Info for people writing "out-of-process" bots

[Cypher]

Quote:

Originally Posted by suicidity

You should re-read a couple times; The part where I clearly say a memory edit CAN be passive. You're putting words in mouth, and making it out like I said all memory edits ARE passive.

Editing memory and Calling a function are 2 completely different things.

Now instead of trying to enforce a perfect world, why don't you let a forum do it's purpose and allow discussion; I'm not here to start another thread for my opinion on the matter. Not only that, look at how many times other 'opinions' were referenced.

You're wrong. Memory edits are BY DEFINITION not passive. There's nothing to ****ing discuss. So either take it somewhere else or I'm requesting a lock and a clean, because you're ruining the entire point of this thread.

The point of this thread was NOT to discuss ridiculous semantics in a context that is totally irrelevant, the point of this thread was to address the issue of people thinking they're 'passive' and Warden safe just because they call engine functions or use CTM or w/e without injecting a DLL.

So, again, either take it somewhere else, or just be quiet, because you're wrong, you can't argue with the definition of the word.

As soon as you write memory you are interfering with the remote process and that's an 'active' activity, not a passive one.

P.S. Everyone here who has a decent amount of experience under their belt seems to disagree with you soooooo... I dunno.... Take that as you will.

[suicidity]

Quote:

Originally Posted by MaiN

I agree that writing to the memory will always make your bot active, but in some cases I don't think it will make your bot in-process.

That is what I meant, That is what I was trying to make a point of. Does or doesn't it automatically make your bot "in-process" because you changed memory.

So I may have used the word Passive without your technical meaning behind it; but what I was posing was it shouldn't automatically mean that your bot is "in-process" because you change memory by external means. Like writing the angle of your character for example..

[Cypher]

Quote:

Originally Posted by suicidity

That is what I meant, That is what I was trying to make a point of. Does or doesn't it automatically make your bot "in-process" because you changed memory.

So I may have used the word Passive without your technical meaning behind it; but what I was posing was it shouldn't automatically mean that your bot is "in-process" because you change memory by external means. Like writing the angle of your character for example..

Writing your character's facing would be detectable on the server by looking at movement packets.

[suicidity]

That's not the question, you're missing it again and this is what I said before; Detection and it being in-process should be mixed together.

So for this particular case, Does it put you in process? Earlier you said an in-process check would in your opinion put you "in-process", well this wouldn't be an in-process check so I would imagine that wouldn't hold water anymore?

edit offtopic: I literally JUST woke back up and noticed you posted, that's a scary coincidence.

[Cypher]

Quote:

Originally Posted by suicidity

That's not the question, you're missing it again and this is what I said before; Detection and it being in-process should be mixed together.

So for this particular case, Does it put you in process? Earlier you said an in-process check would in your opinion put you "in-process", well this wouldn't be an in-process check so I would imagine that wouldn't hold water anymore?

edit offtopic: I literally JUST woke back up and noticed you posted, that's a scary coincidence.

It can still be detected by Warden, it would just be 'easier' to detect on the server.

So no, I'm not changing my opinion. It still puts you in-process.

[suicidity]

So no matter what, if you 'can be/was' detected you're automatically in-process?

[Cypher]

Quote:

Originally Posted by suicidity

So no matter what, if you 'can be/was' detected you're automatically in-process?

I've already friggin explained this. You're taking the entire thing in circles.

[Only registered and activated users can see links. ]

[suicidity]

Was just confirming before I drew conclusions.

[Cypher]

Quote:

Originally Posted by suicidity

Was just confirming before I drew conclusions.

Your original question was a strawman though. It has nothing to do with whether you can be detected, it has to be with HOW you can be detected.

[Robske]

Not aimed at the above discussion.

I'm wondering how others think about (.NET) CLR hosting and the infamous EndScene hook. There's no argue here that both are examples of in-process tampering. But how do they stand against WoW? (and it's anti-cheat software, Warden) Both can be used in perfectly legal applications such as AV and benchmarking software.

According to what Cypher said in the first post (quoted below), Can a library/application that relies only on CLR hosting and an EndScene hook be seen as "out-of-process"? (This means no calls to engine functions, no WriteProcMem etc)
Edit: Same thing other wording: Can a library/application that relies on CLR hosting and an EndScene hook be detected by warden other than module enumeration (without the risk of false positives)?

Quote:

The whole point of an out-of-process bot is that you stay 100% passive so that you can't be detected unless Warden starts doing its out-of-process scans again.

[Cypher]

Quote:

Originally Posted by Robske

Not aimed at the above discussion.

I'm wondering how others think about (.NET) CLR hosting and the infamous EndScene hook. There's no argue here that both are examples of in-process tampering. But how do they stand against WoW? (and it's anti-cheat software, Warden) Both can be used in perfectly legal applications such as AV and benchmarking software.

According to what Cypher said in the first post (quoted below), Can a library/application that relies only on CLR hosting and an EndScene hook be seen as "out-of-process"? (This means no calls to engine functions, no WriteProcMem etc)
Edit: Same thing other wording: Can a library/application that relies on CLR hosting and an EndScene hook be detected by warden other than module enumeration (without the risk of false positives)?

Sorry but it seems ridiculous to me to throw away their memory hashing scans, that's how they'd most likely detect it.

However they still have their API hook scans, so they could just hash your hook sub.

So in answer to your question:
Yes, they can.

[kynox]

Quote:

Originally Posted by Robske

Not aimed at the above discussion.

I'm wondering how others think about (.NET) CLR hosting and the infamous EndScene hook. There's no argue here that both are examples of in-process tampering. But how do they stand against WoW? (and it's anti-cheat software, Warden) Both can be used in perfectly legal applications such as AV and benchmarking software.

According to what Cypher said in the first post (quoted below), Can a library/application that relies only on CLR hosting and an EndScene hook be seen as "out-of-process"? (This means no calls to engine functions, no WriteProcMem etc)
Edit: Same thing other wording: Can a library/application that relies on CLR hosting and an EndScene hook be detected by warden other than module enumeration (without the risk of false positives)?

The executable is in memory, and as such, so are the CLR opcodes. Memory hashing would work just fine in this instance.

Quote:

However they still have their API hook scans, so they could just hash your hook sub.

Except the hook stub is actually a jump into the .NET runtime