# Forum > World of Warcraft > World of Warcraft Bots and Programs > WoW Bots Questions & Requests >  How does Warden detect injections/hooks?

## Syltex

Hello

I read that if u stay private you can inject how much you want.
But why is it different between private and public?
Why cant private be detected and why does public onces?
We all use the same Lua adress to inject?

Got a theory about it, that warden guy downloads the bot/hack and looks @ the MD5 and sends the order to detect the MD5 to warden?

----------


## whitekidney

A private bot is more likely not to be added to warden's "hitlist"

and afaik (i masy be wrong) warden ddoesnt detect injections, but what you do after you inject.

----------


## Syltex

> A private bot is more likely not to be added to warden's "hitlist"
> 
> and afaik (i masy be wrong) warden ddoesnt detect injections, but what you do after you inject.


How come mimics and eBot got detected? Wasent it injection?

----------


## -Ryuk-

*




Originally Posted by Syltex




How come mimics and eBot got detected? Wasent it injection?


They got detected via injecting yes... but, not for injecting the dll - they check for what you do with the dll. They cant ban you because you injected a dll because fraps and many other legit programs do this. That being said, im sure im going to be corrected if im wrong ^^*

----------


## Syltex

> *
> 
> They got detected via injecting yes... but, not for injecting the dll - they check for what you do with the dll. They cant ban you because you injected a dll because fraps and many other legit programs do this. That being said, im sure im going to be corrected if im wrong ^^*


Hm, im using EndSceen hook & injection for Lua, but im only using ASM to inject for lua. 
Isnt that pretty safe then?

----------


## Cheatz0

> Hm, im using EndSceen hook & injection for Lua, but im only using ASM to inject for lua. 
> Isnt that pretty safe then?


Am i wrong in assuming that you are using the ahook dll? If so, that is pretty public and would be quite easy to detect. If not, you should be relatively safe with only hooking endscene, and not modifying/patching other parts of memory.

----------


## -Ryuk-

*




Originally Posted by Syltex




Hm, im using EndSceen hook & injection for Lua, but im only using ASM to inject for lua. 
Isnt that pretty safe then?


Private hook? or using a public one like EasyHook/aHook?

If is private; have fun, do you you like. Just beware if a public one is using the same method you can still get banned. if its a public one, I think you need to get working on your own*

----------


## Syltex

> *
> 
> Private hook? or using a public one like EasyHook/aHook?
> 
> If is private; have fun, do you you like. Just beware if a public one is using the same method you can still get banned. if its a public one, I think you need to get working on your own*


Im using a hook/injection made by (cant remeber his name, but he posted in the mem section)

