In-process WoWMimic Detection
The following is code that will detect whether WoWMimic is running using fully in-process checks. That means you can lock it down with guest mode, hide the window, etc., all you want; this will still work, because we’re operating entirely inside WoW.exe’s address space.
Before we begin, huge thanks to Kynox for unpacking Melete (WoWMimic’s injected DLL).
WoWMimic needs a way for its DLL to communicate with its application component; it does this through shared memory. Here is the disassembled function responsible for setting this up. I have commented the virtualized API calls to make it apparent what is going on:
___:1002F630 ; =============== S U B R O U T I N E =======================================
___:1002F630
___:1002F630 ; Attributes: bp-based frame
___:1002F630
___:1002F630 sub_1002F630 proc near ; CODE XREF: DllMain(x,x,x)+45p
___:1002F630
___:1002F630 var_24 = dword ptr -24h
___:1002F630 var_20 = dword ptr -20h
___:1002F630 var_1C = dword ptr -1Ch
___:1002F630 var_10 = dword ptr -10h
___:1002F630 var_8 = dword ptr -8
___:1002F630 var_4 = dword ptr -4
___:1002F630
___:1002F630 push ebp
___:1002F631 mov ebp, esp
___:1002F633 push 0FFFFFFFEh
___:1002F635 push offset dword_10070488
___:1002F63A push offset __except_handler4
___:1002F63F mov eax, large fs:0
___:1002F645 push eax
___:1002F646 sub esp, 14h
___:1002F649 push ebx
___:1002F64A push esi
___:1002F64B push edi
___:1002F64C mov eax, dword_10072054
___:1002F651 xor [ebp+var_8], eax
___:1002F654 xor eax, ebp
___:1002F656 push eax
___:1002F657 lea eax, [ebp+var_10]
___:1002F65A mov large fs:0, eax
___:1002F660 xor ebx, ebx
___:1002F662 mov [ebp+var_24], ebx
___:1002F665 mov [ebp+var_1C], ebx
___:1002F668 xor esi, esi
___:1002F66A mov [ebp+var_20], esi
___:1002F66D mov [ebp+var_4], ebx
___:1002F670 push offset a0xa0c82e ; "0xA0C82E"
___:1002F675 push ebx
___:1002F676 push 2
___:1002F678 call near ptr 3E0000h ; OpenFileMappingW
___:1002F67D nop
___:1002F67E mov edi, eax
___:1002F680 mov [ebp+var_1C], edi
___:1002F683 cmp edi, ebx
___:1002F685 jz short loc_1002F6D8
___:1002F687 push 0Ch
___:1002F689 push ebx
___:1002F68A push ebx
___:1002F68B push 2
___:1002F68D push edi
___:1002F68E call near ptr 3E0370h ; MapViewOfFile
___:1002F693 nop
___:1002F694 mov esi, eax
___:1002F696 mov [ebp+var_20], esi
___:1002F699 cmp esi, ebx
___:1002F69B jz short loc_1002F6D8
___:1002F69D push ebx
___:1002F69E push ebx
___:1002F69F mov eax, [esi]
___:1002F6A1 push eax
___:1002F6A2 push offset loc_1002F570
___:1002F6A7 push ebx
___:1002F6A8 push ebx
___:1002F6A9 call near ptr 21092Eh ; CreateThread
___:1002F6AE nop
___:1002F6AF mov dword_100730C0, eax
___:1002F6B4 cmp eax, ebx
___:1002F6B6 jz short loc_1002F6D8
___:1002F6B8 mov ecx, [esi+10h]
___:1002F6BB mov dword_100730C4, ecx
___:1002F6C1 mov edx, [esi+20h]
___:1002F6C4 mov dword_100730C8, edx
___:1002F6CA mov [ebp+var_24], 1
___:1002F6D1 mov [esi], ebx
___:1002F6D3 call sub_10058CD0
___:1002F6D8
___:1002F6D8 loc_1002F6D8: ; CODE XREF: sub_1002F630+55j
___:1002F6D8 ; sub_1002F630+6Bj …
___:1002F6D8 mov [ebp+var_4], 0FFFFFFFEh
___:1002F6DF call sub_1002F701
___:1002F6E4 mov eax, [ebp+var_24]
___:1002F6E7 mov ecx, [ebp+var_10]
___:1002F6EA mov large fs:0, ecx
___:1002F6F1 pop ecx
___:1002F6F2 pop edi
___:1002F6F3 pop esi
___:1002F6F4 pop ebx
___:1002F6F5 mov esp, ebp
___:1002F6F7 pop ebp
___:1002F6F8 retn
___:1002F6F8 sub_1002F630 endp
#include <windows.h>

bool IsMimicInjected()
{
    // Melete publishes its IPC block as a named file mapping (see the
    // OpenFileMappingW call above). If the name resolves in this session,
    // the DLL is injected.
    HANDLE MimicIPC = OpenFileMapping(FILE_MAP_READ, FALSE, TEXT("0xA0C82E"));
    if (!MimicIPC)
        return false;
    // You could do even more to check here by inspecting the memory
    // mapped file but that is unnecessary.
    CloseHandle(MimicIPC);
    return true;
}
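The same check, expanded as an added example (this is not the post's code): the policy (which mapping names count as a hit, how to treat an open that fails) is separated from the OS probe, so the logic compiles and runs anywhere while the real Windows probe sits behind #ifdef _WIN32. The one practical addition is that an open refused with ERROR_ACCESS_DENIED is still treated as a hit, since the object exists even if its ACL keeps us from opening it. The only mapping name is the one from the disassembly; the fake probe and its answers are constructed for offline demonstration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of asking the OS whether a named file-mapping object exists. */
enum probe_result {
    PROBE_ABSENT  = 0,  /* no object by that name in this session */
    PROBE_PRESENT = 1,  /* opened successfully */
    PROBE_DENIED  = 2   /* exists, but the open was refused (ACL) */
};

/* A probe takes an object name and reports whether it exists. */
typedef enum probe_result (*probe_fn)(const char *name);

/*
 * Walk a list of mapping names and return the index of the first one that
 * exists, or -1 if none does. An access-denied result still means the object
 * is there, so it counts as a hit: tightening the mapping's ACL must not turn
 * the check into a miss.
 */
int find_named_mapping(probe_fn probe, const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        enum probe_result r = probe(names[i]);
        if (r == PROBE_PRESENT || r == PROBE_DENIED)
            return (int)i;
    }
    return -1;
}

#ifdef _WIN32
#include <windows.h>
/* Real probe: the same OpenFileMapping call as the post, with the failure
 * reason classified instead of collapsed into "absent". */
enum probe_result win32_probe(const char *name)
{
    HANDLE h = OpenFileMappingA(FILE_MAP_READ, FALSE, name);
    if (h != NULL) {
        CloseHandle(h);
        return PROBE_PRESENT;
    }
    return GetLastError() == ERROR_ACCESS_DENIED ? PROBE_DENIED : PROBE_ABSENT;
}
#endif

/*
 * Constructed stand-in for the OS (used on non-Windows builds and in tests):
 * pretends the mapping "0xA0C82E" exists but is ACL-protected, and that
 * nothing else exists. It enumerates no real objects.
 */
enum probe_result fake_probe(const char *name)
{
    if (strcmp(name, "0xA0C82E") == 0)
        return PROBE_DENIED;
    return PROBE_ABSENT;
}

/* Mapping names Melete is known to open; the only entry is the one from the
 * disassembly above. */
static const char *const MIMIC_MAPPINGS[] = { "0xA0C82E" };

/* Returns 1 if any known Mimic IPC mapping exists in this session, else 0. */
int is_mimic_injected(probe_fn probe)
{
    size_t count = sizeof MIMIC_MAPPINGS / sizeof MIMIC_MAPPINGS[0];
    return find_named_mapping(probe, MIMIC_MAPPINGS, count) >= 0;
}

int main(void)
{
#ifdef _WIN32
    probe_fn probe = win32_probe;   /* real check when built for Windows */
#else
    probe_fn probe = fake_probe;    /* constructed answers elsewhere */
#endif
    printf("Mimic injected: %s\n", is_mimic_injected(probe) ? "yes" : "no");
    return 0;
}
```

Because the name carries no Global\ prefix, OpenFileMapping resolves it in the calling session's BaseNamedObjects directory, which is exactly where the injected DLL created it, so the check needs no extra privilege; it only sees objects in WoW.exe's own session, which is also why it keeps working regardless of how the Mimic window is hidden.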
Awesome copypasta for wardenguy
I think it was Terry Pratchett who said that, when running from a dragon, you don’t have to be the fastest runner. Just be faster than the slowest one.
In other words, I’m happy if Cypher feeds blizz shit like this; it keeps them from doing more insidious shit.
dude why not just work for mimic, you’d make a shit load more money than you would helping the warden bell ends detecting it
If you can’t beat ‘em, join ‘em. You should just go work for Mimic. LOL. I’m sure they would pay you a lot more than your current job…if you have one, since this obviously took a lot of your free time? I doubt you’re getting paid for any of this, so that’s what I would do. You should always be paid for your work. Good luck on the next move.