# Forum > World of Warcraft > World of Warcraft Bots and Programs > WoW Bots Questions & Requests > [How To] Why Pixel Botting is Detected

## Vicer

This communication is for the 99.999% of people on this site who are not technical.

_Tech Details:_

Starting form Windows 8 there's the GetCurrentInputMessageSource function. You can use it, and check the originId enum for the following value:

IMO_INJECTED - The input message has been injected (through the SendInput function) by an application that doesn't have the UIAccess attribute set to TRUE in its manifest file.

_Q&A:_

Q) What does the above mean? 
A) If your bot is using keysend or click commands it will be detected in Windows 8 or higher if the game has implemented the code above.

Q) How does the game detect this?
A) The game client runs a procedure with the above functions. The result is reported back to the game server/db. Your account is flagged as a botter, you get banned/suspended at some point.

Q) Is there a work around?
A) Yes, there are a few. You actually just read one. 

Good luck and have fun.

----------


## Hazzbazzy

For those who prefer the TLDR: 

Set the UIAccess flag to TRUE, under the requestedExecutionLevel section, in your solution's Application Manifest. If you're using Visual Studio, see here: Adding an application manifest file.



```
 <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
```

----------


## Razzue

"why pixel Botting is detected" 

Yet out of all my Botting acounts, the only ones to still survive are in fact pixel bots .. kek

----------


## Xaxoxuxu

> For those who prefer the TLDR: 
> 
> Set the UIAccess flag to TRUE, under the requestedExecutionLevel section, in your solution's Application Manifest. If you're using Visual Studio, see here: Adding an application manifest file.
> 
> 
> 
> ```
>  <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
> ```


How would that help? The messages are still injected LLHKF_INJECTED (right?)

----------


## Spacechemist

This is more a issue of an hierarchy concept, just like executing something under administrator privileges, the execution level you use makes you capable of executing things under "the OS hood" or "above the OS", though this is not the most clear explanation, basically a warden could help himself with different libraries that Windows/NET Framework provides and could easily detect your method of using them against him.

----------


## Hazzbazzy

> How would that help? The messages are still injected LLHKF_INJECTED (right?)


Well in theory it shouldn't be an issue if the UIAccess flag is set, and the .exe is signed. However, I did try this an hour or so ago and the SendInput still resolves as "IMO_INJECTED" when queried with he function.

----------


## Xaxoxuxu

> Well in theory it shouldn't be an issue if the UIAccess flag is set, and the .exe is signed. However, I did try this an hour or so ago and the SendInput still resolves as "IMO_INJECTED" when queried with he function.


Is this the detection method they use? I can't think of external applications that could possibly be legit and use SendInput ?

----------


## Hazzbazzy

> Is this the detection method they use? I can't think of external applications that could possibly be legit and use SendInput ?


I wasn't looking for the detection method I was looking for a POC. I cannot emulate a hardware keypress with SendInput, even with the UIAccess flag set to true and the application being (self)signed.

----------


## ChimpeonFan

Personally I think Blizzard simply looks for known pixel bots in memory or on the hard drive. If you keep a pixel bot completely private, Blizzard never gets to hear about it and you won't get banned (although I've not tested this personally). It is only when the pixel bot gets popular in the public domain (like Chimpeon did) will it become detected by Blizzard. There are ways to circumvent detection - using the pixel bot on a PC remote from WOW being one... Chimpeon 101 - Using Chimpeon on a Remote PC

----------


## KKira

Solution: Use Arduino and simulate real keyboard input, no need to over-complicate an easy work around.

----------


## fonillius

> Solution: Use Arduino and simulate real keyboard input, no need to over-complicate an easy work around.


Yes, very simple method! thx
at same go i made artificial-intelligence-one-button-bot with arduino

----------


## aerichardso3

Has anyone found a solution to this, minus purchasing and coding a physical button pressing bot?

----------


## LegitSale

What bot isnt detected? lol

----------


## kamil234

I’m using python with win32 api that translates C functions into python. Is it certain it will use the same sendkey APIs? How can i test the response from GetCurrentInputMessageSource without writing a C program?

