Apparently unsafe memory reading and/or input implementation menu

  1. #1 Skavi (Member)

    Greetings everyone. I've written a simple tool (C#) that reads memory from WoW and sends keystrokes into its window and it got me banned (a throwaway account) - 3rd party software. I've used ReadProcessMemory and PostMessage functions, could those be easily detected? While reading I also used the function OpenHandle, could the handle get me detected? I heard something about hijacking a handle but never tested it myself. I have always thought that injecting a .dll is more dangerous thus kept using ReadProcessMemory and PostMessage to stay "safe" but apparently it's not enough. Maybe someone could point me to a direction which would help me to stay more evasive? Thanks in advance.

  2. #2 xalcon (Contributor)
    As long as you don't take any special countermeasures, all of your listed Win32 API calls are easily detected.

    * OpenHandle: You can easily get a list of open handles to a process. While this is not an immediate give-away (a lot of services open handles to other processes), it's a starting point for Blizzard.
    * Read/WriteProcessMemory: Not as easy to detect, but not really hard either. Still a candidate for false positives since genuine apps might use this to inject their payload into running processes.
    * PostMessage: Probably the easiest to detect and a bit harder to work around. When a process is working with the Windows message queue, it can use the GetCurrentInputMessageSource API to get an INPUT_MESSAGE_SOURCE object. This object contains information about the source of this event (i.e. is it injected or does it come from a hardware device?).
    GetCurrentInputMessageSource function (winuser.h) - Win32 apps | Microsoft Docs
    INPUT_MESSAGE_SOURCE (winuser.h) - Win32 apps | Microsoft Docs
    INPUT_MESSAGE_ORIGIN_ID (winuser.h) - Win32 apps | Microsoft Docs

    Regarding OpenHandle and RPM/WPM: I'm not sure if handle hijacking would get you anywhere due to the rather specific requirements the handle needs to meet.
    I dare say that DLL injection is just as safe as RPM/WPM these days, considering all the invasive external services like screen overlays, anti-malware apps, sandboxes, etc.

    I think you were detected due to all reasons combined. Using just RPM/WPM or PostMessage alone shouldn't get you banned due to false positives. E.g. the input mapper WoWMapper (used to play WoW with a gamepad with the addon ConsolePort) uses PostMessage and I have yet to see any ban reports for using that tool.

    Personally, I just use an Arduino Micro for hardware input simulation. I'm injecting myself into the WoW process (using a simple technique that doesn't require a codecave, WPM and friends). The injected code doesn't contain any botting logic. It's just a dumb agent that gets memory requests from an external service. This limits me to one WoW client per PC, but I got my hands on some really cheap hardware (~40fps at minimum details) so it's not an issue for me.
    "Threads should always commit suicide - they should never be murdered" - DirectX SDK

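    The INPUT_MESSAGE_SOURCE check xalcon describes, written out from the game's (defender's) side as an added example; this is not xalcon's code or anything from the thread. It folds the origin reported for each input message into counts and flags a burst whose injected share crosses a threshold. Assumptions: the enum values mirrored for non-Windows builds match the SDK, and the threshold and the sample burst are constructed.

```c
#include <stddef.h>
#ifdef _WIN32
#define _WIN32_WINNT 0x0602   /* GetCurrentInputMessageSource needs Windows 8+ headers */
#include <windows.h>
#else
/* Local mirror of the winuser.h types so the logic also builds off Windows (assumption: values match the SDK; only members used below are listed). */
typedef enum { IMDT_UNAVAILABLE = 0, IMDT_KEYBOARD = 1, IMDT_MOUSE = 2 } INPUT_MESSAGE_DEVICE_TYPE;
typedef enum { IMO_UNAVAILABLE = 0, IMO_HARDWARE = 1, IMO_INJECTED = 2, IMO_SYSTEM = 4 } INPUT_MESSAGE_ORIGIN_ID;
typedef struct { INPUT_MESSAGE_DEVICE_TYPE deviceType; INPUT_MESSAGE_ORIGIN_ID originId; } INPUT_MESSAGE_SOURCE;
#endif
/* Running counts of where a window's input came from. */
typedef struct { size_t hardware, injected, other; } InputStats;

/* Fold one message source into the counts. IMO_SYSTEM and IMO_UNAVAILABLE are neither
   hardware nor injected, so they are counted apart and never affect the verdict. */
void record_source(InputStats *s, const INPUT_MESSAGE_SOURCE *src) {
    switch (src->originId) {
    case IMO_HARDWARE: s->hardware++; break;
    case IMO_INJECTED: s->injected++; break;
    default:           s->other++;    break;
    }
}

/* True when injected messages exceed threshold_pct of the hardware+injected total (exact integer math; an empty window never trips). */
int injected_share_exceeds(const InputStats *s, unsigned threshold_pct) {
    size_t counted = s->hardware + s->injected;
    if (counted == 0) return 0;
    return s->injected * 100 > (size_t)threshold_pct * counted;
}

#ifdef _WIN32
/* Real data source: call from the window procedure while handling an input message (WM_KEYDOWN, WM_LBUTTONDOWN, ...). */
void record_current_message(InputStats *s) {
    INPUT_MESSAGE_SOURCE src;
    if (GetCurrentInputMessageSource(&src)) record_source(s, &src);
}
#endif

/* Constructed sample burst: 8 messages, 2 from hardware, 5 injected, 1 system-generated. */
static const INPUT_MESSAGE_SOURCE SAMPLE_BURST[] = {
    {IMDT_KEYBOARD, IMO_HARDWARE},  {IMDT_KEYBOARD, IMO_INJECTED}, {IMDT_KEYBOARD, IMO_INJECTED},
    {IMDT_MOUSE, IMO_HARDWARE},     {IMDT_KEYBOARD, IMO_INJECTED}, {IMDT_KEYBOARD, IMO_INJECTED},
    {IMDT_UNAVAILABLE, IMO_SYSTEM}, {IMDT_KEYBOARD, IMO_INJECTED},
};

InputStats tally_sample_burst(void) {
    InputStats s = {0, 0, 0};
    for (size_t i = 0; i < sizeof SAMPLE_BURST / sizeof SAMPLE_BURST[0]; i++)
        record_source(&s, &SAMPLE_BURST[i]);
    return s;
}
```

    What an application does once the share is exceeded (log, rate-limit, escalate to a human review) is policy; the origin field itself only says whether the message came through a hardware device or was injected.
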
  3. #3 PhoenixVip1337 (Member)
    Do you use PostMessage with a random delay?
    What exactly was the bot? Grind? Fish? Healbot?

    You speak about WriteProcessMemory;
    do you use it exactly? In which case?

    For targeting? For CTM? For direction change?

  4. #4 Skavi (Member)
    @xalcon Thanks for the info, it sheds some light on how these things may look on Blizzard's end.
    @PhoenixVip1337 I have a delay, yes. I don't write to the memory; I used to write for CTM a couple of years ago and even my trial accounts got banned after some tests. Since then I have only been reading memory and all input was through PostMessage; it's a simple farming bot (grind + skinning). It had been working just fine until recently. :confused:

  5. #5 PhoenixVip1337 (Member)
    @skavi I use C++ and PostMessageW too; because for me, you have no luck if you get banned;
    3rd party software; I don't think they waste time scanning your "application" if it is private, that has no chance ^^'; probably it's possible the bot was banned only by a report? Or the bot played a lot of time and never disconnected xD, or some friend reported you!
    Last edited by PhoenixVip1337; 12-03-2019 at 08:28 AM.

  6. #6 Skavi (Member)
    @PhoenixVip1337 Do they really have to scan the app? I thought they might have some mechanisms to catch that automatically...

  7. #7 PhoenixVip1337 (Member)
    I think they don't detect the app, but the rotation of the bot; or the same road; or the same mechanisms with the same timer; same time for loot; or the same PostMessage with the same delay (DPS cycle); or something like that; + reports from players...

  8. #8 zakkord (Member)
    You got reported by other people and banned after a manual review. There are no "detections".

  9. #9 Unbaar (Member)
    So how long were you using this before you were banned?

    As others mentioned, the #1 source of getting banned is player reports, not detecting your private hack. Were you in a guild? Did you message other players and talk?
    Last edited by Unbaar; 12-03-2019 at 04:50 PM.

  10. #10 Skavi (Member)
    As far as I know reports basically draw attention, then it has to be reviewed by Blizzard. But Blizzard won't ban you for 3rd party software without hard evidence. I had used this tool for about a year and if I ever got a ban it was an "abuse of economy" ban; this one is the first one for 3rd party software.
    @zakkord I bet there are "detections"; remember the latest times of HB when you could run the bot for 5 min, then close it and then get a ban some weeks later. A similar thing happened when I was exploring memory editing in WoW on trial accounts: it couldn't have looked suspicious enough for someone to report me and yet something triggered and those accounts got a ban for 3rd party software.
    I was just wondering if someone could direct me to some of the "special countermeasures" concepts that could be implemented in order to make my tool less noticeable.

  11. #11 charles420 (Contributor)
    I personally inject a DLL into a system process that has a handle to WoW and do my memory reading/writing from there. The reason for it was an extra layer to hide from sig scans and not opening a new handle if I ever decided to mass release it. Also on that note, just because you do that does not make it per se harder for them to detect you; look at EAC. But both my bots I currently use (that method / old-school open handle read/write) still have not been banned. I also don't bot 24/7, same profiles, same rotations; it logs off, player follows for x amount of time, responds to whispers, with me randomly checking on it, and so on.
    Last edited by charles420; 12-04-2019 at 04:48 AM.

  12. #12 air999 (Contributor)
    Don't bot 24x7

  13. #13 Skavi (Member)
    @air999 But don't they have to make sure? Get some hard proof? Abuse of economy is fine, it's a pretty vague offense, but 3rd party software is quite straightforward. I remember hard botters/farmers that never got banned despite being reported and I thought it was because Blizzard couldn't prove they were bots (I know they never show you the proof for obvious reasons, but I really did think they had some).

  14. #14 air999 (Contributor)
    They scan for known patterns. They scan process memory, window titles, DLLs, device drivers. But I doubt you will get banned for private DLL injection.

  15. #15 Unbaar (Member)
    Originally posted by air999:
        They scan for known patterns. They scan process memory, window titles, DLLs, device drivers. But I doubt you will get banned for private DLL injection.
    Where did you learn that they're scanning device drivers?
