GodlyGamr said:
Not necessarily. Essentially, warden checks for dll injection, which is how all previous maphacks are made and is pretty much the norm for this kind of program interaction.
This is only one way warden checks. I found this on Gamemunchers take it for whatever ya make of it!
good job netter but you all can read that from the wowsharp team:
The warden that is sent to my machine is not detecting the alpha. I can't explain what happened, even after several hours in the debugger. I can, however, tell you what I know.
The warden dumps all the DLL's using a ToolHelp API call. This is a common way to do this, and da_teach's wow!hider code subverts this by removing the wowhider DLL from the list of modules. This cannot be the source of detection.
The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that doesn't do anything and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard is like the Gestapo. Da_teach's wowhider program evades this check by returning an empty string whenever the window title belongs to WoW!xxx anything. But, I am not totally convinced it wasn't this check that caught us. For example, if you have a window open that is titled "C:/mystuff_4_wow!sharp/bin" - this window title is read by warden, and is not protected by WoW!Hider currently. This could, in theory, explain why only some users were caught, based on which windows were open at the time you were testing.
Next, warden opens every process running on your computer. The alpha version subverted the method used by warden which was
GetProcessNext. Thus, during the process queries, the wowbot and wowinmate programs should have been skipped. Although it seems this isn't how warden detected us, I would like to tell you everything I found. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do?
![StFu]N[DiE](/data/avatars/m/117/117396.jpg?1366521220){kind=avatar}
Then it gets un-exciting for a long time ;P