All im really doing, is pressing 1 key at a random interval over and over to snipe limited items from vendors. (The buying is handled by a macro, completely within WOW’s own function) 

What is the likelyhood that i’d get caught? I’m not using injection or focus window or anything of that nature.

----------


## REGELE33

there is an academic paper on cheats and stuff.. you guys should read it and be amazed of what they can do without scanning anything in your computer. if you manage to make a bot using real hardware input it will get detected

----------


## KKira

> there is an academic paper on cheats and stuff.. you guys should read it and be amazed of what they can do without scanning anything in your computer. if you manage to make a bot using real hardware input it will get detected


Feel free to link it, we can't guess its name or URL.

----------


## REGELE33

read it years ago and i can;t find the bookmark for it. basically they said that mouse movement its like an online fingerprint where no two people are the same. if blizzard tracks it and you gonna play at your friend house they can tell its you. to beat it you would need human movement+hardware input (seems like in wow input doesn't matter that much) and it can be done. then they can't ban you because its basically a human playing  :Smile: )) has anyone been falsely banned for botting ?

----------


## TehVoyager

> Yes, very simple method! thx
> at same go i made artificial-intelligence-one-button-bot with arduino


for the longest time, I would wonder "why hasn't someone started using an intel Nuc with some sort of USB and HDMI passthrough device and just have a hardware bot

I guess that snarky answer explains why  :Wink:

----------


## KijoSenzo

Was planning to make a simple AHK script where I press one button and have it send a key based on image searching.

Detectable and bannable?

----------


## InnerSilence

> Is this the detection method they use? I can't think of external applications that could possibly be legit and use SendInput ?


Well, that's not the only windows API that can be used to get simulated inputs. About legit software, Windows on screen keyboard sends simulated inputs too! Or when you use steam or other software to stream your game those probably send simulated inputs too. Anyway hiding inputs with UIAccess even if was possible was as bad as sending simulated inputs to the game.




> Personally I think Blizzard simply looks for known pixel bots in memory or on the hard drive. If you keep a pixel bot completely private, Blizzard never gets to hear about it and you won't get banned (although I've not tested this personally). It is only when the pixel bot gets popular in the public domain (like Chimpeon did) will it become detected by Blizzard. There are ways to circumvent detection - using the pixel bot on a PC remote from WOW being one... Chimpeon 101 - Using Chimpeon on a Remote PC


Looking in the hard drive is pretty lame and they wont do it, still they can search memory for signature of known bots as u said just like what antiviruses do. And to be honest it is not easy to hide from signature detection methods for public bots. Using bot on a remote PC prevents signature detection but still you are sending simulated inputs to WoW which is suspicious and can get you flagged.




> Has anyone found a solution to this, minus purchasing and coding a physical button pressing bot?


Yes there are some ways, but not without hassle. If you want hardware input you need to do it from driver level.




> there is an academic paper on cheats and stuff.. you guys should read it and be amazed of what they can do without scanning anything in your computer. if you manage to make a bot using real hardware input it will get detected


True, there are actually many papers about bot detection. Most bots are detectable because they act very stupidly. i.e. no human player can move his mouse from point A to point B instantly or on a perfectly straight line. Or when honnerbuddy used to work I always knew that despite what they claim their bot was so detectable because all path findings where based on a single algorithm which caused all bots that wanted to move from a point A to B walk through a similar path. You could easily see this in BGs where all bots moved together.

----------


## nemesis2578

> ... I cannot emulate a hardware keypress with SendInput, even with the UIAccess flag set to true and the application being (self)signed.


I was playing with it a bit and managed to use "mouse_event" and still have INPUT_MESSAGE_ORIGIN_ID set to: IMO_HARDWARE. It is important to meet ALL those 3 requirements(described here: Security Considerations for Assistive Technologies - Windows applications | Microsoft Docs ):

1] Be signed with a certificate to interact with applications running at a higher privilege level.
2] Be trusted by the system. The application must be installed in a secure location that requires a user account control (UAC) prompt for access. For example, the Program Files folder.
3] Be built with a manifest file that includes the uiAccess flag.

