WoWMimic API Hook List
May 15th, 2009
Here is a list of functions WoWMimic hooks.
Version .44
VirtualQuery
GetCursorPos
SetCursorPos
FindWindowW
FindWindowA
FindWindowExW
FindWindowExA
EnumWindows
EnumChildWindows
Version .43
VirtualQuery
GetCursorPos
SetCursorPos
It’s obvious that I’m the cause of the .44 update, but what they don’t seem to realize is twofold:
- Warden can follow their hooked code path and hash their function. Obviously it’s going to have a unique signature. If you find the WoWMimic hook then just ban for it.
- Warden can also bypass all their hooks entirely by just doing manual syscall code for each major OS version. That is a very easy thing to do, and no amount of usermode hooking will be able to stop it. (Kernelmode is the only option)
Not only that, but they’re missing half the functions they need to hook. All Warden needs to do is call VirtualQueryEx and they’ve bypassed the hook. It astounds me how stupid the WoWMimic team is. Lastly, afaik it’s possible to manually walk the VAD tree (I have never attempted it but have seen code that can do it). No amount of API hooking can protect you from that either.
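The first point above (follow the hooked code path, then hash what it lands on), as an added example that is not code from the original post, from Warden or from WoWMimic. It assumes the hook is an inline `JMP rel32` detour at the function entry, which the post does not state; the flat buffer, the handler bytes, the function names and the FNV-1a hash are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Offsets into a flat byte buffer stand in for virtual addresses (constructed model). */
typedef struct { int hooked; size_t target; uint32_t sig; } hook_report;

/* FNV-1a, chosen for illustration only; any stable hash works as a signature. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* If the function at mem[entry] starts with JMP rel32 (opcode E9) whose
 * destination lies outside the owning module [mod_lo, mod_hi), follow the
 * jump and hash sig_len bytes of the code it lands on. */
static hook_report check_entry(const uint8_t *mem, size_t mem_len, size_t entry,
                               size_t mod_lo, size_t mod_hi, size_t sig_len) {
    hook_report r = {0, 0, 0};
    if (entry > mem_len || mem_len - entry < 5 || mem[entry] != 0xE9) return r;
    /* rel32 is little-endian and relative to the end of the 5-byte instruction */
    uint32_t raw = (uint32_t)mem[entry + 1] | (uint32_t)mem[entry + 2] << 8 |
                   (uint32_t)mem[entry + 3] << 16 | (uint32_t)mem[entry + 4] << 24;
    int64_t dst = (int64_t)entry + 5 + (int32_t)raw;
    if (dst < 0 || (uint64_t)dst > mem_len || mem_len - (size_t)dst < sig_len) return r;
    if ((size_t)dst >= mod_lo && (size_t)dst < mod_hi) return r; /* stays in module */
    r.hooked = 1; r.target = (size_t)dst; r.sig = fnv1a(mem + dst, sig_len);
    return r;
}

/* Constructed sample: module at [0,64) with a clean function at 16 and a
 * detoured one at 32; the made-up handler bytes sit at 128. */
static void build_sample(uint8_t mem[256]) {
    static const uint8_t clean[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
    static const uint8_t handler[8] = {0x60, 0x9C, 0x90, 0x90, 0x9D, 0x61, 0xC3, 0xCC};
    for (size_t i = 0; i < 256; i++) mem[i] = 0xCC;
    for (size_t i = 0; i < 5; i++) mem[16 + i] = clean[i];
    mem[32] = 0xE9; mem[33] = 91; mem[34] = 0; mem[35] = 0; mem[36] = 0; /* 32+5+91 = 128 */
    for (size_t i = 0; i < 8; i++) mem[128 + i] = handler[i];
}

int main(void) {
    uint8_t mem[256];
    build_sample(mem);
    hook_report r = check_entry(mem, sizeof mem, 32, 0, 64, 8);
    return r.hooked ? 0 : 1; /* exit 0 when the detour was found */
}
```

The signature depends only on the bytes at the jump destination, so it stays the same wherever the handler is loaded and changes if even one handler byte changes.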
To the WoWMimic devs:
Tip: Unless you decide to elevate to the kernel (which still won’t protect you from stack traces) or actively attack Warden (which is a LOT of work and still impossible to get 100% right, even if you’re an expert), you’re screwed. It’s that simple. At the very least, if you’re going to do usermode protection, at least do a decent job; your current half-assed attempt is just plain sad.
Cypherjb