Home > Games, Programming, Windows > WoWMimic API Hook List

WoWMimic API Hook List

May 15th, 2009
Goto comments Leave a comment

Here is a list of functions WoWMimic hooks.

Version .44

VirtualQuery

GetCursorPos

SetCursorPos

FindWindowW

FindWindowA

FindWindowExW

FindWindowExA

EnumWindows

EnumChildWindows

Version .43
VirtualQuery
GetCursorPos
SetCursorPos
Its obvious that I’m the cause of the .44 update, but what they don’t seem to realize is twofold:
  1. Warden can follow their hooked code path and hash their function. Obviously its going to have a unique signature. If you find the WoWMimic hook then just ban for it.
  2. Warden can also bypass all their hooks entirely by just doing manual syscall code for each major OS version. That is a very easy thing to do, and no amount of usermode hooking will be able to stop it. (Kernelmode is the only option)

Not only that, but they’re missing half the funcitons they need to hook. All warden needs to do is call VirtualQueryEx and they’ve bypassed the hook. It astounds me how stupid the WoWMimic team is. Lastly, afaik it’s possible to manually walk the VAD tree (I have never attempted it but have seen code that can do it). No amount of API hooking can protect you from that either.

To the WoWMimic devs:
Tip: Unless you decide to elevate to the kernel (which still won’t protect you from stack traces) or actively attack warden (which is a LOT of work and still impossible to get 100% right, even if you’re an expert), you’re screwed. It’s that simple. At the very least, if you’re going to do usermode protection, at least do a decent job, your current half-assed attempt is just plain sad.
Author: Cypherjb Categories: Games, Programming, Windows Tags: , , , , , ,
  1. Blackbook
    May 15th, 2009 at 01:22 | #1
    Reply | Quote

    Ha…still quite funny - but you should stop now. There are a lot of ex-gliders using mimic now, so for the sake of the community you should stop.

  2. 1814
    May 15th, 2009 at 01:57 | #2
    Reply | Quote

    Cypher just did it again!

  3. kynox
    May 15th, 2009 at 02:04 | #3
    Reply | Quote

    @Blackbook

    We are not part of the community.

  4. Eradicator
    May 15th, 2009 at 04:48 | #4
    Reply | Quote

    I’ll second what 1814 said. I hope Untouchable comes back to try to argue against this.

    “Cypher just did it again!”

  5. amadmonk
    May 15th, 2009 at 06:40 | #5
    Reply | Quote

    The only truly safe options are:

    1) Go kernel and obfuscate the hell out of any injected stacks, and/or
    2) Don’t use public bots. Period.

    Everything else carries risk; it’s just a matter of degree. Honestly, I’m banking on the Warden devs being lazy and unwilling to mass ban innocent people who just happen to be running the “wrong” antivirus software, or whatever.

  6. Cypherjb
    May 15th, 2009 at 06:49 | #6
    Reply | Quote

    @amadmonk
    Actually its very easy to eliminate all the false positives, but like you said, it all rests on how lazy the warden guy is.

  7. Purity
    May 18th, 2009 at 00:46 | #7
    Reply | Quote

    Blackbook :
    Ha…still quite funny - but you should stop now. There are a lot of ex-gliders using mimic now, so for the sake of the community you should stop.

    Why? wouldn’t the community want a safer bot to begin with? the more someone nit picks it the more things “should” get fixed/improved.

    It seems so far their track records isn’t that great

  8. pandyer
    July 1st, 2009 at 18:10 | #8
    Reply | Quote

    Interact(Object_Base_Adress, Handle_Windows_WoW)
    how to use it ??
    Mailed to me the answer thanks.
    [email protected]

  9. Cypherjb
    July 1st, 2009 at 18:29 | #9
    Reply | Quote

    @pandyer
    Fuck off moron.

  1. No trackbacks yet.