This will inject(lua) hook (endsceen)


```
; get address of EndScene
$pDevice = _MemoryRead("0x" & hex($pDevicePtr_1), $wow, "dword")
$pEnd = _MemoryRead("0x" & hex($pDevice + $pDevicePtr_2), $wow, "dword")
$pScene = _MemoryRead("0x" & hex($pEnd), $wow, "dword")
$pEndScene = _MemoryRead("0x" & hex($pScene + $oEndScene), $wow, "dword")
; injected code
Global $injected_code 

; check if already hooked   
$orig = _MemoryRead( "0x" & hex($pEndScene), $wow, "byte[64]" )

; autoit is garbage
$orig_ptr = DllStructCreate("byte[64]")
DllStructSetData( $orig_ptr, 1, $orig )

; check for push xxxxxxxx/ret/nop
; 0x68, 0xC3, 0x90
if DllStructGetData( $orig_ptr, 1, 1 ) == 104 and _
   DllStructGetData( $orig_ptr, 1, 6 ) == -61 and DllStructGetData( $orig_ptr, 1, 7 ) == -112 Then
   
  $injected_code = _MemoryRead( "0x" & hex($pEndScene + 1), $wow, "dword" ) 
else
  ; allocate memory to store injected code
  $injected_code = _MemVirtualAllocEx( $wow[1], 0, 2048, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE )

  ; Generate the STUB to be injected
  $Asm = AsmInit()
  AsmReset($Asm)
  ; save regs
  AsmAdd($Asm, "pushad")
  AsmAdd($Asm, "pushfd")
  ; check if theres something to be run
  AsmAdd($Asm, "mov esi, " & hex( $injected_code + 256 ) & "h")
  AsmAdd($Asm, "cmp dword [esi], 0" )
  AsmAdd($Asm, "jz $+73" ) ; label exit:
  ; UpdateCurMgr
  AsmAdd($Asm, "mov edx, [" & hex($OM_CLIENT_CONNECTION) & "h]")
  AsmAdd($Asm, "mov edx, [ edx + " & hex( $OM_OFFSET_1 ) & "h]")
  AsmAdd($Asm, "mov eax, fs:[2Ch]")
  AsmAdd($Asm, "mov eax, [eax]")
  AsmAdd($Asm, "add eax, 0x10")
  AsmAdd($Asm, "mov [eax], edx")
  ; DoString
  AsmAdd($Asm, "mov esi, " & hex( $injected_code + 1024 ) & "h")
  AsmAdd($Asm, "push 0" )
  AsmAdd($Asm, "push esi" )
  AsmAdd($Asm, "push esi" )
  AsmAdd($Asm, "mov eax, " &$offset& "h" )
  AsmAdd($Asm, "call eax" )
  AsmAdd($Asm, "add esp, 0Ch" )
  ; check if theres something to be returned on
  AsmAdd($Asm, "mov esi, " & hex( $injected_code + 512 ) & "h")
  AsmAdd($Asm, "cmp dword [esi], 0" )
  AsmAdd($Asm, "jz $+2D" ) ; label exit: 

  ; copy return string
  AsmAdd($Asm, "mov esi, eax")
  AsmAdd($Asm, "mov edi, " & hex( $injected_code + 768 ) & "h")
  AsmAdd($Asm, "copy:")
  AsmAdd($Asm, "lodsb")
  AsmAdd($Asm, "stosb")
  AsmAdd($Asm, "cmp al, 0")
  AsmAdd($Asm, "jnz @copy")
  ; clean state busy flag
  AsmAdd($Asm, "exit:")
  AsmAdd($Asm, "xor eax, eax")
  AsmAdd($Asm, "mov edi, " & hex( $injected_code + 256 ) & "h")
  AsmAdd($Asm, "stosd")
  AsmAdd($Asm, "mov edi, " & hex( $injected_code + 512 ) & "h")
  AsmAdd($Asm, "stosd")
  ; restore regs
  AsmAdd($Asm, "popfd")
  AsmAdd($Asm, "popad")

  ; copy injected code
  _MemoryWrite( "0x" & hex( $injected_code ), $wow, AsmGetBinary($Asm), "byte[" & $Asm[2] & "]" )

  ; create hook jump
  $jmpto = AsmInit()
  AsmReset( $jmpto )
  AsmAdd( $jmpto, "push " & hex( $injected_code ) & "h" )
  AsmAdd( $jmpto, "ret")
  AsmAdd( $jmpto, "nop")

  ; save original instructions
  _MemoryWrite( "0x" & hex($injected_code + $Asm[2]), $wow, $orig, "byte[64]" )
    
  ; disasm original bytes
  $DecodeArray = DllStructCreate("byte[" & $sizeofDecodedInst * 64 & "]")
  $ret = distorm_decode(0,  DllStructGetPtr($orig_ptr), 64, $Decode32Bits, DllStructGetPtr($DecodeArray), 64)

  ; parse until we can jump back
  $sumsize = 0
  If $ret[0] == $DECRES_SUCCESS Then
    For $i = 0 To $ret[1] ; number of decoded instructions
      ; get size of 1 instruction
      $instr = DllStructCreate($tagDecodedInst, DllStructGetPtr($DecodeArray) + ($i * $sizeofDecodedInst))
      $sumsize += DllStructGetData($instr, "size")

      ; check if we copied enough instructions
      if $sumsize >= $jmpto[2] Then
      
        ; create jump back stub
        $jmpback = AsmInit()
        AsmReset( $jmpback )
        AsmAdd( $jmpback, "push " & hex($pEndScene + $sumsize) & "h" )
        AsmAdd( $jmpback, "ret")
        AsmAdd( $jmpback, "nop")

        ; write jump back 
        _MemoryWrite( "0x" & hex($injected_code + $Asm[2] + $sumsize), $wow, AsmGetBinary($jmpback), "byte[" & $jmpback[2] & "]" )
        ExitLoop
      Endif	
    Next
  Endif
    
  ; write jump hook
  _MemoryWrite( "0x" & hex($pEndScene), $wow, AsmGetBinary($jmpto), "byte[" & $jmpto[2] & "]" )
```

----------


## Cheatz0

Way too tired too look through it now, but assuming it's just a normal detour you should be relatively safe.

----------

