ReadProcessMemory and detections ?

**olaxwth** · 04-16-2016

Hi guys,

I just entered myself into the Reverse Engineering world recently and I need to practice.
I don't really know much about Warden etc, I guess it can do some pattern or signatures scans.
Do you guys know if it runs on ring0, I don't have the skills to figure it myself?

What would be the detection rates for a "External Simple Raiding Bot" with no hooking/injection that use theses functions:

OpenProcess.
ReadProcessMemory.
SendMessage (or any functions that push keys without injecting/hooking).

And if its "detectable" is there any way to protect myself against the warden ? But I imagine it's a lot more harder than making a simple bot and reading memory ^^, I'm a professional software engineer, so my job is to works and levelup on unknown technologies ;D, feel free to PM me if you'r interested to work with me on this.

Thanks for help and sorry for english non-native

**namreeb** · 04-16-2016

Warden does not run in ring0. It is an encrypted dll with the PE headers stripped off that is loaded on request by the server. It runs exclusively within the wow process. Warden does not detect any of the remote process functions you mentioned. It is theoretically possible that they can extend it to detect that, but it is highly unlikely. Warden hasn't changed much since it was first created. It is also possible, and slightly more likely (though still very unlikely overall) that they could add an easter egg into the client to detect this. While I think that that is the most likely scenario, it is also very unlikely.

TLDR version: it is reasonably safe to use all of those three functions.