"2.Updated bot's security against warden"
Naturally, I took this as a challenge, and lets just say, it was disappointing.
To 'protect' themselves from Warden they are using a DR hook on GetProcAddress. What they don't seem to realize is that they're still 100% detectable. Whilst Warden does indeed get its function pointers via GetProcAddress, it doesn't need to. All their hooks can by bypassed by simply enumerating the module's target EAT manually in order to find the functions needed to detect Mimic.
GetThreadContext and VirtualQuery are the two obvious contenders. The former to detect the hooks, the latter to detect the module.
They are also using a DR hook on an engine function in order to detect GM chat. Totally unnecessary, but hey, what can you really expect from their developers.
At any rate, both their DR hooks and their module are STILL detectable, because they fail at API hooking. I don't know when they intend to hire someone competent, but they should probably make it sooner than later, because right now they're just asking to be banned.
Detailed information snippets:
0:061> ~0 rM 20dr0=004ac5e5 dr1=767e1202 dr2=00000000dr3=00000000 dr6=00000000 dr7=00000100GDI32!NtGdiDdDDIPresent+0x15:768fe823 83c404 add esp,40:061> dt 767e1202GetProcAddressStubSymbol not found.0:061> x kernel32!GetProcAddress*767e120f kernel32!GetProcAddress =767e1202 kernel32!GetProcAddressStub =0:061> u kernel32!GetProcAddressStubkernel32!GetProcAddressStub:767e1202 8bff mov edi,edi767e1204 55 push ebp767e1205 8bec mov ebp,esp767e1207 5d pop ebp767e1208 eb05 jmp kernel32!GetProcAddress (767e120f)767e120a 90 nop767e120b 90 nop767e120c 90 nop
0 comments:
Post a Comment