Blizzard and the Hackers' War, Part 6: The Evolution of Warden and Plug-ins (1)

Document directory
  • Evading DLL Scanning
  • Evading Process Scanning
  • Evading Window Enumeration (EnumWindows)
  • .mod Digital Signatures

The Warden mechanism allows Blizzard to update its cheat-detection code without updating the client. In fact, both Warden's detection .mod and the plug-ins have kept evolving since Diablo II was upgraded to 1.11. This article describes how plug-ins circumvent the three methods used by the .mod that were described in the previous article: DLL scanning, process scanning, and window scanning.

Evading DLL Scanning

As mentioned above, a plug-in is usually an ordinary DLL injected into the game process by remote injection, so the earliest detection method of the Warden .mod was to look for specific DLL names among the modules loaded in the game process (via Module32First/Module32Next). How can this kind of detection be avoided? One simple method is to hook Module32First/Module32Next. However, because there are many ways to enumerate DLLs, and the Windows 9x and NT platforms differ, this approach is troublesome. A more advanced approach relies on the fact that the PEB (process environment block) keeps a linked list of all modules loaded in the process: simply unlinking the plug-in's module from that list is enough to hide it. Of course, this method only works on Windows NT based systems (NT/2000/XP/2003). The next step is to write your own DLL loading code and load the DLL manually, so that it never appears in the PEB's module list in the first place and naturally cannot be found by Module32First/Module32Next. Loading a DLL manually sounds difficult, but ready-made source code exists on the Internet: Remote Run Library can do it, and I first came across it in the famous backdoor software Back Orifice 2000. Earlier versions of easymap used the unlink-from-the-module-list method, and later versions switched to Darawk's ManualMap for manual loading.

Evading Process Scanning

Another method the .mod uses to check for plug-ins is process scanning (Process32First/Process32Next). A plug-in usually has a loader responsible for injecting the real plug-in module into the game process, and some plug-ins (those based on AutoIt bots, etc.) are simply independent processes, so these processes must be kept from being scanned. One effective way to avoid process scanning is to minimize the running time of the plug-in process (easymap/easyplay uses this policy), but this only works for loader processes without a user interface. Another approach is process hiding, and there are many ways to hide a process: Remote Run Library is what d2hackmap does. Another method is similar to DLL hiding: by opening the \Device\PhysicalMemory kernel object you can manipulate physical memory directly and remove the plug-in process from the system's active-process linked list; of course, this method too only works on Windows NT based systems. You could even write a KMD (kernel mode driver), but that is going a bit far.

In fact, another simple way to avoid process scanning is to restrict the permissions of the game process, so that calls to Process32First/Process32Next fail outright. Some ready-made software can do this. I remember that ProcessGuard was one of the most widely discussed items when the first WoW bans happened. I think a more convenient option is psexec.exe, a small tool in Sysinternals' PsTools: one great feature of psexec.exe is running a program with the lowest possible permissions. The command is very simple (-l runs the program as a limited user, -d returns without waiting for it to exit, and -w takes the working directory):

psexec.exe -l -d "D:\games\diablo ii\diablo ii.exe" -w

By the way, I recommend running your browser this way too; it reduces the chance of picking up rogue software.

Evading Window Enumeration (EnumWindows)

For a plug-in process with a GUI (such as d2hackmap), window scanning must be avoided as well. Since the EnumWindows method mainly looks for fixed window title or window class strings, randomizing those strings is a feasible countermeasure.

.mod Digital Signatures

Because the .mod can change at any time, it is essential to identify which .mods are safe. The practice is the same as the method for dealing with version-checking.dll and extrawork.dll described earlier: analyze the intercepted .mod, implement the corresponding anti-detection for each detection method it contains, then compute its signature and add that signature to the safe .mod list. This way, before the .mod runs, the plug-in can compute its signature and compare it against the safe list, and the module can stop working in time (or be delayed) when danger appears.

The algorithm used by d2maphack is MD5. Easymap/easyplay used CRC for a long time! Anyone with a bit of cryptographic knowledge understands that CRC is obviously not a qualified signature algorithm: it is easy to make two different .mods have the same CRC. Easymap/easyplay was vulnerable for a long time, but Blizzard never exploited it. Later, prompted by others, Netter finally realized this problem and switched to SHA-256 (I and other hackers had mentioned that MD5 is theoretically insecure, so Netter chose SHA-256). The following is a possible attack sequence against maphack's MD5 signature:

1. Make two Warden .mods, where .mod1 is safe (that is, it cannot detect maphack) and .mod2 can detect maphack.
2. Compute the MD5 hash of .mod2.
3. Using .mod1 as the prefix, find a collision such that MD5(.mod1 + collision) = MD5(.mod2).
4. Send .mod1 + collision to the client.
5. The user analyzes what was received, finds it safe, and adds its signature to the safe list.
6. Send .mod2 to the client.
7. The signature check considers .mod2 safe, and the player is caught.
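The following is an added example, not code from the article or from d2maphack, easymap or any other project named here. It models the allowlist check described above (fingerprint the intercepted .mod, compare against a stored safe list) and replays the seven-step sequence against it twice, once with CRC-32 and once with SHA-256. For CRC-32 the "find a collision" step is trivial: CRC is a linear function, so four bytes can be appended to any prefix to force any chosen CRC, which is the weakness the article points to. For MD5 the same step needs a chosen-prefix collision search with dedicated tooling and is not reproduced here; the code only shows why the scheme fails for a linear checksum and holds for SHA-256. The two .mod blobs are constructed stand-ins, not real Warden modules, and the function names are this example's own.

```python
"""Why a CRC is not a signature for a Warden .mod allowlist (added example)."""
import hashlib
import zlib

# CRC-32 as computed by zlib.crc32: reflected, polynomial 0xEDB88320,
# initial register 0xFFFFFFFF, final xor 0xFFFFFFFF.
POLY = 0xEDB88320


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The high byte of each table entry is distinct, so the high byte of a
# register value identifies the table index that produced it. That is what
# allows one byte-step of the CRC to be undone.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}


def forge_crc32_suffix(prefix: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(prefix + s) == target_crc."""
    state = zlib.crc32(prefix) ^ 0xFFFFFFFF   # register after the prefix
    want = target_crc ^ 0xFFFFFFFF             # register we must end on
    # Walk the four byte-steps backwards from the wanted register to recover
    # the table index each step must use (forward step: r = T[i] ^ (r >> 8)).
    idx = [0] * 4
    r = want
    for k in (3, 2, 1, 0):
        idx[k] = TOP_TO_INDEX[r >> 24]
        r = ((r ^ TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    # Walk forwards from the real register, picking each byte so that
    # (register ^ byte) & 0xFF equals the index that step needs.
    suffix = bytearray()
    s = state
    for k in range(4):
        suffix.append((s ^ idx[k]) & 0xFF)
        s = TABLE[idx[k]] ^ (s >> 8)
    return bytes(suffix)


def fingerprint(blob: bytes, algo: str) -> str:
    """The 'signature' the plug-in stores in its safe list."""
    if algo == "crc32":
        return "%08x" % zlib.crc32(blob)
    if algo == "sha256":
        return hashlib.sha256(blob).hexdigest()
    raise ValueError("unsupported algorithm: " + algo)


def is_allowlisted(blob: bytes, allowlist: set, algo: str) -> bool:
    return fingerprint(blob, algo) in allowlist


# Constructed stand-ins for the two modules in the article's sequence
# (sample data, not real Warden .mod content).
MOD1_SAFE = b"WARDEN MOD 1: harmless memory checks only " * 3
MOD2_DETECT = b"WARDEN MOD 2: looks for the maphack window class"


def run_attack_sequence(algo: str) -> bool:
    """Replay steps 1-7 against an allowlist keyed by `algo`.

    Returns True when the detecting module ends up accepted, i.e. the
    signature scheme was defeated.
    """
    # Step 2/3: the collision block is computed against the CRC of .mod2.
    # This forge only exists for CRC-32; under SHA-256 the appended bytes
    # are just four more bytes of harmless data.
    collision = forge_crc32_suffix(MOD1_SAFE, zlib.crc32(MOD2_DETECT))
    sent_first = MOD1_SAFE + collision          # step 4
    allowlist = {fingerprint(sent_first, algo)}  # step 5: analysed, found safe
    return is_allowlisted(MOD2_DETECT, allowlist, algo)  # steps 6-7


if __name__ == "__main__":
    for algo in ("crc32", "sha256"):
        print(algo, "defeated" if run_attack_sequence(algo) else "holds")
```

The backward/forward walk in forge_crc32_suffix is the standard four-byte CRC inversion: because each byte-step is an invertible linear map whose table index is visible in the register's high byte, the suffix that reaches any target register can be solved for directly, with no search. Under SHA-256 no such shortcut exists, so allowlisting a harmless blob says nothing about any other blob; that is the property a signature on the safe list actually needs.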
