Latest PG has been beaten..

Discussion in 'ProcessGuard' started by locomotive, Sep 23, 2006.

Thread Status:
Not open for further replies.
  1. locomotive

    locomotive Registered Member

    Joined:
    Sep 23, 2006
    Posts:
    3
    By World of Warcraft. A new 'super' Warden was uploaded to their PTR and users who were previously safe with PG 3.410 have been caught.

    Please look into this to make us safe again!! :)
     
  2. StriderSkorpion

    StriderSkorpion Registered Member

    Joined:
    Feb 24, 2006
    Posts:
    54
    Just to let you know, ProcessGuard is not intended for cheating. Your post sounds like a request for DiamondCS to circumvent Blizzard's anti-cheating system. If you fear Warden will result in a privacy violation, your best bet (whether or not ProcessGuard or similar can prevent it) is not to run the software. Otherwise, close any programs that may have potentially private information when running the game.
     
  3. farad

    farad Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    11
    I was curious about this, and play WoW, so I downloaded the PTR patch. Indeed Blizzard seems to have beaten ProcessGuard, intentionally or not. Specifically the read protection has been circumvented. I can't speak for the original poster but for me it has nothing to do with cheating. PG being circumvented is a valid concern.

    With nothing allowed (protect, authorize, other) the live version of WoW.exe fills PG's log with read attack blocks, when running processes have read protection enabled. With the test version of WoW.exe nothing is blocked. A quick read of the test forum shows people whining about being banned so they are probably still probing processes. I can't confirm the latter one way or another. I am not risking my WoW account testing this further, test server or not :D

    I do think further investigation is in order though.
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Which could be simply due to Blizzard using other means of checking for a process that doesn't trigger PG's Read protection - while it prevents process information from being collected, it doesn't hide the process itself like a rootkit might.

    I would second StriderSkorpion's comment - if you don't like Warden, stop paying Blizzard their monthly fee for it.
     
  5. farad

    farad Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    11
    If that was the case couldn't people just rename the files or change the hash size? Or is PG's read protection...limited?

    Either way I don't have a problem with Blizzard and I don't really use read protection. I was just trying to help clarify what he was suggesting.
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If Locomotive is running a cheat program that is now being detected then it is unlikely that renaming it would make any difference and he would have to hex-edit it (which could break it if he changes the wrong part) to alter its hash.

    However this doesn't have any bearing on PG which can protect files regardless of name/hash - it seems far more likely that Blizzard are using other means to get the information which aren't seen as an "attack" by PG.
     
  7. Laserbream

    Laserbream Registered Member

    Joined:
    Sep 26, 2006
    Posts:
    1
    Hello - thought I would stop lurking to say that I play WoW a lot and I'm thinking of buying Processguard.

    I made a post in the euro tech support forums asking whether Processguard would be blacklisted by Blizzard. Answer there came none, and my post was deleted. Interesting!

    Clearly a little sensitive about Warden methinks. Or maybe my comparing it to a rootkit touched a nerve. Anyhoo, I'm going to email them with the same question and I'll let you know what they say.
     
  8. locomotive

    locomotive Registered Member

    Joined:
    Sep 23, 2006
    Posts:
    3
    ProcessGuard IS intended to keep my system safe from outside intruders. I am posting this to let everyone know that the new warden system has defeated PG. Do you not think others will follow blizzard with this new warden?

    Doesn't matter what I use it for, that's none of YOUR business or PGs.

    From what I've been reading, the new warden uses Ring0, in which case I don't know how PG or any other program will be able to stop warden from reading the processes now.
     
  9. farad

    farad Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    11
    This thread is in danger of going over my head, but how would WoW start running at Ring0? WoW has never asked to install drivers/services.
     
  10. StriderSkorpion

    StriderSkorpion Registered Member

    Joined:
    Feb 24, 2006
    Posts:
    54
    As Paranoid2000 said, they may not be using what ProcessGuard thinks is an attack vector. It may just be getting a process list and then finding out the programs to compare their hashes against known cheat programs or analyze their code according to signatures &/or heuristics (akin to anti-virus). My recommendation still stands as some do believe Warden to be spyware and thus it would be best not to use it. If it can actually read the programs and you still wish to play WoW, you should not leave any programs containing sensitive information running while using Warden. That's just a recommendation for safety in regards to using Warden as things currently stand. If it does bypass ProcessGuard's read protection, DiamondCS should definitely look into this. True, it's not my business what you use it for, but I was only giving fair warning in regards to ProcessGuard's intended use. There's no need to get upset (not saying that you are) as I wasn't accusing you of cheating, only giving a fair warning.

    Edit: I can't say for sure, but I wouldn't believe that it could access Ring0 (at least not without ProcessGuard triggering an alert). It would have to somehow inject its code into a process running at that privilege or create a driver/service as you've stated. That's AFAIK, though, since I don't have advanced knowledge in regards to rootkits and their subversion techniques.
     
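Paranoid2000's point above (a scanner can identify a process by means that never touch its memory) and StriderSkorpion's suggestion of a process list plus hash comparison, as an added example that is not part of the thread and is not Warden's or ProcessGuard's code. Everything in it is constructed: the process entries stand in for what a scanner would get from the OS process list, the "known cheat" image is a fake byte string, and the files live in a temporary directory. It also shows the rename-versus-hex-edit distinction from posts 5 and 6: a renamed copy still matches, a one-byte patch does not.

```python
"""
Added example: detecting a process by hashing its image on disk.

Hypothetical code, not Warden's or ProcessGuard's. The scan only uses the
pid, image name and image path that a process list provides; it never opens
a handle to the target process, so a HIPS that blocks process-memory reads
has nothing to block.
"""
import hashlib
import os
import tempfile
from collections import namedtuple

# One entry per running process, as obtained from the OS process list.
# (Constructed stand-in; a real scanner would fill this from the OS.)
ProcessEntry = namedtuple("ProcessEntry", "pid name path")

# Constructed "known cheat" image: a fake PE-looking byte string, not real code.
KNOWN_CHEAT_IMAGE = b"MZ\x90\x00" + b"fake-cheat-tool-v1" + b"\x00" * 32


def sha256_file(path):
    """Hash a file on disk in chunks. No process handle is involved."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_processes(entries, blocklist):
    """Return the pids whose on-disk image hash is in the blocklist.

    The image name is deliberately ignored, so renaming the file does not
    help; only a change to the file's bytes changes the hash.
    """
    hits = []
    for entry in entries:
        try:
            digest = sha256_file(entry.path)
        except OSError:
            continue  # image missing or unreadable: skip it, don't crash
        if digest in blocklist:
            hits.append(entry.pid)
    return hits


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Three images: the original, a renamed copy, and a one-byte-patched copy."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "cheat.exe")
        renamed = os.path.join(d, "notepad2.exe")
        patched = os.path.join(d, "cheat_patched.exe")
        _write(original, KNOWN_CHEAT_IMAGE)
        _write(renamed, KNOWN_CHEAT_IMAGE)
        data = bytearray(KNOWN_CHEAT_IMAGE)
        data[-1] ^= 0x01  # the "hex edit" from post 6: one byte in the padding
        _write(patched, bytes(data))

        blocklist = {hashlib.sha256(KNOWN_CHEAT_IMAGE).hexdigest()}
        entries = [
            ProcessEntry(1000, "WoW.exe", os.path.join(d, "missing.exe")),
            ProcessEntry(2000, "cheat.exe", original),
            ProcessEntry(2001, "notepad2.exe", renamed),
            ProcessEntry(2002, "cheat_patched.exe", patched),
        ]
        return scan_processes(entries, blocklist)  # -> [2000, 2001]


if __name__ == "__main__":
    print("flagged pids:", demo())
```

The renamed copy (pid 2001) is flagged alongside the original; the patched copy (pid 2002) is not, and the entry whose image path does not exist is skipped. Nothing here opens a process handle, which is why memory-read protection of the kind discussed in this thread would not log anything: guarding process memory and guarding the on-disk image are separate problems.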
  11. locomotive

    locomotive Registered Member

    Joined:
    Sep 23, 2006
    Posts:
    3
    Actually starforce is a ring0 application and as far as I know PG can't stop it, right?

    I learned about the ring0 in the latest warden from the hacker community, so the reliability is not 100%. However for something as intrusive as the warden I wouldn't put it past them.

    For those out there: Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

    So ring0 would have access to everything your system has running. I noticed the scan.dll and other files relating to the warden system with blizzard have been updated to today's date (they had a patch today).

    This is cause for concern considering other companies besides Blizzard will use this new warden for their own purposes. Maybe we could get a reply from a developer on here?
     
  12. StriderSkorpion

    StriderSkorpion Registered Member

    Joined:
    Feb 24, 2006
    Posts:
    54
    The thing is, StarForce installs itself as a driver and adds itself to the CD/DVD drive filters (can't remember if it was upper, lower, or both). Warden would need to install itself as a driver/service to emulate the capabilities of StarForce. If it has installed itself as such or needs to be installed in such a way, there is definitely a cause for concern as Sony's rootkit was used for malicious purposes and the same could be done with Warden. If it's never installed a driver or service, then it might not be actually reading the process (this is what I hope) or it could be it somehow discovered an unprotected "attack vector". In either case, this should be investigated further to discover what it's actually doing and if the latter is the case, protect against it.
     
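The check a practitioner would run to settle the question raised in posts 9 and 12 (has the game registered a kernel driver, or a CD/DVD filter driver the way StarForce does), as an added example that is not part of the thread and not ProcessGuard's, Blizzard's or StarForce's code. The SAMPLE_* data is constructed (service names and paths are invented); on Windows, load_services() and load_cdrom_filters() read the real registry keys with winreg. The "c:\windows\" prefix handling assumes the default system root.

```python
"""
Added example: list registered kernel-mode driver services and CD/DVD class
filter drivers. Hypothetical helper, not from ProcessGuard or any vendor.
"""
import sys

# Service Control Manager "Type" values for kernel-mode components.
SERVICE_KERNEL_DRIVER = 0x1
SERVICE_FILE_SYSTEM_DRIVER = 0x2
DRIVER_TYPES = {SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER}
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
# Setup class for CD-ROM devices; filter driver names live in its
# UpperFilters / LowerFilters values.
CDROM_CLASS_KEY = (r"SYSTEM\CurrentControlSet\Control\Class"
                   r"\{4D36E965-E325-11CE-BFC1-08002BE10318}")

# Constructed stand-in for the Services key (names and paths are invented).
SAMPLE_SERVICES = {
    "Disk":            {"Type": 0x1,  "Start": 0, "ImagePath": r"system32\DRIVERS\disk.sys"},
    "Ntfs":            {"Type": 0x2,  "Start": 0, "ImagePath": ""},
    "Spooler":         {"Type": 0x10, "Start": 2, "ImagePath": r"%SystemRoot%\system32\spoolsv.exe"},
    "ExampleCopyProt": {"Type": 0x1,  "Start": 1, "ImagePath": r"\??\C:\Program Files\SomeGame\prot.sys"},
}
SAMPLE_CDROM_FILTERS = {"UpperFilters": ["ExampleCopyProt"], "LowerFilters": []}


def normalize_image_path(image_path):
    """Reduce the registry's several spellings of a driver path to one form."""
    p = image_path.strip().lower().replace("/", "\\")
    for prefix in ("\\??\\", "\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    if p.startswith("c:\\windows\\"):  # assumption: default system root
        p = p[len("c:\\windows\\"):]
    return p


def driver_services(services):
    """Every kernel-mode or file-system driver service as (name, start, path)."""
    out = []
    for name, values in sorted(services.items()):
        if values.get("Type", 0) in DRIVER_TYPES:
            start = START_NAMES.get(values.get("Start"), "unknown")
            out.append((name, start, values.get("ImagePath", "")))
    return out


def suspicious_drivers(services, trusted_prefix="system32\\drivers\\"):
    """Driver services whose image lives outside the normal driver directory.

    An empty ImagePath means the default location (system32\\drivers\\<name>.sys)
    and is treated as trusted.
    """
    return [name for name, _start, path in driver_services(services)
            if path and not normalize_image_path(path).startswith(trusted_prefix)]


def cdrom_filter_drivers(filters):
    """Names registered as CD/DVD class upper or lower filter drivers."""
    return list(filters.get("UpperFilters", [])) + list(filters.get("LowerFilters", []))


def load_services():
    """Windows only: read the Services key into the dict shape used above."""
    import winreg
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            entry = {}
            with winreg.OpenKey(root, name) as sub:
                for value in ("Type", "Start", "ImagePath"):
                    try:
                        entry[value] = winreg.QueryValueEx(sub, value)[0]
                    except OSError:
                        pass  # value absent for this service
            services[name] = entry
    return services


def load_cdrom_filters():
    """Windows only: read the CD-ROM class UpperFilters/LowerFilters values."""
    import winreg
    filters = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CDROM_CLASS_KEY) as key:
        for value in ("UpperFilters", "LowerFilters"):
            try:
                filters[value] = winreg.QueryValueEx(key, value)[0]
            except OSError:
                filters[value] = []
    return filters


if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    services = load_services() if on_windows else SAMPLE_SERVICES
    filters = load_cdrom_filters() if on_windows else SAMPLE_CDROM_FILTERS
    for name, start, path in driver_services(services):
        print(f"{name:20} start={start:8} {path}")
    print("outside system32\\drivers:", suspicious_drivers(services))
    print("CD/DVD filters:", cdrom_filter_drivers(filters))
```

Run it before and after installing the game (or applying a patch) and diff the two listings: a new entry of type 1 or 2, or a new name in the CD-ROM filter values, is exactly the driver or filter that posts 9 and 12 say would be needed for ring 0 access. On the constructed sample the driver living under the game's own directory and the filter entry are both reported; the Spooler service is ignored because its Type is a user-mode service, not a driver.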
  13. Very Paranoid

    Very Paranoid Registered Member

    Joined:
    Jun 17, 2006
    Posts:
    2
    Location:
    Michigan, USA
    I do not use Warden or any of the other things mentioned here. But if something had managed to learn how to use ring 0 would it be best not to routinely log on as an admin? Instead create a guest account with more limited authorizations?

    Any comments or suggestions?

    Thanks.
     
  14. controler

    controler Guest

    I agree if it is truly Ring0 PG should stop it.

    Even if it is simply a process PG should stop it.

    con
     
  15. fcrick

    fcrick Registered Member

    Joined:
    Nov 15, 2006
    Posts:
    1
    I don't really see why this is relevant. If World of Warcraft is doing something that gets past PG, doesn't that mean other programs can take the same route?

    Surely, if your concern is for the integrity of the software, the intentions of a violating program shouldn't be of much concern. How do I know hackers won't disassemble Warden and use identical techniques for some other purpose?
     