For 1, I used OpenSSL and generated CA key+cert, then generated user certificate used for signing. Then exported it to .pfx and used with signtool.exe to sign my .NET app. Also I had to import this CA cert into computer's trusted root CA.
For 2, I moved it into C:\Program Files\Test. I think you might be missing this part. When I was running it from C:\Users\xxx\repos\.... I was not getting any errors/warnings, but result was IMO_INJECTED.
For 3, It is quite simple, no need to describe it more.

----------


## InnerSilence

> I was playing with it a bit and managed to use "mouse_event" and still have INPUT_MESSAGE_ORIGIN_ID set to: IMO_HARDWARE. It is important to meet ALL those 3 requirements(described here: Security Considerations for Assistive Technologies - Windows applications | Microsoft Docs ):
> 
> 1] Be signed with a certificate to interact with applications running at a higher privilege level.
> 2] Be trusted by the system. The application must be installed in a secure location that requires a user account control (UAC) prompt for access. For example, the Program Files folder.
> 3] Be built with a manifest file that includes the uiAccess flag.
> 
> For 1, I used OpenSSL and generated CA key+cert, then generated user certificate used for signing. Then exported it to .pfx and used with signtool.exe to sign my .NET app. Also I had to import this CA cert into computer's trusted root CA.
> For 2, I moved it into C:\Program Files\Test. I think you might be missing this part. When I was running it from C:\Users\xxx\repos\.... I was not getting any errors/warnings, but result was IMO_INJECTED.
> For 3, It is quite simple, no need to describe it more.


Please check hooking with SetWindowsHookEx api and see if you are still not getting Injected flag. If any program wants to check source of input, most likely will use that function not the one mentioned in this topic.

----------


## REGELE33

i need something like this 403 Forbidden if anyone knows a software or a device like this lmk  :Big Grin: 
Anti-AFK Undetectable Hardware Device - YouTube
hardware bot Basic AFK Leveling - YouTube

----------


## nemesis2578

> Please check hooking with SetWindowsHookEx api and see if you are still not getting Injected flag. If any program wants to check source of input, most likely will use that function not the one mentioned in this topic.


You are right, after hooking SetWindowsHookEx and inspecting lParam.flags I have there LLMHF_INJECTED(=0x00000001). Question is how to prevent it(beside having some hardware machine). Would device driver be sufficient?

----------


## Kwapuzzi

For Mouse Clicks you could build this. I tested this when blizz random disconnects me on classic launch. Wanted to test of they check real hardware inputs. Worked well. Open Java/C# libary for switching the relais and sending mouse 1,2,3
t7MHjhl.jpg

----------


## InnerSilence

> You are right, after hooking SetWindowsHookEx and inspecting lParam.flags I have there LLMHF_INJECTED(=0x00000001). Question is how to prevent it(beside having some hardware machine). Would device driver be sufficient?


Emulating hardware input is not only point of interest of wow. There are many games out there people looking for such methods for long time. As I said before solution depends on howmuch trouble you can endure. There are some unsigned drivers out there you can use but you need to configure windows to allow it. Also there is well knowned one named 'interception driver' which is signed but free version has some limitations and is not easy to use.

----------


## anaithnid

> Solution: Use Arduino and simulate real keyboard input, no need to over-complicate an easy work around.


While this is a funny thought it also is a brilliant idea.
An arduino due with a camera module could read "pixels" on your screen and send key presses simulating a USB keyboard.
I guess there is no way that warden will ever detect that.

----------


## makkk

> For Mouse Clicks you could build this. I tested this when blizz random disconnects me on classic launch. Wanted to test of they check real hardware inputs. Worked well. Open Java/C# libary for switching the relais and sending mouse 1,2,3
> t7MHjhl.jpg


That's pretty cool, did you buy it somewhere or make it yourself?

----------


## makkk

Allowed software such as multiboxing tools or key scramblers or whatever use the same APIs, so would this be a major problem for non-public bots at all?

----------


## aua

Just tryed on a VM (Windows 10, ESXi 6.7u3 Host, latest VMware-Tools) with "IdentifyInputSource" (Windows-classic-samples/Samples/IdentifyInputSource at master . microsoft/Windows-classic-samples . GitHub. 
Inputs over VMware Console and RemoteDesktop are recognized as hardware input. PixelBots via RemoteDesktop or Vmware console should not be detectable via this method.

----------

