  1. #1
    lolp1

    [General] Warden basics/history

    I've been asked a lot by people the past three weeks about warden basics. Just kind of compiled a list of responses all in one I've said to people in a readable format. Resources relating to old warden discussions are found at the end of the thread, can be removed if not allowed. Thanks.

    Disclaimer: Some or much of this info could be wrong. I'm no expert or even close. Just my basic understanding of how the warden works and some misconceptions/history on it I recall. Credits for info go on forever. Darawk, herzog_zwei, LordTerror, netter, mousepad, Antirush, lord2800, Gary13579, Shepherd, Vampirewolve, Rhin, the list goes forever..


    The warden is just a system to download and execute code. Its basic idea works like this:

    1. Blizzard sends a warden module to your client via server, which contains code which can pretty much do whatever they feel like.
    2. The only hard-coded part of warden on the client's end will handle/execute these modules sent to your client from the server.



    A few things to know more than above that are important imo:
    1. The server requests a response from your warden module currently loaded every 30-60 seconds, if you respond incorrectly or not at all you will be kicked off everything right away.

    2. When going after a hack, they will often spam you with large sets of modules. So far since 2010 on WoW afaik, a set has been 137 total modules, keep in mind any of which can contain detection code, and normally most of them do not.

    3. Any module can be streamed and executed at any interval of time they choose. If a new set of 137 modules is introduced (any of which could contain detection code for you), one new one streamed every 5 hours, it'll take 30 days+ to collect all of them, if I understand right. I know in d2, before a major banwave they turned some new modules on for a small amount of servers, then reverted, before finally turning that module which contained detection on everywhere.

    4. Even if you fully analyze all of them on the 30th day, and are confident all 137 new modules are safe and do not contain code which would detect you, the same day 137 new ones can show up.. leaving you permanently unable to load the hack if you want to be safe if you fear a warden module could detect you.

    5. Sometimes they make it even harder.. they can [and have?] stream different modules to different users instead of the same module to all every 5 hours, making it very hard to properly collect all the modules anyways..


    So now what do you do about warden!? Not much I can say here.. but I will list one thing that might relate (A = the attempt, B = why it won't work)

    A) You could try to reverse the info on how the hardcoded part of warden handles and responds to the requests given from the modules (has been done before), then when you see a request, respond properly. One would guess this would be safe unless they did an update/patch.. but..

    B) Any time they wish they can update the hard-coded stuff on the fly, via ExtraWork or the like. Server sends you a packet, your client downloads for example xx.mpq (WoD does not use .mpq now afaik? either way) with ExtraWork.dll inside of it, ExtraWork.dll is then loaded and now the hard coded warden stuff is changed on the fly. Now it handles responses differently, so when you try to do the response the module asks for that would have been correct five minutes ago, it will be wrong, kicking you off within 30-60 seconds.

    Note: You can not really just 'ignore' ExtraWork. Same issue as above, every legit user not ignoring it gets the new client side warden part, and when warden requests a response it gladly sends the proper one back. The users cheating send the wrong response, due to not getting the update from ExtraWork.
    ---------------------------------
    Below not to be taken as fact. Just what it appears the situation is to me. Generate your own criticism and discussion.
    In the end, it seems to me personally you will have to manage to be completely invisible to any possible warden detection method [and similar methods blizz could employ] conceivable or have it be impractical to detect your hack for them at least to be safe as a public hack, due to it being completely dynamic.

    Is this possible for a bot as advanced as HB that recently got detected? No clue, I suck at anything like that and just know basic warden stuff from reading mostly.

    Random warden history I remember I found kinda interesting(take with a grain of salt):

    There were some back and forth battles in the d2 days with warden/hack developers I recall. Netter's maphack got detected with VirtualQuery, he then added a VirtualQuery hook, then they again banned it by bypassing his VirtualQuery hook. I actually have the analysis he posted still on a random archive:
    Code:
    MOV EAX,DWORD PTR DS:[EDX+1]// Gets the NtQueryVirtualMemory sysnum. 
    ADD EDX,5 // Adds 5 bytes (jump first instruction, in which my 1-byte hook is written to) 
    JMP EDX // Jump the hook. 
    CMP BYTE PTR DS:[EAX],0CC // Checks for his[netters] NtQueryVirtualMemory hook.


    If I remember right, after this he did some good ol' polymorphic stuff on his hook to prevent that. This brought on the next detection method, which was them asking the player's client to give a list of all chat messages present w/ return memory region req's [according to herzog_zwei's post]. Since netter's maphack loaded a chat msg, they detected that msg and flagged.

    Same method caught mousepad's maphack, except I think herzog said mousepad had actually made his message invisible to warden. I think it was still caught because it still showed an empty [no string] chat line, which was not possible normally in the client. herzog mentioned extraline checks would have caught it as well.
    Interesting history, I think the warden actually activated inactive d2 code which activated other parts of warden.

    If bored and wanna google some old general warden info, check out posts/threads/articles (specifically on mousepad forums, blizzhackers) by herzog_zwei, Darawk, lord2800, lordterror; pretty much anyone from the list at the start has some fun to read posts.

    Interesting threads/discussions on warden from older days.
    OwnedCore - World of Warcraft Exploits, Hacks, Bots and Guides. - OwnedCore News (tons of info in general hidden here)
    Blizzhackers • View topic - Warden discussion and FAQ
    Blizzhackers • View topic - warden thread
    Mousepad's Doom II Forums :: Search [ search warden terms, or above names]
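
The prologue check from the listing in the post above, written from the integrity-checking side as an added example; it is not part of the original post and not Warden code. It assumes a 32-bit syscall stub that starts with `B8 imm32` (`MOV EAX, <syscall number>`), which is what the listing relies on when it reads `[EDX+1]` and skips 5 bytes; all function names are hypothetical and the sample bytes and syscall number are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical names throughout; illustrative only. */
enum stub_verdict { STUB_CLEAN, STUB_INT3, STUB_JMP, STUB_MODIFIED, STUB_TOO_SHORT };

#define STUB_PROLOGUE_LEN 5  /* B8 imm32: MOV EAX, <syscall number> */

/* Constructed samples: a reference prologue with made-up syscall number 0x23,
 * and three altered copies of it. */
static const uint8_t REF_STUB[8]  = {0xB8, 0x23, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03};
static const uint8_t INT3_STUB[8] = {0xCC, 0x23, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03};
static const uint8_t JMP_STUB[8]  = {0xE9, 0x10, 0x20, 0x30, 0x00, 0xBA, 0x00, 0x03};
static const uint8_t NUM_STUB[8]  = {0xB8, 0x24, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03};

/* Compare bytes read from the loaded image (`live`) with the same function's
 * bytes from a trusted copy (`ref`, e.g. the file on disk), then name the
 * kind of change from the first byte. */
enum stub_verdict check_stub(const uint8_t *live, const uint8_t *ref, size_t len)
{
    if (len < STUB_PROLOGUE_LEN)
        return STUB_TOO_SHORT;
    if (memcmp(live, ref, len) == 0)
        return STUB_CLEAN;
    if (live[0] == 0xCC)                      /* INT3, the byte the listing tests for */
        return STUB_INT3;
    if (live[0] == 0xE9 || live[0] == 0xEB)   /* JMP rel32 / JMP rel8 detour */
        return STUB_JMP;
    return STUB_MODIFIED;                     /* any other difference, e.g. changed imm32 */
}

/* Syscall number = little-endian imm32 after the B8 opcode.
 * Returns -1 when the stub does not start with MOV EAX, imm32. */
int64_t stub_sysnum(const uint8_t *stub, size_t len)
{
    if (len < STUB_PROLOGUE_LEN || stub[0] != 0xB8)
        return -1;
    return (int64_t)((uint32_t)stub[1] | (uint32_t)stub[2] << 8 |
                     (uint32_t)stub[3] << 16 | (uint32_t)stub[4] << 24);
}

int main(void)
{
    const uint8_t *samples[] = {REF_STUB, INT3_STUB, JMP_STUB, NUM_STUB};
    for (size_t i = 0; i < 4; i++)
        printf("sample %zu: verdict=%d sysnum=%lld\n", i,
               (int)check_stub(samples[i], REF_STUB, 8),
               (long long)stub_sysnum(samples[i], 8));
    return 0;
}
```

Comparing against a trusted reference copy, rather than testing for one opcode, is what lets the check keep working when the first byte of the patch changes.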

  2. #2
    Jadd
    Originally Posted by Harko
    Warden is irrelevant.

    The last special scan in a warden module was a glider scan in 2008. The glider module was swapped 10 minutes after login for one single scan and then the server swapped back to the standard modules. Afterwards the warden project was abandoned. The last "update" to warden was the ASLR compatibility patch 6? years ago.

    Every targeted detection since then was hidden directly in the client.
    Good reminder - not sure why everyone is so concerned about Warden all of a sudden..

  3. #3
    lolp1
    Originally Posted by Jadd
    Good reminder - not sure why everyone is so concerned about Warden all of a sudden..
    I personally have no concerns. Just posted a general history and basic workings that I recall out of personal interest in the topic I've had and the questions I've been asked the past few weeks - I thought others might find it kind of interesting too, particularly the specific battles between blizzard and hack makers in the past and how they've evolved their detection methods and tactics and tools over the years.

    Although, I find it highly unlikely the warden is a forever dead project and still of no threat in world of warcraft. Just because it's not used right now and has not been used for new detection on WoW in some time, it has been used and updated several times since the 2008 mentioned above in different titles of blizzard (starcraft 2, diablo 3). It's still a threat if used to its full potential and I'm not really aware of any guaranteed solutions to avoid it, especially for popular public hacks which use powerful tools and not just basic key emulations and such.
    Last edited by lolp1; 05-29-2015 at 11:10 AM.

  4. #4
    andy012345
    Harko is right, Warden is irrelevant now, all the bot makers are monitoring Warden and what it is doing.

    As a simplistic view of Warden, it's just a bunch of DLLs with the PE headers removed, the client maps them in and calls them with the arguments sent by the server.

    This can be monitored, and this is why the detections are being added to the client, as it's much more effective.

    Edit: Removed encryption part, I can't even remember if they're encrypted, I haven't looked at a module for a number of years.

  5. #5
    lolp1
    I'm a little confused by the meaning implied by "Warden is irrelevant now". Do you (andy012345), or the other two posters harko and Jadd care to further elaborate?

    When you guys say that, are you saying that warden is irrelevant because the current implementation/usage of it has been 'countered' for years now but could be relevant if used better by blizzard, or are you saying that warden is irrelevant altogether regardless if they used it to its full potential or not and is permanently null regardless?

    To directly address you andy012345, I had a few questions I was wondering if you could answer then, or anyone who feels free to educate.

    Originally Posted by andy012345
    Harko is right, Warden is irrelevant now, all the bot makers are monitoring Warden and what it is doing.

    As a simplistic view of Warden, it's just a bunch of DLLs with the PE headers removed, the client maps them in and calls them with the arguments sent by the server.

    This can be monitored, and this is why the detections are being added to the client, as it's much more effective.

    Edit: Removed encryption part, I can't even remember if they're encrypted, I haven't looked at a module for a number of years.
    They're encrypted. If someone's hack has code that is monitoring warden at all, I'm going to assume they do not think their hack is completely not invisible to any potential warden stuff, otherwise why bother monitoring it?

    With that said, in what way could warden be monitored to make it totally irrelevant and exclude the possibility of its detections? Simply tracking the modules does not solve anything, considering they can update them at any time, with anything they want to do. Even if you managed to grab every single module to date in existence and unload if a new one is noticed, it does you no good considering if they cared they could simply spam you with new ones.. making your hack permanently disabled.

    Assuming you've managed to reverse the client-side warden module handling and have the luxury to know how response the modules request on the fly every time or what it is checking for and knowing none of it is targeted to you on the fly, you still do not solve anything really, right? If they cared to bother, they could decide to force an update on the fly at any time with something like ExtraWork and you will not know the new response it requests. So simply pushing a new module into the stream, and ExtraWork at the same time would cause you to incorrectly respond and get kicked.

    So is it that warden has simply been ignored in WoW for 5 years (odd considering it's been used in recentish times on other titles of theirs) and is just doing nothing but ancient stuff which as-is is countered as of now if they do not use it better, or that warden is simply shut down you think forever and completely as a threat for some methods not shared in the public for obvious reasons?

  6. #6
    lolp1
    If you post something like "I do this and this and this" Blizzard can simply fix the loopholes and in the worst case exploit it to counter the anti-detection.
    Fair enough. Different interpretation of "warden is irrelevant". If this is the case, I still would not really consider it irrelevant. Simply being currently able to avoid warden as-is does not make it irrelevant to me. Maybe being able to physically hide everything your hack does from any possible warden stuff would make it irrelevant to me.

    One example of why I have a very hard time calling warden irrelevant is Apoc's post in blizzhackers back in 2012. If I recall right, his post then was him saying that blizzard is unable to make a detection on them with the client, so they were forced into trying to sue them in his eyes. Yet, in this thread below they say warden updated (July 2014) and they were concerned, as well as recent detection that just happened.

    I personally find it very hard to believe they've not had the capability to detect them for a long time now and did not choose to pursue the lawsuit instead for I'm guessing cost:gain reasons to accomplish the same goal of shutting down the bot. After Bossland's first suit victory, within weeks honorbuddy banwave hits? Sounds to me like a choice on their end to operate how they have, not lack of capability to detect.
    https://www.thebuddyforum.com/the-bu...22-2014-a.html


    In your first post you wrote "a whole batch of new modules requires 30+ days".
    I explained it poorly, then, my fault. Warden modules do not require 30 days, or 5 days. They can do whatever they want with it really on the fly at any time and interval.

    Last year Honorbuddy had 3? Tripwire events because they detected new warden modules, the second tripwire event was after 7? days. It was impossible that they had all new modules but how did they know they were new ones? Did they get all modules somehow instantly? Or how did they do it? I am sure the developer who recompiled the modules would like to know the answer to this question but the Honorbuddy guys would be stupid to post it
    What does knowing when a new module hits you and setting off tripwire do? Simply spamming new modules frequently disables your hack/bot anyways in that case. These posts from hawker (late 2014) seem to show this applies to even HB.

    Today July 27 2014 at 0345 UTC, a Warden module was seen that caused some concern. The changes appear to be innocuous so we are re-opening auth. As I said earlier this week, it will be late August before we can report to you, our users, what we think is going on. For now all we can say is that Warden is being worked on.
    Another new module a few hours ago and again we had to go offline to make checks. We are back now.
    It's been over a month. The good news is that Blizzard does not appear to have done anything that targets our bots. The bad news is that they are working on Warden after leaving it unchanged for 3 years.
    It appears they did not do the full blown module spam they've done in the past to help counter some antidetection systems in the past. Either that or they evaluated the warden once again and considered it to be an unlikely threat, once again ignoring or dealing with any new modules without being forced to unload. However at any time it would seem to be that could change in an instant.
    Last edited by lolp1; 05-30-2015 at 10:31 AM.
