-
Member
Does WoW Anti-Cheat (Warden or whatever) Use a Kernel-Mode Module?
(Originally posted in the 'WoW Bots Questions & Requests' section, but it seems that technical questions belong here, so I reposted it here.)
-------------------------------------------------------------------------------------------
I started playing WoW recently and decided to write my own bot for it. So I'm totally new to the architecture of its anti-cheat (Warden or whatever) and just started studying it.
I found this article (outdated, of course):
Deceiving Blizzard Warden – HackMag
Is the general outline of the AC architecture described in the article still valid in BFA (version 8 client)?
Specifically, does it use any kernel-mode code to detect cheats? My plan is to use kernel code if necessary, but I heard that it is not really that sophisticated, and a simple inspection with Process Explorer doesn't show any kernel module (unless it is hidden by some sophisticated method).
Last edited by SailorMars; 08-08-2018 at 02:11 AM.
-
★ Elder ★
Originally Posted by SailorMars
(Originally posted in the 'WoW Bots Questions & Requests' section, but it seems that technical questions belong here, so I reposted it here.)
-------------------------------------------------------------------------------------------
I started playing WoW recently and decided to write my own bot for it. So I'm totally new to the architecture of its anti-cheat (Warden or whatever) and just started studying it.
I found this article (outdated, of course):
Deceiving Blizzard Warden – HackMag
Is the general outline of the AC architecture described in the article still valid in BFA (version 8 client)?
Specifically, does it use any kernel-mode code to detect cheats? My plan is to use kernel code if necessary, but I heard that it is not really that sophisticated, and a simple inspection with Process Explorer doesn't show any kernel module (unless it is hidden by some sophisticated method).
It's fully working in user mode. No need for drivers, etc.
-
Active Member
They are very passionate about user-mode-only AC tech. So it poses nearly no threat to kernel-mode hacks; just sink to the kernel for your own cheat, dude!
-
Member
Originally Posted by zys924
They are very passionate about user-mode-only AC tech. So it poses nearly no threat to kernel-mode hacks; just sink to the kernel for your own cheat, dude!
Any ideas why they insist on user-mode only? Is it because the internal data structures are complicated and any useful bot requires injection into the WoW process and calling its routines?
-
Active Member
Originally Posted by SailorMars
Any ideas why they insist on user-mode only? Is it because the internal data structures are complicated and any useful bot requires injection into the WoW process and calling its routines?
They do not want to load any drivers, for unknown reasons. Blizzard games are all like this. They are very confident in their "sophisticated" user-mode anti-cheat.
-
Member
Originally Posted by zys924
They are very passionate about user-mode-only AC tech. So it poses nearly no threat to kernel-mode hacks; just sink to the kernel for your own cheat, dude!
And my idea of a kernel-mode cheat is going to be like a user-mode external cheat (except, of course, that it is undetectable from user mode), i.e. without injecting into their process, purely memory reading and key-press emulation. Will this limit the functionality of my bot?
-
Active Member
Originally Posted by SailorMars
And my idea of a kernel-mode cheat is going to be like a user-mode external cheat (except, of course, that it is undetectable from user mode), i.e. without injecting into their process, purely memory reading and key-press emulation. Will this limit the functionality of my bot?
There is no essential difference between "external" and "internal". It is only a matter of how well you understand how to get your memory operations right.
Even your external operation can easily be detected by kernel handle tracing, which means that if you open a handle to the process, then you are doomed. However, if you play well, internal operation can be very powerful while 100% stealthy.
So forget about the debate about these two simple concepts. Focus on your actual implementation.
-
Member
Originally Posted by zys924
There is no essential difference between "external" and "internal". It is only a matter of how well you understand how to get your memory operations right.
Even your external operation can easily be detected by kernel handle tracing, which means that if you open a handle to the process, then you are doomed. However, if you play well, internal operation can be very powerful while 100% stealthy.
So forget about the debate about these two simple concepts. Focus on your actual implementation.
You mentioned kernel handle tracing. But from what I understand, a handle in my user-mode process is just an index into a table residing in kernel memory (which contains the actual pointer to the kernel object, like WoW's EPROCESS, that my process opened). Is kernel handle tracing possible in WoW's user-mode-only AC at all?
-
Active Member
You need kernel rights to get at kernel handles. But who knows when Blizzard will do this? I am just naming a common approach of modern AC tech as an example.
Also, if you look at Overwatch, which is also a user-mode AC example, it adopts quite a few approaches to detect unauthorized memory reading, such as trapped pages with memory-shifting techniques. What I essentially mean is that "staying external" is not a safe harbour. It only limits your potential to do things (you have to write everything in ASM).
Last edited by zys924; 08-08-2018 at 02:46 AM.
-