Does Wow Anti Cheat (warden or whatever) Use Kernel Mode module

  1. #1
    SailorMars (Member)

    (Originally posted in the 'WoW Bots Questions & Requests' section, but it seems that technical questions belong here, so I am reposting it.)
    -------------------------------------------------------------------------------------------
    I started playing wow recently and decided to write my own bot for it. So I'm totally new to the architecture of its anti cheat (warden or whatever) and just started studying it.

    I found this article (but outdated, of course)
    Deceiving Blizzard Warden – HackMag

    Is the general outline of the AC architecture described in the article still valid in BFA (ver 8 client)?

    Specifically, does it use any kernel mode code to detect cheats? My plan is to use kernel code if necessary, but I heard that it is not really that sophisticated, and simple inspection with Process Explorer doesn't show any kernel module (unless hidden by some sophisticated methods).
    Last edited by SailorMars; 08-08-2018 at 02:11 AM.

  2. #2
    doityourself (★ Elder ★)
    Originally Posted by SailorMars:
        (Originally posted in the 'WoW Bots Questions & Requests' section, but it seems that technical questions belong here, so I am reposting it.)
        -------------------------------------------------------------------------------------------
        I started playing wow recently and decided to write my own bot for it. So I'm totally new to the architecture of its anti cheat (warden or whatever) and just started studying it.

        I found this article (but outdated, of course)
        Deceiving Blizzard Warden – HackMag

        Is the general outline of the AC architecture described in the article still valid in BFA (ver 8 client)?

        Specifically, does it use any kernel mode code to detect cheats? My plan is to use kernel code if necessary, but I heard that it is not really that sophisticated, and simple inspection with Process Explorer doesn't show any kernel module (unless hidden by some sophisticated methods).

    It's fully working in user mode. No need for drivers etc.

  3. #3
    zys924 (Active Member)
    They are very passionate about user-mode only AC techs. So it poses nearly no threat to kernel mode hacks and just sink to kernel for your own cheat, dude!

  4. #4
    SailorMars (Member)
    Originally Posted by zys924:
        They are very passionate about user-mode only AC techs. So it poses nearly no threat to kernel mode hacks and just sink to kernel for your own cheat, dude!

    Any ideas why they insist on user-mode only? Is it because the internal data structures are complicated and any useful bots require injection into the wow process and call their routines?

  5. #5
    zys924 (Active Member)
    Originally Posted by SailorMars:
        Any ideas why they insist on user-mode only? Is it because the internal data structures are complicated and any useful bots require injection into the wow process and call their routines?

    They do not want to load any drivers for unknown reasons. Blizzard games are all like this. They are very confident with their "sophisticated" usermode anti-cheat.

  6. #6
    SailorMars (Member)
    Originally Posted by zys924:
        They are very passionate about user-mode only AC techs. So it poses nearly no threat to kernel mode hacks and just sink to kernel for your own cheat, dude!

    And my idea of a kernel mode cheat is going to be like a user mode external cheat (except, of course, that it is undetectable from usermode), i.e. without injecting into their process, purely memory reading and key press emulation. Will this limit the functionality of my bot?

  7. #7
    zys924 (Active Member)
    Originally Posted by SailorMars:
        And my idea of a kernel mode cheat is going to be like a user mode external cheat (except, of course, that it is undetectable from usermode), i.e. without injecting into their process, purely memory reading and key press emulation. Will this limit the functionality of my bot?

    There is no essential difference as to "external" and "internal". It is only a matter of how well you understand how to get your memory operation right.

    Even your external operation can easily be detected by kernel handle tracing, which means if you open a handle to the process, then you are doomed. However, if you play well, internal operation can be very powerful while 100% stealthy.

    So forget about the debate about these two simple concepts. Focus on your actual impl

  8. #8
    SailorMars (Member)
    Originally Posted by zys924:
        There is no essential difference as to "external" and "internal". It is only a matter of how well you understand how to get your memory operation right.

        Even your external operation can easily be detected by kernel handle tracing, which means if you open a handle to the process, then you are doomed. However, if you play well, internal operation can be very powerful while 100% stealthy.

        So forget about the debate about these two simple concepts. Focus on your actual impl

    You mentioned kernel handle tracing. But from what I understand, a handle in my user-mode process is just an index to a table residing in kernel memory (which contains the actual pointer to the kernel object, like the wow's EPROCESS that my process opened). Is kernel handle tracing possible in wow user-mode only AC at all?

  9. #9
    zys924 (Active Member)
    You need to get kernel rights to get kernel handle. But who knows when Blizzard will do this? I am just naming a common approach of modern AC techs as an example.

    Also, if you look at Overwatch, which is also a user-mode AC example, it adopts quite a few approaches to detect unauthorized memory reading, such as trapped pages with memory shifting tech. What I essentially mean is "staying externally" is not a safe harbour. It only limits your potential to do things (you have to write everything in ASM).
    Last edited by zys924; 08-08-2018 at 02:46 AM.
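
The handle tracing named in this thread, seen from the defender's side: walk a snapshot of the system handle table and flag process handles to the protected game that were granted memory-access rights. This is an added example, not code from the thread or from any real anti-cheat; the snapshot records, process names, PIDs and allowlist are constructed, how the snapshot is collected is left out, and only the access-right bit values are the real Windows constants.

```python
from dataclasses import dataclass

# Real Windows process access-right bits (winnt.h).
RISKY_RIGHTS = {
    "VM_OPERATION": 0x0008,
    "VM_READ": 0x0010,
    "VM_WRITE": 0x0020,
    "DUP_HANDLE": 0x0040,
}

@dataclass(frozen=True)
class HandleEntry:          # hypothetical record shape for one handle-table row
    owner_pid: int          # process that holds the handle
    owner_image: str
    object_type: str        # "Process", "File", ...
    target_pid: int         # PID the handle refers to (0 if not a process)
    granted_access: int     # access mask granted when the handle was opened

# Assumed allowlist of system processes that legitimately hold such handles.
# Image names can be spoofed; a real check would key on verified signer/path.
ALLOWLIST = frozenset({"csrss.exe", "lsass.exe"})

def audit_handles(snapshot, protected_pid, allowlist=ALLOWLIST):
    """Return (owner_pid, owner_image, rights) for suspicious foreign handles."""
    findings = []
    for h in snapshot:
        if h.object_type != "Process" or h.target_pid != protected_pid:
            continue                      # not a handle to the protected process
        if h.owner_pid == protected_pid:
            continue                      # the process's handle to itself
        rights = [n for n, bit in RISKY_RIGHTS.items() if h.granted_access & bit]
        if not rights:
            continue                      # e.g. SYNCHRONIZE only, no memory access
        if h.owner_image.lower() in allowlist:
            continue
        findings.append((h.owner_pid, h.owner_image, rights))
    return findings

# Constructed snapshot; PID 4321 stands in for the protected game process.
SNAPSHOT = [
    HandleEntry(4321, "Wow.exe", "Process", 4321, 0x1FFFFF),
    HandleEntry(612, "csrss.exe", "Process", 4321, 0x1FFFFF),
    HandleEntry(7010, "overlay.exe", "Process", 4321, 0x100000),  # SYNCHRONIZE
    HandleEntry(8122, "reader.exe", "Process", 4321, 0x0410),     # QUERY_INFORMATION | VM_READ
    HandleEntry(8122, "reader.exe", "File", 0, 0x120089),
    HandleEntry(9001, "tool.exe", "Process", 5555, 0x1FFFFF),     # other target
]

if __name__ == "__main__":
    for pid, image, rights in audit_handles(SNAPSHOT, protected_pid=4321):
        print(f"pid={pid} image={image} rights={','.join(rights)}")
```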
