WoW Memory Editing (for learning purposes only)
09-21-2008
Quote:
Originally Posted by Xarg0
Why does it only work on single core? I thought it changes the way Virtual Addresses are calculated to physical ones in the Kernel, so where's the problem with multicore?

It will probably work, but dual cores work independently from each other. If address space is accessed at the same time by the cores a BSOD is very likely.
09-21-2008
Quote:
Originally Posted by Xarg0
Why does it only work on single core? I thought it changes the way Virtual Addresses are calculated to physical ones in the Kernel, so where's the problem with multicore?

There's a TLB in each core.

Quote:
Originally Posted by Namoknan
In no means I want to attack your theory Cypher, I did not take a look at this specific driver memory modification thingy. But I guarantee you Ring 0 memory modification is possible on multi core systems. POC can be seen in "Memory Hacking Software by L.Spiro". BSOD is however likely, but chances are pretty low.

....
I never said it wasn't possible to modify memory from the kernel. I said it wasn't possible to 'cloak' memory modifications in that fashion. Learn to read.
PS. I 'guarantee' you you're an idiot.

Quote:
Originally Posted by Namoknan
It will probably work, but dual cores work independently from each other. If address space is accessed at the same time by the cores a BSOD is very likely.

No, it won't work.
Furthermore, the driver only works on x86 and won't work on anything other than XP (2k3 should be a small update, Vista a very large one).
09-29-2008
Why?? Lol.
Last edited by Jadd; 10-01-2008 at 06:54 AM.
09-29-2008
Quote:
Originally Posted by JetlagJad
Why?? Lol.

Why what??
Learn to use full sentences.
09-29-2008
Stickied oh wut.
09-29-2008
Quote:
Originally Posted by Kuiren
Stickied oh wut.

Woop wooop woop
09-30-2008
Shoot da whoop.
10-01-2008
Quote:
Originally Posted by Cypher
Why what??
Learn to use full sentences.

If you can't understand that, well..
Eh screw it I know how smart you are, I meant 'why would you make this'.
10-03-2008
Quote:
Originally Posted by JetlagJad
If you can't understand that, well..
Eh screw it I know how smart you are, I meant 'why would you make this'.

I figured that's what you meant but there are other things it could've been referring to.
And it was made to show the retards who insist on posting speculation on Warden despite having no idea what they're on about that Warden does not in fact go through your pr0n and steal your credit card numbers.
It also points people in the right direction to bypass Warden.
12-22-2008
Quote:
0xB93714 0x8 Unknown Login Check (Parental restrictions??) // Cypher

It's the Blizz Authenticator.
02-12-2009
I am not a techno person by any means but this was very informative.
02-21-2009
Very nice as always kynox. Thank you.
05-14-2009
So, you CAN cloak yourself effectively from the kernel (although then you have to hide your driver, but that's a different can of worms; I think there was a BlackHat demo of a completely driverless SSDT hook a while back). You can tweak the memory protection settings on code pages and swap out the thread context in realtime to produce "virtual" hooks, as well as tweaking descriptor mappings and totally owning the exception handling mechanism. You can also do super cool stuff like double-mapping pages and so on, but honestly that doesn't really gain you much (it's just essentially a faster, but more fragile, ReadProcessMemory). Finally, with SSDT hooking you can essentially 100% (ok, 99.9999%) cloak yourself and any other process/window/whatever you care about from non-driver user mode processes. You can put any process/thread you want into its own little virtualized "jail" where it sees nothing but what you want it to see. That's the essence of what my kernel rootkit back in my XP days did. Never got detected, but I had to give it up when I went to Vista...
That being said, 99% of the rest of what Cypher said is dead-on: it's enormously harder on multi-core boxes (although disabling interrupts at the right point and knowing when to flush the lookasides helps a lot) and very prone to BSOD's at bad times (if you want to go down this route, take my advice; set up a Virtual PC to do your dev work on, or you'll spend all your time rebooting). Most of it is completely impossible (or, at least, as yet impossible) on Vista and esp. Vista 64 due to kernel change.
Last but not least, it's serious overkill. Warden's algorithms are based off of hashing and signatures. Honestly, if you know enough to write a kernel stealth driver, it's child's play to evade Warden pretty much forever (it's so much easier too, because one mistake doesn't take your whole system down). You can play the kind of paranoid mind-games I play (thanks Cypher for making me wonder what happens if they refresh RVA's from the on-disk image... grr), but tbh you don't need to.
If you can code, don't use a public bot. That's pretty much all you need to stay off the radar (and I get the impression that Blizzard doesn't really give a crap about lone coders; they care more about the Gliders and WoWRadar's of the world).
05-14-2009
Quote:
Originally Posted by schlumpf
Isn't everything proof of concept only?

Right.
We can not prove what blizz is putting into warden and wow, maybe they just have fun seeing us trying to cloak our hacks.....
I do not think that a company which earns millions over millions makes a game that can be hacked that easily without any notice of the owners.
05-14-2009
Quote:
Originally Posted by amadmonk
So, you CAN cloak yourself effectively from the kernel (although then you have to hide your driver, but that's a different can of worms; I think there was a BlackHat demo of a completely driverless SSDT hook a while back). You can tweak the memory protection settings on code pages and swap out the thread context in realtime to produce "virtual" hooks, as well as tweaking descriptor mappings and totally owning the exception handling mechanism. You can also do super cool stuff like double-mapping pages and so on, but honestly that doesn't really gain you much (it's just essentially a faster, but more fragile, ReadProcessMemory). Finally, with SSDT hooking you can essentially 100% (ok, 99.9999%) cloak yourself and any other process/window/whatever you care about from non-driver user mode processes. You can put any process/thread you want into its own little virtualized "jail" where it sees nothing but what you want it to see. That's the essence of what my kernel rootkit back in my XP days did. Never got detected, but I had to give it up when I went to Vista...
That being said, 99% of the rest of what Cypher said is dead-on: it's enormously harder on multi-core boxes (although disabling interrupts at the right point and knowing when to flush the lookasides helps a lot) and very prone to BSOD's at bad times (if you want to go down this route, take my advice; set up a Virtual PC to do your dev work on, or you'll spend all your time rebooting). Most of it is completely impossible (or, at least, as yet impossible) on Vista and esp. Vista 64 due to kernel change.
Last but not least, it's serious overkill. Warden's algorithms are based off of hashing and signatures. Honestly, if you know enough to write a kernel stealth driver, it's child's play to evade Warden pretty much forever (it's so much easier too, because one mistake doesn't take your whole system down). You can play the kind of paranoid mind-games I play (thanks Cypher for making me wonder what happens if they refresh RVA's from the on-disk image... grr), but tbh you don't need to.
If you can code, don't use a public bot. That's pretty much all you need to stay off the radar (and I get the impression that Blizzard doesn't really give a crap about lone coders; they care more about the Gliders and WoWRadar's of the world).

Yes you can. But not on x64. PatchGuard will rape your ass. Sure you can bypass patchguard, but it's no trivial task.

Quote:
Originally Posted by DaemonOnFire
Right.
We can not prove what blizz is putting into warden and wow, maybe they just have fun seeing us trying to cloak our hacks.....
I do not think that a company which earns millions over millions makes a game that can be hacked that easily without any notice of the owners.

YOU can't. But others can. It's called reverse engineering...