WoW Memory Editing
WoW Memory Editing for learning purposes only.
4 Weeks Ago
Kynox's sister's pimp, Legendary User
Quote:
Originally Posted by suicidity
That's something Completely different, Getting caught for something that they can check for no matter what doesn't decide whether you're out of process or in-process. It just means you were dumb enough to get caught for changing you shouldn't have.

Once you can be detected by an "in-process" check you are by definition "in-process" imo. The fact that your bot is private and the chances of getting caught are greatly lowered is irrelevant. The fact of the matter is that it's still very possible.
4 Weeks Ago
Contributor
I just find that being caught, and being in-process shouldn't be confused or conflicted.
You can do ANY checks, in or out of process checks, to see if there are hacks or a bot in use; but that shouldn't determine whether you're in-process.
A memory edit can be passive, you're not calling anything you're simply changing memory. Whether that memory is checked or not is irrelevant. That's a matter of saving your ass from anti-cheats.
But by your terminology, say WoW scanned for some bot that I may or may not have; Said bot only uses 1 in-process function for the sake of debate. Now if Warden successfully found said bot, wouldn't that make me automatically "out of process" because their check was looking out of process to find the bot; Or would I be "in-process" because their check was indeed in their process, and not mine.
My point is, Anti-cheat methods cannot be disputed with the "in or out of process" discussion. Although I strongly agree that calling another process's functions or modifying another process's functions, whether it be by hook or not, definitely puts you in-process.
4 Weeks Ago
Kynox's sister's pimp, Legendary User
Quote:
Originally Posted by suicidity
I just find that being caught, and being in-process shouldn't be confused or conflicted.
You can do ANY checks, in or out of process checks, to see if there are hacks or a bot in use; but that shouldn't determine whether you're in-process.
A memory edit can be passive, you're not calling anything you're simply changing memory. Whether that memory is checked or not is irrelevant. That's a matter of saving your ass from anti-cheats.
But by your terminology, say WoW scanned for some bot that I may or may not have; Said bot only uses 1 in-process function for the sake of debate. Now if Warden successfully found said bot, wouldn't that make me automatically "out of process" because their check was looking out of process to find the bot; Or would I be "in-process" because their check was indeed in their process, and not mine.
My point is, Anti-cheat methods cannot be disputed with the "in or out of process" discussion. Although I strongly agree that calling another process's functions or modifying another process's functions, whether it be by hook or not, definitely puts you in-process.

I'm not sure how much clearer I can make my stance.
If you can be detected via in-process scans then you are pretty much by definition in-process.
What you are proposing is a totally different and irrelevant scenario. An obvious straw-man argument. No one is confusing "being caught" and "being in-process". Or if they are, you are the one causing that confusion.
"A memory edit can be passive, you're not calling anything you're simply changing memory. Whether that memory is checked or not is irrelevant. That's a matter of saving your ass from anti-cheats."
No, it can't be passive. It is by definition the complete opposite of 'passive', you are actively interfering with the target process, you are no longer passive because you are modifying its state and potentially its behaviour. That is NOT passive in the sense in which I am enforcing the word in this thread (which is the strictest and most technically relevant sense, due to the fact I don't want to cause confusion by bringing up the exact issue you have brought up).
Whilst on a practical level you are correct, this is not a practical lesson, this is a theoretical lesson, and on a theoretical level you are wrong. You can't argue with the definition of the word simply because you don't like it.
If you want to discuss whether memory edits can be considered passive or not on a practical level, that's fine, but please take it to another thread, because the idea here is to remain technically pure so as not to confuse the newbies and those without the knowledge to make an informed decision about what's 'safe' and what isn't.
4 Weeks Ago
Contributor
Quote:
Originally Posted by Cypher
Once you can be detected by an "in-process" check you are by definition "in-process" imo.

Quote:
Originally Posted by Cypher
If you can be detected via in-process scans then you are pretty much by definition in-process.

You're the one that formed my post, of my opinion. No need to attempt an attack at me, unless you're threatened by opinion.
4 Weeks Ago
Kynox's sister's pimp, Legendary User
Quote:
Originally Posted by suicidity
You're the one that formed my post, of my opinion. No need to attempt an attack at me, unless you're threatened by opinion.

I'm not threatened and I'm not 'attacking you' (in fact, you bringing that up is kind of amusing given how defensive your post is). I also fail to see the relevance of the passages you quoted.
Nevertheless...
You were trying to say that memory writes can be passive. They by definition can NOT be in the sense that I'm using the word in this thread. Because modifying memory modifies the state of the game. Ergo it is not a 'passive' action...
Sorry I'm really not sure how much clearer I can make this. I feel like I'm just repeating myself to you.
Whilst I understand what you're trying to say, any memory writes you make are technically detectable. Again, this discussion is a theoretical one not a practical one, if you want a practical discussion then make a new thread and I'll be happy to entertain the idea.
EDIT;
To clarify:
In this particular discussion, it is not opinion, it is fact.
It would be opinion if it was a practical discussion, but again, this is a theoretical discussion, so it's different.
4 Weeks Ago
Site Donator
@suicidity:
There are in fact some inconsistencies in your opinion.

Quote:
If you're calling a function in a process apart from yours, you're basically outsourcing the work and is obviously no longer passive;

if you register a new function which just returns a constant value via lua_pushcclosure / lua_setfield to WoW's lua engine, it won't be detected and ban you.
however, you are "no longer passive" according to your definition since a function was called to perform this work.
Now:
imagine that you don't call the function. Instead, you just write the memory which the function would change, 1:1 from an outer process.
Since it is not detected (you are doing the same as the function would do. function is not detected, so this is not either).

Quote:
A memory edit can be passive, you're not calling anything you're simply changing memory.

we didn't call any functions, we did only change some memory, so we are passive now according to this definition.
Conclusion: How can the same effect be "passive" and "active" at the same time?
4 Weeks Ago
New User
How can something like CHANGING MEMORY IN PROCESS possibly be.. out of process? That's just stupid. As soon as you "touch" something inside the process you are there .. inside..touching.. :P
4 Weeks Ago
Kynox's sister's pimp, Legendary User
Quote:
Originally Posted by xzidez
How can something like CHANGING MEMORY IN PROCESS possibly be.. out of process? That's just stupid. As soon as you "touch" something inside the process you are there .. inside..touching.. :P

Pretty much, lol. It goes against the definition of the terms.
4 Weeks Ago
Knight
Quote:
if you register a new function which just returns a constant value via lua_pushcclosure / lua_setfield to WoW's lua engine, it won't be detected and ban you.

Registering a custom lua function is imo extremely dangerous.
What speaks against iterating the lua function list and just ban everyone with functions registered which aren't allowed by the server?

Quote:
however, you are "no longer passive" according to your definition since a function was called to perform this work.

Yes

Quote:
Now:
imagine that you don't call the function. Instead, you just write the memory which the function would change, 1:1 from an outer process.
Since it is not detected (you are doing the same as the function would do. function is not detected, so this is not either).

You allocate memory in that process, you create a remote thread in that process...2 things which should be easy to detect, if they want.

Quote:
Quote:
A memory edit can be passive, you're not calling anything you're simply changing memory.
we didn't call any functions, we did only change some memory, so we are passive now according to this definition.

EDITING MEMORY IS ACTIVE - EDITING MEMORY IS ACTIVE - EDITING MEMORY IS ACTIVE - EDITING MEMORY IS ACTIVE - EDITING MEMORY IS ACTIVE - EDITING MEMORY IS ACTIVE - EDITING MEMORY IS ACTIVE - EDITING MEMORY IS ACTIVE - EDITING MEMORY IS ACTIVE
4 Weeks Ago
Contributor
Quote:
Originally Posted by Ellesar1
Quote:
A memory edit can be passive, you're not calling anything you're simply changing memory.
we didn't call any functions, we did only change some memory, so we are passive now according to this definition.

I'm now a god according to this definition.
4 Weeks Ago
Contributor
Quote:
Originally Posted by Ellesar1
@suicidity: There are in fact some inconsistencies in your opinion.

You should re-read a couple times; The part where I clearly say a memory edit CAN be passive. You're putting words in my mouth, and making it out like I said all memory edits ARE passive.
Editing memory and Calling a function are 2 completely different things.
Now instead of trying to enforce a perfect world, why don't you let a forum do its purpose and allow discussion; I'm not here to start another thread for my opinion on the matter. Not only that, look at how many times other 'opinions' were referenced.
Last edited by suicidity; 4 Weeks Ago at 12:53 PM.
4 Weeks Ago
MMOwned WebDev, Legendary User
Here, I'll make it as simple as I can.
If all you use is the equiv of ReadProcessMemory, then you are, indeed, passive.
However, the moment you use anything equivalent to WriteProcessMemory; you are no longer passive. That's regardless of 'calling functions', etc.
Also; if you inject ANYTHING (that includes even a single byte) into the target process, you are no longer passive. (That means; injection bots are obviously NOT PASSIVE NO MATTER WHAT)
Is that easier to understand?
4 Weeks Ago
Contributor
I demand pictures, Apoc!
4 Weeks Ago
Corporal
Quote:
Originally Posted by suicidity
You should re-read a couple times; The part where I clearly say a memory edit CAN be passive. You're putting words in my mouth, and making it out like I said all memory edits ARE passive.
Editing memory and Calling a function are 2 completely different things.
Now instead of trying to enforce a perfect world, why don't you let a forum do its purpose and allow discussion; I'm not here to start another thread for my opinion on the matter. Not only that, look at how many times other 'opinions' were referenced.

That's fine, but you're wrong. Memory edits cannot be passive.
Theoretically, anything you do that interacts with the WoW process is detectable in some way. That includes reading, writing, injecting, and hooking.
Reading memory is the least detectable of the 3, because you don't make any modifications to WoW's memory space. This is why we call it "passive". Thus WoW cannot do any kind of memory scanning or loaded module enumeration to find you. It can, however, use a few other methods - these include process list enumeration, window title enumeration, hooking every process's calls to ReadProcessMemory, etc. Most of these will only ever work if Blizzard has knowledge of your app (i.e. if it's public). It's worth noting, however, that Warden doesn't currently do any of these scans - although you'd be foolish to assume this won't change.
Writing memory is an active action because you are actively making changes within WoW's address space. Again, let me reiterate: writing memory is NEVER passive. Warden can checksum certain special memory regions and can also test values at certain addresses. For example, it can tell if you've manually changed your character's run speed. The argument that only certain memory writes are active stems from the fact that Warden only scans a strictly defined set of memory locations. This is true, but doesn't mean writing outside of those locations is passive.
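The region-checksum idea from the post above, as an added example that is not from the thread and is not Warden's code: the 256-byte buffer, the two watched ranges and the FNV-1a checksum are all constructed for illustration. It shows, from the integrity-checker's side, that every write changes state, while whether a scan reports it depends only on which ranges the scanner covers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a protected process image; not real game memory. */
#define IMAGE_SIZE 256
static uint8_t image[IMAGE_SIZE];

/* One watched range plus the checksum recorded while it was known-good. */
struct region { size_t off, len; uint32_t baseline; };

/* FNV-1a: a cheap change detector, not a tamper-proof hash. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Record a baseline for every watched range. */
static void snapshot(struct region *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        r[i].baseline = fnv1a(image + r[i].off, r[i].len);
}

/* Count watched ranges that no longer match their baseline. */
static size_t scan(const struct region *r, size_t n) {
    size_t changed = 0;
    for (size_t i = 0; i < n; i++)
        if (fnv1a(image + r[i].off, r[i].len) != r[i].baseline) changed++;
    return changed;
}

/* Flip one byte at `off`, then scan with a narrow list (two ranges) and a
   wide list (whole image). Bit 0: narrow scan flagged it; bit 1: wide did. */
int write_then_scan(size_t off) {
    for (size_t i = 0; i < IMAGE_SIZE; i++) image[i] = (uint8_t)(i * 7u);
    struct region narrow[] = { {16, 32, 0}, {128, 16, 0} };
    struct region wide[]   = { {0, IMAGE_SIZE, 0} };
    snapshot(narrow, 2);
    snapshot(wide, 1);
    image[off] ^= 0xFF;  /* the modification under test */
    return (scan(narrow, 2) ? 1 : 0) | (scan(wide, 1) ? 2 : 0);
}

int main(void) {
    printf("write inside a watched range:  %d\n", write_then_scan(20));
    printf("write outside watched ranges: %d\n", write_then_scan(200));
    return 0;
}
```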
4 Weeks Ago
Contributor
Quote:
Originally Posted by Apoc
Here, I'll make it as simple as I can.
If all you use is the equiv of ReadProcessMemory, then you are, indeed, passive.
However, the moment you use anything equivalent to WriteProcessMemory; you are no longer passive. That's regardless of 'calling functions', etc.
Also; if you inject ANYTHING (that includes even a single byte) into the target process, you are no longer passive. (That means; injection bots are obviously NOT PASSIVE NO MATTER WHAT)
Is that easier to understand?

Well.. Originally it was about in-process/out of process if I'm not mistaken. I think using the word "passive" in this context is pretty confusing - of course a passive bot does not interfere with the process in any way.. It's... Passive. I believe that the original discussion was about if writing some values would make you in-process - I agree that writing to the memory will always make your bot active, but in some cases I don't think it will make your bot in-process.
My point is I don't think that an out of process bot is the same as a passive bot. I do however believe that if you classify as an in-process bot, then you are also an active bot no matter what.
EDIT: Aha, I now see that suicidity did use the word passive. So I agree with you other guys - when you write memory you aren't passive anymore (but you can still be out of process in some cases).