizzard scans certain addresses and such for detection, but what I don't understand is how one hook or injection can be unsafe and what one should avoid to make an unsafe hook or injection. If someone could explain this to me I'd be grateful.
    Last edited by mathix; 07-07-2014 at 04:31 PM.

  2. #2
    cenron
    Originally Posted by mathix
    Hello, I've seen multiple people saying they're not sure whether or not their code is "safe", and I understand that Blizzard scans certain addresses and such for detection, but what I don't understand is how one hook or injection can be unsafe and what one should avoid to make an unsafe hook or injection. If someone could explain this to me I'd be grateful.
    What I understand about this subject matter is that Warden watches a list of addresses. This list can contain things such as Current Player XYZF POS, but it can also include functions. Now certain functions don't get monitored because there are a lot of legit programs that hook those functions, so WoW would constantly throw out false positives (an example is the D3D functions).

    Now other functions are not commonly hooked, and only a hack/bot program would probably hook them (like the WoW Warden functions). So these function addresses are watched for hooks. The reason you can tell a hook happened is that the first few bytes of the function get changed from whatever they are to JMP 0xDEADBEEF. This change changes the known hash of the function and gets flagged as hack/bot.

    So your hooks are safe as long as you don't try to HOOK and alter these monitored functions.

    Now I'll probably be told I am wrong and slapped, but that is my understanding of this.
    Last edited by cenron; 07-07-2014 at 10:17 PM.

  3. #3
    namreeb
    The danger is if your hook modifies some memory (with a JMP hook or INT3 hook, etc.) and it is an address Warden is scanning (because perhaps there is a public hack out there which hooks the same function in the same location), it will find your hook.

  4. #4
    mathix
    So what you're saying is that if I were to use an EndScene hook to do lua strings, I'd be safe? But if I did a JMP or INT3 hook I'd be banned if I tried to access certain functions?

  5. #5
    JuJuBoSc
    They can also check for specific mapped modules; they may check the call stack (like lua_pcall) to see if the function was called from outside the WoW memory region, or check a memory region hash. In most cases, if your tools are private, there is not much issue, until you use something already detected.

  6. #6
    Corthezz
    Originally Posted by mathix
    So what you're saying is that if I were to use an EndScene hook to do lua strings, I'd be safe? But if I did a JMP or INT3 hook I'd be banned if I tried to access certain functions?
    Ehm?!! Don't hook scanned functions. This contains:
    Functions checked by memory hash
    Functions where a few bytes are scanned
    Functions which are checked for the location they were called from
    Check my blog: https://zzuks.blogspot.com
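
The three kinds of check listed in the post above, sketched from the scanning side as an added example (not code from the thread or from Warden). The FNV-1a hash, the function names, the sample bytes and the module range are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { CLEAN = 0, HASH_MISMATCH = 1, ENTRY_PATCHED = 2, FOREIGN_CALLER = 4 };

/* FNV-1a is an assumption; it stands in for whatever hash a scanner uses. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Checks 1 and 2: hash the whole region against a stored baseline, and
   compare the first few bytes (where a JMP or INT3 hook lands) to a
   known-good copy of the function entry. */
static int scan_function(const uint8_t *code, size_t len, uint32_t baseline,
                         const uint8_t *good_entry, size_t entry_len) {
    int flags = CLEAN;
    if (fnv1a(code, len) != baseline) flags |= HASH_MISMATCH;
    if (memcmp(code, good_entry, entry_len) != 0) flags |= ENTRY_PATCHED;
    return flags;
}

/* Check 3: the return address must lie inside the expected module. */
static int check_caller(uintptr_t ret, uintptr_t base, size_t size) {
    return (ret >= base && ret - base < size) ? CLEAN : FOREIGN_CALLER;
}

/* Constructed sample: push ebp; mov ebp,esp; sub esp,0x10; leave; ret */
static const uint8_t GOOD[8] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC9, 0xC3};

/* Scan a copy of GOOD with one byte overwritten at `offset`. */
static int scan_with_patch(size_t offset, uint8_t value) {
    uint8_t copy[sizeof GOOD];
    memcpy(copy, GOOD, sizeof copy);
    copy[offset] = value;
    return scan_function(copy, sizeof copy, fnv1a(GOOD, sizeof GOOD), GOOD, 5);
}

int main(void) {
    /* 0xE9 is JMP rel32, 0xCC is INT3; the module range is constructed. */
    int entry = scan_with_patch(0, 0xE9);  /* hash and entry bytes differ */
    int tail  = scan_with_patch(7, 0xCC);  /* only the hash differs */
    int in    = check_caller(0x00401000u, 0x00400000u, 0x00A00000u);
    int out   = check_caller(0x10001000u, 0x00400000u, 0x00A00000u);
    return !(entry == 3 && tail == 1 && in == CLEAN && out == FOREIGN_CALLER);
}
```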

  7. #7
    mathix
    Originally Posted by Corthezz
    Ehm?!! Don't hook scanned functions. This contains:
    Functions checked by memory hash
    Functions where a few bytes are scanned
    Functions which are checked for the location they were called from
    So the functions that Warden is scanning are off limits of course. Now, with that said, can I use a Lua DoString function and still be safe if I just don't use the functions Warden scans?

  8. #8
    xalcon
    Nothing is completely safe. With the current incarnation of Warden it's unlikely that calling FrameScript__Execute from EndScene would cause any trouble - but this can change tomorrow, next month or never.
    "Threads should always commit suicide - they should never be murdered" - DirectX SDK

  9. #9
    hamburger12
    As long as you don't write into bytes that are scanned by Warden, your hack should be safe. If you wanna call functions inside the WoW process via remote asm then an EndScene hook is a good start. To avoid the lua_pcall stuff you could inject your own lua dll and use the pcall instead ;-). But like juju mentioned, they've got some "new" techniques for how they try to catch bots. But for that stuff there is also a workaround ...

  10. #10
    DarkLinux
    Originally Posted by JuJuBoSc
    They can also check for specific mapped modules; they may check the call stack (like lua_pcall) to see if the function was called from outside the WoW memory region, or check a memory region hash. In most cases, if your tools are private, there is not much issue, until you use something already detected.
    Do you know how much of the call stack they dump? Would it not be easy just to create a code cave and call functions from inside the main module? But I guess they could start checking page types or checking for page faults.

  11. #11
    MaiN
    Originally Posted by DarkLinux
    Do you know how much of the call stack they dump? Would it not be easy just to create a code cave and call functions from inside the main module? But I guess they could start checking page types or checking for page faults.
    They do not check lua_pcall, they check lua_load, and they assume they are called from lua_loadbuffer, so they check 2 functions up (for the function calling lua_loadbuffer).
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

  12. #12
    DarkLinux
    Originally Posted by MaiN
    They do not check lua_pcall, they check lua_load, and they assume they are called from lua_loadbuffer, so they check 2 functions up (for the function calling lua_loadbuffer).
    So calling WoW's functions is still safe by the sounds of it. Was thinking they could look at the location of the Lua chunk being loaded, but not all Lua code is in the WoW exe. So was Blizzard just targeting one bot calling the Lua functions directly? Any reason you would call the Lua functions over WoW wrappers?

  13. #13
    MaiN
    Originally Posted by DarkLinux
    So calling WoW's functions is still safe by the sounds of it. Was thinking they could look at the location of the Lua chunk being loaded, but not all Lua code is in the WoW exe. So was Blizzard just targeting one bot calling the Lua functions directly? Any reason you would call the Lua functions over WoW wrappers?
    WoW's functions have lots of fluff (assuming you mean FrameScript_GetText). Furthermore, afaik, it does not allow you to return multiple values at the same time. And in my opinion the
    Code:
    DoString("SomeVariable = abc()");
    string val = GetText("SomeVariable");
    approach is not very pretty. Compare that to:
    Code:
    string val = GetValue("return abc()", 0);
    But yes, they could've caught lots of different projects had they gone for FrameScript_GetText instead. But they went specifically after us.

All times are GMT -5.