Quoting Dyndrilliac: "I may consider starting a project based on the idea if I can figure out whether it's a wild goose chase or not."
Actually the WoW-bot MMoGlider already uses this technique to hide itself from Warden.
It is indeed possible!
Shortly before I took my sabbatical from the online programming/gamehacking scene, Alex Ionescu published an article (link) about how protected processes, though limited in functionality, are effectively immune to all sorts of activity that most A/V scanners and other such protective software use to detect bad activity using hooks and other such low-level system interaction. I haven't heard anything about it since, though, and doing a Google search resulted in old articles that were not of much use, instead referring primarily to a different idea he had regarding possible use of the PMP to make effective rootkits.
I may consider starting a project based on the idea if I can figure out whether it's a wild goose chase or not.
The Ultimate Guide Thread
Last edited by Dyndrilliac; Today at 06:10 PM.. Reason: Ended a sentence with a preposition.
Is that the only one you know of? Why haven't more projects adopted the technique if it works?
Edit: I did a Google search for this "MMoGlider", and it doesn't seem to have the anti-detection scheme I was talking about. For example, (link) in the FAQ it claims on the website that WoW's anti-cheating system could possibly detect it following an update, but if this were the case I don't see how it could be running as a protected process (in order for updated cheat data to affect its detection, Warden would have to be able to "find" and "invade" its process). Not to mention, I don't see how Warden would be able to detect a bot without being able to specifically search the bot's active process, because a bot doesn't -change- any game data, and therefore searching the game's memory would be a waste of time for Warden.
Last edited by Dyndrilliac : 01-10-2008 at 04:20 PM
It is a legal issue. This hack has been Warden-proof for ages; Blizzard already tried to force the webpage down with lawsuits, and then it was renamed from "WoWGlider" to "MMOGlider"...
Why should they do that if it is detectable :D
The program starts World of Warcraft on Vista without admin privileges and itself with admin privileges, therefore Warden cannot access it anymore (UAC security). And like you already understood, it doesn't change the game and therefore is nearly undetectable, especially with Vista.
Greetings
UAC does not stop the things which make bots or hacks work. UAC is a top-level layered security feature to prevent specific types of file system operations. Warden, like most A/V software, uses low-level process operations which primarily affect the file as it's mapped into memory, and standard operations from the kernel interface and the user API. Furthermore, having administrative privileges would not make a difference. This is because programs traditionally have been writable to hold any attainable level of privilege on Windows. This is where protected processes come into play: a protected process is immune to low-level system operations even when ordered by a user-level administrator. This is because all the security for these processes is located within the kernel, and without proper access to kernel-mode privileges and access to kernel-mode system memory the security can't be removed.
No.... it isn't. Like I said, UAC is for FILE SYSTEM operations. Not memory. It alerts you if things are being moved or altered. Hacks only alter the memory that's been copied into RAM, and so there is nothing to be alerted about.

Do you realize how many low-level system operations like that happen every second? Do you even use Vista? I can certainly tell you (I have Vista Home Premium, and UAC enabled) UAC does not work in the manner you describe, otherwise I would be flooded with permission requests. Thousands of permission requests. No, Microsoft is not an organization of fools and village idiots. They would never make such a vital layer of the underlying system flood admins with thousands of permission requests per second.
Quoting Dyndrilliac: "Do you even use Vista?"
Yes.
Quoting Dyndrilliac: "They would never make such a vital layer of the underlying system flood admins with thousands of permission requests per second."
Not every permission violation causes a popup....
Example:
Look at the SendMessage function (link).
As you see, Vista blocks the API to avoid inter-process communication. From the documentation:
"Microsoft Windows Vista and later. When a message is blocked by UIPI the last error, retrieved with GetLastError, is set to 5 (access denied).
Applications that need to communicate using HWND_BROADCAST should use the RegisterWindowMessage function to obtain a unique message for inter-application communication.
The system only does marshalling for system messages (those in the range 0 to (WM_USER-1)). To send other messages (those >= WM_USER) to another process, you must do custom marshalling."
Furthermore, not many calls to WriteProcessMemory happen....
(AntiVir even asks for Permission if WriteProcessMemory is called and it doesn't ask very often on my system)
I won't discuss any further with you.
Vista also blocks dangerous APIs like OpenProcess, that's simply a fact.
But it only blocks them if they are used from a lower privilege level to a higher one.
And OpenProcess or SendMessage is not a File Operation, is it?
Lol. You silly person. What you are saying is disproved by the simple matter of randomly choosing any 10 currently running processes to open with a debugger of your choice with UAC enabled and verbose system messages. When I do this, I don't get a single alert. Vista may have _some_ measure of control over low-level operation situations, but it has nothing to do with UAC, nor is it as intricate as you believe. Further, notice how the so-called "evidence quote" you posted has no mention of UAC or exactly to what degree and which APIs are blocked.
WardenClient isn't equipped to do external process scanning anymore while the game is running; it has been like this for a while actually. So hiding or cloaking a process using any number of techniques is redundant. Blizzard could reactivate their old WardenClient implementation, though it seems unlikely. The scan technique was never used for Starcraft, Warcraft III, or Diablo II; only World of Warcraft. After which WoW hackers became aware of these anti-cheat techniques and made their hacks immune to external process scans. Blizzard have since removed process scanning to detect hack applications running in the background.
Ah, thanks. That's the kind of response I've been looking for. I haven't played a Blizzard game in earnest in a long time and wondered what the situation was like. I'm glad to see that gamehacking still doesn't equate to making a rootkit.